NOD32 vs. KAV


Iztok
November 27th, 2003, 12:26 PM
Hi!

I have NOD32 and Kaspersky Anti-Virus (KAV). Could someone tell me why NOD32 is better than KAV?
My opinion:
- KAV (4.5.0.49) uses fewer resources than NOD32
- KAV has bigger antivirus databases than NOD32
- KAV recognizes almost all trojans and backdoors; NOD32 recognizes fewer than KAV (I have around 1000 viruses: KAV recognizes all of them, NOD32 around 800).
- NOD has advanced heuristics; here NOD is better than KAV.

Could someone from ESET tell me why NOD32 is better than KAV?

Bye

Madsen DK
November 27th, 2003, 01:48 PM
Heh lol, another NOD versus X Y Z AV thread ::)
KAV uses fewer resources than NOD???
Really, I don't think so.
Best regards
Ole

Iztok
November 27th, 2003, 03:04 PM
Install KAV; you will be surprised. Link: ftp://ftp.kaspersky.com/products/release/english/businessoptimal/workstations/kavwinworkstation/kavwinws4.5.0.94eng.exe
OK, then tell me why you're using NOD32 (what's the advantage)?

Bye

sir_carew
November 27th, 2003, 04:16 PM
Hi,
You're incorrect: KAV uses many resources that NOD32 does not! Also, NOD has these pros that KAV doesn't:
It scans much more quickly than KAV;
The virus "decrypters" are more professional at ESET;
The updates are lighter;
The GUI is better and easier to understand;
The heuristics (AH and the normal heuristics) are much better than KAV's;
IMON scans in any, or most, mail clients; KAV only scans the mail clients' databases. In other words, if you want to remove a virus you need to disable the KAV monitor (some exceptions are The Bat!, Outlook and OE).
The only things KAV has over NOD are the unpacker engine and the detection engine (not the heuristics).
PS: I have the same version as you, and NOD uses fewer resources.

RJ100
November 27th, 2003, 05:05 PM
OH NO! Here we go again, and right before Christmas . . ::) . . ::)

http://www.wilderssecurity.com/showthread.php?t=14902

Don't mind me, just diggin up bones . . . . :o

Dan Perez
November 27th, 2003, 06:07 PM
-{ Quote: "KAV (4.5.0.49) uses fewer resources than NOD32" }-

I too would dispute that. I use KAV Pro 4.5.0.49 as well as NOD32 v2, and though I think that KAV gets a false rep for taking too many resources, it does take significantly more than NOD. NOD scans much, much faster. With regard to trojan detection, it is a widely held view that KAV has better trojan detection, but I personally would not trust any AV as a primary AT. I use TDS as a primary AT and KAV (and NOD) as secondary.

NOD has significantly better email protection than KAV. It has been a widely known issue for some time that KAV will lock up Outlook every time an S/MIME-signed email comes through when KAV email protection is enabled, and they have been way too slow in resolving it.

I have a great respect for KAV but I wouldn't do without my NOD either.

Straight Shooter
November 28th, 2003, 09:03 AM
-{ Quote from sir_carew: "Hi,
You're incorrect: KAV uses many resources that NOD32 does not! Also, NOD has these pros that KAV doesn't:
It scans much more quickly than KAV;" }- 8 more minutes? NOD32 used to scan my drive in 8 minutes, KAV Personal Pro in 16? For the extra malware covered I'll take KAV any day...

-{ Quote from sir_carew: "The virus 'decrypters' are more professional at ESET;" }-
Where did you get THAT from, <snip>


-{ Quote from sir_carew: "The updates are lighter;
The GUI is better and easier to understand;
The heuristics (AH and the normal heuristics) are much better than KAV's;
IMON scans in any, or most, mail clients; KAV only scans the mail clients' databases. In other words, if you want to remove a virus you need to disable the KAV monitor (some exceptions are The Bat!, Outlook and OE).
The only things KAV has over NOD are the unpacker engine and the detection engine (not the heuristics).
PS: I have the same version as you, and NOD uses fewer resources." }-

The lighter updates, yes, I agree with that. But KAV DOES DETECT MORE!
The GUI is easy for me in both cases (they are BOTH confusing, LOL...).
Heuristics are a "Las Vegas" gamble for me... Nice to have, but I wouldn't bet my life on them.
Resources? Well, if my computer can handle it, I would rather have MAXIMUM protection...

Paul Wilders
November 28th, 2003, 09:41 AM
NOD32 is an antivirus par excellence; VirusBulletin's records prove this time after time, beating KAV.

Since layered defense is commonly accepted as the most preferred way to go, an additional stand-alone anti-trojan is recommended. This goes for NOD32, and, surprisingly, for all other antiviruses as well, KAV included.

Common sense is not putting all eggs in one basket. Having just one app coping with everything leaves one's system helpless in case it has been killed or compromised.

As for heuristics: KAV's script checker uses heuristics as well, Dr.Web relies on strong heuristics, etc. So much as far as heuristics are concerned.

regards.

paul

JimIT
November 28th, 2003, 11:13 AM
-{ Quote from Paul Wilders: "NOD32 is an antivirus par excellence; VirusBulletin's records prove this time after time, beating KAV." }-

Yah, but let's never let facts get in the way of a "mine's better than yours" discussion... ;)

-{ Quote: "Common sense is not putting all eggs in one basket. Having just one app coping with everything leaves one's system helpless in case it has been killed or compromised." }-

Agreed. Not to mention the possible FPs, and detection of dubious "threats" of little to no consequence. ;)

(Jim plants tongue firmly in cheek...)

