Latest AV-comparatives.org test results (was: latest test results for Nod32)
Edwin024
November 30th, 2004, 05:22 AM
www.av-comparatives.org have just released their latest retrospective/proactive test and NOD32 comes out as the Number One. Congratulations to Eset!
eisefr
November 30th, 2004, 05:31 AM
49%... best result.. but is that really good? :-\
Blackspear
November 30th, 2004, 05:40 AM
{QUOTE-> 49%... best result.. but is that really good? :-\ <-QUOTE}
100% of In The Wild is damn good in my opinion, nearest competitor was a mere 25%
Cheers ;D
Edwin024
November 30th, 2004, 05:43 AM
I totally agree!
And I think it is not so often that KAV is beaten in honest tests ;)
By the way: the NOD32 version that was tested was older than the one we have now. So I guess that tested with the latest version the rates would have been even higher, because Eset has added quite a few nasties in the latest signature versions.
Blackspear
November 30th, 2004, 05:51 AM
{QUOTE-> I totally agree!
And I think it is not so often that KAV is beaten in honest tests ;)
By the way: the NOD32 version that was tested was older than the one we have now. So I guess that tested with the latest version the rates would have been even higher, because Eset has added quite a few nasties in the latest signature versions. <-QUOTE}Yes, it will be interesting to see the next set of tests. This should use the latest version 2.12.3 and would also use the latest improvement in heuristics for Trojans, added last week.
Cheers ;D
eisefr
November 30th, 2004, 05:56 AM
ITW stands for 'In the wild'.
I am not sure if I understand exactly what that means. Are those 'unknown' viruses?
Pilli
November 30th, 2004, 06:00 AM
And look how much ESET has improved now for zoo Trojan detection, I'm impressed :)
Blackspear
November 30th, 2004, 06:04 AM
{QUOTE-> ITW stands for 'In the wild'.
I am not sure if I understand exactly what that means. Are those 'unknown' viruses? <-QUOTE}ITW indeed stands for In the Wild; it is determined according to standards found here: http://www.wildlist.org/wild_desc.htm
{QUOTE-> And look how much ESET has improved now for zoo Trojan detection, I'm impressed :) <-QUOTE}So am I ;D
Cheers ;D
dvk01
November 30th, 2004, 06:27 AM
The problem, with retrospective tests is in the interpretation
On the face of it NOD did much better than the others, BUT when you read the small print you see that the test was done with "new" viruses that were not around when the original tests were done, and they use the viral databases from the date several months previously
NOD has very good heuristics so I assume that it was the heuristics that detected the new viruses and I'm very pleased that NOD can do this whereas KAV & other rely on signatures and NO antivirus can possibly detect by signature of a virus that didn't even exist when the original database was issued
I am not knocking Nod's achievement in this, but the test results need careful looking at, and a fairer comparison is the standard tests on that site, not the retrospective ones
If the tests were done with "todays" databases and it was a retest to see what was improved in the AV's since the original test then I would be over the moon with NOD's results as it is I take them with a pinch of salt as they have little or no relevance to the real world and the protection of your computer
I think this needs moving to other antiviruses rather than the NOD forum as it will no doubt result in a discussion of all antiviruses rather than a NOD support issue so I will move it accordingly
Edwin024
November 30th, 2004, 06:30 AM
Ate a lemon or two before writing this "oh so not biased piece"?
And I wrote this for the NOD32 Forum because it is the latest result of NOD32 that i was pointing too. Strange that any mod can do this...
BlueZannetti
November 30th, 2004, 06:32 AM
{QUOTE-> I totally agree!
And I think it is not so often that KAV is beaten in honest tests ;)
By the way: the NOD32 version that was tested was older than the one we have now. So I guess that tested with the latest version the rates would have been even higher, because Eset has added quite a few nasties in the latest signature versions. <-QUOTE}
Edwin024,
I agree, an exceptional test result by NOD32 and a couple others.
But remember this is the retrospective test that, by design, uses signatures/program updates that date from the start of the retrospective period, which should be August (can only access the online results - getting a decrypt error for the pdf files).
So, using an August update, malware samples collected between August and October (for ITW) and November (for zoo) were scanned. The test is basically saying that NOD32 correctly flagged 49% of the samples presented to it in this test - all of which were unknown to NOD32 at the time the update used was created.
This is a basic test of ability to handle day zero situations - new malware. Improvements seen in a newer test of this type would reflect improvements in the heuristic analysis.
The complete view of an AV really comes by looking at both the retrospective and demand style tests published by av-comparatives.org/ (http://www.av-comparatives.org/). They quantify different aspects of AV performance. For all of us, both traits are important. NOD32 is a very solid performer on both counts
Blue
dvk01
November 30th, 2004, 06:42 AM
{QUOTE-> Ate a lemon or two before writing this "oh so not biased piece"?
And I wrote this for the NOD32 Forum because it is the latest result of NOD32 that i was pointing too. Strange that any mod can do this... <-QUOTE}
From previous experience any comparative test is not suitable for a support forum, because 9 times out of 10 it degenerates into a slanging match saying "oh but XXX missed this one" and so on
I use NOD and am very happy with it, and am pleased that if those malwares were around in the previous months then NOD would have detected and protected me, but on this forum we have a reputation for straight talking and pointing out the facts in an unbiased and fair manner
It is unfair to anybody just looking at the results and by having a quick glance saying Oh NOD is perfect and found 100% but the others didn't
When you have pointed out that it is a retrospective test and pointed out what that implies, then the viewer is able to compare more fairly. Your comments in post #4 suggest that you had misinterpreted the results, as anybody having a casual look at them could do. That is why I felt I had to point out the way that a retrospective/proactive test works, and am sorry if you feel offended by pointing out the truth
dvk01
November 30th, 2004, 06:52 AM
To make it very clear the test used an antivirus database dated 8th JUNE 2004 to detect malware that was FIRST discovered between 6th August and 6th November 2004
Once that part is pointed out yes NOD did very well but it doesn't mean that the others failed the test just that they didn't recognize malware that didn't exist at the time
NOD's advanced Heuristics are to be congratulated on this as IF the malware had been around then NOD users would have been protected
Blackspear
November 30th, 2004, 07:20 AM
Dvk01, I know exactly what you are saying, but at the end of the day if Nod32 wins by the use of Heuristics or a fly swatter, it is just getting the job done, and in doing so, it's that little bit better. The others I think will eventually have to follow suit, or find a way like Process Guard does with preventing dll injections of Trojans...
Cheers ;D
dvk01
November 30th, 2004, 07:32 AM
{QUOTE-> Dvk01, I know exactly what you are saying, but at the end of the day if Nod32 wins by the use of Heuristics or a fly swatter, it is just getting the job done, and in doing so, it's that little bit better. The others I think will eventually have to follow suit, or find a way like Process Guard does with preventing dll injections of Trojans...
Cheers ;D <-QUOTE}
I am extremely happy with NOD and use it on one of my computers, I have KAV on the other and they are networked so both can scan each other and cross check
NOD is absolutely brilliant on the Heuristic front whereas KAV is better on getting out detections for new malware very quickly
I rarely see NOD making any errors in Heuristic detection, but it can and does happen, so to rely solely on heuristics to keep ahead of the rest is dangerous
Unfortunately many of the new malwares cannot be detected heuristically as they are so similar to genuine legitimate applications that if any AV set the heuristic detection to grab them all we would be unable to use our computers at all.
What all the AV's need is an unknown process block like PG has so nothing new is allowed to run without the user allowing it
That would stop all new baddies; however, that has its own problems, and we all know the user who just blindly allows everything or turns off that part to stop the "annoying" warnings and complains that his firewall/antivirus let the virus through
Edwin024
November 30th, 2004, 07:39 AM
Use NOD32 with a good AT program and it is probably the very best around. I have NOD32 with Giant anti-spyware, Ewido and Ad-Aware. Still no slow down of the system.
Which was different by the way when i used this quartet with TDS-3 instead of Ewido.
IBK
November 30th, 2004, 08:02 AM
{QUOTE-> To make it very clear the test used an antivirus database dated 8th JUNE 2004 to detect malware that was FIRST discovered between 6th August and 6th November 2004 <-QUOTE}
Uff, no not 8 June! 6/8/2004 is english date format! all 8.August of course ;-)
Blackspear
November 30th, 2004, 08:04 AM
{QUOTE-> Uff, no not 8 June! 6/8/2004 is english date format! all 8.August of course ;-) <-QUOTE}LOL finally a website that uses the true format ;) ;D Ohhhh I'm liking it even more ;D
;D ;D ;D
Firefighter
November 30th, 2004, 08:05 AM
{QUOTE-> ItW stands for 'In the wild'.
I am not sure if I understand exactly what that means. Are those 'unknown' viruses? <-QUOTE}No, ItW is just the opposite of unknown viruses; they are all collected into one report made each month, and they are spreading (mostly in corporate environments!).
Best regards,
Firefighter!
dvk01
November 30th, 2004, 08:09 AM
{QUOTE-> Uff, no not 8 June! 6/8/2004 is english date format! all 8.August of course ;-) <-QUOTE}
My apologies but on the online results page it gives an antivirus database date as varying between 02.05.2004 to 02.06.04 and in the pdf it states 6th August
So I accept the 6th August
Blackspear
November 30th, 2004, 08:21 AM
{QUOTE-> My apologies but on the online results page it gives an antivirus database date as varying between 02.05.2004 to 02.06.04 and in the pdf it states 6th August
So I accept the 6th August <-QUOTE}Did you read the right test?
* = new ITW-samples appeared during the 6. August and the 6. October
http://www.av-comparatives.org/seiten/ergebnisse_2004_11.php
Cheers ;D
Firefighter
November 30th, 2004, 08:28 AM
{QUOTE-> And look how much ESET has improved now for zoo Trojan detection, I'm impressed :) <-QUOTE}Av-Comparatives used the same scanning engines in BitDefender, DrWeb, McAfee, and NOD also in their 05-2004 test, so how can some product make improvements in heuristics tests, or were the samples just now more or less different in their character?
PS. BitDefender and NOD raised their scores while DrWeb and McAfee dropped down after the 05-2004 test. KAV had a new engine. In summary, both tests of Av-Comparatives, 05 and 11-2004, are right in their own way concerning the products mentioned above; just the rankings vary, as everything does in real life.
Best regards,
Firefighter!
dvk01
November 30th, 2004, 08:31 AM
yep http://www.av-comparatives.org/seiten/ergebnisse_2004_11.php
Version of engine / signature 6.26.0.10 0432-2 N/A 4.30.0 3.15.1 7.100 (951) N/A 4.3.20 / 4383 1.835 60804ah N/A 8.11 2.20
Date of signature 08/06/2004 08/04/2004 08/06/2004 08/06/2004 08/06/2004 08/04/2004 08/06/2004 08/04/2004 08/06/2004 08/04/2004 08/06/2004 08/05/2004 08/06/2004
It just gets confusing for us poor Europeans when we are confronted by the American way of expressing dates
Everywhere else in the world puts the day before the month except the Americans and it is extremely confusing
That is why I always write the date in words now when dealing with international forums
IBK
November 30th, 2004, 08:44 AM
{QUOTE->
Everywhere else in the world puts the day before the month except the Americans and it is extremely confusing
That is why I always write the date in words now when dealing with international forums <-QUOTE}
Yeah, initially it was confusing also for me ;-). I had to change it to this style because most AV companies said that the month/day/year is the standard format. Now the problem is the users who bombard me with mails asking why all AVs have different signature dates :-P, but after some time they understand it like all the others.
yeuxbleus
November 30th, 2004, 09:00 AM
Can I ask a stupid question? If NOD32 did well with just using heuristics, why didn't it do as well in the previous test, August 2004, where I assume heuristical and signature based techniques were employed? Were heuristics turned off during those tests? Please, don't get me wrong, I think NOD32 is a fantastic AV! ;)
OT: BTW, I agree that the most logical way of stating the date is day-month-year.
IBK
November 30th, 2004, 09:09 AM
No, the settings are the same (best possible). Heuristics/generic detection can not find everything. E.g. KAV is fast in releasing signatures for samples they receive, so if samples are known or old, KAV scores better in the August test. I understand your question, but atm I am busy with finishing a document, so I dunno how to explain it better in English in a short time. (If others can, you are welcome ;). In some hours another additional document will be on the website...
dvk01
November 30th, 2004, 09:12 AM
{QUOTE-> Can I ask a stupid question? If NOD32 did well with just using heuristics, why didn't it do as well in the previous test, August 2004, where I assume heuristical and signature based techniques were employed? Were heuristics turned off during those tests? Please, don't get me wrong, I think NOD32 is a fantastic AV! ;)
OT: BTW, I agree that the most logical way of stating the date is day-month-year. <-QUOTE}
OK, to summarize
This isn't a full test but it is a quick test that looks at some samples of new malware that was discovered between 6th August and 6th November 2004
It uses the viral databases and Antivirus programs from 6th August even though the test was actually performed in early November
So the idea of the test is to see if any of the antiviruses using the old virus definition files and old program versions that were actually used in the original August tests would have detected these new malwares if they had been circulating at the time that the original tests were done
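The scoring logic dvk01 describes (signatures frozen at one date, only samples first seen after that date count, ITW and zoo windows ending in October and November), as an added example that is not part of the thread or of av-comparatives' own method. The `Sample` records, their names and dates are constructed; `parse_signature_date` also shows the month-first/day-first ambiguity the thread stumbled over.

```python
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Sample:
    name: str           # constructed label, not a real malware name
    first_seen: date    # date the sample was first discovered
    in_the_wild: bool   # True if on the WildList (ITW), False if zoo-only
    detected: bool      # whether the frozen-signature scanner flagged it


def parse_signature_date(text: str, month_first: bool) -> date:
    """Parse a signature date such as '08/06/2004'.

    The format has to be stated explicitly: read month-first (US style)
    it is 6 August 2004, read day-first it is 8 June 2004.
    """
    fmt = "%m/%d/%Y" if month_first else "%d/%m/%Y"
    return datetime.strptime(text, fmt).date()


def retrospective_samples(samples, signature_date, period_end, in_the_wild):
    """Select the samples that count in a retrospective test.

    A sample counts only when it was first seen after the signature date
    (so no signature for it could have existed), no later than the end of
    the test period, and when it belongs to the requested class.
    """
    return [
        s for s in samples
        if s.in_the_wild == in_the_wild
        and signature_date < s.first_seen <= period_end
    ]


def proactive_rate(samples, signature_date, period_end, in_the_wild):
    """Return (detected, total, percentage) for one sample class."""
    counted = retrospective_samples(samples, signature_date, period_end, in_the_wild)
    hits = sum(1 for s in counted if s.detected)
    pct = round(100.0 * hits / len(counted), 1) if counted else 0.0
    return hits, len(counted), pct


# Constructed test set; the dates follow the thread's windows but the
# samples and verdicts are made up for illustration.
SIGNATURE_DATE = parse_signature_date("08/06/2004", month_first=True)  # 6 Aug 2004
ITW_PERIOD_END = date(2004, 10, 6)
ZOO_PERIOD_END = date(2004, 11, 6)

SAMPLES = [
    Sample("itw-a", date(2004, 8, 20), True, True),
    Sample("itw-b", date(2004, 9, 3), True, True),
    Sample("itw-c", date(2004, 9, 28), True, False),
    Sample("itw-d", date(2004, 10, 5), True, True),
    Sample("itw-old", date(2004, 7, 15), True, True),    # predates the signatures: excluded
    Sample("zoo-a", date(2004, 8, 9), False, True),
    Sample("zoo-b", date(2004, 9, 1), False, False),
    Sample("zoo-c", date(2004, 10, 20), False, False),
    Sample("zoo-d", date(2004, 11, 2), False, True),
    Sample("zoo-late", date(2004, 11, 20), False, True),  # after the zoo window: excluded
]


def scorecard(samples=SAMPLES, signature_date=SIGNATURE_DATE):
    """Proactive detection summary in the ITW / zoo split used by the test."""
    return {
        "ITW": proactive_rate(samples, signature_date, ITW_PERIOD_END, True),
        "zoo": proactive_rate(samples, signature_date, ZOO_PERIOD_END, False),
    }


if __name__ == "__main__":
    for label, (hits, total, pct) in scorecard().items():
        print(f"{label}: {hits}/{total} detected proactively ({pct}%)")
```

Reading the same signature date day-first (8 June) silently pulls the July sample into the window and changes the ITW rate, which is exactly the mix-up the thread went through.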
IBK
November 30th, 2004, 09:18 AM
The goal of the test is e.g. to see the pure proactive detection capability: how reliable scanners are at discovering viruses/malware before they are known to the AV companies (before they have released a signature for them).
dvk01
November 30th, 2004, 09:22 AM
Andreas
When you do the next set of tests will you consider a few additional antiviruses
I would suggest AVG, as it is the most popular free one, and that would make a very interesting comparison between the well-established paid-for AVs and a free one, whether it actually does protect as well as many people think it does
Q Section
November 30th, 2004, 09:26 AM
Not to hijack this thread but we use for example today's date as 30 NOV 04 or 30NOV04. Any question on which is what?
IBK
November 30th, 2004, 09:30 AM
{QUOTE-> Andreas
When you do the next set of tests will you consider a few additional antiviruses
I would suggest AVG as it is the most popular free one and that would make very interesting comparison between the well established paid for AV's and a free one whether it actually does protect as well as many people think it does <-QUOTE}
Yes, AVG will very probably be included in the tests of 2005 (as you can read on the website). It was not tested before because some conditions were not fulfilled and I also missed e.g. the permission from Grisoft.
RejZoR
November 30th, 2004, 09:45 AM
I just hope we will be finally able to see complete comparison between free AVs.
Firefighter
November 30th, 2004, 10:14 AM
{QUOTE-> The goal of the test is e.g. to see the pure proactive detection capability: how reliable scanners are at discovering viruses/malware before they are known to the AV companies (before they have released a signature for them). <-QUOTE}Is it possible to scan with NOD by using that "without signatures but Advanced Heuristics enabled" option also, just to check how many hidden, not published infections there are in the AVs' databases?
I don't want to attack NOD now in this case, but only with NOD is it possible to check. It's sad that only NOD has this option available in their GUI to check how heuristics work!
Best regards,
Firefighter!
no13
November 30th, 2004, 10:34 AM
Post no 28 {QUOTE-> The goal of the test is e.g. to see the pure proactive detection capability: how reliable scanners are at discovering viruses/malware before they are known to the AV companies (before they have released a signature for them). <-QUOTE}
So the latest test produces pure heuristic results, yes?
hmm. Nice.
IBK
November 30th, 2004, 10:37 AM
{QUOTE-> Post no 28
So the latest test produces pure heuristic results, yes?
hmm. Nice. <-QUOTE}
no. generic techniques also.
no13
November 30th, 2004, 10:47 AM
Is there an underlying difference? On the surface they appear to be same.
IBK
November 30th, 2004, 10:55 AM
the difference is little, but I would not call it a pure heuristic test. Some scanners claim to have a heuristic, but in reality they mean generic detections; generic detection is some kind of heuristic, but not a real heuristic like e.g. norman, mks_vir, drweb, nod32, etc. have.
IBK
November 30th, 2004, 11:12 AM
I just want to inform everyone that since some minutes there is a new link on the website: http://www.av-comparatives.org/forum
I hope you like it.
no13
November 30th, 2004, 11:13 AM
{QUOTE-> generic detection is some kind of heuristic, but not a real heuristic like e.g. norman, mks_vir, drweb, nod32, etc. has. <-QUOTE}
I'm afraid I don't understand.
Does it mean limited heuristics based on past experiences with signatures? While heuristics means full blown attempts to discover all remote possibilities of *virus-like* activities?
???
November 30th, 2004, 11:13 AM
I cannot read the test because the .pdf documents won't open on my machine. I have tried two .pdf viewers called Jaws and Foxit. I will not install Adobe because of certain well-known security problems.
Please help, IBK.
TIA, ntl
IBK
November 30th, 2004, 11:17 AM
This time the PDFs are encrypted with Adobe Acrobat 6.0, so you will need the latest version in order to open the PDF (reason: also for security reasons :-P). I did not have time to check, but I think it should be possible to open it with Acrobat if you install the latest version. Install Adobe and then uninstall it if there is no other possibility :-(
If any other persons have solutions ready, post it!
???
November 30th, 2004, 11:26 AM
@IBK
I do not believe that this inconvenient encryption will solve your security problems. It is still possible to make a screenshot of your report. (And if you have not disabled "printing" the entire encryption is worthless.)
I do not understand why you are so terribly afraid of being copied by someone. Isn't it more important to maximize the number of your readers?
Also the following "security measure" seems a little bit harsh:
"there is a huge list of IP addresses and IP ranges on a blacklist ...
Due this long list, it can sometimes happen that even if you are totally innocent you are banned from this forum ... In that case you could try to change your IP, but if the problem persists, forget this forum - sorry. Please do not bother me about this and do not ask me for unbans, as such mails etc. will be (most probably) ignored."
Anyway, would love to read your interesting test...
ntl
no13
November 30th, 2004, 11:27 AM
{QUOTE-> I cannot read the test because the .pdf documents won't open on my machine. I have tried two .pdf viewers called Jaws and Foxit. I will not install Adobe because of certain well-known security problems. <-QUOTE}
weren't there s'posed to be online PDF conversion tools???
What *well known* problems?
RejZoR
November 30th, 2004, 11:31 AM
PDF can only be opened with Adobe Reader (it's the best known PDF viewer anyway). I don't know where you heard about Adobe Reader security risks.
???
November 30th, 2004, 11:32 AM
http://channels.lockergnome.com/news/archives/20040713_adobe_reader_60_filename_handler_buffer_overflow_vulnerability.phtml
“Exploitation of a buffer overflow vulnerability in Adobe Reader 6.0 could allow remote attackers to execute arbitrary code….Successful exploitation allows an attacker to execute arbitrary code under the privileges of the local user. Remote exploitation is possible by sending a specially crafted e-mail and attaching the malicious PDF document….iDEFENSE has confirmed that Adobe Acrobat Reader version 6.0.1 is vulnerable. It is suspected that other versions of Adobe Acrobat Reader are vulnerable as well. Adobe Acrobat may also be vulnerable.”
Mikky
November 30th, 2004, 11:47 AM
Another typical post from the NOD users appreciation society.
no13
November 30th, 2004, 11:50 AM
{QUOTE-> http://channels.lockergnome.com/new...erability.phtml
“Exploitation of a buffer overflow vulnerability in Adobe Reader 6.0 could allow remote attackers to execute arbitrary code….Successful exploitation allows an attacker to execute arbitrary code under the privileges of the local user. Remote exploitation is possible by sending a specially crafted e-mail and attaching the malicious PDF document….iDEFENSE has confirmed that Adobe Acrobat Reader version 6.0.1 is vulnerable. It is suspected that other versions of Adobe Acrobat Reader are vulnerable as well. Adobe Acrobat may also be vulnerable.” <-QUOTE}
I think a firewall would help.
Now will some one get us back on topic?
{QUOTE-> {QUOTE-> generic detection is some kind of heuristic, but not a real heuristic like e.g. norman, mks_vir, drweb, nod32, etc. has. <-QUOTE}
I'm afraid I don't understand.
Does it mean limited heuristics based on past experiences with signatures? While heuristics means full blown attempts to discover all remote possibilities of *virus-like* activities? <-QUOTE}
IBK
November 30th, 2004, 11:56 AM
Yes, no13, I think you can say something like that, correct. ;)
dvk01
November 30th, 2004, 12:01 PM
{QUOTE-> I'm afraid I don't understand.
Does it mean limited heuristics based on past experiences with signatures? While heuristics means full blown attempts to discover all remote possibilities of *virus-like* activities? <-QUOTE}
As far as I see it, with various antivirus applications heuristics are checking for virus-like activity and behaviour, which is why there is normally a high risk of false positives
Whereas generic detection is signature based, but rather than a specific signature for, as an example, AGOBOT.aa, it will detect all agobot versions based on a wide-ranging signature but wouldn't be able to tell which version of agobot, just that it is agobot, as KAV does with certain malwares until it gets copies to include
So similar but not the same
richrf
November 30th, 2004, 01:54 PM
I would say that NOD32 did extremely well on this test. It would be nice to see the programs tested against non-viral situations in order to determine the extent they are sensitive to false positives. Pest Patrol is an example of a program that is very painful to use because of FPs.
However, it is nice to know that NOD32 can detect new viruses with a good amount of reliability and I probably will use it as a backup scanner to KAV. I still like KAV's overall coverage based upon what I have experienced on my own machine and what appears on viruscan.jotti when I visit it from time to time. Still, the site proclaims that there are viruses that get by all of the scanners on any given day, so a complete solution may be out of reach. I am hopeful that the combination of KAV, NOD32, and ProcessGuard is more than enough. However, I would feel even better if I could finally find a reliable image copy program for XP. ;) I am confounded that there are so many ATs and AVs, yet it is so difficult to find a good image copy program. Well, c'est la vie.
Rich
Starrob
November 30th, 2004, 03:01 PM
KAV, NOD32, and PG seems to me a very powerful combination. PG would block most trojans, rootkits, and keyloggers and KAV and NOD32 would perform mop up duty. That is not the combination on my computer but it would be good enough for me.
Only other thing that might be good is something to monitor the registry.
Starrob
{QUOTE-> I would say that NOD32 did extremely well on this test. It would be nice to see the programs tested against non-viral situations in order to determine the extent they are sensitive to false positives. Pest Patrol is an example of a program that is very painful to use because of FPs.
However, it is nice to know that NOD32 can detect new viruses with a good amount of reliability and I probably will use it as a backup scanner to KAV. I still like KAV's overall coverage based upon what I have experienced on my own machine and what appears on viruscan.jotti when I visit it from time to time. Still, the site proclaims that there are viruses that get by all of the scanners on any given day, so a complete solution may be out of reach. I am hopeful that the combination of KAV, NOD32, and ProcessGuard is more than enough. However, I would feel even better if I could finally find a reliable image copy program for XP. ;) I am confounded that there are so many ATs and AVs, yet it is so difficult to find a good image copy program. Well, c'est la vie.
Rich <-QUOTE}
Firefighter
November 30th, 2004, 03:31 PM
{QUOTE-> 100% of In The Wild is damn good in my opinion, nearest competitor was a mere 25%
Cheers ;D <-QUOTE} 8 samples don't prove very much; there were also 8 macro viruses, where NOD scored 0. When I scanned my 236 macro viruses, NOD, without signatures but with Advanced Heuristics on, scored 209, which was 88.6 %.
Best regards,
Firefighter!
IBK
November 30th, 2004, 03:50 PM
but the difference is that those 8 are officially on the Wildlist while the 8 macros are not. There are only 8 because only 8 new ITW samples appeared. I think it is clear enough.
Firefighter
November 30th, 2004, 04:01 PM
{QUOTE-> but the difference is that those 8 are officially on the Wildlist while the 8 macros are not. There are only 8 because only 8 new ITW samples appeared. I think it is clear enough. <-QUOTE}If I made a scan with NOD using Advanced Heuristics only, without signatures at all, what's the difference to this heuristics test? Aren't all those files new to the program in this option?
Best regards,
Firefighter!
IBK
November 30th, 2004, 04:06 PM
I think I or you miss the point. Or at least I am now too tired to understand how you mean it. I do not understand why you want to use AH only, for example. I mean, what is the question?
_Maybe_ I understood now what you mean: dunno what the difference would be, I did not try to use only the AH. Probably no difference, yeah. But the other programs do not have this option, so what is the purpose of your question?
Firefighter
November 30th, 2004, 04:23 PM
{QUOTE-> I think I or you miss the point. <-QUOTE}Just read my post 52 again! 8 isn't so much to make further conclusions from, detected or not, as I showed in my own scan without signatures against 236 macros.
Best regards,
Firefighter!
IBK
November 30th, 2004, 04:30 PM
I think now I probably understood what you mean. But I still remain of the opinion that the detection of the 8 ITW samples is more important than the detection of 8 macro samples that are not ITW. The 8 ITW samples were really spreading out there, and those that used e.g. NOD32 would be safe against them even if they had not updated their AV for a long time, or in a day-zero situation. The 8 macros are so far not spreading and most probably only in the zoo, so if they are not detected proactively, who cares. Detection failures in a retrospective test are not up for discussion. It only shows the pure proactive detection capability of the scanners.
Firefighter
November 30th, 2004, 04:51 PM
{QUOTE-> But I still remain of the opinion that the detection of the 8 ITW samples is more important than the detection of 8 macro samples that are not ITW. <-QUOTE}I totally agree with that. But still, the real detection rate against forthcoming ItW stuff can be between 30 - 80 %; nobody can draw conclusions from 8 samples. Besides, TrojanDownloaders and TrojanDroppers are also very, very ItW nowadays, but they don't fill your PC up like viruses do. They aren't in the ItW list at all.
Best regards,
Firefighter!
IBK
November 30th, 2004, 05:03 PM
{QUOTE-> Besides, TrojanDownloaders and TrojanDroppers are also very, very ItW nowadays, but they don't fill your PC up like viruses do. They aren't in the ItW list at all.
Best regards,
Firefighter! <-QUOTE}
Yes I agree with you. I think I also wrote this (or something similar) in the report (or maybe in the PDF with the FAQ's).
Firefighter
November 30th, 2004, 05:17 PM
{QUOTE-> I think I also wrote this (or something similar) in the report (or maybe in the PDF with the FAQ's). <-QUOTE}Yes, I have seen that too.
Btw, NOD is quite a good performer against (zoo) trojan-like malware too nowadays; who believed that about a year ago?
Best regards,
Firefighter!
Benvan45
November 30th, 2004, 05:30 PM
Could someone explain to me why this topic is not moved to the proper NOD section?
Some time ago I dropped a remark about Panda being a great AV scanner in the NOD section and was asked to place that kind of remarks in the proper section.
I find this very irritating......NOD in front, NOD in the back, NOD sideways......
This is a great forum, but once again......it just smells like NOD32 and nothing else, and I find that a great pity.
??? Putin
IBK
November 30th, 2004, 05:32 PM
I was surprised about the results too. This is something that I like when testing: I never know how the results will be before the test is completely done :-)
BTW: the forum on the website is currently a bit quiet. I would like to see more people in it. If anyone has not registered yet, please do it, and welcome! http://www.av-comparatives.org/forum
Edit: yes, the title is a bit too much NOD32 oriented. Next time when you talk about test results of my site plz use a more "neutral" title ;-) I was not fast enough to post here in the forum, otherwise I would have put a topic here in this subforum where the talk would be only about the test, like in the past. Well, next time I will be faster :P
TAG97
November 30th, 2004, 05:57 PM
{QUOTE-> Could someone explain to me why this topic is not moved to the proper NOD section?
Some time ago I dropped a remark about Panda being a great AV scanner in the NOD section and was asked to place that kind of remarks in the proper section.
I find this very irritating......NOD in front, NOD in the back, NOD sideways......
This is a great forum, but once again......it just smells like NOD32 and nothing else, and I find that a great pity.
??? Putin <-QUOTE}
I agree 100%
Here's another NOD32 topic in "Other AntiVirus Forum": http://www.wilderssecurity.com/showthread.php?t=56029
BlueZannetti
November 30th, 2004, 06:43 PM
@ putin & TAG97,
This thread was moved early on to the Other Anti-Virus Software forum (see post #9) since the content was very likely to move beyond NOD32 due to the subject matter of the test and it's neither a NOD32 specific topic nor a support issue - despite the title of the thread.
It was not moved capriciously, but rather to encourage general discussion since the subject of the test is one of general interest in the AV community. While much of the comment has focused on NOD32 thus far, it is not the only AV that, in my opinion, performed extremely well in this test. Also, while we tend to focus on the final tally of malware flagged, there's a lot of information in that test that really needs to be digested to comprehend the full picture. I really wouldn't want that on-going discussion artificially restricted to NOD32 due to the original posting location of the thread.
This IS the proper venue to discuss, dissect, comment and speculate on this most recent effort by the folks at www.av-comparatives.org (http://www.av-comparatives.org/).
Finally, while much of the discussion has centered on the AV subjects of this test, I believe that we would all be remiss not to send a message of thanks to IBK and everyone else involved in this effort for an absolutely first rate job! Well done, once again!
Blue
mercurie
November 30th, 2004, 09:25 PM
Fellow Creatures,
I seldom visit the NOD Forum because I do not use NOD. However, that does not mean I am totally uninterested in NOD. A discussion which includes NOD in the general context of comparisons with other AV products, even if it results in a turn to focus on NOD, I think is appropriate.
I find these forums to be well managed. Just my 2 cents. ;)
Note: I will make no further comment on this as I think we would stray off topic. :)
Eliot
November 30th, 2004, 09:38 PM
I for one would like to see mks_vir on that list with its heuristics. I use this and find it to be as close to NOD32 as possible, which I also use.
EDITED** I will correct my wording and say the heuristics are on a level with or above NOD32. I am not saying NOD is not the best, just that they now have company up there or possibly have been dethroned. No testing head to head has been done. I just notice that it nails everything NOD32 does on my pc's. :o
Blackspear
November 30th, 2004, 11:03 PM
{QUOTE-> Could someone explain to me why this topic is not moved to the proper NOD section?
Some time ago I dropped a remark about Panda being a great AV scanner in the NOD section and was asked to place that kind of remarks in the proper section.
I find this very irritating......NOD in front, NOD in the back, NOD sideways......
This is a great forum, but once again......it just smells like NOD32 and nothing else and I find that a great pity.
??? Putin <-QUOTE}As Blue said, as well I will add that the very first post was tagged onto the end of another thread, it was totally off topic, and as such I split it away into its own thread. In doing so I gave it the title that you now see, given that at that point in time it was in the Nod32 forum and had this as its subject:
{QUOTE-> www.av-comparatives.org have just released their latest retrospective/proactive test and NOD32 comes out as the Number One. Congratulations to Eset! <-QUOTE}The Nod32 support forum is just for that, "Support issues relating to Nod32", thus if a thread wanders off into a comparison of other AV's then rightly so it will be shifted to a more appropriate forum such as this, where further discussion can be explored to everyone's heart's content...
Hope this helps...
Cheers ;D
no13
November 30th, 2004, 11:54 PM
@IBK...
wait around man.
People are already into full fledged discussions of your research, and I don't think net users (the lazy b*****ds we are) will move from already started threads onto a new forum.
Patience, o great master!
BTW: I did sign up. I'll post soon. Most users ever online was 13...Enjoy~!!!
dvk01
December 1st, 2004, 03:26 AM
OK I've amended the topic title to make it clearer what it is about
Mele20
December 1st, 2004, 04:53 AM
{QUOTE-> This time the PDF's are encrypted with Adobe Acrobat 6.0, so you will need the latest version in order to open the PDF (reason: also for security reasons :-P). I did not have time to check, but I think it should be possible to open it with Acrobat if you install the latest version. Install Adobe and then uninstall it if there is no other possibility :-(
If any other persons have solutions ready, post it! <-QUOTE}
I have Acrobat Reader 5.0.5 and will never install 6.0 not even so I can read this test. You should make it available by some other method. There are many users who have chosen to remain with Acrobat Reader 5.0.5.
Also may I ask why do I have to use IE in order to see the results on line? I hate using IE. But Firefox and Mozilla display your tests with text on top of text so that I cannot read anything.
I thought the results for Bit Defender were quite interesting. I just downloaded the free version a couple of days ago.
As for the OT date display, if Americans were to write the date with the day first and then the month and then the year think how much more trouble it would be to speak that. Instead of saying "March fourth 2004" one would have to speak it " The fourth of March 2004" to be grammatically correct. That is a mouthful and is unnecessarily awkward. The American way makes more sense. ;)
I never know what the date is when I search on dslreports because that site uses the European method and I cannot get that straight in my head. Consequently, I don't pay attention to dates there.
I do very much appreciate all the work you do on these tests. I have a lot of respect for your tests and eagerly await the next set. (I don't want it to sound like I don't since I griped about a couple of things). :)
IBK
December 1st, 2004, 05:11 AM
Ok...
on user request, PDF's were adapted in order that they can be read also with Adobe Acrobat Reader 5.x
About Firefox, read now the PDF with the FAQ's, it contains the solution ;-)
Benvan45
December 1st, 2004, 05:27 AM
{QUOTE-> As Blue said, as well I will add that the very first post was tagged onto the end of another thread, it was totally off topic, and as such I split it away into its own thread. In doing so I gave it the title that you now see, given that at that point in time it was in the Nod32 forum and had this as its subject:
The Nod32 support forum is just for that, "Support issues relating to Nod32", thus if a thread wanders off into a comparison of other AV's then rightly so it will be shifted to a more appropriate forum such as this, where further discussion can be explored to everyone's heart's content...
Hope this helps...
Cheers ;D <-QUOTE}
Does not really help that much. I appreciate your comments, but I still feel that NOD is being lifted to heaven far too much........No matter what topic is being started, NOD is always put on the top shelf by most of the Mods and Higher Ranked people and that's annoying.
I've stated this before and I was even asked why I was even bothering visiting this forum by a high ranked Nod mod!!!!! Just because I said that I liked Panda Platinum because of its easy configuration, compared to Nod.
I don't think this is right, everybody has the right to visit and read and get wiser about security, but all I ask........don't push NOD 24 hours around the clock in all topics started.
Cheers also!!!! ;) Putin
Tweakie
December 1st, 2004, 05:36 AM
Hi IBK,
I have several questions about the testing procedure. After reading the testing procedure, I concluded that av-comparatives.org considers that a sample is new/unknown to a scanner according to the name given by the AV to the sample:
- If it is not recognized, it is new/unknown;
- If it is recognized and the name contains, e.g., the strings "heuristics", "NewHeur", "Bloodhound", ".gen", "behaves like", "generic" etc., it is also considered as new/unknown.
A sample is included in the test set only if:
- It is new/unknown (according to the above definition) to every scanner.
- It has been sent to av-comparatives.org after the latest update of the scanners (6th of August for this test).
Last but not least, samples are sent to av-comparatives.org by users/collectors/on-line scanner operators and various AV companies, which anyway do share some of their samples. It is specified somewhere on the site that the proportion of samples sent by the AV companies is increasing.
Now, the questions:
1/ Could the test results be affected by the way the AV companies manage their backlog (proactive tests)?
More precisely, some companies may give a lower priority to samples that are already detected by heuristics with respect to fully undetected samples. Your tests might give a small advantage to such companies with respect to the companies that do not practice this kind of distinction.
Moreover, the heuristic/generic scanning capabilities might be improved independently from the signatures. Typically, I'm not completely sure that all the AVs that do detect a sample as, let's say, "Gaobot.gen" really want to include specific detection capabilities for this sample. And I'm not even sure that this sample was not used for designing the "gaobot.gen" generic signature.
Actually, the influence of the backlog management policy on the test results could be tested. Since you provide all the samples to the AV companies after the tests, you can consider that now they are known to them. You can therefore re-scan the same dataset with up-to-date versions of the scanners and see if there is a statistically significant difference between the identification results (i.e. detection using signatures) for samples that were previously detected heuristically and samples that were not. If the proportion of identified samples is higher in the subset of samples that were not detected heuristically, then this could mean that the test was slightly biased in favor of the considered scanner.
2/ Would it be easy to pervert your dataset?
Some worms add random data at the end of the file they create in order to fool simple detection engines based on an MD5 hash of the file. A lot of trojan horses can be edited to specify the IP of the attacker's server, the password of the backdoor server, etc. (the same may apply to the IRC server/channel name/password for some Agobots/Spybots, the URL that is pointed to by a webdownloader...). Many dialers exist in several flavors, the main changes concerning the phone numbers that are called depending on the victim's country. Usually, when an AV scanner detects one of these samples, it will detect all of them. How can you be sure that there are not a lot of such very similar samples in your database (which could even be added intentionally, for example through the use of on-line scanners)? In my opinion this would screw up any subsequent statistical measures.
Do you verify that all the test samples are unique by (non-generic) name for at least one scanner* (except for _known_ true polymorphic/metamorphic ones - there are not that many)? This applies also to proactive testing.
* Preferably one that features an unpacker.
3/ Could the fact that AV vendors provide some of the samples influence the test results?
AV vendors could choose to provide you only with samples that were detected heuristically before they added a specific signature. This would guarantee a 100% proactive efficiency for their scanner amongst the samples they submit. Depending on the distribution of your malware sources, this could greatly influence the results.
Once again, this can be tested to some extent: does an AV vendor perform significantly better in proactive tests on the samples that he submitted himself than on the samples coming from other sources? If the answer is yes, you may consider that this vendor intentionally introduced a bias in the test dataset. I consider this a serious issue.
These are just questions and remarks. This is not for criticizing your tests, I do appreciate them and I know that they require a lot of work.
--
Tweakie
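Tweakie's questions 1 and 3 both come down to the same check: after the fact, compare the detection rate on one subset of the test set (samples that were already flagged heuristically, or samples submitted by the vendor itself) with the rate on the rest, and ask whether the gap is larger than chance would produce. The block below is an added example, not code from the thread or from av-comparatives.org; the choice of a pooled two-proportion z-test is my assumption about what "statistically significant difference" should mean here, and all the counts are constructed.

```python
"""Two-proportion z-test for the post-hoc bias checks proposed in the thread.

Added example; the statistic (pooled two-proportion z-test) and every count
below are assumptions/constructed data, not av-comparatives.org methodology.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import NormalDist


@dataclass(frozen=True)
class Group:
    """Results for one subset of the test set after a re-scan."""
    name: str
    identified: int  # samples now detected under an exact (non-generic) name
    total: int       # samples in the subset

    @property
    def rate(self) -> float:
        return self.identified / self.total


@dataclass(frozen=True)
class ZTestResult:
    z: float          # negative when group a identifies a smaller share than b
    p_value: float    # two-sided
    significant: bool


def two_proportion_ztest(a: Group, b: Group, alpha: float = 0.05) -> ZTestResult:
    """Test whether the identification rates of a and b differ (pooled variance)."""
    if min(a.total, b.total) == 0:
        raise ValueError("each subset needs at least one sample")
    pooled = (a.identified + b.identified) / (a.total + b.total)
    se = sqrt(pooled * (1 - pooled) * (1 / a.total + 1 / b.total))
    if se == 0:
        # Everything (or nothing) identified in both subsets: no difference to detect.
        return ZTestResult(z=0.0, p_value=1.0, significant=False)
    z = (a.rate - b.rate) / se
    p = 2 * (1 - NormalDist().cdf(abs(z)))
    return ZTestResult(z=z, p_value=p, significant=p < alpha)


def bias_check_backlog() -> ZTestResult:
    """Question 1 (constructed counts): re-scan with current signatures and compare
    samples the scanner had flagged heuristically during the test against samples it
    had missed. A significant negative z means heuristically flagged samples were
    added to the signature base more slowly, the pattern Tweakie describes."""
    flagged_heuristically = Group("heuristic hit during test", identified=90, total=120)
    missed_in_test = Group("missed during test", identified=100, total=110)
    return two_proportion_ztest(flagged_heuristically, missed_in_test)


def bias_check_submitter() -> ZTestResult:
    """Question 3 (constructed counts): proactive detection on the vendor's own
    submissions versus samples from other sources. Here the gap is within noise."""
    own_submissions = Group("submitted by the vendor", identified=95, total=120)
    other_sources = Group("other sources", identified=90, total=110)
    return two_proportion_ztest(own_submissions, other_sources)


if __name__ == "__main__":
    for label, result in (("backlog", bias_check_backlog()),
                          ("submitter", bias_check_submitter())):
        print(f"{label}: z={result.z:+.2f} p={result.p_value:.4f} "
              f"significant={result.significant}")
```

The test is two-sided on purpose: a vendor doing unusually well on its own submissions and a vendor doing unusually badly on heuristically flagged samples are both departures from "the source of a sample does not matter", which is the assumption the comparative relies on.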
Blackspear
December 1st, 2004, 05:47 AM
{QUOTE-> I don't think this is right, everybody has the right to visit and read and get wiser about security, but all I ask........don't push NOD 24 hours around the clock in all topics started.
Cheers also!!!! ;) Putin <-QUOTE}Hey Putin, you are on a Website that hosts the Official Nod32 Forum, thus you would expect to see it praised, as well as the many problems that people come across, wouldn’t you think ;) ;D
You are more than welcome to discuss Panda and any other Antivirus product out there, it’s just the Nod32 support forum is just that, for Nod32 support and related issues, all other antivirus discussions are posted in this particular forum ;D
All the best…
Cheers ;D
IBK
December 1st, 2004, 05:48 AM
Hello Tweakie,
no, it is not as easy as it may look. There is no way for the AV companies to influence the test-set/test-results, because I also use other methods to determine which samples are new; but I do not tell everything ;)
It can also happen that a file is detected as an "apparently" exact detection but it is new. I know how to tell if it is new or not, but I do not tell everything in order to avoid influences. Anyway it would probably still be impossible for single companies to influence the test on purpose, as various methods are used where they can not have influence. So I can assure you that all the used samples were really unknown/new and that they appeared within the last 3 months.
I understand your fears, but I can really assure you that they can not influence my tests. I give very much attention to keeping the tests fair and independent.
solarpowered candle
December 1st, 2004, 05:58 AM
Once again my friend Blackspear wins the Noddy award for the second year running, for continued excellent support for Nod. You may download your prize now @ http://www.noddy.com/fun/fun.htm
Blackspear
December 1st, 2004, 06:53 AM
{QUOTE-> 8 samples doesn't prove very much, there were also 8 macro viruses, where NOD scored 0. When I scanned my 236 macro viruses, NOD scored without signatures, but Advanced Heuristics on, 209, it was 88.6 %.
Best regards,
Firefighter! <-QUOTE}Firefighter, my post was in relation to Nod32 passing a series of tests and coming in 1st place, at the point in time when I posted, it was in the Nod32 forum. Now that this thread has been shifted out into other antivirus software and given the same start of the thread in this forum, I would not have made such a comment. I will add, if it is not that hard, then why do we not see all others in the same position that Nod32 finds itself within this test.
On a final point, I’m not here for a debate, just to comment on why my post was presented in the manner that you see it.
Hope this helps…
Cheers ;D
no13
December 1st, 2004, 07:16 AM
http://www.boredmofo.com/index.php?option=content&task=view&id=15&Itemid=2
How come NO one has tested Rising AV (from china, I think) ? http://www.rising-global.com/
Blackspear
December 1st, 2004, 08:03 AM
{QUOTE-> ...I believe that we would all be remiss not to send a message of thanks to IBK and everyone else involved in this effort for an absolutely first rate job! Well done, once again! <-QUOTE}Apologies IBK, yes very well done on such a fine job, I like your approach to the testing, maintaining a beyond-reproach stance.
I'm looking forward to the next round to see how the latest update to Nod32's Heuristic Trojan component tallies up...
Cheers ;D
Blackspear
December 1st, 2004, 08:05 AM
{QUOTE-> Once again my friend Blackspear wins the Noddy award for the second year running, for continued excellent support for Nod. You may download your prize now @ http://www.noddy.com/fun/fun.htm <-QUOTE}Thank you Solarpowered Candle, I think ;) ;D
Cheers ;D
Firefighter
December 1st, 2004, 08:53 AM
{QUOTE-> On a final point, I’m not here for a debate, just to comment on why my post was presented in the manner that you see it.
Hope this helps…
Cheers ;D <-QUOTE}I'm not here to debate either, unfortunately the difference between debate and discussion is sometimes only a thin line on the water. Especially when the other party writes in a language other than his own native one. It's so hard to indicate all possible nuances in a totally foreign language, but there is only one answer, just keep on trying.
Best regards,
Firefighter!
Blackspear
December 1st, 2004, 08:56 AM
{QUOTE-> I'm not here to debate either, unfortunately the difference between debate and discussion is sometimes only a thin line on the water. Especially when the other party writes in a language other than his own native one. It's so hard to indicate all possible nuances in a totally foreign language, but there is only one answer, just keep on trying.
Best regards,
Firefighter! <-QUOTE}LOL, that's ok Firefighter, I'm bad enough with English as my first language, you are doing exceedingly well using 2 languages ;D
All the best…
Cheers ;D
JimIT
December 1st, 2004, 04:07 PM
The two retrospective tests you've done have been the most interesting (and eye-opening) AV tests I've seen in a while.
Nice job, Andreas...
:D
Firefighter
December 2nd, 2004, 04:42 PM
Just clarifying a bit how many of those ItW samples we really have to collect (ItW list just now 393 viruses) if we want a 90 % Reliability/Confidence Level that the heuristic detection rates have a Precision/Accuracy Level of 5 % (= max % error in the detection rate). The result will be about 160 samples.
In the long run, there were about 21 new ItW viruses per month. With the median growth of 21 new ItW viruses per month it takes about 8 months until the whole sample collection is finished and the test is available to run.
Of course NOD doesn't need to wait such a long time, just disable the signature scanning and scan the already known ItW list of files.
Best regards,
Firefighter!
IBK
December 2nd, 2004, 04:42 PM
Thx JimIT. :)
BTW: the forum on www.av-comparatives.org/forum can now be also read by guests. In order to post there etc. a registration is required.
Stan999
December 2nd, 2004, 05:38 PM
{QUOTE->
Of course NOD doesn't need to wait so a long time, just disable the signature scanning and scan the already known ItW list of files.
Best regards,
Firefighter! <-QUOTE}
Is it possible to just remove or zero out the signature file in some of the other AVs to test their heuristic detection rates?
_anvil
December 2nd, 2004, 05:57 PM
{QUOTE-> Of course NOD doesn't need to wait so a long time, just disable the signature scanning and scan the already known ItW list of files. <-QUOTE} It isn't that easy. Remember that heuristics are updated, too... ;)
muf
December 2nd, 2004, 07:31 PM
Nice test. :)
Although F-Prot which i'm currently trialling did rather crap. :'(
muf
nameless
December 2nd, 2004, 10:19 PM
Let me guess... Eset proposed this test, because it's the only way they could ever beat Kaspersky?
If nothing else, it should give NOD32 users comfort, in the event that they go for several months without updating their signatures.
{QUOTE-> Of course, hopefully no user would use a three-month-old scanner on his PC, so the retrospective test isn't a test intended to show a reality situation. <-QUOTE}{QUOTE-> The retrospective test isn't a pure heuristic test as some of the samples were already known to some companies. <-QUOTE}Grrrrrrrreat... I wish I'd read that before bothering to look at the test results.
Thanks for the laugh.
Firefighter
December 2nd, 2004, 11:11 PM
{QUOTE-> Is it possible to just remove or zero out the signature file in some of the others AVs to test their heuristics detecting rates? <-QUOTE}I tried to zero out those files with DrWeb but no success.
Best regards,
Firefighter!
flyrfan111
December 2nd, 2004, 11:40 PM
{QUOTE-> Let me guess... Eset proposed this test, because it's the only way they could ever beat Kaspersky?
If nothing else, it should give NOD32 users comfort, in the event that they go for several months without updating their signatures.
Grrrrrrrreat... I wish I'd read that before bothering to look at the test results.
Thanks for the laugh. <-QUOTE}
So you are suggesting that IBK has become an advertising spokesman for Eset? I hardly think so. He has spent a lot of effort and time doing this research. No one complains that the On-Demand comparative could seem to be biased towards KAV, and yet KAV scores highly in them. I would also say that KAV did rather well in this retrospective/proactive test. I am currently using KAV as a backup on-demand scanner and it has never found anything that NOD "missed".
Firefighter
December 2nd, 2004, 11:55 PM
{QUOTE-> Let me guess... Eset proposed this test, because it's the only way they could ever beat Kaspersky? <-QUOTE}In an honest battle, the winner changes. So far that has been the case in Av-Comparatives' heuristics tests too, the first "winner" was McAfee, the second was NOD.
Best regards,
Firefighter!
BlueZannetti
December 3rd, 2004, 12:04 AM
{QUOTE-> Let me guess... Eset proposed this test, because it's the only way they could ever beat Kaspersky?
If nothing else, it should give NOD32 users comfort, in the event that they go for several months without updating their signatures.
Grrrrrrrreat... I wish I'd read that before bothering to look at the test results.
Thanks for the laugh. <-QUOTE}
nameless,
Given the direction of a number of AV vendors, it seems in hindsight a rather obvious test.
From your second comment, I believe you're still missing the point of the test. It doesn't matter how often you update signatures, only that the new form of malware strikes before you update to a signature version level that will handle that virus. It could be months, days, or hours. It doesn't matter, the final outcome is the same. This test seems to be the best practical implementation of a field test to see how well you are covered in that scenario. Is it perfect? Maybe not, but if you feel it's deficient - what type of objective testing protocol would you suggest in its stead?
In terms of performance metrics, I would agree that it misses one critical feature for a consumer - and that's the mean time from when a virus goes active in the wild to when it is handled by a given AV package. Part of KAV's power is to make the vulnerability period quite short via frequent updates and a staff focusing on culling out the latest malware. Another approach is to flag on the programmatic behavioral characteristics of the code - use a heuristic approach. The vulnerability period is zero if the heuristics recognize the malware; unfortunately the vulnerability period can be quite long if pure heuristics fail and signature updates are less frequent. There is a clear trade-off in the time dependence of the vulnerability profile between the two approaches. There are other tradeoffs as well.
Blue
Firefighter
December 3rd, 2004, 12:10 AM
{QUOTE-> Just clarifying a bit how many samples we really have to collect those ItW samples (ItW list just now 393 viruses) if we want to have 90 % Reliability/Confidence Level for that the heuristics detecting rates have the Precision/Accuracy Level of 5 % (= max % error in the detecting rate). The result will be about 160 samples.
Best regards,
Firefighter! <-QUOTE}Unfortunately this may not be so simple in the future. There are already 1065 more samples in the official Supplemental (ItW) List just waiting to become real ItW in the near future.
Best regards,
Firefighter!
flyrfan111
December 3rd, 2004, 12:16 AM
Well said BlueZannetti, much more eloquent than I was. BTW on an OT note I finally got KAV to coexist with NOD on my system, I just had to roll back to 4.5.0.49 and now it works like a charm.
Blackspear
December 3rd, 2004, 12:18 AM
{QUOTE-> BTW on an OT note I finally got KAV to coexist with NOD on my system, I just had to roll back to 4.5.0.49 and now it works like a charm. <-QUOTE}Good to see FF ;D
Cheers ;D
flyrfan111
December 3rd, 2004, 12:24 AM
Thanks buddy!! But now I wonder if it is needed at all, I have been with Nod for almost 9 months now and KAV for the last few weeks and it hasn't found anything Nod missed though. Did I really need a backup? Anyway sorry for taking this OT.
Blackspear
December 3rd, 2004, 12:47 AM
{QUOTE-> Did I really need a backup? <-QUOTE}My pleasure. It depends on your surfing habits, I run Ewido once a month, so far so good, Nod has been doing its job. I have a younger male in the household that likes to test out how well the security is on my system, and still it is holding up, even though he thinks I don't know where he wanders off to, treating my little sedan like a 4WDrive ;) ;D
{QUOTE-> ...sorry for taking this OT. <-QUOTE}Tis only for a moment, it will go back on course any moment now ;) ;D
;D ;D ;D
BlueZannetti
December 3rd, 2004, 07:44 AM
{QUOTE-> Thanks buddy!! But now I wonder if it is needed at all, I have been with Nod for almost 9 months now and KAV for the last few weeks and it hasn't found anything Nod missed though. Did I really need a backup? Anyway sorry for taking this OT. <-QUOTE}
Flyrfan111,
This isn't really OT if you think about it. Taking the retrospective and demand testing all together, the comment that I made regarding potentially variable lengths of windows of vulnerability above, and most people's desire to have minimal system impact with maximal protection, does emphasize the balancing act that we all negotiate in selecting our personal approaches to malware coverage.
A configuration based on a very light approach - NOD32, F-Prot, or any of the other consensus low resource utilization packages - may benefit from occasional second opinions. These products are getting a lot better, but they still lag some of the heavier solutions out there. To me, having a very comprehensive solution available to periodically confirm that the system is clean, or if a heuristically flagged sample is potentially malware, makes sense. Sometimes the gap is due to a genuinely missed chance, sometimes it will be connected to the specific set of configuration options employed - remember, the mental starting point for me here is low resource realtime solutions backed up with an insurance policy. Certainly, using one of the on-line scanning solutions is also an option.
If you accept this type of approach, and look at either the av-comparatives.org (http://www.av-comparatives.org/) test results or the more informally presented assessments posted in this forum by Firefighter!, combinations such as NOD32(main)/KAV(backup) make a certain amount of sense, while others, for example even the simple reverse configuration of KAV(main)/NOD32(backup), would seem to provide less benefit. In arriving at this setup some clear goals have been articulated (for example - the speed/low resource utilization) and some specific mitigating measures have been deployed to address potential gaps (e.g. KAV as a final comprehensive demand arbiter). You can also partially achieve this end result with KAV alone by opening up the realtime monitor to maximize speed, and buttoning down the demand scanner to handle things that the higher speed settings have let through.
Do you need a backup? You might as well ask if you need insurance given that you haven't experienced a medical or property loss problem in the past. If you go on past history, the answer would be no. But you're not doing this to deal with history, the insurance is there to deal with unforeseen future events and minimize your personal risk in the future situation. This type of software application is no different than insurance, nor is the logic behind the final configuration.
Note, some configurations that wouldn't make sense from my starting assumptions, do make sense if the initial assumptions are altered. A specific example would be someone requiring freeware solutions all around. In general, these tend to be a bit less comprehensive than payware solutions, so partial duplication of coverage to mitigate the less extensive single application coverage is certainly more understandable.
Finally, while it's popular to go with all sorts of measures to deal with malware realtime - having working monitors to handle malware/spyware/pop-ups/trojans/worms/etc. - I personally prefer to go with a lighter scheme realtime and augment it with a dose of scheduled demand treatment off-hours. I generally use an AV/BOclean/ProcessGuard/software firewall/NAT-SPI router. A second AV may be present as demand only or installed on a backup boot partition for occasional system checks. Spyware is dealt with using Giant Antispyware/Adaware Pro SE as needed without any of the realtime monitors enabled on either application. TDS3 is available for demand scanning/debugging as required. Total process count is generally 35-40 while working with roughly half of RAM utilized on average. This scheme meets my requirements of lightness - although I have to admit that even a configuration stripped KAV 5.0 WS is pushing any reasonable definition of lightness (and I really wish that they hadn't gone with an integrated package in 5.0 - 4.5's modular approach is more consistent with the direction that I prefer) and I'm still figuring out how I want to proceed with respect to KAV. The NOD32/BOClean combo is almost equivalent to KAV with a lot better performance (IMHO).
Back to your question - do you need a backup? Look at your goals, potential exposures, and implemented solutions. Do you have a consistent approach? If you want lightness with high coverage available as needed - you have a good, internally consistent, solution implemented.
Blue
Firefighter
December 3rd, 2004, 02:15 PM
{QUOTE-> Unfortunately this may not be so simple in the future. There are already 1065 more samples in the official Supplemental (ItW) List just waiting to become real ItW in the near future.
Best regards,
Firefighter! <-QUOTE}I want to add. If the ItW list is after some months about 600 samples, you have to collect almost 190 samples to have a Precision/Accuracy Level of 5 % in detection rate when the Reliability/Confidence Level remains the same at 90 %. So it will probably take the same 8 months to make this test, because the average new ItW infections may rise to 25 per month.
Best regards,
Firefighter!
Mele20
December 5th, 2004, 07:32 AM
{QUOTE-> Ok...
on user request, PDF's were adapted in order that they can be read also with Adobe Acrobat Reader 5.x
About Firefox, read now the PDF with the FAQ's, it contains the solution ;-) <-QUOTE}
Sorry to be tardy in my response, but I've been sick all week. Thank you so much! I have been able to read all the details about your testing (fascinating) in Acrobat Reader 5.0 and I learned how to mostly fix the Firefox problem. I still see a bit of text on top of text but only with the first three AVs which have longer names. I would never have thought to go looking for "obscure" character encoding to fix the problem. I had tried the more obvious encoding choices none of which helped.
Thanks for being so responsive. :)
Gyuri
February 16th, 2005, 04:43 AM
Hi, you may be interested in this. Cheers
http://www.av-comparatives.org/index.html?http://www.av-comparatives.org/seiten/overview.html
Gyuri
February 16th, 2005, 04:50 AM
Another 2 weeks and we'll know the final result. My hint is: 1. McAfee 2. KAV 3. Symantec (I am surprised :o )
izi
February 16th, 2005, 05:08 AM
{QUOTE-> Hi,you may be interested in this.Cheers
http://www.av-comparatives.org/index.html?http://www.av-comparatives.org/seiten/overview.html <-QUOTE}
1st place: Kaspersky (1.40)
2nd place: McAfee (2.20)
3rd place: Panda (4.00)
3rd place: RAV (4.00)
4th place: F-Prot (5.60)
5th place: Symantec (6.60)
6th place: Dr.Web (7.80)
6th place: Sophos (7.80)
7th place: BitDefender (8.80)
8th place: NOD32 (9.00)
9th place: Avast (9.80)
10th place: TrendMicro (11.0)
10th place: H+BEDV (11.0)
no13
February 16th, 2005, 05:12 AM
{QUOTE-> It's forbidden to make those tables available on other sites. <-QUOTE}I think some editing is in order.
Culvin
February 16th, 2005, 10:04 AM
Well, he didn't post the table...he linked to the AV-Comparatives website which I'd think is ok.
The only surprise I see in the chart is that Symantec got the Advanced+ rating. Along with scoring in the top 3, I believe this means they achieved a detection rate of ~97% or higher.
Gyuri, do you know that those are the top 3 in order? Or do you mean "guess" instead of "hint"?
Paul Wilders
February 16th, 2005, 11:32 AM
{QUOTE-> Gyuri, do you know that those are the top 3 in order? Or do you mean "guess" instead of "hint"? <-QUOTE}
Make that: "guess" ;)
regards,
paul
RejZoR
February 16th, 2005, 11:47 AM
{QUOTE-> Well, he didn't post the table...he linked to the AV-Comparatives website which I'd think is ok.
The only surprise I see in the chart is that Symantec got the Advanced+ rating. Along with scoring in the top 3, I believe this means they achieved a detection rate of ~97% or higher.
Gyuri, do you know that those are the top 3 in order? Or do you mean "guess" instead of "hint"? <-QUOTE}
Yeah, Norton detects much stuff On-Demand but misses nearly half of the stuff with On-Access, especially "Possibly dangerous application".
That's a big minus which no one will know (especially not because this is an On-Demand only test).
Gyuri
February 16th, 2005, 02:12 PM
Sorry for my English, I meant: guess. :-[
Culvin
February 16th, 2005, 02:29 PM
Thanks for clearing that up Paul and Gyuri. I thought maybe Gyuri had some inside knowledge :)
RejZoR, yes I've heard that before. But still...even in on demand comparatives I've never seen Norton score at the top of the pack. It usually does ok, but it's always Kaspersky (and its clones) and McAfee that come out on top.
I can't wait to see the official breakdown by category.
RejZoR
February 16th, 2005, 02:55 PM
Yeah, but On-Access (Realtime) is the first line of defense. Stuff that is already installed on your PC can never be perfectly cleaned.
And why make any difference between On-Access and On-Demand?
avast!, AntiVir, AVG, Kaspersky, NOD32...
These AVs don't make any difference between these two modes.
I don't use NAV2005 just because of this and I have a 1 year subscription lying in my cabinet closet... (ok, now it's not 1 year anymore...).
So in such a case you cannot really judge an AV only by an On-Demand test, because the On-Access part will let all the "riskware" garbage onto your hard drive without even notifying you...
Eliot
February 16th, 2005, 03:55 PM
I want GData in that test! wahhhhhhhhhhhh! :'(
Blackcat
February 16th, 2005, 04:06 PM
Your wish may come true; http://www.av-comparatives.org/surveys/index.php
Capp
February 16th, 2005, 04:31 PM
{QUOTE-> www.av-comparatives.org have just released their latest retrospective/proactive test and NOD32 comes out as the Number One. Congratulations to Eset! <-QUOTE}
Maybe I'm on crack or something, but I am not seeing the new online results. That last one listed is for November and I saw that one quite awhile ago. Am I missing something? Thanks :)
AVCC
February 18th, 2005, 06:10 PM
{QUOTE-> Another 2 weeks and we'll know the final result. My hint is: 1. McAfee 2. KAV 3. Symantec (I am surprised :o ) <-QUOTE}
- general view -
it needs to change as follows:
1. McAfee
2. F-Secure
3. Kaspersky
TeknO
February 18th, 2005, 07:05 PM
Different story from www.virus.gr (top tens)
A. 10-25 August 2004
1. Kaspersky Personal Pro version 4.5.0.58 - 99.09%
2. F-Secure 2004 version 4.71.5 - 98.77%
3. Extendia AVK Pro version 11.0.4 - 98.68%
4. AVK version 14.0.7 - 98.50%
5. Kaspersky Personal version 5.0.149 - 97.88%
6. eScan 2003 Virus Control version 2.6.484.8 - 96.75%
7. McAfee version 8.0.41 - 93.59%
8. Norton version 2004 Professional - 93.38%
9. RAV version 8.6.105 - 93.14%
10. F-Prot version 3.15 - 91.85%
B. 2-12 October 2003
1. F-Secure version 5.41 - 99.63%
2. Kaspersky version 4.5.0.49 - 99.35%
3. AVK version 12.0.4 - 98.67%
4. McAfee version 7.03.6000 - 97.24%
5. RAV version 8.6.105 - 94.26%
6. F-Prot version 3.14a - 93.40%
7. Norton version 2004 Professional - 92.35%
8. Titan version 2003 - 90.41%
9. BullGuard version 3.5 - 88.34%
10. BitDefender version 7.1.110 - 88.28%
C. 4-12 May 2003
1. F-Secure version 5.40 - 99.67%
2. Kaspersky version 4.0.5.37 - 99.55%
3. e-Scan Pro version 2.5.181.5 - 97.66%
4. McAfee version 7.00.5000 - 97.14%
5. RAV version 8.6.104 - 95.18%
6. F-Prot version 3.13 - 92.92%
7. PC-Cillin version 2003 10.01.1039 - 90.59%
8. Norton version 2003 Professional - 90.01%
9. Sophos Sweep version 3.69 - 89.37%
10. Dr. Web version 4.29c - 89.23%
D. 5-10 November 2002
1. F-Secure version 5.40.8232 - 99.44%
2. Kaspersky version 4.0.5.35 - 99.38%
3. McAfee version 7.00.5000 - 97.23%
4. RAV version 8.6.104 - 94.52%
5. e-Scan Pro version 2.5.181.5 - 94.50%
6. Command version 4.74.0 - 92.82%
7. F-Prot version 3.12b - 92.47%
8. PC Cillin 2002 version 9.02.1255 - 91.74%
9. Sweep version 3.62 - 89.22%
10. Norton version 2003 - 88.76%
E. 10-12 May 2002
1. F-Secure version 5.30.7262 - 99.73%
2. Kaspersky version 4.0.5.0 - 99.52%
3. McAfee version 6.0 - 95.39%
4. e-Scan Pro version 2.5.181 - 93.35%
5. Command version 9.64.0 - 93.07%
6. PC-Cillin version 2002 - 92.80%
7. RAV version 8.5.80 - 90.54%
8. Dr. Web version 4.27b - 90.37%
9. F-Prot version 3.12 - 89.22%
10. Sophos Sweep version 3.57 - 89.16%
Are these tests trustworthy?
Paul Wilders
February 18th, 2005, 07:16 PM
{QUOTE-> Are these tests trustworthy? <-QUOTE}
Some are - due at least to the independence and vast knowledge needed for testing. www.av-comparatives.org is a perfect example in this context.
On the other hand, www.virus.gr has a questionable reputation. For sure they are doing their utmost - but (still) lack the knowledge to compete with the solid guys ;)
regards,
paul
BlueZannetti
February 18th, 2005, 07:17 PM
{QUOTE-> Maybe I'm on crack or something, but I am not seeing the new online results. That last one listed is for November and I saw that one quite awhile ago. Am I missing something? Thanks :) <-QUOTE}Well, not really, but the main page does note that test results will be posted on March 1 and September 1 for the on-demand tests and June 1 and December 1 for the proactive/retrospective tests. My recollection is that they are quite prompt with respect to posting on the listed dates, so you have a week and a half wait to go...
Blue
TeknO
February 18th, 2005, 07:43 PM
{QUOTE-> Some are - due at least to the independence and vast knowledge needed for testing. www.av-comparatives.org is a perfect example in this context.
On the other hand, www.virus.gr has a questionable reputation. For sure they are doing their utmost - but (still) lack the knowledge to compete with the solid guys ;)
regards,
paul <-QUOTE}
First of all, thanks for the reply.
I saw similar results with the VTC scanner tests of the University of Hamburg computer science department.
http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm
The top three antiviruses were McAfee, F-Secure and Kaspersky.
By the way, the "overview of the comparatives" of AV-Comparatives was the same way. The top two performers were Kaspersky and McAfee. All results were "Advanced+".
http://www.av-comparatives.org/index.html?http://www.av-comparatives.org/seiten/overview.html
The results are very similar. McAfee, F-Secure and Kaspersky seem to be the winners and top three.
Regards