Signature Update Notices

Signature Update Notices, and Frequency

Eset's NOD32 v4.0 Setup includes an option to "Ask before downloading program components" (Setup, Antivirus and Antispyware, Update, Advanced Update Setup), which I have selected (I think it was the default).

But apparently "program components" does not include signature updates, because --- unlike NOD32 v2.7 --- I have not received any signature update notices.

Is there any way to persuade NOD32 Antivirus Antispyware v4.0 to announce (and ask permission to download and install) signature updates? In NOD32 v2.7, those signature update notices --- typically three or four or even more times a day --- were comforting reminders that NOD32 was on the job, allowed easy permission to be given, and never caused any significant work delays. I miss them.

Also, is NOD32v4 relying more on heuristics and less on signatures, and updating signatures less frequently than in v2.7? It's hard to tell without any notices. I don't want version 4's improved heuristics to replace signatures; I want those improved heuristics to supplement frequently updated signatures.

Even a small decrease in signature development could partly explain jimwillsher's very unfavorable comparison of NOD32 with Kaspersky, message 3 in thread "usercashcom.dll is it a trojan ??" at https://www.wilderssecurity.com/showthread.php?t=242516

I had so much confidence in Eset that I upgraded from version 2.7 to 4.0 (Build 424) without bothering to check any testing websites. So now I checked AV-Comparatives (Virus Bulletin has gotten quite expensive for the occasional user). NOD32 v3 (and Kaspersky) both did very well in the latest test (February 2009); I hope that NOD32 v4 doesn't let me down.

Roger Folsom

 

No, engine updates as well as module updates (e.g. advanced heuristics, archive module, cleaner module, etc.) are downloaded automatically. The option you're referring to means program component updates (ie. the whole program, including help files). There have been no program component updates released for v3/v4 yet, but there will be one issued some time soon which will update v3 users to the latest v3 version 3.0.684.

 

Marcos:

I know that you are busy, so there's no need to reply to (aka debate) any of this message. I'm just hoping that the points below may be of some use to Eset.

Thanks for clarifying the changes about which the user is notified --- if I understand you correctly, the user has the option to be notified only when the "whole program, including help files" is updated. Why the "whole program" would be labeled "components" is a bit of a mystery, but English is a very (and often confusingly) flexible language. Admittedly, NOD32v4's setup options do use the plural "components" rather than the singular "component," but my guess is that few users would realize that "components" means the whole program.

By searching for "component" in both the NOD32v4 Help file and User Guide, I could find nothing to suggest that component download options always involve updates of or changes in the "whole program" or at least most of it. I'm not saying that you are wrong; I'm suggesting that the Help file and the User Guide may need some editing.

I was surprised that you said that "some time soon" there would be a program component update for NOD32 version 3, to update it to the "latest v3 version 3.0.684." I just now checked Eset's download page, and version 3 is already at version 3.0.684.

So I hope you meant that the upcoming NOD32 v3 program components update would move v3 builds earlier than 684 to build 684, and did not mean that the upcoming NOD32 v3 program components update would move all v3 versions (including the currently available v3 build 684) to something beyond the current build 684, without changing the build number to something larger than 684.

Long ago, when WordPerfect was the dominant wordprocessor, and WordPerfect was an independent and very successful firm, I think the only customer service mistake they ever made was "slipstreaming" bug fixes into their downloadable programs without changing the version number. That was "really annoying" because users had no way to know whether they had missed a program update.

My judgment is that slipstreaming component updates without updating the version number could be especially bad for users who chose the option to "Never update program components," or the option to "Ask before downloading [and installing updated] program components" and who then deny permission because they're in the middle of doing something that shouldn't be interrupted, and then forget that they were offered updated components. If component updates don't change the version number, those users may never realize that they missed an update.

Getting back to signature updates: The obvious frequency of NOD32 v2.x updates was something I often told friends about, and several (including a product manager at a very prominent Silicon Valley high technology firm) said that they thought that signature update frequency was the most important characteristic of any AV program. NOD32 v2.x's signature frequency, apparently much higher than any of the competition (especially Norton), tempted them to adopt NOD32 (until I told them that choosing options for each module and/or profile was an enormous time sink and that I didn't have time to talk them through that task).

Now NOD32 has a much better user interface --- especially for choosing setup settings --- but by hiding signature update frequency Eset has thrown away what likely would be a major "word of mouth" marketing tool.