Paul Wilders
November 28th, 2003, 11:25 AM
Jim,

-{ Quote: "Yah, but let's never let facts get in the way of a "mine's better than yours" discussion..." }-

In case that's the purpose from a discussion: fully agreed. Personally: there is no mine; we have them all - although we do have favorite ones ;)

-{ Quote: "(Jim plants tongue firmly in cheek...)" }-

I've been there; don't do that for more than an hour. I ended up visiting a medic ;D

regards.

paul

sir_carew
November 28th, 2003, 02:26 PM
Hi,
> Where did you get THAT from, <snip>
My opinions are based on my own experience.
Months ago, I sent many viruses that KAV didn't detect, including trojans, worms, etc.
Aleks Gostev always replied to my messages, but one day Aleks Gostev wrote to me:
"Stop sending crap to me."
It is for this reason that I believe that the whole team at Kaspersky (the virus "decrypt" team) is ignorant (except Eugene Kaspersky and Costin Raiu).
I will never send another sample to this "company".
Best Regards.

wizard
November 28th, 2003, 03:02 PM
-{ Quote from Paul Wilders: "Common sense is not putting all eggs in one basket. Having just one app coping with everything leaves one's system helpless in case it has been killed or compromised." }-

A combination of KAV & NOD32 is quite a good choice. Not really cheap, but nearly a "perfect fit". :)

wizard

Iztok
November 28th, 2003, 05:21 PM
For sir_carew

Could you please send me viruses that KAV didn't recognize?

Bye

sir_carew
November 28th, 2003, 06:09 PM
Hi,
1) I only send viruses to people that I know, sorry ;D
2) KAV now detects these viruses.
3) KAV isn't perfect; if a new virus is uploaded to a web page, most AVs don't detect it.
4) Each time I look at the Symantec research web page and find new descriptions, if it is a P2P worm I search for it on Kazaa, eDonkey, WinMX, etc.
Thanks to this, I have found many new worms (like Bereb.a, .b; Logpole.a, .c; etc.), and the only AVs that detected them proactively were NOD32 (using AH) and McAfee. Obviously KAV has now added these worms to its databases, like the other AVs. KAV detects more "known" viruses, trojans, worms, etc. than NOD32; however, KAV's heuristics are bad.
I personally think the heuristics are more important than the databases.
KAV isn't the best AV. In an AV, the databases aren't the only important thing; the heuristics, support, GUI, resources, compatibility, interface language and many other factors are important. (Obviously not all the factors have the same importance.)
Best regards.

VikingStorm
November 28th, 2003, 11:05 PM
Did they really tell you to stop sending things KAV didn't detect?

sir_carew
November 28th, 2003, 11:28 PM
Not exactly; when I send a new virus to Kaspersky I don't receive a reply, but at the next daily update KAV detects it.
However, Alexander Gostev sent me mails like: "Stop sending crap. I will not detect anything from you," and things like that.
I will never submit samples to this "company".

Firefighter
November 29th, 2003, 05:00 AM
To sir_carew from Firefighter!

I agree that strong heuristics with few false alarms are important, but I don't think that even NOD is capable of detecting the majority of NEW viruses. In a recent test NOD missed about 9860 File, MS-DOS, Windows, Macro, Malware and Script infections that McAfee 7.0.3 detected, and McAfee is not the worst at making false alarms.

Most of them were not even new. How could NOD fail to detect them with heuristics if they are that good?


"The truth is out there, but it hurts!"

Best regards,
Firefighter!

Paul Wilders
November 29th, 2003, 05:25 AM
-{ Quote from Firefighter: "To sir_carew from FF again!

I agree that strong heuristics with few false alarms are important, but I don't think that even NOD is capable of detecting the majority of NEW viruses." }-

Could you provide proof for this statement?

-{ Quote: "In a recent test NOD missed about 9860 File, MS-DOS, Windows, Macro, Malware and Script infections that McAfee 7.0.3 detected, and McAfee is not the worst at making false alarms." }-

Which tests, performed by whom? Can you provide the test beds?

-{ Quote: "Most of them were not even new. How could NOD fail to detect them with heuristics if they are that good?" }-

Without any backup this is merely a statement; no more.

regards.

paul

Firefighter
November 29th, 2003, 07:34 AM
To Paul Wilders from Firefighter!

I don't want to start a new war again, but I think that you already know what I'm referring to just now; at least many members of this forum do, in my mind.

Those test beds are not public yet, but I don't think that is so important; otherwise McAfee is "the mother of all false alarms", which I can't believe in the first place!

Besides, NOD was not the only one that missed quite a few infections in that test, but it missed them.


"The truth is out there, but it hurts!"

Best regards,
Firefighter!

sir_carew
November 29th, 2003, 11:14 AM
Hi,
> I agree that strong heuristics with few false alarms are important, but I don't think that even NOD is capable of detecting the majority of NEW viruses.
I'm downloading new viruses all the time, especially worms: P2P, mass-mailing, etc. It's true that McAfee detects many of these new worms; however, in some cases NOD detects P2P worms that McAfee does not. Indeed, using AH, NOD is able to detect about 77% of the in-the-wild viruses without an update. NOD was the only one to detect Swen without an update. McAfee detects more BAT and mIRC viruses using heuristics, but NOD detects more P2P and mass-mailing worms.
This is my list:
1) NOD32 is excellent at detecting new boot viruses, encrypted viruses, worms (except IRC worms) and scripts (except BAT).
2) McAfee is excellent at detecting BAT, IRC worms and scripts, like Dr.Web.

