About a year ago I went through the process of evaluating AVs for the company I was working for.
What I did was the following:
- Set up some detection tests using EICAR and some “wild” viruses.
- I asked some vendors that I had short-listed (Symantec, Sophos, Panda, Fortinet) to provide fully fledged versions.
- For each of the vendors I looked up their listed vulnerabilities in the past year (ovdb) and the time it took them to issue and install an update.
- Compared the upgrade strategy: engine, threat DB, application; some vendors don’t automatically give you all of that.
- Used info from http://virusbtn.com to compare some results in time.
- Set up demos to see them in action, and test their reporting capabilities in real time.
- After all the technical work, of course $$$ came into play.
With the information I made a BIG table and put some weights on the items and let the best player win.
PS: For those who will ask, Sophos came out with the best results in our environment.
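The "big table with weights" step above is a weighted decision matrix. Here is an added example of one, not code from the original answer and not the poster's actual data: the vendor names VendorA..VendorD, every number in the results table, and the weights are constructed placeholders. It follows the answer's criteria (detection tests, published vulnerabilities and time to patch, update coverage for engine/threat DB/application, real-time reporting, cost), min-max normalizes each column so that "lower is better" criteria such as vulnerability count and price are inverted, and includes a reweighting helper so you can check how sensitive the winner is to the weights you chose.

```python
"""Weighted decision matrix for an AV vendor evaluation (constructed example)."""

from typing import Dict, List, NamedTuple


class Criterion(NamedTuple):
    name: str
    weight: float           # weights across all criteria must sum to 1.0
    higher_is_better: bool  # False for cost-type criteria (vulns, patch days, price)


# Criteria mirroring the evaluation steps in the answer; the weights are assumptions.
CRITERIA: List[Criterion] = [
    Criterion("detection_rate", 0.30, True),    # share of test samples caught
    Criterion("vulns_past_year", 0.15, False),  # published vulns in the product itself
    Criterion("patch_days", 0.20, False),       # mean days from advisory to installed fix
    Criterion("update_coverage", 0.15, True),   # engine / threat DB / app auto-updated: 0..3
    Criterion("reporting", 0.10, True),         # real-time reporting as seen in the demo, 1..5
    Criterion("annual_cost", 0.10, False),      # the $$$ step
]

# Constructed sample results; VendorA..VendorD are placeholders, not real products.
RESULTS: Dict[str, Dict[str, float]] = {
    "VendorA": {"detection_rate": 0.98, "vulns_past_year": 4, "patch_days": 12,
                "update_coverage": 3, "reporting": 4, "annual_cost": 30000},
    "VendorB": {"detection_rate": 0.95, "vulns_past_year": 2, "patch_days": 20,
                "update_coverage": 2, "reporting": 5, "annual_cost": 22000},
    "VendorC": {"detection_rate": 0.99, "vulns_past_year": 7, "patch_days": 30,
                "update_coverage": 3, "reporting": 3, "annual_cost": 18000},
    "VendorD": {"detection_rate": 0.90, "vulns_past_year": 1, "patch_days": 8,
                "update_coverage": 1, "reporting": 2, "annual_cost": 25000},
}


def normalize(values: Dict[str, float], higher_is_better: bool) -> Dict[str, float]:
    """Min-max scale one criterion to 0..1 so the best vendor on it gets 1.0.

    Cost-type criteria are inverted so that a lower raw value scores higher.
    """
    lo, hi = min(values.values()), max(values.values())
    span = hi - lo
    scaled = {}
    for vendor, v in values.items():
        if span == 0:
            scaled[vendor] = 1.0  # vendors are indistinguishable on this criterion
        elif higher_is_better:
            scaled[vendor] = (v - lo) / span
        else:
            scaled[vendor] = (hi - v) / span
    return scaled


def weighted_scores(results: Dict[str, Dict[str, float]],
                    criteria: List[Criterion]) -> Dict[str, float]:
    """Sum weight * normalized value over all criteria for each vendor."""
    total_weight = sum(c.weight for c in criteria)
    if abs(total_weight - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total_weight:.3f}, expected 1.0")
    totals = {vendor: 0.0 for vendor in results}
    for c in criteria:
        column = {vendor: row[c.name] for vendor, row in results.items()}
        for vendor, scaled in normalize(column, c.higher_is_better).items():
            totals[vendor] += c.weight * scaled
    return totals


def rank(results: Dict[str, Dict[str, float]], criteria: List[Criterion]) -> List[str]:
    """Vendors ordered best to worst by weighted score."""
    scores = weighted_scores(results, criteria)
    return sorted(scores, key=scores.get, reverse=True)


def reweight(criteria: List[Criterion], name: str, new_weight: float) -> List[Criterion]:
    """Set one criterion's weight and rescale the others so the total stays 1.0.

    Useful as a sensitivity check: does the winner survive a different weighting?
    """
    target = next(c for c in criteria if c.name == name)
    rest = [c for c in criteria if c.name != name]
    scale = (1.0 - new_weight) / sum(c.weight for c in rest)
    adjusted = [Criterion(c.name, c.weight * scale, c.higher_is_better) for c in rest]
    adjusted.append(Criterion(name, new_weight, target.higher_is_better))
    return adjusted


if __name__ == "__main__":
    for vendor, score in sorted(weighted_scores(RESULTS, CRITERIA).items(),
                                key=lambda kv: kv[1], reverse=True):
        print(f"{vendor}: {score:.3f}")
    print("winner if cost weight is 0.40:",
          rank(RESULTS, reweight(CRITERIA, "annual_cost", 0.40))[0])
```

With the constructed numbers VendorA wins under the default weights, but once cost is weighted at 0.40 the cheapest vendor (VendorC) comes out on top, which is exactly the kind of shift worth knowing about before the table goes to whoever signs the purchase order.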