View Full Version : http://virusscan.jotti.org/
Bitz
June 1st, 2005, 09:33 AM
How come if you watch the statistics on http://virusscan.jotti.org/ NOD32 only finds like 1 of 10? If you follow Kaspersky it finds 9 of 10. I don't understand..
RejZoR
June 1st, 2005, 09:50 AM
You'd better not. Forget about statistics, because you don't see everything. Besides, everything is running on a Linux machine, so results will be different than on Windows machines (not much, but there are differences).
izi
June 1st, 2005, 11:11 AM
KAV is the best!!!
richrf
June 1st, 2005, 11:20 AM
Hi,
It also appears to me that KAV is catching much more than NOD32 in these online samples. Of course, eyes can be deceiving. But, assuming that KAV is doing much better than expected, it may be that KAV's on-demand scanner is better than NOD32's (especially with packed files), while their real-time packers have greater parity.
I would like to note that recently, while cleaning a machine, KAV's on-demand scanner missed malware that was hidden in ADS files, but was picked up by their real-time scanner. So there are differences in scan detection, even within Kaspersky's own products.
Rich
pykko
June 1st, 2005, 12:44 PM
Look at this guys! KAV or NOD ?? :P
StU
June 1st, 2005, 01:03 PM
Let 10 people take a look at different times and you may get 10 different results. ::)
Honyak
June 1st, 2005, 01:12 PM
I could have posted 10 or more screenshots of NOD missing in the last day or so. You can't base a decision on a single scan from Jotti's.
jlo
June 1st, 2005, 03:47 PM
I Agree,
I just clicked on Jotti scanner and saw
AntiVir X
Avast X
AVG Antivirus Win32/Small.A
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 probably unknown WIN32
Norman Virus Control X
VBA32 X
Maybe AVG is the best LOL! What, KAV did not detect this???
The lesson to be learnt is that no AV is 100% perfect.
What I like about KAV is they actively get all failed detections sent to them and you can bet a couple of updates later they will be detecting it.
Again Nod32's excellent AH caught this one without defs!
I have licences for Nod and KAV and like both very much for different reasons.
Cheers
Jlo
RejZoR
June 1st, 2005, 04:06 PM
I hope you don't expect 100% detection from KAV...
And this detection is by normal heuristics, not AH...
Hyperion
June 2nd, 2005, 05:07 AM
Hi. Since 21 May I have been doing exactly that, I mean keeping random statistics of some AVs that interest me from the results of Jotti. Here's what I have till now (although the last few days I've been busy). I don't keep the absolute number of scans, so I don't know how many samples I've kept. So these are relative differences. Nothing scientific, just for my curiosity. NOD32 is impressive for the fact that it uses the heuristics very often (I could almost say that, from the times I remember, half of them were caught by heuristics).
AntiVir 23
Avast 18
AVG 11
BitDefender 29
ClamAV 15
Kaspersky 45
NOD32 25
Bitz
June 2nd, 2005, 06:00 AM
Last piece of malware found was Trojan-Clicker.Win32.Agent.db in qwinnta.exe, detected by:
Scanner Malware name
AntiVir TR/Click.Agent.DB
Avast Win32:Adan-032
AVG Antivirus Clicker.9.V
BitDefender Trojan.Clicker.Agent.DB
ClamAV Trojan.Clicker.Agent-31
Dr.Web Trojan.Click.357
F-Prot Antivirus W32/Agent.NL
Fortinet W32/Agent.DB-tr
Kaspersky Anti-Virus Trojan-Clicker.Win32.Agent.db
mks_vir Trojan.Clicker.Agent.Db
NOD32 X
Norman Virus Control W32/Agent.CTA
VBA32 Trojan-Clicker.Win32.Agent.db
Hmm even Fortinet finds this one and NOD32 doesn't.....how come the heuristics don't find this one????
Honyak
June 2nd, 2005, 08:40 AM
-{ Quote: "Hi. Since 21 May I have been doing exactly that, I mean keeping random statistics of some AVs that interest me from the results of Jotti. Here's what I have till now (although the last few days I've been busy). I don't keep the absolute number of scans, so I don't know how many samples I've kept. So these are relative differences. Nothing scientific, just for my curiosity. NOD32 is impressive for the fact that it uses the heuristics very often (I could almost say that, from the times I remember, half of them were caught by heuristics).
AntiVir 23
Avast 18
AVG 11
BitDefender 29
ClamAV 15
Kaspersky 45
NOD32 25" }-
Interesting to not see DrWeb and MKS stats, from my observations both find more trojans than NOD32.
richrf
June 2nd, 2005, 08:47 AM
Hi Hyperion,
Do you know how many actual observations you made? In other words, how many KAV missed? Thanks.
Rich
RejZoR
June 2nd, 2005, 09:38 AM
I don't get why people expect that NOD32 heuristics should pick everything!? C'mon, they are the best on the market, but you cannot expect them to be almighty ::)
Also there is no point in calculating anything based only on random visits to the page and reading results. You can view the page at the wrong times and you'll miss potential detections of a specific AV, thus resulting in a lower "score".
richrf
June 2nd, 2005, 10:08 AM
Hi RejZor,
I agree. Heuristics are an "extra" level of protection. A good implementation will not give too many FPs while still getting those nasties that the signatures are picking up.
The results that Hyperion reveals are essentially my own non-scientific experience. I visit Jotti several times in the week just to check on what is going on, and I would rank the top AVs very similarly in terms of "Jotti detection rate". However, it is tough to say what this means, especially since this is on-demand scanning as opposed to real-time scanning, and for me real-time scanning is by far and away more important. My guess is, based upon what I have seen on Wilders over the past two years, that KAV (with its very frequent and comprehensive signature updates) and NOD32 (with its heuristics) are in rough parity nowadays.
Certainly I would have no problems recommending either of them, but I am more likely to recommend an AT (like Ewido or BOClean), if someone is running NOD32. For some reason, I feel that KAV probably is more of a stand-alone product. Maybe I am misreading the situation a bit.
Rich
Hyperion
June 2nd, 2005, 10:56 AM
-{ Quote: "Interesting to not see DrWeb and MKS stats, from my observations both find more trojans than NOD32." }-
I don't keep stats for them either, because they don't interest me, since I will definitely not be running them on my PC anytime soon (never saw them on sale in Italy and I avoid internet sales when I can). That's why I said that I keep them for those that "interest me". I had all of the above except NOD32, which I might try though if it is as light as they say. Right now I have AVG resident.
-{ Quote: "Hi Hyperion,
Do you know how many actual observations you made? In other words, how many KAV missed? Thanks." }-
No, as I said, I don't keep the absolute number of scans. I've simply started an xls and each time I add a point to every AV that has caught the malware. Since it's not a scientific observation, I'm more interested in relative performance. Actually I included KAV as a point of reference, for obvious reasons. I'd say that, more or less, I've logged about 55 scans.
You know what? Even if I'm late I'll add yet another line in the Excel file and start noting the number of samples too. I'll be off by about 55-60, which are the ones I haven't logged till now, but more or less, when the number grows, it'll become negligible. I'll note 55 (say KAV lost 10) and continue counting from there.
Hyperion
June 2nd, 2005, 11:16 AM
-{ Quote: "Also there is no point in calculating anything based only on random visits to the page and reading results. You can view the page at the wrong times and you'll miss potential detections of a specific AV, thus resulting in a lower "score"." }-
Of course you can miss potential detections. I don't spend all my day at Jotti's. When I remember it, I go and pick the malware I find and, as I said, I wanted to have relative results, not absolute. I started this because I have my doubts about what is "ITW" for the pro testers and what is "ITW" for the simple PC user, and wanted to see in real-life (as far as that can be) conditions what the tendencies would be.
I consider this as a poll. Just like when you go out on the street and ask people randomly. Of course you'll miss many, you might meet more of the same opinion in one quarter than another because of different socio-economic levels, but in the end, as the sample becomes bigger, the error should decrease and at least the tendencies should become quite stable.
For example,this is what i had posted 2 days after i had started this thing:
AntiVir 11
Avast 9
AVG 5
BitDefender 14
ClamAV 7
Kaspersky 22
NOD32 12
http://www.wilderssecurity.com/showthread.php?t=79135
The relative order, although the sample was small, has continued unchanged until now. What happened is that as the sample became larger, some of the differences were made more clear, for example AVG has lagged behind even more, with AntiVir, Avast and secondarily Clam getting a clearer distance from it.
I'm quite happy about it actually and even if it's not scientific, I know it's free of tester bias, since I'm not in any way related to internet security, I'm a univ student studying a completely different thing than informatics. This is only a hobby for me.
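An added example, not part of any post in this thread: the polling argument above can be checked by putting a 95% Wilson score interval around each tally posted earlier. It assumes each tally is a binomial count out of the poster's own estimate of about 55 scans, and it measures sampling error only, not bias in which files get uploaded to the service.

```python
import math

# Tallies copied from the post earlier in this thread: how many of the
# observed Jotti samples each scanner flagged. N_SCANS is the poster's own
# rough estimate ("about 55 scans"), so every figure below is approximate.
TALLY = {
    "AntiVir": 23, "Avast": 18, "AVG": 11, "BitDefender": 29,
    "ClamAV": 15, "Kaspersky": 45, "NOD32": 25,
}
N_SCANS = 55


def wilson_interval(hits, n, z=1.96):
    """Wilson score interval for a binomial proportion (z=1.96 is ~95%)."""
    if n <= 0 or not 0 <= hits <= n:
        raise ValueError("need n > 0 and 0 <= hits <= n")
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def overlaps(a, b):
    """True when two (low, high) intervals share at least one point."""
    return a[0] <= b[1] and b[0] <= a[1]


def separated_pairs(tally, n):
    """Scanner pairs whose intervals do not overlap, higher tally first."""
    iv = {name: wilson_interval(hits, n) for name, hits in tally.items()}
    names = sorted(iv, key=lambda k: tally[k], reverse=True)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if not overlaps(iv[a], iv[b])
    ]


def interval_width(hits, n):
    """Width of the 95% interval; shrinks roughly as 1/sqrt(n)."""
    low, high = wilson_interval(hits, n)
    return high - low


if __name__ == "__main__":
    for name, hits in sorted(TALLY.items(), key=lambda kv: -kv[1]):
        low, high = wilson_interval(hits, N_SCANS)
        print(f"{name:12s} {hits:2d}/{N_SCANS}  95% CI {low:.2f}-{high:.2f}")
    print("clearly separated pairs:", separated_pairs(TALLY, N_SCANS))
    # Same hit rate with ten times the samples (hypothetical), to show how
    # the error band narrows as the poll grows.
    print("width at n=55: ", round(interval_width(45, 55), 3))
    print("width at n=550:", round(interval_width(450, 550), 3))
```

At this sample size only the largest gaps stand out from sampling noise; scanners in the middle of the table have overlapping intervals, so their relative order could change as more scans are logged.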
Honyak
June 2nd, 2005, 11:24 AM
-{ Quote: "Certainly I would have no problems recommending either of them, but I am more likely to recommend an AT (like Ewido or BOClean), if someone is running NOD32. For some reason, I feel that KAV probably is more of a stand-alone product. Maybe I am misreading the situation a bit." }-
I agree with your assessment as when I ran KAV or KAV clone, I was not concerned with a B/U scanner. But with other AV's I will use a back-up scanner (usually KAV engine) and AT.
I do not decide my AV choice based on Jotti's, but do observe it often when in the office during the weekdays. I like the fact that it is a more real world test versus a lab test.
vlk
June 2nd, 2005, 12:18 PM
Just FYI, the linux version of avast (used by Jotti) does not currently support any Win32 unpackers (not even UPX) -- and since a lot of scum is now constantly being (re)packed, I reckon this is making avast perform considerably worse than its Windows counterpart would.
We will provide Jotti with a version that supports exe unpackers soon - I'm curious if there will be any visible detection boost then...
RejZoR
June 2nd, 2005, 12:27 PM
Vlk, you want to say that avast! detected so much stuff without ANY unpacking?
Well, then I have no doubt that avast! will score better.
How can an AV work without any unpacking anyway (unless you make a hundred signatures for just one sample)?
vlk
June 2nd, 2005, 01:03 PM
Well,
1. we do have not hundreds, but tens of thousands of signatures ;D
2. even though I THOUGHT the linux version of avast has at least some limited number of exe unpackers (at least upx, aspack etc - i.e. the basic set from avast 4.1). But - I was told that I was wrong. :)
rdsu
June 2nd, 2005, 01:08 PM
If Jotti could make a Windows-based service, it would be better for evaluating the AVs' detection rates...
rdsu
June 2nd, 2005, 01:09 PM
Another thing:
What is the interest in using Linux to test AVs' detection rates!?
Firecat
June 2nd, 2005, 01:12 PM
-{ Quote: "Another thing:
What is the interest in using Linux to test AVs' detection rates!?" }-
I guess Jotti's probably uses Linux to reduce costs.
IBK
June 2nd, 2005, 01:15 PM
-{ Quote: "If Jotti could make a Windows-based service, it would be better for evaluating the AVs' detection rates..." }-
http://virusscan.jotti.org/ is not designed to evaluate AV detection rates.
rdsu
June 2nd, 2005, 01:59 PM
-{ Quote: "http://virusscan.jotti.org/ is not designed to evaluate AV detection rates." }-
What do you do with statistics?
This service is to see if a file contains a virus and afterwards, if it is a suspicious file, send that file to the AV companies, right?
TopperID
June 2nd, 2005, 02:42 PM
Not quite right - the samples are likely to be untypical 'cos a lot of putative malware writers like to test their latest efforts by uploading them to see if they get detected!
kalpik
June 3rd, 2005, 05:24 AM
Hi everyone!
Scanner Malware name
AntiVir X
Avast X
AVG Antivirus X
BitDefender HTML.MediaTickets.A
ClamAV Trojan.Downloader.JS.IstBar.A-2
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
mks_vir X
NOD32 Win32/Adware.MediaTickets.downloader Application
Norman Virus Control X
VBA32 X
What do u say to this?
Well u can never say which AV will detect what. And NO AV is perfect!
Regards,
Kalpik
Bitz
June 3rd, 2005, 06:10 AM
Kalpik, how long did you have to wait for that one? :D Don't tell me you didn't see at least 10 samples that Kaspersky did find and NOD32 didn't.
kalpik
June 3rd, 2005, 06:31 AM
Hi Bitz!
It's not that I waited for the particular result! It happens many times! My posting the result does not mean I was trying to show down on KAV.
Consider the following case:
If I were to have KAV and suppose that there is only ONE virus out there that KAV does not detect. But if I get infected by that VERY virus, what good is KAV for me?
My point was that NO AV is perfect. What KAV detects is based on its definitions, not heuristics. And as far as I believe, heuristic detection is FAR FAR better than detection via definitions. Not that I'm comparing!! KAV is a VERY good AV no doubt! But as far as I can see, there is no "best" AV.
Regards,
Kalpik
Bitz
June 3rd, 2005, 06:40 AM
No AV is perfect, that is true. For me Jotti's virusscan is IRL, it shows what viruses are out there and infecting computers as we speak. What I react to is the difference between KAV and the other ones. Nod32's heuristics are good but a working up-to-date sig def works better IRL as you can see on the page. I wouldn't react to a difference if it wasn't so obvious.
kalpik
June 3rd, 2005, 08:05 AM
Hi Bitz!
-{ Quote: "Not quite right - the samples are likely to be untypical 'cos a lot of putative malware writers like to test their latest efforts by uploading them to see if they get detected!" }-
Hehe nothing more to say! ;)
Firecat
June 3rd, 2005, 02:36 PM
-{ Quote: "Not quite right - the samples are likely to be untypical 'cos a lot of putative malware writers like to test their latest efforts by uploading them to see if they get detected!" }-
Correct. :)
We should also consider the possibility of people repacking existing malware and uploading them at Jotti's to see which AV detects them (naturally, the AVs with better unpack engine will perform better in this case).
Bitz
June 3rd, 2005, 02:49 PM
True, but in that case it also means that NOD32 is really easy to fool. If some repacking makes the virus invisible to NOD that's even worse.
RejZoR
June 3rd, 2005, 02:50 PM
I wonder who's testing a bunch of old stuff on Jotti today. It's been like 4 hours and I keep seeing old DOS viruses or other older malware.
bre
June 3rd, 2005, 03:47 PM
-{ Quote: "
Consider the following case:
If I were to have KAV and suppose that there is only ONE virus out there that KAV does not detect. But if I get infected by that VERY virus, what good is KAV for me?
" }-
This is not good reasoning. Similar would be: what if you get a fever and take medicine, but when you get better a meteorite hits you in the head and kills you...what good was the anti-fever medicine for you?
So, even from these statistics you can see that you have less chance of being infected with KAV than with any other listed AV...therefore, to be best possibly protected, you install the AV with the best statistics - KAV, of course :)
izi
June 4th, 2005, 05:46 AM
-{ Quote: "Hi Bitz!
What KAV detects is based on its definitions, not heuristics. And as far as I believe, heuristic detection is FAR FAR better than detection via definitions. " }-
KAV detects viruses with signature update and with generic detection.
From: http://www.viruslist.com/en/analysis?pubid=153595662
-{ Quote: "Traditional antivirus solutions - are they effective against today's threats?
Oct 17 2004 19:46
David Emm
Senior Technology Consultant, Kaspersky Lab UK
It's clear that the nature of the threat to PC users has changed significantly over the years. Today's threats are more complex than ever before. Much of today's malware, and this includes Trojans, backdoors and spammers' proxy servers as well as viruses and worms, is purpose-built to hijack users' machines; and a single Trojan can easily be found on many thousands of infected PCs. Malicious code may be embedded in e-mail, injected into fake software packs, or placed on 'grey-zone' web pages for download by a Trojan installed on an infected machine. The scale of the problem, in terms of numbers alone, has also continued to increase - the Kaspersky Lab antivirus databases now contain close to 100'000 records.
.
.
. " }-
Don Pelotas
June 4th, 2005, 06:04 AM
-{ Quote: "Hi Bitz!
Consider the following case:
If I were to have KAV and suppose that there is only ONE virus out there that KAV does not detect. But if I get infected by that VERY virus, what good is KAV for me?" }-
That's a very bad point to make, kalpik. Since no technology covers everything including heuristics, they are nice to have though, for finding new malware to add to the definitions.
-{ Quote: "My point was that NO AV is perfect. What KAV detects is based on its definitions, not heuristics. And as far as I believe, heuristic detection is FAR FAR better than detection via definitions. Not that I'm comparing!! KAV is a VERY good AV no doubt! But as far as I can see, there is no "best" AV." }-
Saying that "heuristic detection is FAR FAR better than detection via definitions" is at best a very enthusiastic statement, it would have been nice with a little proof. I do agree that there is no perfect AV for everyone though. :)
bre
June 4th, 2005, 08:23 AM
Helloooo...heuristics enthusiasts!
Do you look at this site before you make comments?
In real life you have more chances to be protected with KAV than with NOD, even if we agree that NOD has better heuristics.
Just look frequently at that site and make statistics...no AV offers 100% protection, but with some of them you have more chances to "survive" than with others...and everyone who gets statistics from that site can conclude that KAV offers much more overall protection than NOD
rodzilla
June 4th, 2005, 09:02 AM
-{ Quote: "Helloooo...heuristics enthusiasts!
Do you look at this site before you make comments?
In real life you have more chances to be protected with KAV than with NOD, even if we agree that NOD has better heuristics.
Just look frequently at that site and make statistics...no AV offers 100% protection, but with some of them you have more chances to "survive" than with others...and everyone who gets statistics from that site can conclude that KAV offers much more overall protection than NOD" }-
Heuristic analysis (that is, DECENT heuristic analysis) is a very powerful weapon against new viruses ... 90% success for NOD32 in the recent av-comparatives.org retro test ... but it's not 100% perfect and it's not the be-all and end-all of antivirus detection.
"Signature" scanning CAN be 100% perfect ... but the delay between a new virus appearing on the horizon and the required signature update appearing on your PC can prove fatal.
According to INDEPENDENT statistics over the past 7 years, most of the time you have a much better chance of survival with NOD32 than with any other antivirus program in the world.
rothko
June 4th, 2005, 09:02 AM
from what i have heard, not all the options available in nod32 2.5 are enabled at jotti. scanning for riskware, spyware and dangerous applications is not enabled in NOD.
i can't confirm this 100%, but can anyone other than the guy who operates jotti.org? and if it's true, then it's hardly fair to compare the products based on what happens over at jotti
bre
June 4th, 2005, 11:09 AM
-{ Quote: "Heuristic analysis (that is, DECENT heuristic analysis) is a very powerful weapon against new viruses ... 90% success for NOD32 in the recent av-comparatives.org retro test ... " }-
And 71% success with Backdoors and Trojans, as well as 62% success with Worms - which gives a lot of space for infection if a signature is not put in very fast for every new malware around.
-{ Quote: "
"Signature" scanning CAN be 100% perfect ... but the delay between a new virus appearing on the horizon and the required signature update appearing on your PC can prove fatal. " }-
Can be 100% only if the author of the malware puts the signature in at exactly the same moment as he lets it into the wild...so, you cannot speak about 100%.
But, if one vendor puts a signature into the base within 15min, only bad-luck guys will be infected...which is a smaller number than the other bad-luck guys who will rely on heuristics in a product whose base will be updated several hours later...and with NOD heuristics you have a 29% chance to miss a trojan, for example...if the signature for this particular trojan is not put in the base for several hours, you will have more chances to "collide" with this trojan with fatal consequences :)
With KAV, the fact is that you have a 49% chance (according to that latest test you quote) to miss the same trojan, but within 15 minutes the signature will be in the base and generally speaking there is less chance for you to collide with this trojan with fatal result...
-{ Quote: "
According to INDEPENDENT statistics over the past 7 years, most of the time you have a much better chance of survival with NOD32 than with any other antivirus program in the world." }-
We can also speak about how well TBAV performed in the DOS and early Windows age, but this will not lead us to the conclusion that TBAV is good now...so, 7 years of statistics could be valid to see how a vendor performed in the past...but for protection at this moment you should compare existing products in order to evaluate which level of protection is given by any of them
Stan999
June 4th, 2005, 12:25 PM
-{ Quote: "But, if one vendor puts a signature into the base within 15min, only bad-luck guys will be infected...which is a smaller number than the other bad-luck guys who will rely on heuristics in a product whose base will be updated several hours later...and with NOD heuristics you have a 29% chance to miss a trojan, for example...if the signature for this particular trojan is not put in the base for several hours, you will have more chances to "collide" with this trojan with fatal consequences :)
With KAV, the fact is that you have a 49% chance (according to that latest test you quote) to miss the same trojan, but within 15 minutes the signature will be in the base and generally speaking there is less chance for you to collide with this trojan with fatal result...
" }-
Even if a vendor adds a signature in 15 minutes it may still be an hour or more before a great number of PCs are updated. Better to have as much zero-hour protection as possible.
It is good to see AVs like NOD, BitDefender, etc. continue to improve their heuristic proactive detection rather than just relying upon reactive detection no matter how fast it is.
bre
June 4th, 2005, 04:19 PM
-{ Quote: "Even if a vendor adds a signature in 15 minutes it may still be an hour or more before a great number of PCs are updated. Better to have as much zero-hour protection as possible.
" }-
There is still no Warhol worm in the wild, so even with a one-hour delay you have better chances than if you have to wait several hours for a signature, which is now fair enough time for an epidemic to spread.
Firecat
June 4th, 2005, 05:20 PM
Well, NOD32 is quite fast in releasing signatures when an outbreak does occur, I remember that recently an update was released for the sole purpose of detecting two new Mytob worms. It was the second update for that day.
bre1
June 5th, 2005, 05:58 AM
-{ Quote: "Well, NOD32 is quite fast in releasing signatures when an outbreak does occur, I remember that recently an update was released for the sole purpose of detecting two new Mytob worms. It was the second update for that day." }-
So, mighty heuristics failed and the base needed a signature? ;)
Be honest, maybe THAT time the NOD base was updated faster than usual? :)
Edwin024
June 5th, 2005, 07:01 AM
I guess you just don't like NOD. Good... that's your prerogative then :)
Chekow
June 5th, 2005, 08:25 AM
It's not about liking or disliking, it's about the facts.
ronjor
June 5th, 2005, 08:34 AM
Facts or no facts, Kav users will not convince NOD users and NOD users will not convince Kav users, that their antivirus is the best.
I suggest users trial and run the antivirus program that they like the most, including any other antivirus programs.
dog
June 5th, 2005, 08:47 AM
I totally agree Ron ... when will this ad nauseam ever end. :-\
~Common Sense is still the best protection ... and it will always be~
BlueZannetti
June 5th, 2005, 08:51 AM
-{ Quote: "It's not about liking or disliking, it's about the facts." }-
For the purposes of this discussion, it would be useful to understand the difference between isolated observations, extrapolated inferences, and facts.
Any of us can visit virusscan.jotti.org/ (http://virusscan.jotti.org/) and observe the latest results. Occasionally, we'll see an AV which does not flag a file while others do (see example screenshot). That's an observation - Group A flags this file, Group B does not, no more, no less. It is a fact that Group A flags and Group B doesn't. Anything beyond that steps outside the domain of fact unless additional evidence is brought to bear.
It's an extrapolated inference to state that Group B missed flagging some malware. If it's a nonfunctional code fragment in a temporary directory, so what? If it is similar to some perfectly fine software and therefore given a free pass if examined in isolation, so what? Maybe it's riskware and not flagged under the specific settings employed. A disparity in results is only the starting point of determining whether there has been a failure in one product or another, not the end point as is so casually presumed.
Facts? Well this depends on what the claim is, but too many folks are confusing inference (which is occasionally very reasonable) with fact. They are different and you do yourself a disservice to not appreciate the distinction.
Blue
rothko
June 5th, 2005, 09:04 AM
-{ Quote: "I totally agree Ron ... when will this ad nauseam ever end. :-\" }-
soon i hope, i can't see this thread going anywhere, seems a good place to stop...
bre1
June 5th, 2005, 09:51 AM
-{ Quote: "For the purposes of this discussion, it would be useful to understand the difference between isolated observations, extrapolated inferences, and facts.
It's an extrapolated inference to state that Group B missed flagging some malware. If it's a nonfunctional code fragment in a temporary directory, so what? " }-
Of course, but one can visit this site very frequently over some longer period of time and find a pattern - which is (just check yourself and you will conclude the same):
NOD fails more than KAV, even with its "superior" heuristics...fact might be that NOD has better heuristics as one component of antivirus system, but in real situation NOD as system performs worse than KAV as system - this is what should be counted, how system performs - not its separate components.
BlueZannetti
June 5th, 2005, 10:21 AM
-{ Quote: "Of course, but one can visit this site very frequently over some longer period of time and find a pattern - which is (just check yourself and you will conclude the same):
NOD fails more than KAV, even with its "superior" heuristics...fact might be that NOD has better heuristics as one component of antivirus system, but in real situation NOD as system performs worse than KAV as system - this is what should be counted, how system performs - not its separate components." }-
bre1,
You still don't get it.
Let's take it as a given that you believe NOD32 performs worse than KAV. Fine. Lots of controlled tests will support this contention. Some other tests point to conditions where NOD32 performs better. Examples of both are at av-comparatives.org (http://www.av-comparatives.org/). I assume you are aware of the differences in the two basic test protocols and what they are designed to probe. Regardless of which side of the discussion you're on, casual inspection of results at sites such as jotti's simply does not provide objective and factual information on performance. That's why running statistical trends don't appear. They are inferred qualitative indicators. The difference is not a polite nicety.
Before you dismiss the findings at av-comparatives.org (http://www.av-comparatives.org/) out of hand, how about providing a conceptual outline of how it should be done? As with any test protocol, if it's not controlled and can't be reproducibly executed, it's not a test - it's winging it. What you are discussing thus far is precisely that - winging it. If you choose to make your decisions on the basis of that, fine. I don't.
Blue
rothko
June 5th, 2005, 12:20 PM
-{ Quote: "NOD fails more than KAV, even with its "superior" heuristics...fact might be that NOD has better heuristics as one component of antivirus system, but in real situation NOD as system performs worse than KAV as system - this is what should be counted, how system performs - not its separate components." }-
further to what Blue has explained, i have been led to believe from reading posts on this forum, that the nod32 scanner at jotti is not configured to its maximum settings, therefore another example of why we can't draw any real conclusions based solely on the statistics provided there.
the option for scanning for 'potentially dangerous applications' is not available as it is running on a linux platform, and also the spyware/riskware options are not enabled. this is just what i have read elsewhere, and without knowing for sure how the AVs are configured, it's pointless comparing.
Independent tests carried out by people who know what they are doing and who provide details of testing conditions, scanner settings, etc. are informative and can be used to draw conclusions and make comparisons. Hanging out at jotti and adding a point to the scanners that flag potential threats is a pointless exercise, and only seems to be a pastime for users of KAV.
i said earlier that i think this thread has exhausted itself, and no matter how long it is kept open there is never going to be any agreement between the NODers and KAVers.
...next week: my car is faster than your car.
izi
June 5th, 2005, 01:16 PM
-{ Quote: "further to what Blue has explained, i have been led to believe from reading posts on this forum, that the nod32 scanner at jotti is not configured to its maximum settings, therefore another example of why we can't draw any real conclusions based solely on the statistics provided there.
the option for scanning for 'potentially dangerous applications' is not available as it is running on a linux platform, and also the spyware/riskware options are not enabled. this is just what i have read elsewhere, and without knowing for sure how the AVs are configured, it's pointless comparing.
Independent tests carried out by people who know what they are doing and who provide details of testing conditions, scanner settings, etc. are informative and can be used to draw conclusions and make comparisons. Hanging out at jotti and adding a point to the scanners that flag potential threats is a pointless exercise, and only seems to be a pastime for users of KAV.
i said earlier that i think this thread has exhausted itself, and no matter how long it is kept open there is never going to be any agreement between the NODers and KAVers.
...next week: my car is faster than your car." }-
KAV is better product than NOD32 and my car is faster and better than your car. :D :) ;) 8)
Firecat
June 5th, 2005, 02:09 PM
-{ Quote: "So, mighty heuristics failed and the base needed a signature? ;)" }-
Not sure, but I think at least one of the two worms was heuristically detected.
Anyway, the update was released to provide disinfection for those worms
-{ Quote: "Be honest, maybe THAT time the NOD base was updated faster than usual?" }-
I sure wasn't expecting that update, because I had got one update already.
Even one update a day is good enough for me because I can only spend 3-4 hours on the PC anyway (except for holidays) because of school and other classes.
bre1
June 6th, 2005, 03:43 AM
-{ Quote: "Further to what Blue has explained, I have been led to believe from reading posts on this forum, that the NOD32 scanner at Jotti is not configured to its maximum settings, therefore another example of why we can't draw any real conclusions based solely on the statistics provided there.
" }-
Could it be a worldwide conspiracy to discredit superior heuristics in order for the Government to be able to spy on us? :)))))))
-{ Quote: "
...next week: my car is faster than your car." }-
I am eager to see the episode "My father is stronger than yours"... please let me know when you plan to post it.
rothko
June 6th, 2005, 04:23 AM
-{ Quote: "I can't see this thread going anywhere" }-.....
bre1
June 6th, 2005, 05:32 AM
-{ Quote: "....." }-
It went totally off-topic...
worldcitizen
June 8th, 2005, 04:26 AM
-{ Quote: "I don't get why people expect that NOD32 heuristics should pick up everything!? C'mon, they are the best on the market, but you cannot expect them to be almighty ::) " }-
This is what I was saying about NOD users talking up NOD 32 too much and in the end doing it far more harm than good because people are expecting, by the way it's hyped up that it'll pick up 'everything' and no AV is that good, so it would be in the interests of NOD users to be a bit more realistic and use less rhetoric and references to awards and tests when promoting NOD 32 as these are inconclusive and result in unrealistic expectations from prospective customers who exhibit 'great disappointment' even if it misses 1 infection. This is the result of too much hype.
Dave
rdsu
June 8th, 2005, 04:37 AM
-{ Quote: "This is what I was saying about NOD users talking up NOD 32 too much and in the end doing it far more harm than good because people are expecting, by the way it's hyped up that it'll pick up 'everything' and no AV is that good, so it would be in the interests of NOD users to be a bit more realistic and use less rhetoric and references to awards and tests when promoting NOD 32 as these are inconclusive and result in unrealistic expectations from prospective customers who exhibit 'great disappointment' even if it misses 1 infection. This is the result of too much hype.
Dave" }-
A user of NOD32, like me, can only say that NOD32 has the best heuristics but any AV, including NOD32, can't catch anything...
It's just impossible...
Firecat
June 8th, 2005, 10:53 AM
-{ Quote: "This is what I was saying about NOD users talking up NOD 32 too much and in the end doing it far more harm than good because people are expecting, by the way it's hyped up that it'll pick up 'everything' and no AV is that good, so it would be in the interests of NOD users to be a bit more realistic and use less rhetoric and references to awards and tests when promoting NOD 32 as these are inconclusive and result in unrealistic expectations from prospective customers who exhibit 'great disappointment' even if it misses 1 infection. This is the result of too much hype.
Dave" }-
To be very honest - I am not a NOD32 fanboy. I have used many AVs and I just find that NOD32 is great for my PC, which is primarily meant for games.
I never said that the heuristics are the best, that they will save the world from all dangers.
It's just good enough for me, that's all.
I bet you don't know about my great "struggle" deciding between BitDefender and NOD32 ;D. KAV, BD and NOD32 all have their own special qualities, and at the end of the day, it's the protection offered that counts ;)
Ajim Rudies
June 14th, 2005, 09:27 PM
Waddup!!!
Man,do you noe sub7 virus not antivirus im the subseven owner but im suffer cuz it will crush all ur computer but lucky i have PC cillin trend micro n AVG anti virus their both is good n remove virus easily.But if u all wan to be hacker u all go [link removed] n see on ur left then u download but remember not to open ani of virus subseven file,it has a many file but u mus do it focusly if not ur computer will crush n the virus will sent me note that ur computer hve beencursh so i adbicednot to download ppl who ar stuborn i gona get crush my subseven so BEWARE OF SUBSEVEN!!!!!!!!!!!!!!
No links to malware on Wilders -- Ron
C.C
June 14th, 2005, 10:20 PM
@Ajim Rudies
um...........what?
bre1
June 15th, 2005, 03:32 AM
Q: Where are the statistics?
A: I removed them because they started causing too much commotion. And I got tired of
explaining why these results were different from other tests. This service
receives a lot of very, very new malware and most people fail to realize that signature
scanners require an actual signature for these new malware variants, which some AV
companies provide faster than others. Approximately 2 malicious programs pass this
scanner, without any AV product noticing anything, every day!
Somebody, probably from this forum, went crying to Jotti and now he had to take the statistics away :D Well, I saw what I saw and that was that KAV is superior to any AV by far. :D
RejZoR
June 15th, 2005, 04:59 AM
Damn jerks ::) If people would actually read his FAQ we'd still have percentage statistics. Argh. >:(
IBK
June 15th, 2005, 05:42 AM
On Jotti's site the total statistics are usually always around these:
Kaspersky ~83%
VBA32 ~65%
BitDefender ~63%
Dr.Web ~63%
NOD32 ~56%
AntiVir ~54%
ArcaVir ~52%
Fortinet ~48%
ClamAV ~40%
Norman ~39%
AVG Antivirus ~36%
F-Prot ~35%
Avast ~34%
SDS909
June 16th, 2005, 01:24 PM
Jotti's heavily favors Kaspersky because many malware sites use KAV to validate their libraries. In addition, KAV detects improper files as malware. For example if a particular malware is a DLL, but also has a 1 byte text file, KAV detects the text file as the malware as well (incorrectly). Other AV's ignore this useless file. (correctly).
These are a couple reasons, there are others.
Honyak
June 16th, 2005, 01:42 PM
-{ Quote: "Jotti's heavily favors Kaspersky because many malware sites use KAV to validate their libraries. In addition, KAV detects improper files as malware. For example if a particular malware is a DLL, but also has a 1 byte text file, KAV detects the text file as the malware as well (incorrectly). Other AV's ignore this useless file. (correctly).
These are a couple reasons, there are others." }-
I would think that Jotti would not use KAV for validation since the malware comes from outside sources (internet users) for scans. His library is provided by people submitting malware, then he passes it on to vendors.
So why would he need to have them validated by KAV when in essence they are being validated by the many scanners?
Siarheika
June 17th, 2005, 05:01 AM
There are many reasons why KAV's statistics are so good at Jotti's. For example, KAV is also able to scan inside the quarantine of some other AV programs. So it gets a few more points because of this when such files are submitted for online check.
Also Jotti's seems to favour signature detection. For example, in the case when no antivirus provides exact detection, the result is not taken into account at all in the statistics, though some programs could have correctly flagged this submitted malware with heuristics. After that, this sample is distributed to different AV companies and the one, who updates virus databases faster, has the advantage (and KAV seems to update virus databases very fast). The next time when the same sample is submitted, KAV usually already detects it and earns points (other scanners who still detect it with heuristics get points too, but they have no chance to beat KAV in statistics). I really don't know how Jotti's engine works, so it is only my guess. But if that is true, the better heuristics of other AV engines, the more KAV benefits from it at Jotti's :)
bre1
June 17th, 2005, 06:21 AM
-{ Quote: "For example, in the case when no antivirus provides exact detection, the result is not taken into account at all in the statistics, though some programs could have correctly flagged this submitted malware with heuristics. " }-
This is complete BS; when an AV finds malware with heuristics, Jotti shows it in the statistics. I don't know why you have to lie about it. I know Jotti has hurt some antivirus distributors because it actually shows in real time what viruses have infected REAL PEOPLE, not some virus collection, REAL PEOPLE. So the AV companies that rely on heavy marketing and image fall flat on the floor, and some that have a good reputation and are thought to be good aren't as good as you might think. The statistics also show which antivirus picks up the malware and which doesn't. The only way Kaspersky has benefitted from this is that Jotti shows that KAV finds the majority of the viruses. You can come up with whatever explanations you want about why Jotti's statistics don't favour your AV, but it's very simple: the files that are sent in are from people like you and me, and the viruses that their computers are infected with could infect us. The antivirus that finds the most viruses there will also find the most viruses for you in real life. Jotti can't be fooled and is not sponsored by AV companies like some of the tests that are made with virus collections. Jotti's statistics gave a glimpse from real life and that's what's most important.
Siarheika
June 17th, 2005, 09:23 AM
-{ Quote: "This is complete BS; when an AV finds malware with heuristics, Jotti shows it in the statistics. " }-
Is it really? See here:
File: C3C772C3DAEFFE7B704C4F024DD33E79B3E2DC0D.zip
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged
as malware by heuristic detection(s). This might be a false
positive. Therefore, results of this scan will not be stored in
the database)
MD5 d5c7e8b7fec54b53d52214336d59428d
Packers detected:
-
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found Worm.Pikis.1 (probable variant)
That's a fresh piece of malware that came from Jotti today; it is currently being added to virus databases, but right now our scanner detects it only using heuristics. Some other AVs can already detect it. In order to make this experiment and make the file only detectable using heuristics, it was packed in a ZIP archive with the BZIP2 compression method (luckily no other AV but VBA32 is able to unpack such archives yet :)). The result is here: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database.
So if I get it right, this result is not taken into account for Jotti's total statistics (it was previously posted by IBK and KAV has scored 83% in it) though this file is definitely a piece of malware. Well, these total statistics are not available to the public anyway, so there is no point to complain or require Jotti to fix it, or change anything :) KAV is an excellent antivirus, but the difference in detection percentage in Jotti's total statistics between KAV and all the other AVs 'might' not be that large if it was calculated a bit differently (not better, not more correctly, but using a different algorithm). As I said before, it is currently favorable towards signature detection and gives fewer 'points' for heuristic detection. That is neither good nor bad, it is how it is calculated. Maybe because it is hard (or impossible) to find a perfect algorithm for the total statistics calculation, these statistics are not available to the public at Jotti's page. But as the results were posted here, we are discussing them now :)
-{ Quote: "
I don't know why you have to lie about it..." }-
I don't think that I'm the guy who would have to lie or complain about those statistics ;)
dan_maran
June 17th, 2005, 12:42 PM
I have found VBA32 will find some executables via heuristics that everyone else misses, mainly backdoors. It's all in the way it is trained.
As a side note, has anyone else noticed that Jotti removed the last piece of malware box from his page?
dvk01
June 17th, 2005, 01:02 PM
-{ Quote: "I have found VBA32 will find some executables via heuristics that everyone else misses, mainly backdoors. It's all in the way it is trained.
As a side note, has anyone else noticed that Jotti removed the last piece of malware box from his page?" }-
I think it might have been because so many people are sent to Jotti's from all the forums and asked to scan suspicious-looking files, and quite a few of them upload, then immediately see the last scanned entry and copy that rather than waiting for the proper result,
plus the fact that on occasions it gets 20 or 30 files every minute, so it's impossible to display the last one properly.
gigaman
June 17th, 2005, 01:09 PM
-{ Quote: "In order to make this experiment and make the file only detectable using heuristics, it was packed in a ZIP archive with the BZIP2 compression method (luckily no other AV but VBA32 is able to unpack such archives yet :))." }-
Just out of curiosity - could you tell us more about this BZIP2 compression method in ZIP archive? (any descriptions, specifications, links, ...?)
Does any software support it, or is it just an internal VBA32 format maybe?
Firecat
June 17th, 2005, 01:33 PM
-{ Quote: "Just out of curiosity - could you tell us more about this BZIP2 compression method in ZIP archive? (any descriptions, specifications, links, ...?)
Does any software support it, or is it just an internal VBA32 format maybe?" }-
Here's some info about the BZIP2 compression algorithm:
http://www.answers.com/BZIP2
gigaman
June 17th, 2005, 01:53 PM
I know what BZIP2 is (as a standalone archive), but the original post implied using BZIP2 compression inside of an ordinary ZIP archive (i.e. some kind of ZIP format extension), if I understand it correctly.
Siarheika
June 20th, 2005, 03:25 AM
-{ Quote: "Just out of curiosity - could you tell us more about this BZIP2 compression method in ZIP archive? (any descriptions, specifications, links, ...?)
Does any software support it, or is it just an internal VBA32 format maybe?" }-
http://www.pkware.com/company/standards/appnote/appnote.txt
The easiest way to create such archives to experiment with them is to use 7-zip (http://www.7-zip.org).
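Added example, not part of any post in this thread and not code from Jotti's service or any AV vendor: a small reader for the ZIP central directory described in the APPNOTE linked above, which lists each entry's compression method so that an archive using a method the scanner cannot unpack (such as BZIP2, method 12) is reported as "unscanned" instead of "found nothing". The set of supported methods and the sample archive are assumptions constructed for the illustration.

```python
import io
import struct
import zipfile

# Compression method IDs from PKWARE APPNOTE.TXT (subset).
METHOD_NAMES = {0: "stored", 8: "deflate", 9: "deflate64", 12: "bzip2", 14: "lzma"}
# Assumption: a hypothetical scanner that only unpacks stored and deflate entries.
SCANNER_SUPPORTED = {0, 8}

EOCD_SIG = b"PK\x05\x06"     # end of central directory record
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header


def entry_methods(data):
    """Return [(file name, compression method id)] from the central directory.

    ZIP64 archives are not handled in this short example.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # Offset 10 of the EOCD: total entries, directory size, directory offset.
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        method, = struct.unpack_from("<H", data, pos + 10)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        entries.append((name, method))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def triage(data):
    """Return ('scannable', []) or ('unscanned', [(name, method name), ...])."""
    unsupported = [(n, METHOD_NAMES.get(m, f"method {m}"))
                   for n, m in entry_methods(data) if m not in SCANNER_SUPPORTED]
    return ("unscanned", unsupported) if unsupported else ("scannable", [])


def build_sample(second_method=zipfile.ZIP_BZIP2):
    """Constructed sample archive holding two harmless text entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample\n" * 20,
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("notes.txt", "constructed sample\n" * 20,
                    compress_type=second_method)
    return buf.getvalue()


if __name__ == "__main__":
    print(entry_methods(build_sample()))
    print(triage(build_sample()))
```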
tiagozt
June 30th, 2005, 10:59 AM
If you install and/or uninstall antivirus software and test it with samples you'll see that Jotti is right and NOD32 fails and Kaspersky is the best!
rdsu
June 30th, 2005, 11:04 AM
-{ Quote: "If you install and/or uninstall antivirus software and test it with samples you'll see that Jotti is right and NOD32 fails and Kaspersky is the best!" }-
You are comparing KAV and NOD32 on Linux, right?
If not, you can't compare them...
Detox
June 30th, 2005, 11:07 AM
-{ Quote: "Jotti is right" }-
That is exactly the kind of comment Jotti himself is referring to here (http://www.wilderssecurity.com/showpost.php?p=490986&postcount=20) that made him pull his statistics as they were being misused and people quoting HIM like you just did for something he has never said. Now that this poor subject has been beaten to death so many times only to be "bumped" like this again, thread closed.