Godzilla
November 29th, 2003, 11:23 AM
Firefighter, can you please stick to facts with references?

I'll tell you something.
Speaking of heuristics, KAV doesn't have even a minimal chance against NOD32.
It starts with generic Win32 file-infector viruses and ends with worm detection.
OK, ESET has to improve the heuristics for script-based IRC things, but at least they have very well working binary heuristics.

Speaking of generic detections (such as Spybot worms or generic SDBot backdoor detections), KAV sucks as well.
Unpacking is not everything in the AV business. I own hundreds of SDBot backdoors that are undetected by KAV. And now the surprise:
NOD32 finds them all ;D KAV is able to unpack all these samples (just attach a debugger such as SoftICE) and verify this via memory dumps. What does this tell us? The generic detection of this backdoor is weak. Very weak, in my opinion.
But based on this fact I'm not saying that KAV isn't a good AV; it also lacks detection where other programs score better. And Kaspersky has false positives as well, because they include a lot of useless stuff such as batch files that only copy a backdoor into the Win32 system directory. THIS BATCH FILE COULD BE A LEGAL USER BATCH FILE even if it copies an exe file into system32.

Feel free to reply ;)
Regards,
Godzilla ;D

Firefighter
November 29th, 2003, 01:25 PM
To sir _carew from Firefighter!

According to what Schouw wrote, NOD was not the only one to detect Swen heuristically:

http://www.dslreports.com/forum/remark,8050123~root=security,1~mode=flat;start=0

I'm using eXtendia AVK Pro (actually my kids are using that; I use eTrust 7.0.142 Inoculate), so if that is true, eXtendia detected it also.

Besides, advanced heuristics are not a normal option in all scanning modes with NOD. So it is only an added characteristic; the normal one is deep heuristics.

And to Godzilla: my referenced source is not acceptable in this forum, I have seen that so many times, which is why no more facts; but you'll find it on other forums if you like.

My simple assumption about any AV's heuristics is that, if they are so good, there can't be situations like this: McAfee detected 98.57% of the non-trojan infections and NOD 77.31% from the same list. NOD used deep heuristics in this case if I remember right, but it doesn't matter.

And if those roughly 9,860 files that NOD missed and McAfee didn't were junk files, then VirusBulletin has no value either, because by not using that kind of clean-file source, VB isn't recognising the value of true misses in real clean-file tests.

"The truth is out there, but it hurts!"

Best regards,
Firefighter!

sir_carew
November 29th, 2003, 01:59 PM
Firefighter, I'm posting an interview with Richard Marko, the developer of ESET's heuristics:
Basically, I tried to create an algorithm that followed the normal code-analysis process of an antivirus expert. I knew that basically there were two ways to do this in the real world: one of them was to use a special computer on which to execute the suspicious file and analyse the changes that it makes to the computer, and so on. The other way is to take the suspicious program, disassemble it and study the code oneself.
-------------------------------------------------------------------------
For that reason, I tested it against real viruses, really in circulation. The results were very good, since the heuristics alone detected 90% of them, without relying on the antivirus companies' databases.

Godzilla
November 29th, 2003, 02:11 PM
-{ Quote from Firefighter: "My simple assumption about any AV's heuristics is that, if they are so good, there can't be situations like this: McAfee detected 98.57% of the non-trojan infections and NOD 77.31% from the same list. NOD used deep heuristics in this case if I remember right, but it doesn't matter." }-

The question here is HOW IMPORTANT it is to detect older stuff via heuristics.
And numbers don't count here. You can scan a lot of old malware (maybe malware which doesn't even run anymore); if a heuristic detects such things, this is fine, but it is not really a threat.
But missing actual samples (like the SDBot backdoor) _IS_ a problem. A serious one.
Because many people are infected day after day with such open-source variants.

And now? You are going to tell me that it is more important for you to detect half a million old viruses (which may not even have been seen for the last 5 years) instead of performing an outstanding detection of all new viruses? LOL!
And this outstanding detection of NEW MALWARE does include a first-class heuristic, to prevent infections before the virus is even analysed by a human virus researcher.
And as you may know, not all types have the same basis in binary formats. Who needs a heuristic for new DOS viruses today? Nobody.
But you need a heuristic for the ACTUAL THREATS. And the goal is not to detect as much as possible out of a mixed virus collection; the goal is to focus on the new ITW malware. And this malware can have other flags (heuristic flags) than some old malware. Instead of working on detection for already "out of date" viruses, the virus companies work on improvements for the actual threats. So does ESET. And this is the right way to protect home users and business consumers. ONLY THIS.
You can trust me on these facts; I am also from the AV business, and _NO_, I am not affiliated with ESET.

Regards,
Godzilla

sir_carew
November 29th, 2003, 02:21 PM
Hi,
I agree with Godzilla. Old viruses for DOS, Win16, etc. aren't important. Maybe KAV's heuristics are much better than NOD's at detecting old viruses, but NOD's heuristics detect many more new viruses, like P2P and mass-mailing worms, than NAV, KAV, AVG, Panda, etc.

nameless
November 29th, 2003, 04:02 PM
If you have to rely on NOD32's advanced heuristics constantly, there isn't much benefit. Some of us would like to actually use our systems, rather than run a command-line scan every 20 minutes. I do realize, however, that some people don't mind being prisoner to their file scanners. But not me.

