NOD32 falling behind in definitions?


Coolio10
July 6th, 2007, 09:46 PM
On recent tests NOD32 has dropped in detection rates. Is this caused by the development of ESET smart security?

It dropped on AV-Comparatives and ...
http://www.sunbelt-software.com/ihs/alex/marx/detections_2007q2.htm

http://news.softpedia.com/newsImage/Kaspersky-NOD32-Symantec-Going-Down-2.png

http://bp1.blogger.com/_JNaO8YWc9rQ/Ro0tnMqeQPI/AAAAAAAAAgE/7HK7IbJkA8k/s1600-h/antivirus_comparison_en_20070628.png

Don johnson
July 6th, 2007, 10:16 PM
I think whatever fits you will be the best; I don't like to read any test reports.

psych1610
July 7th, 2007, 01:34 AM
Thanks for this information, I find it somewhat useful as I am debating whether I should upgrade from the trial copy to an actual licensed copy. If Eset is indeed falling behind here, it does make me wonder. Sure, I know about the advanced heuristics (or at least have heard about them), nevertheless the things about taking a while to add updates once some threats are known about and now this does make me wonder.

Sorry to ramble. Anyway, thanks.

psych1610

rothko
July 7th, 2007, 03:38 AM
Personally, I don't find it very useful at all.

the first two links are for the results of the same test, 'AV-Test' and the third is for the much ridiculed 'Malware-test'.

See the 'Other Anti-virus software' forum for threads on both tests.

You can believe all or some of the results from all or some of the tests, it's entirely up to you. I myself prefer av-comparatives, but even those I take with a pinch or so of salt.

I find NOD32 fares better in the real world than it does in tests, which I believe is down to the way Eset keep the signature database lean and mean and don't add every corrupt and non-functioning sample that comes their way, which many other AVs do.

as a final response to the links posted: http://www.infoworld.com/article/07/06/26/accuracy-of-AV-tests_1.html

ASpace
July 7th, 2007, 03:59 AM
{QUOTE-> as a final response to the links posted: http://www.infoworld.com/article/07/06/26/accuracy-of-AV-tests_1.html <-QUOTE}

Very good article :thumb: I think Moderators should consider putting it Sticky in the "Other AVs forums" :D

rothko
July 7th, 2007, 04:08 AM
{QUOTE-> Very good article :thumb: I think Moderators should consider putting it Sticky in the "Other AVs forums" :D <-QUOTE}
it had some discussion here recently: http://www.wilderssecurity.com/showthread.php?t=178545

codpet
July 8th, 2007, 04:55 AM
I think they are starting to slow down with updates.

My corporate network was hit by some W32/Spybot.Worm virus that NOD32 couldn't pick up. I had everything enabled, including "advanced" heuristics.

The worm spread across several clients, and many of our data servers. I was up to 1:00 AM in the morning in our NOC cleaning the infection off with Symantec.

Marcos
July 8th, 2007, 08:02 AM
{QUOTE-> I think they are starting to slow down with updates.

My corporate network was hit by some W32/Spybot.Worm virus that NOD32 couldn't pick up. I had everything enabled, including "advanced" heuristics.

The worm spread across several clients, and many of our data servers. I was up to 1:00 AM in the morning in our NOC cleaning the infection off with Symantec. <-QUOTE}

It's a matter of fact that no AV is perfect. We are still improving the heuristics so that they are able to catch many more threats without an update. When comparing two products, bear in mind that what one misses may be easily detected by the other and vice versa. So resorting to changing the AV just because it has missed a threat is not wise; I could give you tons of examples where NOD32 detects a threat whilst the other big AV players miss it. Please always submit any undetected threat to samples[at]eset.com or email support[at]eset.com in urgent cases.

mvdu
July 8th, 2007, 06:52 PM
I understand what Marcos is saying, but most tests have indicated a slight decline in overall detection from NOD32 lately. I just think most posters want Eset to stay on the ball. They aren't saying that it's impossible to be infected with a different AV.

And if someone's network was infected, I'd say sorry that happened.

codpet
July 8th, 2007, 08:28 PM
I think the development of new products by ESET is causing them to reduce support on definitions. This is the same reason why I stay away from most Symantec products when I can. They are juggling so many products, they are no longer specialists.

It's best not to turn into a jack of all trades, master of nothing.

Marcos
July 9th, 2007, 01:36 AM
Eset keeps adding signatures and, according to the statistics from Virus Total, more and more samples are detected when the non-functional ones are removed from the statistics.

codpet
July 10th, 2007, 01:45 AM
The virus we are currently fighting is hardly "benign."

It's a new variant of the W32.SpyBot.Worm virus. It spreads fast, and tries to communicate back to a server in the Czech Republic.

All technicians just spent 9+ hours in overtime mode trying to stop this thing. We have only slowed it.

I keep sending samples to ESET, but they seem to think it's a non-threat. I haven't heard anything back, and this is why I can't convince the executives to switch to such a product from say something more mainstream.

This incident doesn't help ESET's product any.

ASpace
July 10th, 2007, 02:26 AM
{QUOTE-> I keep sending samples to ESET, but they seem to think it's a non-threat <-QUOTE}
Hello !
There is a sticky thread here explaining how Eset deals with samples; in short, here (http://www.wilderssecurity.com/showpost.php?p=860087). I already wrote you something in the thread you newly started here (http://www.wilderssecurity.com/showthread.php?t=179713) :thumb:

Marcos
July 10th, 2007, 03:11 AM
In urgent cases you can drop an email to support[at]eset.com. We receive thousands of samples on a daily basis (most of them via ThreatSense, which means they are detected heuristically), so we must set some priorities for analyzing samples and adding detection. In urgent cases your samples would be prioritized, but you must notify us at the aforementioned email address. If you do, also enclose the suspicious file (zipped in an archive protected with the password "infected") and as much information about the threat as possible (e.g. its location and file name, results from Virus Total, etc.).

prius04
July 11th, 2007, 02:57 PM
{QUOTE-> I think the development of new products by ESET is causing them to reduce support on definitions... <-QUOTE}
Yet here it is July 11th and I just counted the number of updates to the signature database since the 1st; 28 to be exact as of the time of this message.

So, if they're reducing support, it's certainly not evident by the update frequency.

codpet
July 11th, 2007, 11:40 PM
{QUOTE-> Yet here it is July 11th and I just counted the number of updates to the signature database since the 1st; 28 to be exact as of the time of this message.

So, if they're reducing support, it's certainly not evident by the update frequency. <-QUOTE}

You can add all the definitions you want; as many have said, including mods, the number of definitions does not correlate to a product's ability to perform.

Marcos
July 12th, 2007, 01:18 AM
{QUOTE-> You can add all the definitions you want; as many have said, including mods, the number of definitions does not correlate to a product's ability to perform. <-QUOTE}

That's right, you can repack a particular sample with tons of packers and calculate/add a crc signature for each of the files automatically. Taking into account the number of current threats, you would easily end up with several million signatures in the database.

prius04
July 12th, 2007, 10:39 AM
{QUOTE-> You can add all the definitions you want; as many have said, including mods, the number of definitions does not correlate to a product's ability to perform. <-QUOTE}
I think I might have attributed the wrong quote earlier. You previously stated that you thought they are 'starting to slow down with updates'. My point was that, based upon the number and frequency I've been getting, that does not, at all, appear to be the case.

joel406
July 12th, 2007, 06:48 PM
I get updates at least once a day. If there is a really bad bug running around, ESET seems to respond in plenty of time. Long post, a little longer. I see no problem with their updating program at all.

twl845
July 12th, 2007, 07:09 PM
{QUOTE-> Yet here it is July 11th and I just counted the number of updates to the signature database since the 1st; 28 to be exact as of the time of this message.

So, if they're reducing support, it's certainly not evident by the update frequency. <-QUOTE}
I'll second that. I get regular updates starting with bootup.;)

nameless
July 12th, 2007, 11:04 PM
{QUOTE-> I keep sending samples to ESET, but they seem to think it's a non-threat. I haven't heard anything back, and this is why I can't convince the executives to switch to such a product from say something more mainstream. <-QUOTE}
Has anything come of this yet?

rothko
July 13th, 2007, 05:02 AM
{QUOTE-> Has anything come of this yet? <-QUOTE}
i think this is the same subject: http://www.wilderssecurity.com/showthread.php?t=179713

Abeltje
July 13th, 2007, 06:50 AM
{QUOTE-> Yet here it is July 11th and I just counted the number of updates to the signature database since the 1st; 28 to be exact as of the time of this message.

So, if they're reducing support, it's certainly not evident by the update frequency. <-QUOTE}

Update frequency does not say anything about additional number of threats found. So I don't think this is too relevant.

Abeltje
July 13th, 2007, 06:59 AM
{QUOTE-> In urgent cases you can drop an email to support[at]eset.com. We receive thousands of samples on a daily basis (most of them via ThreatSense which means they are detected heuristically) so we must set some priorities for analyzing samples and adding detection. In urgent cases your samples would be prioritized, but you must notify us at the aforementioned email address. If you do, also enclose the suspicious file (zipped in an archive protected with the password "infected") and as much information about the threat as possible (e.g. its location and file name, results from Virus Total, etc.) <-QUOTE}

The sheer fact that Eset has to "prioritize" shows that there are some resource problems. How come you can send almost anything to e.g. Kaspersky Labs and it will be added within 2 hours, while sending to Eset sometimes shows no addition even after weeks (this is based on what I read in forums like Wilders)?

Evidently, Kaspersky puts more effort into the administration of their signature database. I wonder if a small company like Eset will be able to keep up with the big players. Kaspersky licenses its technology to so many other vendors, surely they have more resources at hand. On the other hand, what about Avira, which consistently shows the highest detection rates and yet is also only a fairly small company.

Anyway, I wish Eset would keep up with the rest, as Nod is by far the most "easy-going" anti-virus program. But all you read from the Eset fanbase and officials is that there is nothing wrong at all with the way it is currently. Don't know if this is the right approach. You should always strive to improve, unless you're detecting 100%.

danieleb
July 13th, 2007, 07:12 AM
{QUOTE-> The sheer fact that Eset has to "prioritize" shows that there are some resource problems. How come you can send almost anything to e.g. Kaspersky Labs and it will be added within 2 hours, while sending to Eset sometimes shows no addition even after weeks (this is based on what I read in forums like Wilders)?

Evidently, Kaspersky puts more effort into the administration of their signature database. I wonder if a small company like Eset will be able to keep up with the big players. Kaspersky licenses its technology to so many other vendors, surely they have more resources at hand. On the other hand, what about Avira, which consistently shows the highest detection rates and yet is also only a fairly small company.

Anyway, I wish Eset would keep up with the rest, as Nod is by far the most "easy-going" anti-virus program. But all you read from the Eset fanbase and officials is that there is nothing wrong at all with the way it is currently. Don't know if this is the right approach. You should always strive to improve, unless you're detecting 100%. <-QUOTE}

Again? From the FAQ: http://www.wilderssecurity.com/showpost.php?p=198429&postcount=18 and http://www.wilderssecurity.com/showpost.php?p=1028952

tsherr
July 13th, 2007, 07:37 AM
Perhaps the definitions are behind, but Shadowserver shows them consistently at the top when catching zero days, so I'm not sure if it's relevant.

T

Get
July 13th, 2007, 07:53 AM
Definitions that are behind not relevant? When you're infected the relevancy will become clear very quickly.

tsherr
July 13th, 2007, 07:59 AM
Let's say, for argument's sake, that the definitions are behind (I doubt it, but let's say this). If NOD32 is still catching most of the 0days (today, for instance, NOD32 caught 97.21% of the new 0days whilst Kaspersky caught only 13.14%), which is better? Even if (and it's a big if) Kaspersky's definitions are more up to date, you'll be more likely to be infected if you're running Kaspersky (and just so I'm not picking on Kaspersky, McAfee caught 11.07%, and Avast caught 0%).

With enough computers, you can always find one AV that "failed" on one computer or one network, but that proves nothing. The original poster claimed he cleaned things up with Symantec, but if he had been running Symantec, there's a good chance it would have missed something that NOD32 caught. There is no perfect AV out there; there are some very good ones, and NOD32 is one of them, but it's a game of catch-up, so AV vendors will always be behind. Defense in depth is the only answer.


T

Get
July 13th, 2007, 08:05 AM
The question wasn't which is better. The question was if it's relevant, and I say it is, which of course isn't a bold statement but simple truth.

tsherr
July 13th, 2007, 08:30 AM
If the heuristics are catching 96%+ of the new viruses, are the definitions relevant? I'd say they aren't very. As the power of the heuristics go down, the relevance of the definitions goes up.

Perhaps I worded my first comment incorrectly.

T

vlk
July 13th, 2007, 09:37 AM
{QUOTE-> Let's say, for argument's sake, that the definitions are behind (I doubt it, but let's say this). If NOD32 is still catching most of the 0days (today, for instance, NOD32 caught 97.21% of the new 0days whilst Kaspersky caught only 13.14%), which is better? Even if (and it's a big if) Kaspersky's definitions are more up to date, you'll be more likely to be infected if you're running Kaspersky (and just so I'm not picking on Kaspersky, McAfee caught 11.07%, and Avast caught 0%). <-QUOTE}

Where's this data coming from?

flyrfan111
July 13th, 2007, 09:40 AM
Shadowserver

http://www.shadowserver.org/wiki/

vlk
July 13th, 2007, 10:05 AM
{QUOTE-> http://www.shadowserver.org/wiki/ <-QUOTE}

The stats are really hard to believe. For example, out of 482,146 samples scanned during the last month, BitDefender detected ZERO?? ???

Isn't BitDefender known for pretty strong heuristics?


Maybe I just don't know how to interpret the results...:-\

Cheers
Vlk

RejZoR
July 13th, 2007, 10:11 AM
BitDefender detecting none out of 480.000 samples? Pretty much impossible.
With the number of updates they perform and the level of their scan engine (and B-HAVE heuristics, which are top tier btw), I just can't believe it hasn't detected at least one sample, let alone more. Same goes for avast!, even though its scan engine isn't as complex. The number of objects to scan is just too big for such results really...

flyrfan111
July 13th, 2007, 10:15 AM
It is just for 0-day viruses and exploits. Yes, Bitdefender does seem to have strange results; for the year they average over 40%, but daily, weekly and monthly all show 0.

vlk
July 13th, 2007, 10:58 AM
{QUOTE-> It is just for 0 day viruses and exploits. <-QUOTE}

Define Zero Day.

I sent them an email, asking them to enlighten the results a little bit.

My guess is that the files are not unique, i.e. it is possible that the 482,146 samples are in fact only e.g. 10 unique files...;D

In other words, they're testing the same file over and over again - and guess what, the results are always the same...

Cheers
Vlk

Zombini
July 13th, 2007, 11:09 AM
{QUOTE-> I think they are starting to slow down with updates.

I was up to 1:00 AM in the morning in our NOC cleaning the infection off with Symantec. <-QUOTE}

Hell just froze over..;D

nameless
July 13th, 2007, 11:41 AM
{QUOTE-> Again? From the FAQ: http://www.wilderssecurity.com/showpost.php?p=198429&postcount=18 and http://www.wilderssecurity.com/showpost.php?p=1028952 <-QUOTE}
The problem with the links you supply above is that they mention the addition of irrelevant samples (i.e. non-threats and those from VX collectors). But it seems that codpet had quite a problem and delay getting Eset to add detection for W32.SpyBot.Worm. W32.SpyBot.Worm is not irrelevant, and codpet is not a VX collector. S/he may not have had any success at all had s/he not posted here in the forum and asked for advice (something a customer should not have to do). So, from my perspective, while rhetorical arguments in defense of Eset's "prioritization" system may placate the credulous, this experience still shows that it's problematic.

Get
July 13th, 2007, 11:42 AM
{QUOTE-> As the power of the heuristics go down, the relevance of the definitions goes up. <-QUOTE}

Heuristics aren't 100% by a long shot (whatever Shadowserver say), so definitions are very relevant in my opinion. Heuristics have always been a strong point of NOD32, but for some time now the definitions have been going down, so on balance it's going down. When NOD32 scored well in tests it was "great" or "we are the champions :D", and now they fall behind it's "the tests aren't good" or "these figures aren't relevant". I don't like that :-\.

RejZoR
July 13th, 2007, 01:02 PM
Well, if I hear that BitDefender hasn't detected a single sample, I'd doubt such tests too...

PatG
July 13th, 2007, 02:41 PM
I am impressed w/all the updates received from Eset, sometimes 2 and 3 per day. Instead of worrying about whatever someone else's test results are, I'm satisfied that no virus/s has infected my machine in over 2 years and just recently renewed for 2 years more. 8)

Abeltje
July 13th, 2007, 04:08 PM
{QUOTE-> I am impressed w/all the updates received from Eset, sometimes 2 and 3 per day. <-QUOTE}

Update frequency does not impress me, as it says nothing about the quality of the updates. An AV with just 1 update per day but a significantly higher number of detections added would always be my preference.

codpet
July 14th, 2007, 02:42 PM
{QUOTE-> The stats are really hard to believe. For example, out of 482,146 samples scanned during the last month, BitDefender detected ZERO?? ???

Isn't BitDefender known for pretty strong heuristics?


Maybe I just don't know how to interpret the results...:-\

Cheers
Vlk <-QUOTE}

Yes, they are. I believe their heuristics are better than NOD's currently. They picked up several items a day or two before NOD did.

Not to say they are better in all aspects, just this one. I am sure that will change when NOD32 v3.0 comes out.

Togg
July 14th, 2007, 04:33 PM
Much of this thread reminds me of the anxious postings a few weeks ago when NOD32 lost its 'ADVANCED+' rating at Av-comparatives.org and was merely rated as 'ADVANCED' (Shock, Horror!).

If you have a product that works for you and hasn't let you down, what are you going to do? Spend hours scanning all the available tests and 'reviews' and switch to the one that some self-appointed 'expert' decides is the best (this week), or just relax until you have a reason (based on personal experience) to change?

I actually like the GUI, and the modular setup didn't give me any great problems when installing or using it, so I shall be sticking with NOD until some substantive reason turns up to force me to reconsider my choice.

Graphic Equaliser
July 15th, 2007, 08:11 AM
I've given up with NOD32 2.5 - the signatures do not update properly here in London, UK. I'm sticking with the non-signature-based MJ Registry Watcher (http://www.jacobsm.com/mjsoft.htm#rgwtchr) which caught a trojan downloader the other day, when I clicked a link to a php page in Hungary from an email (something about Britney Spears). Note this was not an email attachment, just a simple http url (which I won't cite here for obvious reasons). Here is the log from MJRW :-

=======================================================
** Thursday 5/7/2007 17:21:09 **
Run Keys and Startup Files
Registry Key hkey_local_machine\software\microsoft\windows\currentversion\run
Value erwghjjrjt (S) will be a new value with data
c:\windows\system32\drivers\ucbcg.exe
=======================================================
** Thursday 5/7/2007 17:21:22 **
Change Rejected
=======================================================
** Thursday 5/7/2007 17:21:22 **
Run Keys and Startup Files
Files Added :-
c:\U.exe - Size=19,968 Date=Thu Jul 05 17:21:08 2007 Attributes=---A-

Files Deleted :-
c:\*.exe - No Files Found
=======================================================
** Thursday 5/7/2007 17:21:27 **
MJRW Quarantined File c:\U.exe
=======================================================
** Thursday 5/7/2007 17:21:28 **
General Explorer Settings
Registry Key hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects
Subkey {040FA520-78C6-41ce-81D0-9E733ABC1A29} has been added
Subkey {3F08996E-0A3D-456c-BEEC-9F51B6F614BC} has been added
=======================================================
** Thursday 5/7/2007 17:21:34 **
MJRW Quarantined Subkey {040FA520-78C6-41ce-81D0-9E733ABC1A29}
=======================================================
** Thursday 5/7/2007 17:21:34 **
MJRW Quarantined Subkey {3F08996E-0A3D-456c-BEEC-9F51B6F614BC}
=======================================================
** Thursday 5/7/2007 17:21:35 **
Low-level Drivers and Services
Registry Key hkey_local_machine\system\ControlSet001\services
Subkey runtime has been added
Subkey runtime2 has been added
=======================================================
** Thursday 5/7/2007 17:21:38 **
MJRW Quarantined Subkey runtime
=======================================================
** Thursday 5/7/2007 17:21:38 **
MJRW Quarantined Subkey runtime2
=======================================================
** Thursday 5/7/2007 17:21:39 **
Run Keys and Startup Files
Registry Key hkey_local_machine\software\microsoft\windows\currentversion\run
Value startdrv (S) will be a new value with data
C:\WINDOWS\Temp\startdrv.exe
=======================================================
** Thursday 5/7/2007 17:21:42 **
Change Rejected
=======================================================
** Thursday 5/7/2007 17:26:37 **
Important Executables and Driver Files
Files Added :-
c:\windows\system32\comi.dll - Size=44,167 Date=Thu Jul 05 17:21:11 2007 Attributes=---A-
c:\windows\system32\wetde1.dll - Size=19,541 Date=Thu Jul 05 17:21:11 2007 Attributes=---A-
=======================================================
** Thursday 5/7/2007 17:29:27 **
MJRW Quarantined File c:\windows\system32\comi.dll
=======================================================
** Thursday 5/7/2007 17:29:27 **
MJRW Quarantined File c:\windows\system32\wetde1.dll
=======================================================
** Thursday 5/7/2007 17:29:29 **
Important Executables and Driver Files
Files Added :-
c:\windows\system32\drivers\ucbcg.exe - Size=19,968 Date=Thu Jul 05 17:21:08 2007 Attributes=---A-
=======================================================
** Thursday 5/7/2007 17:29:36 **
MJRW Quarantined File c:\windows\system32\drivers\ucbcg.exe
=======================================================

I submitted ucbcg.exe to VirusTotal (http://www.virustotal.com), and it was not recognised by about half the scanners, including Microsoft, Norman, NAV, AVG and Bitdefender! NOD32 reported it as a possible trojan downloader, and others, like the impressive Sophos detected it despite having signatures that were 2 weeks out of date at the time of the scan. When submitted today, AVG, Bitdefender, and NAV now report it. However, Microsoft and Norman still do not report it. This shows how important the latest signatures are to most signature-based scanners. Since I am not the only one with NOD32 clients who are having trouble getting signature updates, I am no longer recommending NOD32, and am just plugging my own MJRW software.
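
As an added example (not from the post or from MJRW), here is a Python parser that reads the MJRW log format shown above into a timeline and then checks what the dropper attempted, what MJRW rejected or quarantined, and what was left in place. The entry layout is inferred from the excerpt; the event names and field names are this example's own.

```python
"""Parse an MJ Registry Watcher (MJRW) log into an incident timeline. Added example; layout inferred from the log above, event names are mine."""
import re
from dataclasses import dataclass
from datetime import datetime

STAMP_RE = re.compile(r"^\*\* (.+?) \*\*$")           # "** Thursday 5/7/2007 17:21:09 **"
QUARANTINE_RE = re.compile(r"^MJRW Quarantined (?:File|Subkey) (.+)$")
VALUE_RE = re.compile(r"^Value (.+?) \(.*\) will be a new value with data$")
SUBKEY_RE = re.compile(r"^Subkey (.+) has been added$")

@dataclass
class Event:
    when: datetime
    kind: str          # proposed_value | subkey_added | file_added | quarantine | rejected
    key: str = ""      # registry key, lower-cased so paths compare reliably
    target: str = ""   # value name, subkey name or file path (lower-cased)
    data: str = ""     # value data or file metadata

def _parse_block(lines):
    """One separator-delimited log entry -> zero or more events."""
    lines = [ln.strip() for ln in lines if ln.strip()]
    if len(lines) < 2 or not STAMP_RE.match(lines[0]):
        return []
    when = datetime.strptime(STAMP_RE.match(lines[0]).group(1), "%A %d/%m/%Y %H:%M:%S")
    head, rest = lines[1], lines[2:]
    if head == "Change Rejected":                     # MJRW blocked the pending registry write
        return [Event(when, "rejected")]
    if q := QUARANTINE_RE.match(head):
        return [Event(when, "quarantine", target=q.group(1).lower())]
    events, key = [], ""                              # otherwise 'head' names the watch group
    for i, ln in enumerate(rest):
        if ln.startswith("Registry Key "):
            key = ln[len("Registry Key "):].lower()
        elif v := VALUE_RE.match(ln):                 # the value's data is on the following line
            data = rest[i + 1].lower() if i + 1 < len(rest) else ""
            events.append(Event(when, "proposed_value", key, v.group(1), data))
        elif s := SUBKEY_RE.match(ln):
            events.append(Event(when, "subkey_added", key, s.group(1).lower()))
        elif " - Size=" in ln:                        # "Files Added :-" rows; deletions read "No Files Found"
            path, meta = ln.split(" - ", 1)
            events.append(Event(when, "file_added", "", path.lower(), meta))
    return events

def parse_log(text):
    """Split the log on its '=====' separator lines and parse each entry in order."""
    events, block = [], []
    for raw in text.splitlines():
        if raw.strip() and set(raw.strip()) == {"="}:
            events += _parse_block(block)
            block = []
        else:
            block.append(raw)
    return events + _parse_block(block)

def summarize(events):
    """What the dropper attempted, what MJRW did about it, and what was left in place."""
    quarantined = {e.target for e in events if e.kind == "quarantine"}
    return {
        "persistence_keys": sorted({e.key for e in events if e.kind in ("proposed_value", "subkey_added")}),
        "proposed_autoruns": [e.data for e in events if e.kind == "proposed_value"],
        "rejected_changes": sum(e.kind == "rejected" for e in events),
        "quarantined": sorted(quarantined),
        "not_contained": [e.target for e in events if e.kind in ("subkey_added", "file_added") and e.target not in quarantined],
        "seconds_to_last_action": int((events[-1].when - events[0].when).total_seconds()),
    }

# Abridged excerpt of the log posted above; the entry quarantining "runtime2" is left out on purpose so the containment check has a finding.
SAMPLE_LOG = r"""=======================================================
** Thursday 5/7/2007 17:21:09 **
Run Keys and Startup Files
Registry Key hkey_local_machine\software\microsoft\windows\currentversion\run
Value erwghjjrjt (S) will be a new value with data
c:\windows\system32\drivers\ucbcg.exe
=======================================================
** Thursday 5/7/2007 17:21:22 **
Change Rejected
=======================================================
** Thursday 5/7/2007 17:21:22 **
Run Keys and Startup Files
Files Added :-
c:\U.exe - Size=19,968 Date=Thu Jul 05 17:21:08 2007 Attributes=---A-
=======================================================
** Thursday 5/7/2007 17:21:27 **
MJRW Quarantined File c:\U.exe
=======================================================
** Thursday 5/7/2007 17:21:35 **
Low-level Drivers and Services
Registry Key hkey_local_machine\system\ControlSet001\services
Subkey runtime has been added
Subkey runtime2 has been added
=======================================================
** Thursday 5/7/2007 17:21:38 **
MJRW Quarantined Subkey runtime
=======================================================
** Thursday 5/7/2007 17:29:36 **
MJRW Quarantined File c:\windows\system32\drivers\ucbcg.exe
=======================================================
"""
```

Calling `summarize(parse_log(SAMPLE_LOG))` reports both persistence keys touched, one rejected Run-key write pointing at `c:\windows\system32\drivers\ucbcg.exe`, three quarantined items, and `runtime2` as not contained, 507 seconds after the first event.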

The_Duality
July 15th, 2007, 08:42 AM
Odd, I've never had any issues getting NOD's updates... that registry watcher looks interesting though :)

ASpace
July 15th, 2007, 09:06 AM
{QUOTE-> Since I am not the only one with NOD32 clients who are having trouble getting signature updates <-QUOTE}

Perhaps your ISP has problems, or your computer itself. Millions of people worldwide use NOD32 and very few complain, especially about updating.
Eset servers are working very well now:
http://status.nod32usa.com

Marcos
July 15th, 2007, 09:11 AM
{QUOTE-> NOD32 reported it as a possible trojan downloader

Since I am not the only one with NOD32 clients who are having trouble getting signature updates, I am no longer recommending NOD32, and am just plugging my own MJRW software. <-QUOTE}

This sounds to me like a contradiction. You say that NOD32 has reported a trojan downloader and then you ceased recommending NOD32 ;) I've always thought that the primary task of an antivirus is to catch and block malware, and not to let it in.

The_Duality
July 15th, 2007, 09:18 AM
{QUOTE-> This sounds to me like a contradiction. You say that NOD32 has reported a trojan downloader and then you ceased recommending NOD32 ;) I've always thought that the primary task of an antivirus is to catch and block malware, and not to let it in. <-QUOTE}

I don't think he is doubting NOD's detection ability; he is stating that he, and others, have had problems obtaining updates. Whilst I, myself, have not had any problems, an issue does obviously exist somewhere.

Londonbeat
July 15th, 2007, 09:48 AM
Apologies if this is a bit off topic, but there has been a big spamming of Trojan Small/Tibs last week with links to download ecard.exe (and as of this weekend now new patch.exe) see castlecops discussion (http://www.castlecops.com/t193968-Ecard_exe_Malware.html).

When accessing most of these links, if I click to download the file IMON jumps in saying "Probably a variant of Win32/Statik trojan", but if you tell IMON to ignore, or have IMON switched off, neither AMON nor on-demand show any detection of the file, even with Advanced Heuristics enabled.

I was wondering why IMON is detecting these but AMON/on-demand is not. FWIW, I submitted one of the first I received in my inbox to samples @ eset.com last week (still not detected - File size: 133963 bytes. MD5: c43175ea2aa792c15e655775c79b9c06) and IMON also warns about this but once downloaded AMON and on-demand remain silent.

Does IMON receive same definitions as AMON and on-demand?

ASpace
July 15th, 2007, 10:03 AM
I guess the reason is that the file is somehow packed; AMON and the on-demand scanner cannot unpack this upon creation, and that's why they cannot see what is in the file. IMON can because it is scanning bit per bit while downloading. I'm sure if you run the file AMON will pop up immediately.

Graphic Equaliser
July 15th, 2007, 12:22 PM
{QUOTE-> I don't think he is doubting NOD's detection ability; he is stating that he, and others, have had problems obtaining updates. Whilst I, myself, have not had any problems, an issue does obviously exist somewhere. <-QUOTE}

I was stating how important signature updates obviously are for signature-based virus detection. When the updates are not coming through (for whatever reason) then it is of paramount importance that alternative methods for acquiring the updated signatures are available. With Eset NOD32, I am in the dark as to what to do to get these updates. Any ideas anyone? A link to a manual download place perhaps?

ratchet
July 15th, 2007, 12:43 PM
So, all of this begs two questions: What is the difference between trojan, worm and virus? Along with using NOD for almost four years, two years ago, when trojans and worms seemed to be some new kind of malware, I purchased ewido (now AVG A-S) and continue to renew it. I also run Spy Sweeper and freewares BOClean and Windows Defender, all running processes with no conflicts or performance loss that I can discern. Second question: are any of these "late" definitions to NOD perhaps being downloaded to my anti-spyware products, or are we dealing with a completely different set of malware than NOD is supposed to be protecting my pc from? By the way, I've never had any kind of malware!

lucas1985
July 15th, 2007, 01:18 PM
{QUOTE-> What is the difference between trojan, worm and virus? <-QUOTE}
See here (http://www.viruslist.com/en/virusesdescribed) :)

nonmirecordo
July 15th, 2007, 01:43 PM
{QUOTE-> By the way, I've never had any kind of malware! <-QUOTE}
As far as you know ;D

This truism was pointed out to me (here, I think) when I made a similar boast having used NOD for over six years.

Marcos
July 15th, 2007, 02:33 PM
{QUOTE-> I was stating how important signature updates obviously are for signature-based virus detection. When the updates are not coming through (for whatever reason) then it is of paramount importance that alternative methods for acquiring the updated signatures are available. With Eset NOD32, I am in the dark as to what to do to get these updates. Any ideas anyone? A link to a manual download place perhaps? <-QUOTE}

There are no known problems with the update servers. If you are having a problem, I'd suggest that you contact your local NOD32 distributor or directly Eset's support at support[at]eset.com.

Graphic Equaliser
July 16th, 2007, 04:40 AM
I'll ask again. Is there a site I can download the latest signatures from so I can install them manually? If not, then I am at the mercy of a faulty updater embedded in NOD32 itself.

Marcos
July 16th, 2007, 05:28 AM
Virus definitions can only be downloaded via the NOD32 Control Center. The administrator version of NOD32 allows the user to create a so-called mirror which can be transferred to other computers by any means (e.g. a USB key, CD, etc.). If you are having a problem downloading virus definitions via the Control Center, please contact Eset's support as advised above.

twl845
July 16th, 2007, 07:21 AM
{QUOTE-> Perhaps your ISP has problems, or your computer itself. Millions of people worldwide use NOD32 and very few complain, especially about updating.
Eset servers are working very well now:
http://status.nod32usa.com <-QUOTE}

Actually frequent updating was one of the main reasons I switched to NOD32. My previous AV only updated every few days. Now I usually get an update on boot up, and then periodically throughout the day.:)

RejZoR
July 17th, 2007, 03:40 AM
{QUOTE-> I guess the reason is that the file is somehow packed; AMON and the on-demand scanner cannot unpack this upon creation, and that's why they cannot see what is in the file. IMON can because it is scanning bit per bit while downloading. I'm sure if you run the file AMON will pop up immediately. <-QUOTE}

Actually, that's not true. Even if you scan the file bit per bit, you still have to wait till the very end for the last bits of the file and then finish scanning and show the final summary. This only works for pure signatures; for emulation and such you need the entire file. And scanning bit per bit won't make scanning any more thorough.
The file is still the same, you just don't have it in one piece. So technically scanning is actually LESS thorough this way (if you don't wait till the end, which would be a quite stupid thing to do). NOD32 doesn't do that anyway, as it always scans the file when the browser or downloader actually finishes it (this means it received all the file bits).

Kosak
July 27th, 2007, 08:18 AM
I am a very big ESET fan and I want to help them.

I sent several samples to ESET ---> samples[at]eset.sk. E.g. Generic5.HJF (AVG); TR/Radar.C (Avira); a variant of Win32/TrojanDownloader.Small.NUS (NOD32); Trojan-Downloader.Win32.Agent.avr (Ikarus); Generic5.ILD (AVG); Generic5.CKH (AVG) and some possible threats detected by the heuristics of other products (they can be false alerts). It was from the 18th to the 25th of July. I wrote "urgent cases" and the date of sending these samples. I added Virus Total logs to each file. Sorry, but at first I sent clean files too (.txt and .nfo), because they were in the archives and I forgot to delete them. And some of the files are in the archives more than once.

When will you add these samples to the database? You only added Win32/Adware.Virtumonde and Win32/TrojanDropper.Small.NGC from my threats, but these samples were detected by heuristics as a variant of Win32/TrojanDownloader.Small.NUS before. I think that at first you should add unknown threats, and give lower priority to threats already detected by heuristics.

(sorry, I am only a student of English :) )

ASpace
July 27th, 2007, 10:12 AM
@aviro901

Dealing with new samples
http://www.wilderssecurity.com/showthread.php?t=178177

:thumb:

Pru
July 27th, 2007, 12:07 PM
I too am disappointed in NOD32's detection rates these days, especially considering I just upgraded our company to it.

In the past couple of weeks, three trojan viruses have slipped right by it even though my signatures are up-to-date. This morning bsaver.scr slipped by which is the Agent.brk trojan downloader. Luckily we are small enough that I have personally trained our users not to touch attachments like that. I verify my results by uploading the viruses to sites like virustotal.com. Admittedly, I am not actually executing these viruses, but NOD32's heuristic scanner is not detecting them.

I appreciate the need for getting samples but I thought I was paying for ESET to do this work? It's easy to set up a virus sample shop. Just get a website that ranks well in Google and put several e-mail addresses on it. Monitor those e-mail addresses for spam and you'll soon be getting fresh virus samples.

Honestly, I would hesitate to recommend NOD32 to people anymore just based on my recent experiences. I really like its speed and efficient design, but ultimately all that matters is whether it stops the newest viruses sooner and better than the competition, even if it costs me extra CPU cycles. It does not appear to be doing that lately.

ASpace
July 27th, 2007, 12:13 PM
Hi !

{QUOTE-> In the past couple of weeks, three trojan viruses have slipped right by it even though my signatures are up-to-date <-QUOTE}

In case you suspect malware not detected by NOD32, contact Eset Technical Support for help:
Eset HQ Slovakia support@eset.com
Eset Worldwide http://www.eset.eu/partners :thumb:

Marcos
July 27th, 2007, 12:18 PM
{QUOTE-> I too am disappointed in NOD32's detection rates these days, especially considering I just upgraded our company to it.
<-QUOTE}

Well, NO AV is 100% PERFECT and my experience is different. For instance, we are receiving thousands of rootkit variants on a daily basis that are, besides NOD32, detected only by Antivir ;)

Bear in mind that we receive dozens of thousands of samples on a daily basis, so we must set priorities for adding signatures or making improvements to AH. You cannot expect an AV to detect even 99% of all threats in a day, needless to say that 100% detection is simply impossible.

Having explained this and to prevent further bashing/ranting, I'll draw this thread to a close now.