PC World Review of Nod32
Sender
May 9th, 2007, 02:48 PM
Good afternoon,
Just read PC World's latest take on AV -- http://www.pcworld.com/article/id,130869/article.html
They weren't too kind on Nod32's file virus capabilities:
"NOD32's overall malware detection rate wasn't stellar, however. When pitted against AV-Test.org's nearly 900,000-strong "zoo" of Trojans, viruses, and other malware, NOD32 caught only 90 percent, compared to the 96 percent rate of top performers Kaspersky Anti-Virus 6, Symantec Norton AntiVirus 2007, and BitDefender Antivirus 10. It fared surprisingly poorly with 32-bit Windows viruses (approximately 1 in 11 samples in the zoo), catching only 73 percent.
In disinfection tests, NOD32 cleaned up all malware files but missed resulting changes to the Hosts network settings file and most of the less-important Registry changes, for a disappointing 55 percent success rate."
Having just discovered a virus on my system (ir32_b.exe or TROJ_AGENT.CJF -- Trend was the only one who had any info on this) I am a little concerned about the protection that I am getting. Can any of the Nod32 experts here explain how Nod fared so poorly in file virus identification (was it the default settings)?
Best,
Sender
Edwin024
May 9th, 2007, 03:41 PM
And now the NOD32 disciples can start complaining and bashing PC World and AV-test.org...
ASpace
May 9th, 2007, 03:41 PM
@ Sender
Hello!
-{ Quote: "Can any of the Nod32 experts here explain how Nod fared so poorly in file virus identification " }-
If you treat me as a NOD32 expert...
-{ Quote: "
"NOD32's overall malware detection rate wasn't stellar, however. When pitted against AV-Test.org's nearly 900,000-strong "zoo" of Trojans, viruses, and other malware, NOD32 caught only 90 percent, compared to the 96 percent rate of top performers Kaspersky Anti-Virus 6, Symantec Norton AntiVirus 2007, and BitDefender Antivirus 10. " }-
900 000 samples is a lot. Who knows where they got the samples from (from the very dark side of the net, probably, where a normal person would never go in). 90% detection rate of zoo trojans is good, in my opinion.
-{ Quote: "In disinfection tests, NOD32 cleaned up all malware files but missed resulting changes to the Hosts network settings file " }-
NOD32 is not a behaviour analysis software so it cannot prevent changes to the host file. However, in the real world, NOD32 can find/block malware that would attempt such bad behaviour, thanks to signatures/heuristic technologies.
-{ Quote: "and most of the less-important Registry changes" }-
NOD32 does not scan the whole registry nor most AV products do. When the malware file is gone, the registry entries are not dangerous at all. The most important is the malicious file, everything else is just a matter of cleaning.
-{ Quote: "Having just discovered a virus on my system (ir32_b.exe or TROJ_AGENT.CJF -- Trend was the only one who had any info on this) I am a little concerned about the protection that I am getting. (was it the default settings)?" }-
You found a virus/trojan on your own system or this is from the review?
If you find an undetected sample, send it to email samples at eset dot com (this is ESET's Virus Lab). If Trend Micro was the only one to identify it, it may have been a FP.
mrtwolman
May 9th, 2007, 03:49 PM
You should also take a look at proactive detection :)
Edwin024
May 9th, 2007, 03:59 PM
Why don't you just admit that NOD32 is losing it against Norton and Kaspersky more and more.
Sender
May 9th, 2007, 04:20 PM
Not trying to start a flame war here -- I am a Nod32 user but I have licenses for Kaspersky as well.
While I like the proactive features of Nod32, the numbers they throw around in the review are disturbing, particularly the ability of Nod to detect Windows based infected files (73%?!). I currently have Nod installed on my main system, but this report, understandably, makes me nervous.
I agree that they used a large sample - but 90% vs. 96% (Kaspersky, Norton) makes the numbers identified by these other vendors all the more impressive.
Firecat
May 9th, 2007, 04:24 PM
-{ Quote: "
NOD32 is not a behaviour analysis software so it cannot prevent changes to the host file" }-
Neither is AVG, for that matter, and yet the PRO version (which does NOT include Ewido engine) reversed both changes to the hosts file....
-{ Quote: "NOD32 does not scan the whole registry nor most AV products do" }-
This is actually correct, but most AV products do, in fact, remove registry entries of malware that they detect. Registry entries are not dangerous per se, but registry entries can modify settings of several applications in your operating system and put your computer at risk to future infection. And since the change was done by the malware automatically, the average user would never know that the settings have been changed....
So, registry cleaning is important in a sense. Most of us with decent knowledge about malware and computers can perform our own cleaning, but not the average joe. And like it or not, the average joe constitutes the majority of PC users, so for all these users, only those AVs that fared well in the disinfection regard will suffice. :)
@Edwin: Throwing a direct accusation at a company is not going to get you a response. This applies true for all corporations that NONE of them will come out and say that "hey, we've degraded in our performance, we're trying to get back and currently company X is better than us". Having your own opinion is OK, but corporations are never going to admit it. If you don't like some company's product, don't use it and tell your friends not to use it (if you want to). Since this is getting OT, if you want to discuss this further then feel free to send a PM. ;) :)
-{ Quote: "You should also take a look at proactive detection" }-
Yes, this is a very nice thing for NOD32. While heuristics are VERY good, they are not enough to save the day all the time. I'm sure many people have seen samples being missed by every AV's heuristic, not just NOD32. NOD32's excellent heuristic engine may also make it a target for malware creators to code the malware to circumvent NOD's heuristic detection. :)
The Hammer
May 9th, 2007, 05:20 PM
-{ Quote: "And now the NOD32 disciples can start complaining and bashing PC World and AV-test.org..." }-
A pre-emptive strike! Now that's not fair. :o ;D Seriously Edwin you would be making better use of your time if you at least attempted to provide a well thought out argument to support your position as Firecat has tried to do.
Joliet Jake
May 10th, 2007, 04:11 AM
Great post from the 'Inspector' on another thread and much of it should be borne in mind...
When speaking about Antivirus Products you have to keep in mind that an antivirus program is a living product. It's NEVER FINISHED. That's a big difference to a car for example. You don't have to update your car daily.
And because of that it is pointless to judge based on a few tests how well every program performs. You have to see it in a long term relation. Of course one of the major points is detection. The best GUI design doesn't help if it doesn't find any viruses.
The real important point is not how many samples Antivirus X doesn't find but how many important samples it didn't find. There are thousands of undetected malware files - detected by NOBODY except of course fortinet since that flags every wet poop anyway.
It is also pointless to let a scanner run over millions of samples if you don't know what it is and how much distributed they are. The only way to get accurate test results is if you (the tester) know exactly what's going on. You have to know which types of malware are still circulating, which types of backdoors are popular and so on. And that simply doesn't work out if you just scan what you've collected from somewhere.
There is no "Number 1 AV" and there will be none. NOD32 is a solid antivirus product and from a technical point of view more advanced than the Avira engine. NOD's emulation is top-notch for example. One reason why they are scoring good in heuristic tests without adding generic blacklisted packers.
You can bring down every antivirus program with stupid tests. It would take a few min to setup a "testset" where kaspersky scores 0.5% for example. Now based on this 500.000 ppl would spam the kaspersky forum how bad they are. And the story would repeat there again: Somebody would try to explain that the used samples are not important, crap or garbage. And they're right! Almost every av program provides enough protection for the average user. You'll never have 100% protection, just keep that in mind. The big thing is of course how fast do vendors react to important things, meaning updating virus definitions. And I think that's not a secret, but Kaspersky is there amongst the fastest.
From this thread...
http://www.wilderssecurity.com/showpost.php?p=990144&postcount=16
Graphic Equaliser
May 10th, 2007, 04:33 AM
PC World did not measure system utilisation and CPU usage by each scanner. If they had, they would have discovered that NOD32 towered above the others in "lean burn" technology. Kaspersky Anti-Virus 6, Symantec Norton AntiVirus 2007, and BitDefender Antivirus 10 all stuff the PC up so badly, they virtually halve the processor speed. So there's a balance between PC performance and amount of protection - a point which PCW have wholly overlooked.
tsherr
May 10th, 2007, 07:32 AM
I can't find anything about the test system used or the configuration of each program. It would be very easy to misconfigure one AV and have it rate much lower than it should. I would suggest that AVs should be configured to be as aggressive as possible by someone who knows them inside out before the testing is done - so far as I can tell, that wasn't done here - so we can assume that the out of the box experience in this one test was better for Kaspersky than for NOD32.
But let's take a look at the overall scores. Kaspersky comes in at 85 and NOD32 at 84. That's less than a 1% difference in score. That suggests that PCWorld doesn't consider Malware detection rate to be that important.
Let's consider the stats:
Kaspersky:
• Malware detection rate: 96%
• Proactive detection: 51%
• System slowdown: 10%
• False-positive detections: 6
NOD32
• Malware detection rate: 90%
• Proactive detection: 79%
• System slowdown: 5%
• False-positive detections: 6
The Malware Detection rate break down:
Kaspersky - NOD32:
File viruses - 97% - 79%
Clearly, Kaspersky is better at the moment in time the scan was run. But this is just a test of signatures, and fast signatures are Kaspersky's selling feature.
Macro viruses - 100% - 100%
Script viruses - 100% - 100%
Polymorphic viruses - 100% - 99%
ActiveX controls - 100% - 100%
Back doors - 97% - 95%
Bots/zombies - 95% - 94%
I'd say all these are basically a wash. No AV is really 100%, so differences of 1%-3% are statistical noise.
Trojan horses - 97% - 89%
Clearly NOD32 is beaten here.
Adware - 73% - 86%
Clearly Kaspersky is beaten here - given steady rise of Adware as a problem, this is probably just as important as the file virus numbers.
Dialers - 80% - 99%
Not sure if I'd be as worried about Dialers anymore, given the rise of high-speed and fewer phone lines connected to computers, but you probably feel differently if you have recently gotten a $1000+ phone bill, which I've seen several times over the last year from my customers.
Number of false positives (out of 20,000 harmless files) - 6 - 6
I really don't care much about false positives, and these numbers are low enough to be meaningless - and probably prove that neither AV was set to be as aggressive as it could be.
Heuristic detection (one-month-old signatures) - 51% - 79%
This proves that if Kaspersky doesn't have the signature, then it becomes pretty much useless. While I'm a big fan of fast signatures, I'd argue that Heuristics these days are more important, given the speed at which the malware writers move.
Heuristic detection (two-month-old signatures) - 46% - 73%
Even worse for Kaspersky here.
Detection rate of malware within archived files - 81% - 84%
This is a wash.
Average time (in hours) to deliver signatures for new malware - 0 to 2 vs 4 to 6
This is a big deal (especially if you are an incautious surfer or download everything you see with a P2P client). Unfortunately, the 0 number throws the entire review into question, because it suggests that Kaspersky has new definitions out the instant a new virus is discovered. That is, frankly, bull, so we'll read that as 1 to 2 hours. That means that as of 10AM, Kaspersky has had between 5 and 10 updates and NOD between 1 and 2 - that probably explains the File viruses numbers. Let's assume that each update includes two new definitions. That means that as of 10AM, Kaspersky should know about between 10 and 20 new viruses, while NOD32 knows about 2 to 4. That's a problem for NOD32, no question, but since signature tests only relate to a single instant in time, I think that signature tests are much less important than heuristic tests. What if PCWorld had waited one more hour and NOD32 had updated again, and Kaspersky hadn't - it would be conceivable that NOD32 might have caught up or bettered Kaspersky in the File virus tests. But we'll never know.
System slowdown - Kaspersky - NOD32:
With Firefox 2 - 24% - 4%
With Adobe Photoshop CS2 - 3% - 7%
With Microsoft Office 2003 - 10% - 5%
I've read that 65% of AV users turn off their AV because it slows down their system too much. I've also read that people can't feel a difference of 5% or less. Let's assume that the 5% rule is true.
That means that with Kaspersky, web browsing becomes noticeably (possibly painfully) slower. NOD32 has no noticeable effect.
In Photoshop, Kaspersky has no noticeable effect, and NOD32 gives a negligible slowdown.
In MS Office, Kaspersky slows it down noticeably, NOD has no noticeable effect.
Based on this, I would argue that for most users (who are going to web surf and use MS Office more than Photoshop), NOD32 is significantly less likely to make them turn off their AV than Kaspersky. That is enough to make me pick NOD32 as the better AV.
T
solcroft
May 10th, 2007, 08:13 AM
Just a quick note of interest.
While Kaspersky is soundly trounced when it comes to heuristics, even NOD32's 79% heuristics detection is a joke when compared to what Kaspersky's Proactive Detection Module can do - this is, of course, assuming one knows how to use it... which happens to be its biggest weakness. Not to mention that heuristics serve little purpose save for selling a product to sheep. Are you going to not update your antivirus product for one month and let your product's super-duper heuristics do its job? I think not. Proactive detection (heuristics) used to be the ultimate selling point of an antivirus product in the pre-Internet days when updating once a month was considered frequent. Not anymore. Considering the current malware landscape, the main issue is ALWAYS how much a product can detect at the present moment, and NOT how much it can detect at some point in future IF you don't update it.
I can also vouch for KAV7's heuristics. Is it stronger when compared to NOD32? I have no idea, but given NOD32's performance that should give you an idea of how good KAV7's heuristics are. It's quite good when it comes to variant detection, definitely a contender to watch for.
EDIT: You've also completely misinterpreted the meaning of "response time". I'll give you an example of what actually happens, as opposed to your little theoretical scenario. About 2 weeks ago I submitted 16 undetected samples to both Kaspersky and ESET; Kaspersky updated and detected every one of them within 6 hours. NOD32, on the other hand, detected only 3 of them a week later. Just so you know, "response time" is NOT some vague concept used to theoretically justify a 6% difference in detecting over 900,000 samples.
Blackspear
May 10th, 2007, 08:36 AM
-{ Quote: "Not to mention that heuristics serve little purpose save for selling a product to sheep. Are you going to not update your antivirus product for one month and let your product's super-duper heuristics do its job? I think not. Proactive detection (heuristics) used to be the ultimate selling point of an antivirus product in the pre-Internet days when updating once a month was considered frequent. Not anymore. Considering the current malware landscape, the main issue is ALWAYS how much a product can detect at the present moment, and NOT how much it can detect at some point in future IF you don't update it." }-
I'll reiterate what I have already said in this thread:
(http://www.wilderssecurity.com/showthread.php?t=131498&page=2)
-{ Quote: "So on a day zero outbreak you would place your trust in a signature that simply does NOT exist, rather than a heuristic engine that has a 70 to 90% chance of detecting it without a signature...
Now that makes sense :wacko: :blink: :wacko: :blink: :wacko: " }-
Please remember this is the NOD32 Support Forum, we have other forums available on this site to discuss KAV and any other antivirus.
Blackspear.
solcroft
May 10th, 2007, 08:49 AM
Simply responding to the above poster, who was similarly discussing KAV. I certainly hope the case that OT discussion is frowned upon only when it disfavors NOD32 is not true!
In response to your comment, I'll place my trust in a PDM which has detected 99.9% of everything I've thrown at it so far instead of a ~70% detection rate heuristics engine, and a vendor who has a response time of as fast as 20 minutes instead of one that responds in... actually, I don't know. I've never seen them respond.
Blackspear
May 10th, 2007, 08:55 AM
-{ Quote: "Simply responding to the above poster, who was similarly discussing KAV. I certainly hope the case that OT discussion is frowned upon only when it disfavors NOD32 is not true!" }-
Not at all, as mentioned, this is the NOD32 SUPPORT Forum, we have other areas within this site to discuss every AV to your heart's content.
Blackspear.
tsherr
May 10th, 2007, 09:30 AM
-{ Quote: "Just a quick note of interest.
Not to mention that heuristics serve little purpose save for selling a product to sheep. Are you going to not update your antivirus product for one month and let your product's super-duper heuristics do its job? I think not. Proactive detection (heuristics) used to be the ultimate selling point of an antivirus product in the pre-Internet days when updating once a month was considered frequent. Not anymore. Considering the current malware landscape, the main issue is ALWAYS how much a product can detect at the present moment, and NOT how much it can detect at some point in future IF you don't update it.
" }-
I think you are misunderstanding my point. (And perhaps I am misunderstanding the review.) Kaspersky killed NOD32 when it came to definitions. NOD32 killed Kaspersky when it came to heuristics. I'd like to have a product that is tops in both, but since I can't, I have to pick the one that is more important to me. It's a hard choice - fast definitions are awesome. But on the other hand, if I have to deal with a zero day, then strong heuristics is better. There's no question about this. Given the rise of small area viruses (spread to only a couple of thousand computers rather than hundreds of thousands) the chance of an AV company getting a sample and making a definition has gone down. That makes heuristics more important. So I'm going to have to weight heuristics as more important than definitions, and that puts NOD32 on top. I can understand your weighting of definitions as more important, of course, but I don't agree with it.
-{ Quote: "
I can also vouch for KAV7's heuristics. Is it stronger when compared to NOD32? I have no idea, but given NOD32's performance that should give you an idea of how good KAV7's heuristics are. It's quite good when it comes to variant detection, definitely a contender to watch for.
" }-
I think the question of which heuristics are stronger has been (for the time being) resolved. If you are going to agree with the review to give Kaspersky the definition side, you have to give NOD32 the heuristics.
-{ Quote: "
EDIT: You've also completely misinterpreted the meaning of "response time". I'll give you an example of what actually happens, as opposed to your little theoretical scenario. About 2 weeks ago I submitted 16 undetected samples to both Kaspersky and ESET; Kaspersky updated and detected every one of them within 6 hours. NOD32, on the other hand, detected only 3 of them a week later. Just so you know, "response time" is NOT some vague concept used to theoretically justify a 6% difference in detecting over 900,000 samples.
" }-
That's awesome, but it still isn't 0 hour response. And since it's a very limited sample, it isn't scientific so it doesn't prove anything general, it just proves that in that specific case, Kaspersky well and truly kicked NOD32's butt. I could give examples where NOD32's heuristics kicked Kaspersky's butt (and heuristics is 0 hour response).
But you do raise a very good point - Eset needs to get better and faster at definitions. Perhaps they are resting a bit on their laurels.
But this wasn't the original poster's question - he wanted to know why NOD32 fared "so poorly." I don't think it did. I think it came within one point of besting Kaspersky, and had the weighting on the tests been different, might well have won the review. Since we don't know the weighting, configurations, or the testing methods (unless you can find that out) the review is largely meaningless except as a sample of a specific test at a specific moment in time.
T
besafe
May 10th, 2007, 09:53 AM
Obviously, NOD did pretty good in this comparison. They score KAS at 85 and NOD32 at 84. I think you would be pretty well protected with any of the top 4 (though you better have one mega-honkin computer to withstand Bitdefender's demand for system resources).
To me, the most disappointing and surprising result was NOD32's overall detection rate of 90%.
Even though I am a NOD user and a NOD fan, I am not going to bash the results or the testing methods. They are certainly meaningful and relevant.
solcroft
May 10th, 2007, 12:27 PM
-{ Quote: "I think you are misunderstanding my point. (And perhaps I am misunderstanding the review.) Kaspersky killed NOD32 when it came to definitions. NOD32 killed Kaspersky when it came to heuristics. I'd like to have a product that is tops in both, but since I can't, I have to pick the one that is more important to me. It's a hard choice - fast definitions are awesome. But on the other hand, if I have to deal with a zero day, then strong heuristics is better. There's no question about this." }-
There's still the likelihood of which type of infection you'll get hit by. Unless you regularly get bombarded by zero-day malware within the first hour of them being released or so, judging from the statistics it looks like some competing products fare better than NOD32, including two which offer freeware versions. And even then, there're still two things to consider: you're only protected against ~70% of such infections, and will have to wait hours for a fix if the malware happens to fall into the other 30%, and also that some competing products offer proactive protection features that far surpass NOD32's, but aren't revealed by the testing methodology.
In the here and now, however, with all the zero-day malware floating about at the time that the test was taken, NOD32's detection still doesn't match up to the competition.
-{ Quote: "Given the rise of small area viruses (spread to only a couple of thousand computers rather than hundreds of thousands) the chance of an AV company getting a sample and making a definition has gone down. That makes heuristics more important. So I'm going to have to weight heuristics as more important than definitions, and that puts NOD32 on top. I can understand your weighting of definitions as more important, of course, but I don't agree with it." }-
That's certainly an interesting way to look at it, but I'd just like to point out that even with superior heuristics, NOD32 still falls behind in detection rates. Neither signatures nor heuristics are the sole deciding factor, they're just part of the equation.
-{ Quote: "That's awesome, but it still isn't 0 hour response. And since it's a very limited sample, it isn't scientific so it doesn't prove anything general, it just proves that in that specific case, Kaspersky well and truly kicked NOD32's butt. I could give examples where NOD32's heuristics kicked Kaspersky's butt (and heuristics is 0 hour response)." }-
I think I can very safely say that whatever proactive protection NOD32 has to offer is going to be very soundly trounced by Kaspersky's PDM. ;D But of course, they're entirely different technologies, so perhaps the comparison is a little unfair...
Perhaps the original poster was concerned about NOD32's detection rates, rather than the overall performance.
twl845
May 10th, 2007, 12:49 PM
I think PC World is getting a little like PC Magazine who will rate an app Best Buy one month and trash it a few months later. I think PC Magazine gives the rating job to the office boy. I subscribe to PC World and I think it is slowly becoming more like PC Magazine as time goes by. As a former Norton AV user, I am glad for the day I uninstalled it and installed NOD32. It was like getting a new computer less the errors and BSOD's.;D
tsherr
May 10th, 2007, 01:07 PM
-{ Quote: "I think I can very safely say that whatever proactive protection NOD32 has to offer is going to be very soundly trounced by Kaspersky's PDM. But of course, they're entirely different technologies, so perhaps the comparison is a little unfair...
" }-
Can you offer us some evidence of the advantages of PDM and why these advantages didn't show up in the review? I don't use Kaspersky often (except as part of AVK) so I'm not familiar with it.
T
joel406
May 10th, 2007, 01:24 PM
OK, I have read the report. Not the first I have read either. My job is computer tech, certifications include A+, MCSE do da do da. Who here isn't.
I work for a shop that is a NOD32 retailer. I have used Kaspersky 6 v.614, and my computer is definitely not low end.
MB= Intel 975X
CPU= Intel PentiumD 930 (not core 2 but I love it)
RAM= 2GB Corsair XMS 4x512MB chips DDR2 800
HD's= 1-Seagate SATA2 320GB 7200.10
1-Maxtor SATA 200GB
2- WD SATA 160GB
I have a corsair 2GB flash drive speed boosted
PSU=FSP group 600w 4 rails.
2 Sony dvd rw drives.
OS= Vista Ultimate
Kaspersky missed 6 trojans. One of my spyware apps caught them. I removed Kaspersky and replaced it with NOD32. NOD32 found 2 more.
The comparatives are for the person who wants to pick a good av but knows jack about computers beyond getting their e-mail, and scanning e-bay for crap they don't need.
I have tested...damn...just about every AV that is available to the general public and a few you need to dig for. And I got access to a popular AV that most public school systems are supplied with.
NOD32 has always drawn me back.
In the last year I have retested Kaspersky and a few other popular apps.
NOD32 has always proven superior in its detection, in all categories. And my personal rig was not always the test bed I used.
Bottom line NOD32 is the best. And when I sell a license I do it with confidence that I sold that customer all they will ever need when it comes to online security.
Looking forward to v 3.0, our NOD32 rep says June 2007.
Should be as big a release as Spiderman.
Thankful
May 10th, 2007, 01:35 PM
Very nice rig. I'm not sure about the June 7 release date. You are aware Version 3.0 is available as Beta 1 as a suite? There is a forum dedicated to ESS:
http://www.wilderssecurity.com/forumdisplay.php?f=18
nonmirecordo
May 10th, 2007, 02:14 PM
-{ Quote: "...snip
In response to your comment, I'll place my trust in a PDM which has detected 99.9% of everything I've thrown at it so far...snip" }-
And I'd rather place my trust in a product that has kept me virus-free for six-plus years in the real-world scenario of the nether regions of the internet. With negligible impact on my PC to boot! (Pun not intended.)
ASpace
May 10th, 2007, 02:30 PM
I think posts 9 and 11 clearly show the overall winner
Escalader
May 10th, 2007, 02:43 PM
My PC's Actual BD1O footprint
bdagent.exe 28,086K
bdcom.exe 1,348K
bdss.exe 3,664
CPU= 0.5% in active heuristics mode, not scanning
What are the comparable # for NOD32, and KAV?
JAB
May 10th, 2007, 02:50 PM
You know, part of this debate reminds me of a recent conversation I had with someone about anti-x
Him: Well, I've been running Trend Micro for the past two years, and it's found everything that I've gotten.
Me: No, it found everything it found...
Arguing that personal experience with a product didn't yield a detection and thus you've been protected is a bit optimistic. I run Trend Micro too and have never found an active infection. Check any test web site; Trend is the worst performing mainstream A/V out there. Should I feel safe?
/jab
Jo Ann
May 10th, 2007, 02:55 PM
-{ Quote: "I think posts 9 and 11 clearly show the overall winner" }-
Does it really matter? It seems to me that both KAV6 and NOD32 are highly acclaimed and offer excellent overall protection. I tried both before finally selecting NOD32, not because of any noticeable superiority over KAV6, but the latter brought about some compatibility issues with Acronis TI, and NOD32 didn't.
tsherr
May 10th, 2007, 02:56 PM
I managed to find the rather vague description of the test system used:
"AV-Test.org puts programs through a rigorous analysis; its overall malware detection test pits each app against an almost 900,000-sample "zoo" of viruses, Trojan horses, back doors, and other malware types."
I checked the WildList (yes, you can write it off, but it's as useful as zoo lists) and they have 1,972 viruses listed for February. Now yes, that probably covers a smaller spectrum of malware than this 900K beast, but that's still a big difference. So now we need to know - of the viruses the AVs missed, how many were relevant? I'm going to go out on a limb here and say that of a list of 900K malware, most of them aren't active anymore and are there for show. Taking it a step further, that means that the testing of definitions against an inflated list is iffy at best - what kind of AV is going to haul around a definition list of 900K malware? I'm betting none - Sophos, which is one of the top rated "corporate" versions and very fast on the draw according to VirusTotal, only carries 240,880 definitions as of this writing.
Another interesting tidbit - according to www.viruslist.com - "However, in today’s wired world, there’s a higher risk of being hit by new malware, with around 80% of new malicious programs being found in the field, not just in so-called ‘zoo’ collections." Now they are lumping the Wildlist in with this, but I'd argue that if 80% of malware out there aren't in zoo collections, then is there much value in testing definitions at all?
Of course, the bottom line is this: If your AV is working, great - but the only way to know it's working is to scan with three or four other great AVs.
T
tsherr
May 10th, 2007, 03:00 PM
-{ Quote: "You know, part of this debate reminds me of a recent conversation I had with someone about anti-x
Him: Well, I've been running Trend Micro for the past two years, and it's found everything that I've gotten.
Me: No, it found everything it found...
Arguing that personal experience with a product didn't yield a detection and thus you've been protected is a bit optimistic. I run Trend Micro too and have never found an active infection. Check any test web site; Trend is the worst performing mainstream A/V out there. Should I feel safe?
/jab" }-
Boy, did you nail this on the head. I had the same conversation while teaching a class about computer security. One of the gurus who had come apparently to show everyone how smart he was, announced that AVG Free was the way to go - it's free, blah blah blah, AND he has NEVER had a virus since he put it on. I said, "Don't you mean you haven't found a virus since you put it on?" We agreed to a challenge, he brought his computer into the shop and I did a full scan (with more than just NOD32, btw) and found 309 pieces of malware. He bought NOD32.
T
ASpace
May 10th, 2007, 03:03 PM
-{ Quote: "Does it really matter?" }-
Why ask me? I play "a game" started not by me, a "game" supported by other people. They like putting down an excellent product for nothing and rely on test, I play their game here. So not ask them "Does it really matter", does this test really matter?
tsherr
May 10th, 2007, 03:03 PM
Here's mine with NOD32 at idle.
nod32krn.exe - current: 19,528K - peak: 40,524K
nod32kui.exe - current 2,380K - peak: 5,328K
Zero CPU load when not scanning.
What is your peak mem usage?
T
halcyon
May 10th, 2007, 03:25 PM
I can't understand why people are still fighting about which ONE AV is good enough or "best"?
None!
If you are a risky user, you need a multi-AV engine solution regardless of what you use as your primary scanner.
That's why I'm using NOD32+KAV+Bitdefender myself. NOD32 resident and KAV+BD as on-demand scanning automatically everything I download.
And even that is far from being sufficient, but it is decent enough for me and doable on two pieces of software (NOD32+AVK2006) for now (until AVK2006 runs out).
In fact, considering one can get AVS for free (KAV engine), imho most risky NOD32 users should consider putting AVS as resident and NOD32 as on-demand and get the best of both worlds (KAV+NOD32). Unless of course you run HIPS, sandboxes and whatnot.
C.S.J
May 10th, 2007, 03:27 PM
i don't agree with that,
any high risk surfer just needs ONE av solution,
but if your av keeps failing to catch threats, it clearly isn't good enough so switch to another, i don't believe for 1 second ANYONE needs more than one AV.
regardless of the latest review testing, nod32 is still a great AV that will protect its users, people should not be sooo quick to jump ship.
joel406
May 10th, 2007, 04:03 PM
I am sorry I made 2 mistakes with my previous post.
1. I forgot to mention that the ram I use is DDR2 800
2. When I said June 07, I meant June 2007. I was not told an exact date within that month.
Sorry..
Escalader
May 10th, 2007, 04:32 PM
-{ Quote: "Here's mine with NOD32 at idle.
nod32krn.exe - current: 19,528K - peak: 40,524K
nod32kui.exe - current 2,380K - peak: 5,328K
Zero CPU load when not scanning.
What is your peak mem usage?
T" }-
28,036
56,712
36,636
midway40
May 10th, 2007, 04:44 PM
Hasn't this been beaten up enough already on that other thread? ???
[OK, now I see that this thread was moved from the NOD32 forum but still...]
TonyW
May 10th, 2007, 05:15 PM
-{ Quote: "
Please remember this is the NOD32 Support Forum, we have other forums available on this site to discuss KAV and any other antivirus." }-
This ain't the NOD forum though. Oh wait, did this get moved?
ccsito
May 10th, 2007, 05:54 PM
-{ Quote: "I think PC World is getting a little like PC Magazine who will rate an app Best Buy one month and trash it a few months later. I think PC Magazine gives the rating job to the office boy. I subscribe to PC World and I think it is slowly becoming more like PC Magazine as time goes by. As a former Norton AV user, I am glad for the day I uninstalled it and installed NOD32. It was like getting a new computer less the errors and BSOD's.;D" }-
I used to subscribe to PC World in the past but did not renew it (it was a free subscription for answering online surveys). Some of the issues were useful, but I think over the years, the information tended to repeat itself. I have used Norton AV on a laptop for over 3 years and the machine has never had a BSOD. There is 512 MB on a 2.4 GHz processor on it and the system has never ever frozen.:thumb:
besafe
May 10th, 2007, 05:56 PM
-{ Quote: "i don't agree with that,
any high risk surfer just needs ONE av solution,
but if your av keeps failing to catch threats, it clearly isn't good enough so switch to another, i don't believe for 1 second ANYONE needs more than one AV.
regardless of the latest review testing, nod32 is still a great AV that will protect its users, people should not be sooo quick to jump ship." }-
Well, if you want 100% coverage, you need more than one AV. I didn't see any solution that detected 100%. Of course, I only run one AV and think that most users only need one AV. But I could envision a scenario where some users might need more than one.
Firecat
May 10th, 2007, 06:01 PM
-{ Quote: "This ain't the NOD forum though. Oh wait, did this get moved?" }-
Yes, it got moved....
C.S.J
May 10th, 2007, 06:04 PM
-{ Quote: "Well, if you want 100% coverage, you need more than one AV. I didn't see any solution that detected 100%. Of course, I only run one AV and think that most users only need one AV. But I could envision a scenario where some users might need more than one." }-
even multi AV engines don't offer 100%, far from it in my opinion, they just create a hogged system and usually, conflicts.
but i understand what you're trying to say. :)
-------
this thread is just proof that people jump ship on one test result, been saying this all the time with av-comparatives as well, where the tests can be used as propaganda, they can also reflect in loss of sales, so are they a good thing?
tamdam
May 10th, 2007, 06:28 PM
av-comparatives and av-test are independent though, and try to make tests as fair as possible. So although the potential for different configurations and so forth can still significantly alter results, it's as close to serious av testing as you'll get. So it's an interesting dilemma.
However I think this would be a very different discussion if avira was tested by pc-world, everyone might not be praising kaspersky or norton or bitdefender so much :) And nod32 wouldn't really be as much discussed.
The Hammer
May 10th, 2007, 06:59 PM
-{ Quote: "av-comparatives and av-test are independent though, and try to make tests as fair as possible. So although the potential for different configurations and so forth can still significantly alter results, it's as close to serious av testing as you'll get. So it's an interesting dilemma.
However I think this would be a very different discussion if avira was tested by pc-world, everyone might not be praising kaspersky or norton or bitdefender so much :) And nod32 wouldn't really be as much discussed." }-
NOD will always be discussed more than it might merit because its forum is here and some people like to pop in like they're behind the wheel at a drive by shooting to stick out their tongues and shout that their Av program is better and NOD is crap and then speed off. :dry:
Firecat
May 10th, 2007, 07:04 PM
-{ Quote: "NOD will always be discussed more than it might merit because its forum is here and some people like to pop in like they're behind the wheel at a drive by shooting to stick out their tongues and shout that their Av program is better and NOD is crap and then speed off. :dry:" }-
So, are you saying Ewido will be discussed more than it might merit for the same reasons, because Ewido's official forum is here? I see a quite different situation with Ewido, there is dissatisfaction with the product due to lack of a Vista version and the problems with updating but the outcry is still nowhere near as bad as it is with NOD32. We don't see "Ewido sucks" rants daily do we?
This probably isn't the reason, Hammer....No offense intended towards you. :)
trjam
May 10th, 2007, 07:05 PM
-{ Quote: "NOD will always be discussed more than it might merit because its forum is here and some people like to pop in like they're behind the wheel at a drive by shooting to stick out their tongues and shout that their Av program is better and NOD is crap and then speed off. :dry:" }-
Hmm, I think that was meant for me and deserved.:-\ I am sorry. :( I will say that beta 1a is kicking ass.;)
The Hammer
May 10th, 2007, 07:14 PM
-{ Quote: "Hmm, I think that was meant for me and deserved.:-\ I am sorry. :( I will say that beta 1a is kicking ass.;)" }-
No it was not meant for you because I know that if you hate NOD today, you'll love it tomorrow. ;) But as far as Firecat's comments go, well, just let me say that Anti trojan/spyware products etc. do not evoke the same passions that Av products do for whatever reason. Also Ewido users aren't as exuberant as NOD users are concerning their program so that figures into it as well.
twl845
May 10th, 2007, 07:29 PM
-{ Quote: "I used to subscribe to PC World in the past but did not renew it (it was a free subscription for answering online surveys). Some of the issues were useful, but I think over the years, the information tended to repeat itself. I have used Norton AV on a laptop for over 3 years and the machine has never had a BSOD. There is 512 MB on a 2.4 GHz processor on it and the system has never ever frozen.:thumb:" }-
Actually, if by repetitive you mean general subjects like comparing AVs, ASs, browsers, etc. you're right. The only saving factor is that computer technology changes so fast, it is still kind of new info. As for Norton, some folks will find it works well with their computer, and others will have trouble, but I think generally speaking (in my experience) it can be more trouble than it's worth. :)
Thankful
May 10th, 2007, 09:44 PM
To be quite honest, I don't know what to make of the last test by Av-test.org.
Am I thrilled by the results of this test for NOD32? No. Questions to ask: Are all 900,000 samples of malware, really malware? Why are the results of AV-test different than those of Av-Comparatives? Should I discount the results of Virus Bulletin?
Why I stay with NOD32:
1. I have used NOD32 for four years plus without an infection.
2. No problems with updating definitions.
3. Low resource use.
4. Program is very stable.
huntnyc
May 10th, 2007, 09:52 PM
-{ Quote: "
Why I stay with NOD32:
1. I have used NOD32 for four years plus without an infection.
2. No problems with updating definitions.
3. Low resource use.
4. Program is very stable." }-
Same here. :thumb:
ronjor
May 10th, 2007, 09:55 PM
-{ Quote: "Should I discount the results of Virus Bulletin? " }-
Virus Bulletin is just another set of tests. They do enjoy a good reputation among antivirus vendors and their logo is often seen on the various vendors' sites. Whether you agree or disagree with the tests in general is a personal matter.
Virus Bulletin did reverse a failure to a pass in the latest set of tests.
http://eset.com/threat-center/blog/?p=62
joel406
May 10th, 2007, 11:41 PM
-{ Quote: "To be quite honest, I don't know what to make of the last test by Av-test.org.
Am I thrilled by the results of this test for NOD32? No. Questions to ask: Are all 900,000 samples of malware, really malware? Why are the results of AV-test different than those of Av-Comparatives? Should I discount the results of Virus Bulletin?
Why I stay with NOD32:
1. I have used NOD32 for four years plus without an infection.
2. No problems with updating definitions.
3. Low resource use.
4. Program is very stable." }-
You speak the truth.
halcyon
May 11th, 2007, 03:26 AM
-{ Quote: "i don't agree with that,
any high risk surfer just needs ONE av solution,
" }-
Please explain why?
My argument:
- All AVs have failed to catch 0-day exploits, some of them implementable as part of web page views. It is very difficult to protect against those types of attacks (unless one has HIPS+Sandbox+ultra-hardening+very limited user accounts, something which is really not an average user manageable process, unlike multi-engine AV is).
If you can get the best of heuristics and the best of signature updates (by the use of two different engines) and do this with the price of 1 software (both as in money and in system slow down), then why not take it?
-{ Quote: "but if your av keeps failing to catch threats, it clearly isn't good enough so switch to another, i don't believe for 1 second ANYONE needs more than one AV.
" }-
Exactly my point! Not switch (XOR), but add (AND).
Besides, ALL av, including KAV/NOD fail to catch exploits.
-{ Quote: "
regardless of the latest review testing, nod32 is still a great AV that will protect its users, people should not be sooo quick to jump ship.
" }-
Completely agree: NOD32 is great (but not sufficient for a high risk user, imho). And no point in jumping ship (i.e. changing to another, but no harm in ADDITIONAL free security, which doesn't bog the system down or is very difficult to use/manage like most HIPS/sandbox solutions are).
I do not understand what is so difficult to understand about that.
But of course, anybody should implement the kind of security (both products and policy) that fits their situation.
My recommendation for a non-expert user who doesn't want to complicate his life (and spend his time) on HIPS/sandbox/whitelisting, is that a multi-av engine solution does improve the situation, esp. when combined with on-line free file scanner tools.
NOD32 for me is part of this portfolio, but it could just as well be BD+AntiVir+Kaspersky (if such a combo was somehow easy to install/manage).
Edwin024
May 11th, 2007, 04:45 AM
-{ Quote: "Kaspersky Anti-Virus 6, Symantec Norton AntiVirus 2007, and BitDefender Antivirus 10 all stuff the PC up so badly, they virtually halve the processor speed. So there's a balance between PC performance and amount of protection - a point which PCW have wholly overlooked." }-
This just isn't true about Kaspersky's and Norton's latest versions, my friend. Those remarks are from the past and should not be used anymore.
lodore
May 11th, 2007, 06:23 AM
bitdefender 10 shouldn't slow your pc down either.
lodore
Blackcat
May 11th, 2007, 06:54 AM
-{ Quote: "bitdefender 10 shouldn't slow your pc down either.
lodore" }-
Depends upon the system. Even with a high spec machine here, I have found it relatively heavy in real-time.
besafe
May 11th, 2007, 12:59 PM
-{ Quote: " this thread is just proof that people jump ship on one test result, been saying this all the time with av-comparatives as well, where the tests can be used as propaganda, they can also reflect in loss of sales, so are they a good thing?" }-
Well...what you say may very well be true. But I think the concern with NOD32 right now is stemming from 2 test results and the recent beta suite. If I am not mistaken, NOD's performance fell in the latest AV Comparatives from Advanced + to Advanced. Couple that with the PC Mag review and the fact that the beta of the suite has had some issues...I think all that together is shaking people's confidence in NOD32 just a tad.
Mind you, I think most people realize that NOD32 is still an excellent AV. I just happen to think that there is a perception that it is starting to slide just a tad from the elite status it has maintained for so long.
yeuxbleus
May 11th, 2007, 02:27 PM
-{ Quote: "Kaspersky Anti-Virus 6, Symantec Norton AntiVirus 2007, and BitDefender Antivirus 10 all stuff the PC up so badly, they virtually halve the processor speed. So there's a balance between PC performance and amount of protection - a point which PCW have wholly overlooked." }-
-{ Quote: "This just isn't true about Kaspersky's and Norton's latest versions, my friend. Those remarks are from the past and should not be used anymore." }-
Haven't used Norton but I absolutely agree with this when it comes to Kaspersky. I have tried NOD32 (the build previous to the latest) and for me KAV 6.0.321 was just as light.
Edwin024
May 11th, 2007, 05:05 PM
I have used NOD, Kaspersky and now Norton. So that's why I made the remark :)
pvsurfer
May 11th, 2007, 05:45 PM
I don't know about Norton (I have this hangup about Symantec products), but KAV6 & KIS6 are 'top-flight'. I base that on the many machines at the office that have them and it's never been brought to my attention that either one is a resource-hog.
That said, I've never had a problem with NOD32 on my personal systems, so I'm not about to jump ship unless I do!
twl845
May 11th, 2007, 11:20 PM
-{ Quote: "I have used NOD, Kaspersky and now Norton. So that's why I made the remark :)" }-
We should move forward. ;D
hin123
May 12th, 2007, 12:07 AM
-{ Quote: "Well...what you say may very well be true. But I think the concern with NOD32 right now is stemming from 2 test results and the recent beta suite. If I am not mistaken, NOD's performance fell in the latest AV Comparatives from Advanced + to Advanced. Couple that with the PC Mag review and the fact that the beta of the suite has had some issues...I think all that together is shaking people's confidence in NOD32 just a tad.
Mind you, I think most people realize that NOD32 is still an excellent AV. I just happen to think that there is a perception that it is starting to slide just a tad from the elite status it has maintained for so long." }-
So you expect an early beta version to have no problems?:lurking:
QBgreen
May 12th, 2007, 12:12 AM
I'm not really concerned (or alarmed!) by this review/test. Eset's history has shown that they're not slackers. Of all of the AV programs that I hold active licenses for (way too many, it's an issue that I'm working on :wacko:), I always seem to gravitate back to NOD32. I know it and trust it. These people are in it to stay, so I would fully expect Eset to "be on it".
jigong9898
May 12th, 2007, 03:51 AM
where is Avira antivir in the pcworld's result?
now i am using it, and I think it is no worse than Kaspersky indeed.
Zombini
May 12th, 2007, 02:46 PM
-{ Quote: "Kaspersky killed NOD32 when it came to definitions. NOD32 killed Kaspersky when it came to heuristics. " }-
And both have considerably high FP rates compared to Norton. You can't trust an AV product no matter how proactive their signatures are or how good their heuristics are if they have too many FPs. It's unacceptable that both have so many FPs even though their customer base is so much smaller compared to Norton.
There is a very disturbing trend that is beginning to emerge: Every AV vendor is monitoring the defs being released by its competitors, and when such is released it will scan its incoming file set with that competitor's defs. If a file is flagged, they will immediately push out a def for that file without actually analyzing it all in the name of fast response time. This leads to a ripple effect. If the original AV vendor has a false positive, a lot of the others do as well except the really big names that can't afford to blindly release a new def without actual analysis. Mark my words, in the near future there is going to be a lot of focus on FPs by AV testers.
ronjor
May 12th, 2007, 02:50 PM
-{ Quote: "And both have considerably high FP rates compared to Norton. " }-
Do you have a link to the data that supports that statement?
JAB
May 12th, 2007, 02:56 PM
http://www.av-comparatives.org/
page 6
Whether 5 or 6 false positives out of that many samples is really a problem is another matter. Personally, I'm willing to accept some false positives, if that's the price of good heuristics.
/jab
Note: "Considerably higher" is also open to interpretation. In the above, Symantec had zero false positives, making Kaspersky and NOD infinitely higher... :)
Zombini
May 12th, 2007, 02:59 PM
-{ Quote: "Do you have a link to the data that supports that statement?" }-
Yes.. stay tuned, latest results are not public yet, but look at any of the reports on av-comparatives.
Retrospective 2006/11
Symantec - none
Kaspersky - few
NOD32 - few
Retrospective 2006/5
Symantec - none
Kaspersky - few
NOD32 - few
ronjor
May 12th, 2007, 03:00 PM
Thanks JAB. Modified the link a bit to point to the site rather than the tables.
Firecat
May 12th, 2007, 03:16 PM
-{ Quote: "
Yes.. stay tuned, latest results are not public yet, but look at any of the reports on av-comparatives." }-
Are you working for an AV vendor or testing website? Because the way you said about the latest test results of AV-Comparatives which are not public yet makes me think....???
As for the comments regarding FPs, you seem to be correct. I remember reading something in Norman's forum where a guy complained about rising number of FPs in Norman and a Norman representative said that every AV is rising in terms of FPs and it could be deduced from the post that a trade off was being made to ensure higher detection rates...:-\
De Hollander
May 12th, 2007, 03:40 PM
Symantec has a good record about FP :thumb:
But in 2006/5: Rank nr 11, 8 and 11. and in 2006/11 : Rank nr 9,10 and 8.
Pfipps
May 15th, 2007, 12:55 AM
Kaspersky has proven to be an excellent piece of software. However, people must remember that the tests were used with the maximum settings. For Kaspersky to feel usable (at least for me) I must put it on the recommended settings which won't scan every file. With NOD32, I have everything checked and everything is scanned and I still don't feel a slowdown. Since I am on Vista, I also have Windows Defender on access scanning, and it is still usable.
The only other faster scanners are Panda and AVG, while good, not as great as the top performers.
I think people like to see NOD32 fail because of its rabid fan community, which I never knew existed until recently.
sockie
May 15th, 2007, 01:12 AM
Sometimes I think NOD32 V2.x is getting a bit long in the tooth, but it's still good. Anyway, why wasn't Avira's AntiVir tested? It gets better results in AV-Comparatives than NOD32 / Norton AV 2007 and BD. :-\
Firecat
May 15th, 2007, 01:15 AM
-{ Quote: "Sometimes I think NOD32 V2.x is getting a bit long in the tooth, but it's still good. Anyway, why wasn't Avira's AntiVir tested? It gets better results in AV-Comparatives than NOD32 / Norton AV 2007 and BD. :-\" }-
I'll repeat it again, Avira AntiVir was not tested because PC World and AV-test were too far along with the testing by the time AntiVir had a Vista compatible version. Due to Avira not releasing a Vista version on time, it was not included. PC World had every intention of including it though, and will probably include it in future tests. ;)
beethoven
May 15th, 2007, 05:51 AM
-{ Quote: "considerably high FP rates" }-
I can live with few FP and don't expect a 100% score. Nothing is perfect and no AV will have the optimum benefit with respect to all expectations. False FP are a relevant issue but this should be seen in context - how often does this happen, how likely is a user being affected by this. At this stage I don't think either KS or Nod users have a reason to complain about this.;)
AlamoCity
May 16th, 2007, 05:45 AM
Someone said NOD32 can be used as an "on-demand" scanner. So I guess it doesn't have any active drivers when it's shut down? In which case it would be compatible with KAV?? How would this work... to download updated NOD32 signatures I'd have to exit KAV, open NOD32/download signatures, then exit NOD32, and then reopen KAV??
Thanks in advance!
De Hollander
May 16th, 2007, 09:34 AM
Disable Amon, Imon, Dmon and Emon, or just hit the quit button, which unloads the module drivers completely
edit: I use this with avira PE not Kaspersky.
Firecat
May 16th, 2007, 04:05 PM
-{ Quote: "Are all 900,000 samples of malware, really malware? Why are the results of AV-test different than those of Av-Comparatives? Should I discount the results of Virus Bulletin?" }-
All 900,000 samples are really malware, just like AV-comparatives sample set. Every sample is verified to be malware, don't worry about that. I have seen this "are they really malware" statement being bandied about many times, and IMO this statement is only valid if the testing site is not reputable.
AV-test's results have always shown NOD32 differently than AV-comparatives. But then, AV-test releases tests at random, not at scheduled dates like AV-comparatives. This means that Eset cannot release huge updates to "prepare" themselves for AV-test.org's tests. Besides, Eset adds many samples only during specific times of the year and AV-test doesn't necessarily test at that time of the year. ;)
So this should give you a picture of why AV-test's results are different for NOD32 compared to AV-comparatives. ;)
lodore
May 16th, 2007, 04:12 PM
@firecat,
what is the removal rate of avg in the 7.5 versions like?
is the 7.5 version better at removing malware than the 7.0 version?
lodore
Firecat
May 16th, 2007, 04:28 PM
-{ Quote: "@firecat,
what is the removal rate of avg in the 7.5 versions like?
is the 7.5 version better at removing malware than the 7.0 version?
lodore" }-
I never tried the 7.0 version so I am not sure. I've never had anything infect my PC so I can't really tell about removal rates. But from what I see, yes it is better in version 7.5 than version 7.0. :)
lodore
May 16th, 2007, 04:32 PM
i'm just wondering if i could use avg antimalware on my sister's computer when her antivir license runs out.
it is just as easy to use.
lodore
The Hammer
May 16th, 2007, 04:53 PM
Back on topic please. There is another thread with AVG vs NOD.
NAMOR
May 16th, 2007, 04:59 PM
-{ Quote: "i'm just wondering if i could use avg antimalware on my sister's computer when her antivir license runs out.
it is just as easy to use.
well avg antimalware or drweb.
the problem with antivir is that in student accommodation the internet speed is very slow and sometimes antivir can't update.
so i'm trying to seek a program with a decent detection rate with smaller update file and a light on resources.
i know the drweb update files are tiny.
lodore" }-
Since you mentioned "student accommodation"... Does her school provide an AV for students and faculty to use for free? I know at my old university the IT department provided McAfee Enterprise 8.5 and Kerio firewall free of charge to all students and faculty. Might want to check into it.
lodore
May 16th, 2007, 05:02 PM
-{ Quote: "Since you mentioned "student accommodation"... Does her school provide an AV for students and faculty to use for free? I know at my old university the IT department provided McAfee Enterprise 8.5 and Kerio firewall free of charge to all students and faculty. Might want to check into it." }-
i don't know, her UNI might.
lodore
JAB
May 17th, 2007, 12:07 AM
-{ Quote: "AV-test's results have always shown NOD32 differently than AV-comparatives. But then, AV-test releases tests at random, not at scheduled dates like AV-comparatives. This means that Eset cannot release huge updates to "prepare" themselves for AV-test.org's tests. Besides, Eset adds many samples only during specific times of the year and AV-test doesn't necessarily test at that time of the year. ;)" }-
Where can you see the AV-test.org results? I can't find them on their web site?
Thanks.
/jab
Firecat
May 17th, 2007, 12:44 AM
-{ Quote: "Where can you see the AV-test.org results? I can't find them on their web site?
Thanks.
/jab" }-
You won't find it on the website. AV-test's tests are only published in certain websites and magazines from time to time. :)
Diver
May 19th, 2007, 06:13 PM
I can hardly believe this thread. The reviewers gave 1st place KAV an 85 and the next three an 84 rating. Hardly anything to get excited about. Someone around here has too much emotional energy invested in their commitment to their AV scanner. No software is perfect, nor is any test of software perfect.
Firecat
May 20th, 2007, 01:44 AM
-{ Quote: "I can hardly believe this thread. The reviewers gave 1st place KAV an 85 and the next three an 84 rating. Hardly anything to get excited about. Someone around here has too much emotional energy invested in their commitment to their AV scanner. No software is perfect, nor is any test of software perfect." }-
The thread is centered around the malware detection rates of NOD32 in the PC World test which was performed by AV-Test and not the overall rating of NOD32 given by PC World. :)
Diver
May 20th, 2007, 02:54 PM
-{ Quote: "The thread is centered around the malware detection rates of NOD32 in the PC World test which was performed by AV-Test and not the overall rating of NOD32 given by PC World. :)" }-
That's the problem. The focus is on one number that is being taken out of context and not the result as a whole. There is obviously some explanation in the testing methodology, about which everyone does speculate.
EliteKiller
May 20th, 2007, 03:07 PM
-{ Quote: "Someone said NOD32 can be used as an "on-demand" scanner. So I guess it doesn't have any active drivers when it's shut down? In which case it would be compatible with KAV?? How would this work... to download updated NOD32 signatures I'd have to exit KAV, open NOD32/download signatures, then exit NOD32, and then reopen KAV??
Thanks in advance!" }-
Someone also said that it's a bad idea to have two AV's on your pc. If you have KAV or Nod there is no reason for another AV to be installed on your pc. If you're that paranoid use a limited account with a SRP.
Xenophobe
May 26th, 2007, 06:18 AM
-{ Quote: "To be quite honest, I don't know what to make of the last test by Av-test.org.
Am I thrilled by the results of this test for NOD32? No. Questions to ask: Are all 900,000 samples of malware, really malware? Why are the results of AV-test different than those of Av-Comparatives? Should I discount the results of Virus Bulletin?
Why I stay with NOD32:
1. I have used NOD32 for four years plus without an infection.
2. No problems with updating definitions.
3. Low resource use.
4. Program is very stable." }-
Same for me :)
And honestly, 90% detection rate and common sense keeps my computer safe.
ablatt
May 27th, 2007, 08:45 AM
Are NOD's less-than-stellar results in these past tests due to limits in its scanning engine or only to missing definitions?
besafe
May 27th, 2007, 10:11 AM
I have been a happy NOD32 user for the last 2 years. But with each AV review I read, I am slowly starting to have doubts as to whether or not it is worth paying for. When the free programs like AOL AVS, Antivir, and Avast are producing similar if not better detection rates, why pay for NOD?
In the past, I have paid for NOD32 because I felt it was the best or at least one of the 2 best. But I can't say that I still feel that way. I still think it is good, but it appears to have slipped from the elite. If I pay for an AV next year it will probably be made by Kaspersky or I may simply go with one of the many very good free options.
That's really kind of disappointing because I am a NOD fan. It's light on resources and has been very effective. It is exactly what I look for in a security program. And ESET seems like the "underdog" to me. I enjoy pulling for the non mass marketed, smaller but high quality products. But if free AV products have caught up, I can't justify the expense. And if I am going to justify the expense by buying the very best, I can't say that NOD still meets that criteria. I am hoping that ESET rebounds this year.
prius04
May 27th, 2007, 03:28 PM
-{ Quote: "...When the free programs like AOL AVS, Antivir, and Avast are producing similar if not better detection rates, why pay for NOD?..." }-
Is that based on one or more of the current tests that have been the subject of a lot of discussion around here lately? The reason I ask is because I wasn't aware that any of those tests included *free* versions of the AVs tested.
-{ Quote: "...And if I am going to justify the expense by buying the very best, I can't say that NOD still meets that criteria..." }-
Okay, so you "buy the very best", I assume based upon the latest tests and/or reviews, and you're content, for the time being. *Now* what do you do if several months later the most recent testing reveals that the new AV you purchased has slipped?
Bottom line is if you don't want to pay, then don't pay.....use one of the free AVs. OTOH, if you are going to pay, switching from a product that, apparently, has served you well for a couple of years to another, based solely on tests/reviews, *could* prove to be a mistake. The problem is *you* will have no way of knowing for sure *until* you get infected and/or have issues with the new AV *and* all the testing in the universe can't guarantee either/or won't happen.
tsilo
May 27th, 2007, 04:18 PM
I don't know if someone before me already said this, but I must say that..
When I was using NOD32 on my old machine, I was downloading specially some number of exe. viruses to test my AV. In these tests testers only scan viruses with AV's but nobody executes them, right?
So I had often cases when some viruses weren't detected by all AV's in virustotal list including NOD32, but when I was executing these viruses, my NOD32 detected them with his great Heuristic! So if someone tests AV's and executes viruses, I think NOD32 will be one of the first detecting them 8) and of course the test results will be different and NOD32 will be higher in the list.
Yes, it is always good to detect viruses by signatures before executing them, but in the other case AV's scoring higher in this test, having especially signature detection, will be unused in these cases (I mean after executing undetected viruses).
So I think NOD32 is still great AV !
besafe
May 27th, 2007, 04:36 PM
-{ Quote: "
Bottom line is if you don't want to pay, then don't pay.....use one of the free AVs. OTOH, if you are going to pay, switching from a product that, apparently, has served you well for a couple of years to another, based solely on tests/reviews, *could* prove to be a mistake. The problem is *you* will have no way of knowing for sure *until* you get infected and/or have issues with the new AV *and* all the testing in the universe can't guarantee either/or won't happen." }-
Well...I got infected using NOD too. A trojan slipped right by NOD, then disabled it and my firewall. No program catches everything and no program can compensate for end user error. Still, with as good as free AV's have gotten to be, I will only pay for the very best and am simply no longer convinced that NOD32 falls in that category.
solcroft
May 27th, 2007, 04:44 PM
-{ Quote: "So I often had cases when some viruses weren't detected by all AV's in virustotal list including NOD32, but when I was executing these viruses, my NOD32 detected them with its great Heuristic!" }-
Unfortunately, there is no such thing.
NOD32's heuristics are just that - heuristics. Not a behavior blocker. Unless the on-access and on-demand modules use different scanning engines, or they're using different settings, there is no way the on-access scanner is going to heuristically detect a file that the on-demand scanner missed.
Firecat
May 27th, 2007, 04:46 PM
-{ Quote: "Unfortunately, there is no such thing.
NOD32's heuristics are just that - heuristics. Not a behavior blocker. Unless the on-access and on-demand modules use different scanning engines, or they're using different settings, there is no way the on-access scanner is going to heuristically detect a file that the on-demand scanner missed." }-
Maybe such a situation can happen with NOD32 if the file was not packed by a known packer, or there was a self extracting archive of a format Eset does not scan (not sure). :-\
tsilo
May 27th, 2007, 04:58 PM
I don't know why but I often had such cases, trust me NOD32 detected nearly 100% of executed viruses that were undetected before!
solcroft
May 27th, 2007, 05:16 PM
Most likely this happens with embedded files. Many scanners (avast! and KAV appear to be notable exceptions) are unable to detect files embedded within the main "body" of the malware itself. NOD32 might be able to detect these files when they're released upon the execution of the malware, but the same easily applies to any antivirus software, not just NOD32, and this is not the same case as flagging the main body of the malware itself, which might have been already up to further mischief.
And no, tsilo, I don't trust your claims. Not unless you can back them up, because to the best of my knowledge this is just not the way how scanners work (much less the "nearly 100%" part). Nothing personal, of course. ;D
C.S.J
May 27th, 2007, 05:17 PM
executable malware,
hmm, an argument ive used myself before, but with no clarification of any of this from the testers themselves, its pointless for me to keep arguing the case. :wacko:
Tweakie
May 27th, 2007, 05:18 PM
-{ Quote: "Maybe such a situation can happen with NOD32 if the file was not packed by a known packer, (..)" }-
I think there would be no difference in this case. The situation where the on-access scanner can perform better is when a dropper is not detected while the dropped file is.
Actually, this is a bit more complex than that: it all depends on the kind of signature (is it a simple CRC, like in ClamAV, or is it located at a fixed offset ?), on the type of the dropper (are the dropped files encrypted ?), on the technology used by the scanning engine (XRAying ? Does it look for embedded PE headers ?) and on the capability of the heuristics (Norman and Bitdefender for example are able to drop & scan files inside their VM).
A more or less similar example concerns webdownloaders, in case of a "harmless" undetected downloader and a malicious detected payload (except that, of course, in case of a webdownloader the payload can change at any time).
Edit: ooops, didn't see solcroft post before posting...
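The cases listed in the post above, as an added sketch that is not part of the original thread or any vendor's engine: a whole-file (size, CRC32) signature misses a dropper, a search for embedded PE headers recovers an unencrypted payload, and a simplified single-byte XOR "x-ray" is needed for an encrypted one. All byte strings are constructed and non-executable, and the function names and signature format are assumptions made for illustration.

```python
import struct
import zlib

def make_pe_stub(body: bytes) -> bytes:
    """Constructed, non-executable bytes with a valid MZ header -> PE signature chain."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: offset of the PE signature
    return bytes(dos) + b"PE\x00\x00" + body

def signature(sample: bytes):
    """Simplified whole-file signature: (size, CRC32). Any wrapper around the file defeats it."""
    return (len(sample), zlib.crc32(sample))

def whole_file_match(data: bytes, sigs) -> bool:
    return signature(data) in sigs

def embedded_pe_offsets(data: bytes):
    """Offsets past 0 where 'MZ' carries an e_lfanew that points at a PE signature."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            pe = pos + struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def carve_match(data: bytes, sigs) -> bool:
    """Apply each whole-file signature to the bytes starting at every embedded header."""
    return any((size, zlib.crc32(data[off:off + size])) in sigs
               for off in embedded_pe_offsets(data) for size, _ in sigs)

def xray_match(data: bytes, sigs) -> bool:
    """Simplified x-ray: try every single-byte XOR key, then carve the decoded bytes."""
    return any(carve_match(bytes(b ^ key for b in data), sigs)
               for key in range(1, 256))

# Constructed samples: the "payload" is the file the signature database knows about.
PAYLOAD = make_pe_stub(b"constructed-payload-bytes")
SIGS = {signature(PAYLOAD)}
LOADER = make_pe_stub(b"constructed-loader-stub")
PLAIN_DROPPER = LOADER + PAYLOAD                          # payload stored as-is
XOR_DROPPER = LOADER + bytes(b ^ 0x5A for b in PAYLOAD)   # payload XOR-encoded

if __name__ == "__main__":
    for name, blob in (("payload", PAYLOAD), ("plain dropper", PLAIN_DROPPER),
                       ("xor dropper", XOR_DROPPER)):
        print(f"{name:14} whole-file={whole_file_match(blob, SIGS)} "
              f"carve={carve_match(blob, SIGS)} xray={xray_match(blob, SIGS)}")
```

Once the payload is written to disk on execution, the plain whole-file signature matches it again, which is the on-access behaviour the thread describes.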
tsilo
May 27th, 2007, 05:26 PM
Not at all, I don't say that NOD32 can detect 100% of executed viruses, but NOD32's detection will be much higher if you execute viruses. It means that even if you scan a sample on virustotal.com and it shows NOD32 sees nothing, keep in mind that NOD32 may detect this sample after executing :)
solcroft
May 27th, 2007, 05:32 PM
The same holds true for all scanners, not just NOD32. ;D
tsilo
May 27th, 2007, 05:39 PM
-{ Quote: "The same holds true for all scanners, not just NOD32. ;D" }-
Are you sure? because NOD32 detected these viruses after executing especially with Heuristic!
Firecat
May 27th, 2007, 05:46 PM
-{ Quote: "
Most likely this happens with embedded files. Many scanners (avast! and KAV appear to be notable exceptions) are unable to detect files embedded within the main "body" of the malware itself. NOD32 might be able to detect these files when they're released upon the execution of the malware, but the same easily applies to any antivirus software, not just NOD32, and this is not the same case as flagging the main body of the malware itself, which might have been already up to further mischief." }-
Regarding this "embedded" malware thing, I will add that BitDefender is the third notable exception. I've noticed it scan embedded files, I've noticed it detect multiple malware variants in the same embedded file, and most VXers may also have noticed it, but thats another story :P ;D
Even AVG (Anti-Malware/Internet Security) sometimes reports some files as "Infected, Embedded object" (I put some malware into a temporary folder and scanned it with AVG to prove this, see the attached screenshot). HOWEVER, AVG for some reason detects such files only on-demand and not on-access, the reason being that such files are deemed as being ARCHIVES by the AVG scanner, and the real time monitor skips scanning archives. In such cases, the threat will be detected on-execution or on-demand. Since all AV-tests use the On-Demand scanner only, I doubt the detection rates of AVG or any other AV should be any higher than what has been seen. Besides, most AV-tests also include the dropped/downloaded files separately in their collection. :)
{The file in the screenshot I've marked has two detections, both detections are of the same file. AVG detects instmkt38.exe embedded inside exactofferd8.exe as infected, and in the next cycle declares exactofferd8.exe as an infected ARCHIVE. This could be true for other AVs as well}.
So basically, the most common way tsilo's situation can happen is in the case of a downloader, where the downloaded file will be detected as malware, but simply scanning the downloader itself by the on-demand scanner will not yield any result.
-{ Quote: "
Actually, this is a bit more complex than that: it all depends on the kind of signature (is it a simple CRC, like in ClamAV, or is it located at a fixed offset ?), on the type of the dropper (are the dropped files encrypted ?), on the technology used by the scanning engine (XRAying ? Does it look for embedded PE headers ?) and on the capability of the heuristics (Norman and Bitdefender for example are able to drop & scan files inside their VM)." }-
Interesting info, thanks! :)
lucas1985
May 27th, 2007, 10:43 PM
-{ Quote: "and on the capability of the heuristics (Norman and Bitdefender for example are able to drop & scan files inside their VM)" }-
NOD's Advanced Heuristics isn't able to drop and scan files inside its VM? :wacko:
solcroft
May 27th, 2007, 11:26 PM
-{ Quote: "NOD's Advanced Heuristics isn't able to drop and scan files inside its VM? :wacko:" }-
As far as I've been able to tell, the only thing NOD32 seems to use its emulator for is unpacking purposes. This is pure conjecture based on personal observation, of course. But no, NOD32 doesn't scan embedded files.
-{ Quote: "Even AVG (Anti-Malware/Internet Security) sometimes reports some files as "Infected, Embedded object" (I put some malware into a temporary folder and scanned it with AVG to prove this, see the attached screenshot)." }-
Were you scanning an archive file, by any chance?
Again AFAIK AVG cannot detect embedded objects until the main body is executed and drops its component files onto the system.
-{ Quote: "Are you sure? because NOD32 detected these viruses after executing especially with Heuristic!" }-
Yes, I'm sure. Unless someone from ESET comes and tells us that the on-demand and on-access scanners use different engines/settings. ;D
Firecat
May 27th, 2007, 11:35 PM
-{ Quote: "Were you scanning an archive file, by any chance?
Again AFAIK AVG cannot detect embedded objects until the main body is executed and drops its component files onto the system." }-
Well, the file had a .exe extension, and inside it was another .exe file which was the actual file that AVG detected as malicious. So, maybe its a self extracting archive, maybe not. ???
solcroft
May 27th, 2007, 11:39 PM
"Real" droppers cannot have their files seen or extracted via "normal" means (which is why so many scanners can't detect them). If you can extract the files inside the main body using WinRAR, 7-zip or some such, then it's not a "real" dropper, just a compressed archive.
Firecat
May 27th, 2007, 11:57 PM
-{ Quote: ""Real" droppers cannot have their files seen or extracted via "normal" means (which is why so many scanners can't detect them). If you can extract the files inside the main body using WinRAR, 7-zip or some such, then it's not a "real" dropper, just a compressed archive." }-
I tried extracting the file with my archiver program and it gives me a message "Extract not supported for this file type". So that probably means its a "real" dropper.
solcroft
May 28th, 2007, 12:01 AM
Which archiving tool did you use, btw?
Firecat
May 28th, 2007, 12:12 AM
-{ Quote: "Which archiving tool did you use, btw?" }-
IZArc....
solcroft
May 28th, 2007, 12:25 AM
I don't know the tool very well, so meh.
All the same, I've seen avast! and KAV detect embedded files where AVG and other scanners failed to do the same. Execute the main body inside a sandbox, pick up the dropped files for a scan on VT, and all of a sudden everyone is flagging them. ;D
tsilo
May 28th, 2007, 04:38 AM
I think it will be good to hear the point of view of someone from ESET. No, NOD32's on-demand and on-access scanners aren't different, but maybe Heuristic better detects active threats by behavior?
kjempen
May 28th, 2007, 06:40 AM
-{ Quote: "IZArc...." }-
Try Universal Extractor (http://legroom.net/software/uniextract). It can extract from many different archives (and supports a couple of runtime packers), and also many installers (which I think may be what solcroft is referring to?)
EDIT: By installers I mean like Gentee, Inno, Vise, Wise, NSIS etc. which I've seen been frequently used for malware.
besafe
May 28th, 2007, 07:08 AM
This discussion has gone way over my head. It sounds like the implication is that NOD32 is better than its detection rate due to its heuristics.
I don't get that.
1. Don't all AV's that have active protection catch viruses as they execute?
2. Isn't NOD's heuristics merely part of its scan function?
To me, an AV is all about detection rate. Whether it's by definition or by heuristics, the main thing is detection rate and removal rate as I don't really rely on my AV for zero day protection.
But can someone explain in layman's terms why many very obviously knowledgeable posters seem to think that NOD is better than the detection rates it has been producing lately? I'd hate to switch products when my license runs out to learn that I am making a big mistake.
C.S.J
May 28th, 2007, 12:52 PM
one reason could be, and ive experienced this myself yesterday with my own drweb is:
i downloaded a file, scanned it with my drweb.... its clean.
however i ran the file and it infected my O&O defrag, and when it did this... drweb detected it and removed it, now my O&O is clean and it works perfectly still.
strange and i aint sure why, but as long as my drweb got rid of it eventually, i still class this as a detection and in such tests... it would not have been.
other reasons people complain are, malware that cannot be executed ARE included in the tests (i dont know how much though..... but its there) and some av's like drweb do not add samples for un-executable malware, some people have stated it will only add 1-2% or so, but its still there.
more reasons are, the samples used are not malware in which people are likely to get, while some companies only add malware thats a real threat to its userbase,
or some companies only add malware signatures when the malware is malicious to a users computer etc.
there are many reasons, and i dont really look too much into them, as far as testing goes the av-test is the best out there as im told, but people should not look 'too much' into them, as it only states detection rates and not removal, everyone knows detection rates aint everything, there are other things to look into when deciding on an AV to purchase or use, which these tests definitely dont state or show.
besafe
May 28th, 2007, 06:58 PM
-{ Quote: "one reason could be, and ive experienced this myself yesterday with my own drweb is:
i downloaded a file, scanned it with my drweb.... its clean.
however i ran the file and it infected my O&O defrag, and when it did this... drweb detected it and removed it, now my O&O is clean and it works perfectly still.
strange and i aint sure why, but as long as my drweb got rid of it eventually, i still class this as a detection and in such tests... it would not have been.
other reasons people complain are, malware that cannot be executed ARE included in the tests (i dont know how much though..... but its there) and some av's like drweb do not add samples for un-executable malware, some people have stated it will only add 1-2% or so, but its still there.
more reasons are, the samples used are not malware in which people are likely to get, while some companies only add malware thats a real threat to its userbase,
or some companies only add malware signatures when the malware is malicious to a users computer etc.
there are many reasons, and i dont really look too much into them, as far as testing goes the av-test is the best out there as im told, but people should not look 'too much' into them, as it only states detection rates and not removal, everyone knows detection rates aint everything, there are other things to look into when deciding on an AV to purchase or use, which these tests definitely dont state or show." }-
But don't you put detection/removal rates above all? For example, what if you had a software that was:
1. Light on system resources
2. Inexpensive or even free
3. Supported well
4. Easy to use
5. Quick to update signatures
6. Played well with other applications and
7. consistently only detected 80% of viruses
Would you use it? I wouldn't.
prius04
May 28th, 2007, 09:55 PM
-{ Quote: "But don't you put detection/removal rates above all?..." }-
Nope --> http://www.wilderssecurity.com/showpost.php?p=1002346&postcount=3
Zombini
May 29th, 2007, 01:05 AM
-{ Quote: "Not at all, as mentioned, this is the NOD32 SUPPORT Forum, we have other areas within this site to discuss every AV to your hearts content.
Blackspear." }-
Actually this is the "Other anti-virus Software" forum, the NOD32 support forum is elsewhere ::)
Blackspear
May 29th, 2007, 01:10 AM
-{ Quote: "Actually this is the "Other anti-virus Software" forum, the NOD32 support forum is elsewhere ::)" }-
The thread was moved from the NOD32 Support Forum to its current location.
Blackspear.
C.S.J
May 29th, 2007, 02:14 PM
-{ Quote: "But don't you put detection/removal rates above all?" }-
lol, no (http://www.wilderssecurity.com/showthread.php?t=174501) i dont ::)
also, take a look here (http://www.wilderssecurity.com/showthread.php?p=1002346#post1002346) at other peoples thoughts on this, including mine on post #3 (http://www.wilderssecurity.com/showpost.php?p=1002346&postcount=3)
Copyright ©2002 - 2012, Wilders Security Forums