If you really have to rely on a product feature that doesn't work in real time, the damage will be done by the time you detect the malware. Better to run a product with strong real-time protection, and stay logged on as a user with limited privileges.

Safe computing practices and frequency of virus signature updates (where Kaspersky is much, much better than Eset) are more important than an inconvenient command-line-only feature.

sir_carew
November 29th, 2003, 04:20 PM
I don't agree with your comment about an "inconvenient command line". You can download the NOD32 Advanced Shell to check every file that you download from P2P programs, etc.
You also said that KAV is better in the update area; it's true, but for most new viruses KAV needs an update. Moreover, AH can be used via IMON and EMON; these two components of NOD32 protect mail, etc. Many new worms use mail to spread. Also, via the NOD32 Control Center you can add a new task that has AH enabled. In a real-time monitor, the protection it gives isn't the only important thing; the resources it uses are a very important point to consider, and on this point KAV sucks.
You also said "safe computing practices". If you use a firewall, download all the patches and don't open any file, you don't need real-time protection that scans deep into archives, packers, etc. For that purpose I think the best method is to use an on-demand scanner, so it isn't very important to include AH in AMON; ESET can't make an AV that uses as many system resources as NAV and KAV.

Firefighter
November 29th, 2003, 05:25 PM
To sir_carew and Godzilla from Firefighter!

Why is NOD not using those advanced heuristics in the default settings in all scanning modes, as it does with deep heuristics? Is it because of false positives, which can be one reason not to get the VirusBulletin award?

"The truth is out there, but it hurts!"

Best regards,
Firefighter!

sir_carew
November 29th, 2003, 05:38 PM
I don't think so. I think that ESET doesn't include AH in AMON because AH uses many resources, and ESET didn't want to make an AV that uses many resources like the others. Look at this phrase from ESET:
"We're confident that you won't be disappointed
with NOD32's performance - now, or in the future"
AH isn't similar to the rest of the heuristics, like the deep heuristics of NOD, KAV, McAfee or Dr.Web.

Firefighter
November 29th, 2003, 05:39 PM
To Godzilla from Firefighter!

In the test I referred to before, there were 4,545 new infections that had not been tested 5 months before by that same tester; NOD detected 3,473 of them, which is 76.41%, and they were not trojan infections!

"The truth is out there, but it hurts!"

Best regards,
Firefighter!

Firefighter
November 29th, 2003, 05:43 PM
To sir_carew from Firefighter!

So advanced heuristics will never be tested by VirusBulletin?

"The truth is out there, but it hurts!"

Best regards,
Firefighter!

nameless
November 29th, 2003, 05:47 PM
-{ Quote from sir_carew: "I don't agree with your comment about an 'inconvenient command line'. You can download the NOD32 Advanced Shell to check every file that you download from P2P programs, etc." }-

Since I do practice "safe computing", I don't download junk from P2P programs in the first place!

But on-demand scanners are useless much of the time anyway. Most of the applications I install have setup programs. Many of these don't use self-extractors, so the contents aren't accessible to on-demand scanners.

What good is an on-demand scanner for this? None at all. The files of the installed application are only accessible once the application is installed, where a real-time monitor will have first dibs on them.

The other route of infection I worry most about is holes like this (http://www.internetnews.com/dev-news/article.php/3114171). Patching isn't the real answer, since Microsoft hasn't patched these (and other) holes yet, and since Microsoft is so careless, the holes remain even after the patches come out. Again, in this case, on-demand scanners are useless; only a real-time scanner will catch whatever comes through (just ask Kevin McAleavey).

-{ Quote from sir_carew: "Moreover, AH can be used via IMON and EMON; these two components of NOD32 protect mail, etc." }-

I was unable to use IMON, because it was incompatible with Apache HTTP server. EMON was also useless to me, since I don't run Microsoft's buggy email products.

-{ Quote from sir_carew: "In a real-time monitor, the protection it gives isn't the only important thing; the resources it uses are a very important point to consider, and on this point KAV sucks." }-

You've got me there! The KAV real-time scanner can be very CPU hungry!

I guess it's apples and oranges... What is right for you depends on your computing practices. If you download individual EXE files from questionable sources all the time, preferring to throw caution to the wind, an on-demand scanner with good heuristics is a good thing to have. If you only download from reputable sources, and just want to use your system without spending 18 hours every day scanning it, you need a good real-time scanner which is updated frequently.

Technodrome
November 29th, 2003, 06:07 PM
-{ Quote from Firefighter: "To sir_carew from Firefighter!

So advanced heuristics will never be tested by VirusBulletin?

"The truth is out there, but it hurts!"

Best regards,
Firefighter!" }-

There is no need for this. NOD32 has an almost (if not) perfect VB score. NOD32's regular heuristics are powerful and good as well.


tECHNODROME

Firefighter
November 29th, 2003, 06:19 PM
To sir_carew from Firefighter!

My personal priorities today to make my decisions about my av are,

1. Capable of detecting In the Wild viruses in VirusBulletin.

2. Updating daily, including weekends.

3. Good unpacking engine.

4. To be among the top 5-10 in independent large "in the Zoo" tests made by VirusBulletin, VTC, Rokop, av-test.org, VirusP and checkvir.hu.

5. Not to be the most common AV, because script kiddies mostly attack those.

6. Not so famous for false alarms.

"The truth is out there, but it hurts!"

Best regards,
Firefighter!