Since you didn't address the issue of signature update frequency (with or without notice), I am guessing that NOD32v4 has reduced signature update frequency in favor of more reliance on heuristics. But I think that most people, like me, do very much appreciate having better heuristics but also want frequent signature updates. To a mere user, heuristics' effectiveness is not nearly as certain --- and not nearly as easy to describe to others --- as is signature effectiveness and update frequency.

Thanks again for clarifying what can and what cannot get a notice.

Cordially, Roger Folsom

 

Aint the notifications option your talking about in advanced update settings?

Try the advanced update settings (from GUI: F5 (advanced setup tree) --> update --> advanced update setup) and set the option ''Ask before downloading a update". Here you can set the size to 0kb and that way you should be asked every time a new update is ready to download and install. (never tried it myself)

And by default v3/v4 will notify you when a update has been downloaded and installed, so you can still see NOD32 doing its job (perhaps you disabled that?). As far I notice ESET only improved daily updates lately as you can see here: http://www.eset.eu/support/update-xy1 . Still 2/3/4 updates a day!

 

Is V4.0.314.0 supposed to update the program? For example will NOD update to v4.0.424.0? If so, how do you set it up to do so?

 

Brambb: The answer to that is Yes.

I tried your idea, and a 0kb entry doesn't stick --- that is, you can set it (I tried in my Administrator account as well as in my Restricted/Limited user account), exit, and then return, and the box isn't checked and the size field is blank.

So I used the same procedure with an update size of 1kb, and that did stick. It will be interesting to see if that generates any signature update notifications.
But I don't think it will report signature update notifications, even for signature updates larger than 1kb, because I think this entire settings section is about components rather than signatures.
I think that Marcos' message to me (number two in this thread), means that everything in "update --> advanced update setup" pertains only to components, and apparently a signature update isn't a component.

No I didn't disable it; it's still enabled. But given my understanding of Marcos' message, I think your statement needs the word "component" in front of "update."

Thank you very much for that link! It definitely does comfort me to see the daily frequency of updates. And I don't see any way to access it from the main NOD32v4 window; for example, I don't see signature update frequency among the Statistics. Signature frequency ought to be listed there.

I did notice that your link to the Threat Center was in Europe; I looked at some of the other entries and they gave me a red text warning in a European language unknown to me --- not surprising, given that Eset's home is somewhere in Europe; I think central Europe.

Thanks for your 'Ask before downloading a update" suggestion (even if it doesn't work), and for the link to signature frequency.

Roger Folsom

 

No problem, just trying out to help .

I will try out the 'ask before update' setting myself to see what it does here. Does not seem to me its only for PCU release's, but I may be wrong. I will report it back tomorrow.

And by the way.. I _do_ get updates notices when a normal signature update is downloaded and installed (from automatic hourly update schedule)! Seems to me it ain't working properly for you. I am not sure if it also displays a notification on manual update. Cant test it out now since im already at the latest .

You can also see the signature updates in the Log Files (Main GUI: Tools --> Log Files) under 'Events' (among other things). You need to have advance menu turned on to see the Tools menu.

/edit:

After starting up this morning I got a window to give NOD32 permission to update. My update settings are "ask if update is larger then 1kb". Forgot to take a screen-shot of it (quick fingers ). I did take one of the notification:
http://dl.getdropbox.com/u/349356/ESET%20NOD32%20Antivirus%20-%20update%20notificaton.jpg

/edit2:
And here is the update dialog to ask me for permission:
http://dl.getdropbox.com/u/349356/NOD32%20Update%20dialog.jpg

 

Ron,

I had the same set up shown, with the exception of a check mark in the "Test Mode" box.

Thank you
Stan

 

You succeeded! Thanks again.

Assuming we're both using NOD32 Anti-virus v4.0 and not Smart Security, the difference between our results may be that you are getting a normal signature update from an automatic hourly update schedule. I have not set up an hourly update schedule (or any other schedule, for that matter), in either v2.7 or now 4.0, because I always figured that Eset knew when it had a signature update, and would send it as soon as its server resources permitted, so I couldn't see the point of an update schedule.

(I don't schedule demand-scans either, because I work at erratic times so I do demand-scans when convenient (for example, when I am about to go to eat a meal or go to bed) and there's no danger that the scan will conflict with "real work" I am doing --- and no danger that the "real work" I am doing will conflict with the scan.)

