NOD32 protection compared to KAV protection

[Defenestration]

I have to say I've been a fervent supporter of KAV but thought I'd give NOD32 another try because of the slowdown to my system caused by the KAV real-time scanner. NOD, on the other hand, causes minimal slowdown, if any.

While I didn't like the GUI of NOD before, it's not so bad on second viewing. I also like the fact you can purchase 1, 2 or 3 year licences.

The main reason I liked KAV was due to the fact you could use extended databases which detects a lot of trojans and malware (diallers, pornware etc.).

So, if I switch to NOD32 -

1) Will I still be protected against trojans and malware ?

2) What won't I be protected against ?

3) How often are the database updates released ?

4) By default, how often does NOD check for updates ?

[dvk01]

There is no doubt that KAV detects more but NOD is starting to catch up

Nod can be set to check hourly like KAV

updates are as and when, can be daily can be 2 or 3 days apart or might be 3 in one day

[Notok]

NOD32s focus of protection is on what you you will encounter in everyday situations (even if there isn't a signature for it yet), where KAVs focus is 100% detection of everything. NOD32 now has greater heuristics and focus on trojans and 'potentially dangerous apps', but it's probably still not for the avid virus collector who wants to positively identify anything s/he finds. If you aren't a super-duper-extra-high-risk user, or in a business situation where paranoia is an asset, then you won't go wrong with NOD32. If you're still worried about it, or want the best of both worlds, you can get an anti-trojan, even if just a free one.

NOD checks for updates hourly by default, and like dvk01 said updates can be anywhere from once every few days to several times a day, I think it just depends on what they find/are sent.

[windstrings]

in case you haven't seen this page... its tells lot of features: http://www.nod32.com/news/awards.htm

Plus, its only the "in the wild" viruses that should concern you.... otherwise, thats kinda like worrying about catching some disease like smallpox that is not longer "in the wild" or something that in a culture dish in some lab in china... its only the ones that are out running loose that matter... and if one of the other ones get out.... then its nod's job to start including them in their "in the wild" list. Having to search database dats for virus's that don't even exist "in the wild" only slows down the av's ability to scan fast that much more.

[ronjor]

Anton covered ESET's philosophy earlier this year.

June 17th, 2004, 03:11 AM
anton anton is offline
Eset Moderator

Join Date: Oct 2002
Posts: 208
Default Re: What happend ESET?
Hi Guys,

Eset appreciates (a lot) all and every sample/s sent to its labs (samples@eset.com). Every sample is logged and examined using various methods. Addition of a sample-signature into the database is made on a need-to basis. Extraction of a signature of a sample is an automated process and could be completed in no time. However, Eset does not want to take part in a 'maximum-size-of-the-database' race and prefers to keep the database clean, i.e. without 'meaningless' benign signatures.

Some of the forum participants may recall the Rosenthal Utilities (RU) tests performed by CNET two years ago. All the 'simulated viruses' generated by the RU were benign (non-viral). 100% detection of the RU samples (achieved by some of the products) meant 100% False Alarm Rate. Detection of non-viral samples may lead to a couple of things: excellent results in some 'tests' combined with a false sense of security, a huge 'virus' signature database and 'dinosaur' update files.
Exponential increase of the number of new malware samples may often lead to a 'path-of-least-resistance' approach: automatic addition of all sample signatures, regardless of their viral nature.

Eset exchanges samples with several av vendors. Opposite statement is incorrect.

Speed of update and reaction time is of essence. Eset is fully aware of that. Advanced Heuristics has been developed and implemented with that in mind. The only acceptable reaction time is equal to zero. NOD32 achieves that often, e.g. it detected the infamous Netsky.A and Bagle.A heuristically.

Once again, I would like to thank you all: for both the samples and your patience :-)

anton
Last edited by anton : June 17th, 2004 at 04:11 AM.

[Notok]

Yup! I think what's really missing around here, though, is a good definition of what all that entails. I think NOD32 will still pick up anything that you have just about any chance of getting infected by, including the less common trojans and worms that may be circulating and may, or may not, fall under the catagory of 'in the wild' I guess it would be more precise to say that it will defend against any INTERNET threat that you may encoutner in your daily activities, KAV extends it's protection to include threats that could be brought in through the physical world (ie a hacker in a workplace looking to steal data, etc.) or downloaded intentionally.

Edit: LOL, well there we have it!

[myluvnttl]

I used both the new version of both, and I think Nod 32 is easy to use and fast scanning, Kav is very built program, I made a test virus, and Kav took care and deleted it before I could open up the file.