Firefighter
November 29th, 2003, 06:27 PM
To technodrome from Firefighter!

An advanced characteristic that has never been tested by an independent tester is at least suspicious in my mind; is there something to hide?

"The truth is out there, but it hurts!"

Best regards,
Firefighter!

Godzilla
November 29th, 2003, 06:47 PM
Firefighter, no offense, but I have the feeling that you write here only to entertain other people and not to listen to and learn from other people. If you know so many things, why do you still need to post questions here which you could answer yourself? :D

sig
November 29th, 2003, 06:58 PM
LOL @ firefighter!!

Various tests use a program's default settings to see how a program performs out of the box as a basic user might use the program. That establishes a general equitable baseline for the products tested.

You're not suspicious when a test includes nonfunctional viruses or things that are not viruses or malware to determine a product's efficacy in protecting against functioning viruses that actually might be encountered during ordinary use, but then are suspicious when a test uses actual functioning viruses and default program settings? LOL

JimIT
November 29th, 2003, 07:42 PM
-{ Quote from sig: "LOL @ firefighter!!
You're not suspicious when a test includes nonfunctional viruses or things that are not viruses or malware to determine a product's efficacy in protecting against functioning viruses that actually might be encountered during ordinary use, but then are suspicious when a test uses actual functioning viruses and default program settings? LOL" }-

Firefighter is happy as long as the AV detects a large majority of the files concerned--no matter if they can infect you, or are in fact malware at all.

This argument/discussion is so old...and the same answers still apply. And they are still ignored. ;)

Technodrome
November 29th, 2003, 08:00 PM
-{ Quote from Firefighter: "To technodrome from Firefighter!

An advanced characteristic that has never been tested by an independent tester is at least suspicious in my mind; is there something to hide?

Best regards,
Firefighter!" }-

The rumor is, there is a big brain bug inside of AH..... Once you start using it its all over... No help…(breaking)…Beg for mercy...(breaking)… But you shall not receive one…..(breaking)…static…….


tECHNODROME

Technodrome
November 29th, 2003, 08:01 PM
-{ Quote from JimIT: "Firefighter is happy as long as the AV detects a large majority of the files concerned--no matter if they can infect you, or are in fact malware at all.

This argument/discussion is so old...and the same answers still apply. And they are still ignored. ;)" }-

Jim said it all... ;)


tECHNODROME

mvdu
November 29th, 2003, 10:29 PM
Currently have KAV and have noticed more CPU spikes. Can't go anywhere during a full scan. I've been pleased with its detection, though. With NOD32, would TrojanHunter be ok, or should NOD32 have TDS-3 with it?

I'm not sure one AV is better. It all depends on what you want in an AV.

mvdu
November 30th, 2003, 12:39 AM
Note: I'm still satisfied for now with my choice of KAV. It's just a question.

sir_carew
November 30th, 2003, 01:38 AM
An AV that detects more viruses isn't the best.
The Rokop tests are bad; few comparisons are really good, and Rokop isn't.

mvdu
November 30th, 2003, 01:40 PM
The job of an AV is to detect more viruses.

sig
November 30th, 2003, 03:18 PM
There have been plenty of discussions, here and elsewhere, on why more doesn't necessarily mean "better" if the vast majority of that "more" includes stuff that you won't ever encounter on your system. Some people are frightened and/or impressed with detection of crap that won't even function on their systems and/or isn't any threat in the wild. But that sort of thinking and marketing sells AVs. Which of course is why AVs do include all sorts of stuff in their databases that the vendors themselves know isn't a likely threat or won't function on one's system.

Some people apparently regard an AV as a magic bullet to save them from themselves and think that every virus that exists poses a real threat, even if it has never propagated in the wild or no longer functions on modern systems, while others regard AVs as a backup to their own common sense and are primarily concerned with the likeliest real threats that they might encounter during ordinary use.

KAV is good, but obviously plenty of people who don't use it have systems that are not riddled with viruses and malware and never have been. And no AV, including KAV or McAfee, is 100% effective 100% of the time, especially if users are careless and don't use the first and best preventative measure, which is their brains.

As for trojans, even AVs aren't always enough to deal with them, including KAV, if one's activities are such that one is at risk of encountering more than the most common ones.

And all AVs are reactive to the latest real threats like mass-mailing email worms, which constitute the vast majority of infections and threats on the internet. Users who unthinkingly rely on their AVs to provide total protection from these threats may find themselves on the leading edge of the propagation curve if they happen to run across a new worm before their AV has been updated to combat it and the program's heuristics aren't sufficient to deal with it prior to an update.

So if you think more is better, go with the biggest database. Depending on your activities or luck, that may or may not mean that you are better protected from the most common means of infection. I often recommend KAV or KAV Lite to people since I don't know how much of a clue they have about security or the activities in which they engage. For others, depending on their activities and systems, KAV may not be warranted or not even a real option, and NOD may be more suitable.

Firefighter
November 30th, 2003, 03:45 PM
To Sig from Firefighter!

I agree with you that an AV that suits one person doesn't suit someone else. Why am I such a big KAV (KAV-engined AVs: F-Secure, AVK and KAV) enthusiast? Because I don't know a heck of a thing about any malware's life and attitude!

So far, when I send a lot of "infected" files to 5-7 different AV vendors and get different feedback about those infections, it's best to take the deepest protection available, because even professionals don't know which is an infection and which is not. How can I, as "an average Joe", make that "infected" diagnosis when even professionals can't do that? Infections seem to be far from an exact science, yes or no; too often there is a "probably".