Thanks for pointing that out. But the only signature updates recorded, I think, are the ones that happen while the computer is on and connected to the internet. So if you want to know how often Eset sent out signature updates, the link you provided in your earlier message to the signature updates list http://www.eset.eu/support/update-xy1
apparently is essential.

Incidentally, at that same Tools location, there's a Filter button that gets you a dialog box with an option to "Enable smart filtering." But the help (clicking on the question mark) doesn't mention that option, and I can't find it mentioned in the UserGuide, so I wonder what that option does. Maybe it lets you choose to log only some event categories? That interpretation seems redundant, since all the category checkboxes are available in any case.

Since Marcos' message implied that there had been no component updates for 4.0 Build 424, it does look as though the "ask if update is larger than 1kb" does apply to signatures as well as to components. I just now checked updates, and for some reason an earlier update had failed, and when I tried to update it now I got the same permission request you did, followed by the same notification request you did.

Forget my guess above that scheduling may be the cause of your receiving and my not receiving signature update notices (for updates larger than 1kb). I have now realized the reasons I haven't seen those permission requests and notifications are that
a) in NOD32 v4 the permission request is in the system tray and much smaller than in NOD32 v2.x, where the permission request was a large grey box in the middle of the screen where you couldn't possibly miss it, and
b) In my Restricted/Limited user account, where I usually am (e.g. right now), I have set the task bar to be hidden --- and I suspect that NOD32v4 permission request forgets to unhide it, so I don't see it. That's a guess, however; I'll report back if it turns out that I simply don't notice when the permission request does unhide the taskbar.

Somewhere there's a setting to lengthen the time that "tooltips" display, and I will lengthen that to see if it makes those requests more noticeable.

Thanks for all I am learning about NOD32v4 via this conversation!

Roger Folsom

(Using Windows 2000 Sp4 Rollup1 version 2)

 

Yes, we are both using EAV. Only difference I am using Vista instead of W2k as you may have noticed in my screenshots. The update schedule (every 60min) is a default build-in schedule by ESET. As far as I know NOD32 never checks twice in a hour (impossible to set up). There has been a pretty long topic about this in the past. It also checks for update at user logon.
Might feel its being pushed to update but it really pulls update in whenever the scheduler kicks in.


I don't know what Smart Filtering does. I opened a couple of logs and enabled/disabled it but I cant seem to see any difference between them. Perhaps a moderator can light this up. I cant find anything about the 'smart filter' option it in the help file either.


Yep seems the 'Ask for update larger then X' are for all kind of updates (Signature, module and PCU). It's already so long ago since I used 2.7, but indeed when you mentioned it the notifications were really big (and not the miss) back then .
Must admit the pop-up to ask for permission ain't really clear. Does not even say it is for NOD32, could be for any program by the looks of it.

NOD32 has some user specific configurations so things might be slightly different if you changed settings in one and did not in the other account.
In the very same option window where you can display the notification longer you can also specify which user needs to answer notifications with user interaction (advance setup). Since asking for update to download/install is such notifaction it might be this option which wont let you see the notification in your limited account. Although mine said 'Administrator' and im _not_ using the administrator account (only in adminstrator group) im not sure if this is your missing setting.

And I'm also still learning every day where all the settings are in the advance setup maze of NOD32 . So many things you can change, I belive the designers even struggle where to put it all.

 

Hello,

I think the "problem" may be simply be due to a misunderstanding how ESET's software is architected.

The software is designed to function as an extensible framework. There is a base product, the engine, which consists of the kernel service and some other components such as filter drivers. For purposes of completeness, the user interface and the online help files can also be thought of as part of the base product, not because they operate at a low level within the operating system, but because they are a fundamental part, or component, of the product (and we'll come back to that word later on).

Now, the engine which is part of the base product makes extensive use of modules. A module, in ESET's case, is a kind of library which performs or provides various functions such as an antivirus/spyware, de-archiving (parsing of compression formats), advanced heuristics/emulation, self-defense, firewall and antispam is ESET Smart Security and so forth.

The engine and modules, in turn, make use of signature updates, which allow them to prevent, detect and remove malware. Although they are commonly referred to as "virus signature database updates" the actual amount of "classic" parasitic file infecting viruses is small when compared to the agents, bots, password stealers, Trojans, worms and other forms of malware that appear on a daily basis. It is probably better to think of it as a malware signature database. To further muddy the issue, exploits and threats are detected as well by the program, which are used to introduce malicious code into a system but do not contain the malware themselves (think web-based attacks, et cetera).