[richrf]

Hi all,

I am testing NOD32 as a companion/alternative to KAV 4.5.104. I have been bitten once to many times by viruses that got by NAV so I do not mind spending a little bit extra to avoid the problems caused by viruses, trojans, and spyware. In fact, I have at least two of each in order to provide confirmation.

I was wondering whether NOD32's heuristics were ever put to the test. For example, test NOD32 and its database as it existed at lets say Time - 1 week. And use this version to test against all viruses that appeared up until Time (one week later). Such a test would allow users to confirm that the heuristics were adequate for handling viruses that were in the wild yet not identified with signatures. Has such a test - or something similar been tried by anyone? I imagine Eset performs such tests in its own labs, but how about outside testers? Thanks for the info.

Rich

[Blackspear]

Hi Rich, in regards to Heuristics, there is a post here about Nod32 picking up Netsky.A and Bagle.A heuristically before any signatures were written.

Hope this helps...

Cheers

[Stan999]

Hi Rich,

Also in regards to Heuristics, one example of the value of AH on my end.
http://www.wilderssecurity.com/showthread.php?t=42010
This has occured a number of times on my end with the machine running NOD.

[BlueZannetti]

Quote:

Originally Posted by richrf

I was wondering whether NOD32's heuristics were ever put to the test. For example, test NOD32 and its database as it existed at lets say Time - 1 week. And use this version to test against all viruses that appeared up until Time (one week later). Such a test would allow users to confirm that the heuristics were adequate for handling viruses that were in the wild yet not identified with signatures. Has such a test - or something similar been tried by anyone? I imagine Eset performs such tests in its own labs, but how about outside testers? Thanks for the info.

Rich,

Check out the retrospective test at www.av-comparatives.org, it's basically the test you wish to see. Click on the Comparatives link and select test number 2, May 2004. NOD32 and a number of other AV's examined

Blue

[richrf]

Hi all,

Thanks for the link. It really is a difficult choice between NOD32, McAfee, and KAV. I just switched KAV into on-demand and put NOD32 in real-time to see how things behave. It's too bad that I can't have two of the AVs running side-by-side. That I think would be optimal since each approaches the problem in a slightly different way, so that one fills in the holes that the other one may have.

Thanks again,
Rich

[rumpstah]

Too bad that test is outdated. It would be nice to see version 2.12.3 since it handles more malware. 2.000.9 was a good step forward, but 2.12.3 is even further.

Quote:

Originally Posted by BlueZannetti

Rich,

Check out the retrospective test at www.av-comparatives.org, it's basically the test you wish to see. Click on the Comparatives link and select test number 2, May 2004. NOD32 and a number of other AV's examined

Blue

[windstrings]

Humm... well unless I missed something.... like my earlier post,... its the "in the wild" that will get you!!! and Nod32 took the prize in that area!

you get good enough heruistics.... you don't even need dat files!..... other than you don't really know what to call em when you find them, because they haven't been labeled yet?

Some day.... it will be all about heuistics.... and those that make new viruses will have the challenge to try and make a virus thats different than any ever made before... otherwise they will be detected!

Most are not that smart... the idiots that make viruses and release them are "wanta be's" that play off of other idiots hard work!

We are in little danger of people doing what has never been done before..... and when that happens... news will get around fast enough, that then It will be included in the heuristics character database and someone else will have an even harder challenge...... to do it again!

I prefer strong heuistics and a smaller database that focuses on the "viruses at hand that I can really catch with lightening speed! Good for nod32!!!

Let me ask you this.... which is a better anti-terroists system for a country?... to "trust" that we have every name of every terroists and can identify them before they reveal their identity? OR have a comprehesive analysis on character issues of terroist to be able to find them "before" they strike or reveal themselves? We learn what they are likely to be wearing, what the look like, how they act, who they hang with, and whether they travel with family members ... etc etc..... then we use are database to catch the ones that we have "already learned about", and combine both!....

It doesn't do me much good if my countrys security system can detect "al capone" if hes long gone dead!
It's the terroists or "viruses" you "don't know about" that are the dangerous ones!!!!!!

[richrf]

Hi windstrings,

Quote:

Originally Posted by windstrings

Let me ask you this.... which is a better anti-terroists system for a country?... to "trust" that we have every name of every terroists and can identify them before they reveal their identity? OR have a comprehesive analysis on character issues of terroist to be able to find them "before" they strike or reveal themselves? We learn what they are likely to be wearing, what the look like, how they act, who they hang with, and whether they travel with family members ... etc etc..... then we use are database to catch the ones that we have "already learned about", and combine both!....