"The truth is out there, but it hurts!"

Best regards,
Firefighter!

sig
November 30th, 2003, 04:55 PM
FF: also as I recall you have kids who are adventurous on the internet so you really do need to load up on protection against all sorts of things since the range of things they are likely to encounter is certainly greater than in my case. Although I also use an AntiTrojan app just as a precaution.

And as spyware apps are getting more intrusive, using trojan-like methods and lax IE settings or vulnerabilities to get onto people's PCs, even people who thought they were safe since their practices were not particularly risky are finding some nasty stuff on their PCs. (The majority of users still use IE as their browser and, even if they know the safest settings, often will not use them since they impede some "functionalities" on the net.) Some AVs are increasingly addressing these sorts of things, but not all. And I've noticed increasingly that my AT, BOClean, is. If I may quote from an update email from PSC:

"Apologies to all for yet another update - the world of malware has literally EXPLODED since Microsoft's last "update" and new holes in Internet Explorer where people STILL allow "active scripting" to be turned on - trojans are being detected in copious quantities as well on so MANY of our customers' machines. Worst we've ever seen. Thus another update as it's once again "zero hour" for yet more spammer takeover tools, exploitation ad-ware and rootkits. Folks who are unprotected are getting hammered.

Even our OWN customers are seeing BOClean getting busy as soon as they hit a site and files start coming in, while their file scanners sit there fat, dumb and happy. Never seen anything LIKE this in all the years we've been doing this. The "spyware" people have started hiring the former "backdoor" people and have begun using the same techniques as actual trojans. And unlike the normal situations where an AV catches it coming in as a file, more people have been reporting BOClean activity than ever before, and while BOClean has dealt with it, want to know more about what happened."

Not to take the thread off topic, just noting that the days of the "pure" AV have been over for a long time now, but perhaps the days of just having a good AV as a one-app protection mechanism may also be over, even for the average unadventurous user. (Since trojan detection and removal can be a tricky thing. Often I see people post that their AV has detected a trojan but cannot remove it. They either have to do so manually if instructions can be provided or download an AT that can take care of it.)

Anyway, we definitely do agree that people's skills and activities should dictate the kind(s) of protection they need. You have specific circumstances and previous experience to tell you what you need to protect against. If I were in your circumstances I'd go with the heaviest duty and broadest AV and AT protection I could find. And still have an AT app as a backup, which I believe you do also. ;)

Firefighter
December 1st, 2003, 12:05 AM
To Sig from Firefighter!

Even I am layering my protection despite my eXtendia AV. Just now my whole strongest protection is eTrust EZ Firewall, eXtendia AVK Pro, TrojanHunter 3.7, SpyBot 1.2, SpywareBlaster, MRU-Blaster, Clean Up 3.1.2, HijackThis, CWShredder, YAW 3.5 anti-dialer (not necessary because of my fast ADSL connection???).

So my work is basically updating those applications, because they don't all do that automatically.

"The truth is out there, but it hurts!"

Best regards,
Firefighter!

crazykidjoe
December 1st, 2003, 07:51 PM
I'm not a security expert by any means. I own licenses for KAV, AVK and McAfee, and my NOD32 one just expired. I am using KAV as my main AV and AVK as my on-demand scanner. I've been using this combination for a while now and it works. It would take a lot of convincing to move me away from KAV. It is the best in my opinion.

sir_carew
December 1st, 2003, 09:28 PM
For Firefighter:
You're saying that ESET doesn't include AH in AMON because of the false positives. I recently downloaded a ZIP package that includes approx. 6,480 files that KAV with the latest update detects as infected, and the files aren't infected. I checked it with many AVs, and I sent some of these samples to AV laboratories, and the reply was: the file is clean. KAV incorrectly detects those files as infected. I'm sure that KAV produces more false positives than NOD32. Note that these false positives are produced with the Code Analyzer disabled! In other words, the bases are the problem ;D
I will not send these files to Kaspersky, because I hate the people of that company.
PS: If you don't believe me, send me a private message with your mail address and I will send you 2 false positives.

dos
December 1st, 2003, 09:40 PM
-{ Quote: " quoting sir_carew:
For Firefighter:
You're saying that ESET doesn't include AH in AMON because of the false positives. I recently downloaded a ZIP package that includes approx. 6,480 files that KAV with the latest update detects as infected, and the files aren't infected. I checked it with many AVs, and I sent some of these samples to AV laboratories, and the reply was: the file is clean. KAV incorrectly detects those files as infected. I'm sure that KAV produces more false positives than NOD32. Note that these false positives are produced with the Code Analyzer disabled! In other words, the bases are the problem ;D
I will not send these files to Kaspersky, because I hate the people of that company.
PS: If you don't believe me, send me a private message with your mail address and I will send you 2 false positives.
" }-

I too have experienced false positives with KAV, but none with NOD32. KAV even detected one of my own innocent files that I programmed myself as a virus ???

Godzilla
December 2nd, 2003, 01:35 AM
-{ Quote: "
KAV even detected one of my own innocent files that I programmed myself as a virus ???
" }-

We have a virus programmer in our ranks here :o
Welcome ;D

8)

Firefighter
December 2nd, 2003, 02:02 AM
To sir_carew from Firefighter!

First of all, because I have seen so many times in this forum that KAV makes SOME false positives within certain file types, I compared NOD against McAfee in this thread's detection rates. From what I have seen of McAfee, it isn't so well known for false positives.