When an ESET program downloads a "virus signature" database update, it is typically downloading a new list of signatures for the aforementioned threats, however, since ESET uses a modular architecture, updates to the modules (libraries) can also be distributed at the same time. Either can be provided via conventional means, however, it would be unusual to perform a module update by itself as they are typically distributed in-line ("piggy-backed") with signature database updates.

Signature and module updates, though, do not update the parts of the program which make up the framework, such as the engine, user interface and online help. In order to update those components, a program component update (PCU) must occur. When a PCU occurs, the program basically downloads a complete copy of the latest version and runs it to perform an upgrade.

I hope that explains the differences between a signature update (which can include a module update) and a PCU.

As far as versioning goes, it has been my experience that when ESET makes changes to code, the new files get a new version. In some cases, these are very small changes, such as NOD32 v2.70.42 and ESET Smart Security/ESET NOD32 Antivirus v3.0.685.0, which were released in Hungarian and Bulgarian, respectively, to fix typos in things like the EULA or update a distributors' contact information.

Getting back to the subject of signature updates, the information is displayed when the graphic user interface is opened. It appears in the right panel when the program is first opened, so it should be fairly visible. It can also be viewed by hovering over the ESET icon in the system notification tray area. In addition to those in-program mechanisms, virus signature are announced on an RSS feed. It can be viewed, or subscribed to, by visiting ESET's web site at http://www.eset.com/support/updates.php. One thing to consider is that some people find this information intrusive, especially if they use their computer to run full-screen applications such as presentations or gaming.

I do not have hard data on virus signature update frequency, but I believe that the frequency of updates has actually increased over the last 9-12 months with more malware being named in each update. That would probably require some analysis which I am not capable of doing at the current time, though.

Regards,

Aryeh Goretsky

 

Ron would you mind expanding on the "test mode" showing in the graphic that you posted as I do not have my build configured as such.

Thanks.

 

Great, thanks.

 

Hi Ron,

This is only in ESS not EAV right? As I use EAV and it is not there!

TH

 

It is available in EAV v4 to! Are you sure you looking in the right place TH?

 

Yes wrong place but I found it Thanks! Also I clicked update and it downloaded 22.2mb of program modules.

 

[RNF's response to this thread's message 11, by Brambb]

Thanks for the news that the hourly check for updates schedule is a NOD32v4 built in default, probably starting the timing with logon.

I'm sorry that you also haven't been able to find out or figure out what "Smart Filtering" does. And I'm wondering also what "Dumb Filtering" would do. <grin>

I did get a "Ask before downloading [and installing] update, if an update file is greater than [1] kb" notice. (I didn't think to copy down the actual notice's wording, but it did the job; my wording here comes from Settings, Update, Advanced Update Settings. If the actual notice did not state that it was a NOD32 notice, it definitely should have --- all warning boxes should include their source.)

The nice thing was that in Windows 2000 Sp4, that notice, instead of being in the system tray, was in the middle of the screen --- not nearly as large as in NOD32 v2.7, but large enough to not be missed. And I am fairly sure that I was in my Restricted/Limited User account, which is not part of an Administrator group.

Although "malware signature" updates are often accompanied by module (library) updates (see Aryeh Goretsky's message 12 in this thread), they apparently get installed even though I am in my Restricted/Limited user account (unless all my signature updates so far, for about three weeks, have not been accompanied by module updates).

But I'd guess that program component updates (again see message 12) will open a "run as administrator" box so that they can be installed.

Roger Folsom

 

Agreed.

It definitely does. Thank you.

To me, that was very good news.

For your description of the graphic user interface, and setting up virus signature announcements on an RSS feed. I'll suggest that the reader read your full post, at
https://www.wilderssecurity.com/showpost.php?p=1472205&postcount=12

Personally, even at some future date I don't think that analysis would be the best use of your time, given your explanations above, and also given the update frequency link http://www.eset.eu/support/update-xy1 noted by Branbb in messsage #4 of this thread. I do hope that that link, or some other source of the same information displayed in the same very efficient way, gets into some future version of NOD32's user interface in some fairly obvious location.

Thanks for your explanations of Eset's NOD32 structure. They really, really, helped me figure out how the program works and how I will want to set it up (at most, only minor changes in the default settings).

Roger Folsom