You said:

"I recently downloaded a ZIP package that includes approx. 6,480 files that KAV with the latest update detects as infected, and the files aren't infected."

"I will not send these files to Kaspersky, because I hate the people of that company."

Are you sure you don't have a personal mission against KAV?

I have shown some detection tables from different AV tests only because some AV programs, not only NOD, seem to perform extremely well in Virus Bulletin zoo tests but not at all in some other independent tests, while some programs seem to perform well anywhere. I haven't so far heard any acceptable reason for that. I don't hate NOD; in my mind it has made a lot of improvements (unpacking engine, trojan detection), but so far there are programs that perform better IN MY MIND.

Because different AV vendors disagree about which is an infection and which is not, what choice do I have but the deepest level of protection?


"The truth is out there, but it hurts!"

Best regards,
Firefighter!

wizard
December 2nd, 2003, 01:21 PM
-{ Quote: " quoting Firefighter:
Because different AV vendors disagree about which is an infection and which is not, what choice do I have but the deepest level of protection?
" }-

There is no disagreement between different AV vendors whether a sample is malware or not. Any AV analyst will tell you that correctly. The problem is just that most AV vendors started to include non-malware samples in their detections to make their product look better in some AV tests.

Some "black sheep" started off to "improve" their product in several unqualified tests and all the other vendors followed because of people like you who get "fooled" by the figures.

If there is something fake with the tests at Virus Bulletin, for example, then I wonder why nearly all AV companies support that magazine and highly respected persons from the AV scene write articles in it?

But what should I say... The truth is out there, but for some people it seems hard to believe. ;)

wizard

Firefighter
December 3rd, 2003, 04:38 AM
To Wizard from Firefighter!

You said: "The problem is just that most AV vendors started to include non-malware samples in their detections to make their product look better in some AV tests."

I agree that this might happen, because of the feedback I've got from different AV vendors.

But how do you find the best AV vendor that doesn't add junk files to their database? Is it among the TOP 10, 15, 20, 25 or even 30 in certain large AV tests?

Another thing is then more interesting: how could you make your choice of the AV you use?

Which are those tests that can be trusted?

Virus Bulletin tests only viruses; that's why VB is always only one part of the whole malware issue. There are independent testers like checkvir.hu, Rokop, VTC Hamburg, av-test.org, Scheinsicherheit etc. which WERE PUBLISHING their TESTING RESULTS. Which do you believe? Why?

For me as "an average Joe", talking about a billion dollar business where there are fewer than half a dozen testers to be trusted, the whole business sucks.

One interesting thing: from which branch do those "script kiddies" earn their living when they have "grown up"? Are they loco or taxi drivers, do they work in McDonald's, are they working in insurance companies or big factories? I'm just wondering about things like this!

There have to be more trustworthy testers in a billion dollar business!

"The truth is out there, but it hurts!"

Best regards,
Firefighter!

OSSForever
December 3rd, 2003, 10:10 AM
-{ Quote: " quoting Godzilla:

I tell you something.
Speaking about heuristics, KAV has not even a minimal chance against NOD32.
It starts with generic Win32 file infector viruses and it ends with worm detection.
Ok, ESET has to improve the heuristic for script-based IRC things, but at least they have a very well working binary heuristic.

Speaking about generic detections (such as Spybot worms or generic SDBot backdoor detections), KAV sucks as well.
Unpacking is not all in the AV business. I own hundreds of SDBot backdoors undetected by KAV. And now the surprise:
NOD32 finds them all ;D KAV is able to unpack all these samples (just attach a debugger such as SoftICE) and verify this via memory dumps. What does this tell us? The generic detection of this backdoor is weak. Very weak in my opinion.
But based on this fact I do not say that KAV isn't a good AV, but it also lacks in detection where other programs score better. And Kaspersky has false positives as well because they are including a lot of useless stuff such as a batch file that only copies a backdoor into the win32 system directory. THIS BATCH FILE COULD BE A LEGAL USER BATCH FILE even if it copies an exe file into system32.
" }-

I wonder, Michael, why you've gone from blatantly praising KAV over NOD32 during your GAV days to, well, what you're doing now? Has KAV gotten a load worse, NOD a load better, or did you have a religious NOD experience of some sort? ;) Which of the two AVs would you consider better now, eh?

nameless
December 3rd, 2003, 12:45 PM
It's funny how arguments like this still go on, over and over. After a lot of reading, and some private input from people who I know have a handle on these things, I'm fairly convinced that:

(1) KAV and NOD32 are both very effective at detecting real threats;

(2) KAV is more of a "kitchen sink" detector, which will catch some things that NOD32 will miss;

(3) the things that KAV catches but NOD32 misses aren't threats that any normal computer user has to worry about, so criticism of NOD32 on this point isn't particularly valid;

(4) the extra capability of KAV as noted in (2) comes at the price of CPU cycles, and the lack of capability of NOD32 in the same regard comes with the reward of significantly better performance;

(5) KAV has self-protection features, NOD32 does not, but Eset says they will be added soon; and

(6) other differences are preference alone, such as interface.

I have lots of criticism for KAV and NOD32 both, but I also have confidence in both at this point.

With regard to point (2) above, I have one more thing to say, which has been on my mind for a long time... Aren't the same people who come across malware that some AVs miss the very same people who exhibit such poor computer hygiene and dearth of common sense that they lack all credibility anyway? I mean, if you install a new AV utility, and it catches 150 bits of malware that your old one missed, the first thing that comes to my mind isn't "Wow, that new AV is great", but rather, "Wow, you must be a moron". (And I don't buy constant "I'm an amateur malware researcher" or "I'm a virus collector" excuses.)

optigrab
December 3rd, 2003, 01:15 PM
Great post, Nameless. ;D

wizard
December 3rd, 2003, 01:33 PM
-{ Quote: " quoting Firefighter: But how do you find the best AV vendor that doesn't add junk files to their database? Is it among the TOP 10, 15, 20, 25 or even 30 in certain large AV tests?" }-

It is no secret that all add "junk" into the detection. So the better certain programs score in big zoo malware tests, the more "junk" is in their signature database. But don't get me wrong: a program that has a huge amount of junk in its database can also have fantastic detection rates on "real" threats. What mainly counts is how good the ITW detection was, not just in one single test but over a certain period.

-{ Quote: "Another thing is then more interesting: how could you make your choice of the AV you use?" }-

It depends on what you want. Just look which program scored well on ITW over a certain period. Download a trial and test it on your system, and if it works take it. Otherwise skip to the next. There is no 100% perfect program available; there are several very good ones amongst which you can choose.

-{ Quote: "There are independent testers like checkvir.hu, Rokop, VTC Hamburg, av-test.org, Scheinsicherheit etc. which WERE PUBLISHING their TESTING RESULTS. Which do you believe? Why?" }-

First make sure that you don't rely on tests from anonymous persons. You can always make up a test set that makes program A look better than B and vice versa. So if the tester is anonymous there is a reason for it, and that just makes me suspicious about the real intention of the tester.

Secondly, check how long the tester has been in "business". You can make plenty of mistakes while testing AV software. The longer a certain tester has been in the business, the more likely a higher quality of result is.

-{ Quote: "For me as "an average Joe", talking about a billion dollar business where there are fewer than half a dozen testers to be trusted, the whole business sucks." }-

I think the "average Joe" should not care too much about all those tests. If you ask me personally what I recommend: if you want to have a program that can handle viruses and trojans in one, just take a KAV-based product. Kaspersky has been one of the first AV companies to work on trojan detection and they are IMHO miles ahead with a huge collection and superb unpacking features.

If you are more in favour of having two separate programs: just give NOD32 a trial and look for one of the standard ATs like TDS-3 or TrojanHunter. And before somebody comes back with "all Wilders recommendations on NOD32 are biased", I can tell you: there is hardly anything to criticise on NOD32, whether they have a support forum over here or not.

-{ Quote: "There have to be more trustworthy testers in a billion dollar business!" }-

I agree. But even with more trustworthy testers there will be a lot of people finding their tests suspect just because they don't like the outcomes. ;)

wizard

Godzilla
December 3rd, 2003, 02:02 PM
-{ Quote: "
I wonder, Michael, why you've gone from blatantly praising KAV over NOD32 during your GAV days to, well, what you're doing now? Has KAV gotten a load worse, NOD a load better, or did you have a religious NOD experience of some sort? ;) Which of the two AVs would you consider better now, eh?
" }-

NOD32 did improve very well in a short time. I am not the kind of person who says "I didn't like it, and because of this I will never like it."

They did add unpack support (ok, yes, they cannot (yet) fight against KAV with unpackers), but at least they now have the most used packers included. I respect that. And I did NEVER EVER SAY that KAV has better heuristics. KAV is better when it comes to packed backdoors/trojans, but as you may know this is not everything in the AV business. And my last post does not mean that KAV _sucks_; it means only that KAV also has flaws. This happens to _all_ programs. And the issue here is not an "undetected" sample or a few of them; the issue is how you deal with such results.

And i want to point out some things the last time:

Only if you know WHAT THIS MISSED MALWARE SAMPLE R-E-A-L-L-Y DOES and/or you KNOW FOR SURE IT'S A WELLKNOWN SAMPLE THAT'S STILL ALIVE ON PUBLIC MACHINES ONLY THEN do you have a "right" to complain about not detected samples.

All other complaining is USELESS until the "newcomer AV security test-experts" have learned this.
There is a BIG difference between KNOWING MALWARE FROM A PROFESSIONAL SELF-MADE ANALYSIS and KNOWING MALWARE FROM JUST SCANNING WITH OTHER SCANNERS.

And under "professional self-made analysis" I do _NOT_ consider that the malware gets started under a VMware machine or whatever and only writing down some registry entries. You have to disassemble AND UNDERSTAND this disassembled code; only this way can you "open the doors" to the "undetected features" of the malware so far.

Best example: Win32 PE slow infectors. How would you know a file is virus infected (without a scanner of course, because we have a new unknown sample here) if you just start this file on a VMware machine AND NOTHING HAPPENS, BECAUSE THIS VIRUS IS A SLOW INFECTOR?

For the readers who may not be familiar with the word "slow infector": it's a virus that does not spread at the same time you execute an infected file. It spreads if some events happen (such as 1,000,000 files opened or a time trigger, for instance).

You will never find such viruses with amateurish behaviour; you need here a very deep knowledge of assembler code and reverse engineering. Otherwise you cannot verify that you have a LIVING VIRUS SAMPLE, not even if you start an "infected" file.

Take Win32.CTX.6886: this is a highly polymorphic Win32 file infector. And it also infects files VERY SLOWLY. You go almost crazy if you want this virus to infect other files. If you want to know more about this and how you can detect this beast easily without using an emulator, just PM me ;D

Cheers,
Michael