Using this analogy, apparently both are necessary - which is probably why our Intelligence services use both. This is the quandry: Positive ID vs. Probable. Complete retrospective (who knows if the virus has really been eliminated) or most likely current. These are the design issues that, I believe, every vendor must weigh against each other and compromise as they wish.

I think every solution has its pros and its cons, which is why, I believe, having both on a machine is somewhat more optimal. Right now I am playing with KAV on-demand and NOD in real-time and I will see how things go. I can switch back also. It is a difficult decision. Comments are welcome.

Rich

[BlueZannetti]

Quote:

Originally Posted by rumpstah

Too bad that test is outdated. It would be nice to see version 2.12.3 since it handles more malware. 2.000.9 was a good step forward, but 2.12.3 is even further.

The next retrospective is slated for November and should appear on the website December 1. Hopefully, they will use 2.12.3 for NOD32. While the test may be a bit dated given the year-end engine updates by many vendors, I don't recall seeing any other recent alternative examples of this style of examination.

No one is standing still. NOD32 has made enormous strides over the past 6 months, but everyone else is (I hope!) improving as well.

Cheers,

Blue

[windstrings]

Quote:

Originally Posted by richrf

Hi windstrings,



I believe, having both on a machine is somewhat more optimal. Right now I am playing with KAV on-demand and NOD in real-time and I will see how things go. I can switch back also. It is a difficult decision. Comments are welcome.

Rich

I think what your doing is an excellent idea "if" you are super paranoid that someone will sneak into your room and "plant" a virus into your computer from some disk somewhere. Maybe you work at an office with sensitive information and your machine is vulnerable to tampering?
but if you are on a network and your system is either "read only" or off limits, then you have nothing to fear in running only nod32... like I said.. its the "in the wild" is what its all about!...and nod32 beats kav in that area!

If you ask why not just have both to be safe?, well its an efficiency issue.... first of all kav causes your machine to be much slower... especially if your running both at once! If you enjoy spending lots of money on fast processors etc, and love to have a fast machine, then you will probrably be pissed that one program "your av" slows you down? I really like the fact that I can't even tell nod32 is one my system, yet I feel very secure.

Lets face it....
We are all "babes in the woods" when we are playing on the internet right?
If we never get online and never stick any disks in our system we have nothing to worry.. correct?
Even so.. if you lay in the woods and go to sleep... its not the bear in some zoo that will ever hurt you.... its only "those in the wild" you need to fear?

Even so... I don't feel I am exposed to any viruses other than those in the wild?

If this still doesn't comfort you, then you could install the top 5 antivirus programs at once?.. but then you would really choke yourself?

The fact of the matter is... there is no "perfect" security for your car, your home, or your computer... so do you build your home inside steel barriers or do you put up good doors and good locks and count your blessings?

Whats the worst that could happen?... you get a virus!
If nod doesn't catch it first out of the bag.. it will only be a few days before it does!

I'm not so terrified..... I never get virus's.. but I am behind a cable router too!.. Dialup folks are the most vulnerable.

I guess if you do what you do and your system still has satifactory speed, and the little loss you feel in speed doesn't bother you... then you may have a good solution for yourself!

I'm sure it would be very easy for nod32 to include all the definitions from kav and rav, but then they would loose speed and agility for an extremely small advantage!
Its a business decision on their part... you have have to make a business decision on your part!

[richrf]

Hi Windstrings,

I have been stung by viruses on my machine and my son's despite our best efforts to surf conservatively. I guess it goes with the territory. The time required to recover, for me, costs much more than the software that protects. I guess you might say I am living in the post-9/11 era.

On my machine, I see no difference between real-time NOD32 and real-time KAV. On-demand scanning is of course longer using KAV 4.5. 104 - but I accept this. I am in no rush in any case. For me, it is simply a matter of keeping the bad guys out. It is like having a single or double lock on the door. Here where I live, double locks are considered a better solution.

In any case, both products are excellent. I am glad that they are both available (I would hate to rely on Microsoft which is the company that is basically causing most of these problems to begin with), and we will see where it goes. Thanks for your help and comments.

Rich

[Blackspear]

Further discussions on having a layered defence can be found here and here

Hope this helps...

Cheers

[windstrings]

I understand your caution if your have been burnt so much...... enough is enough... I guess one approach is to to put two locks on the door and if no one gets in... then your safe, but it takes longer for you to get through the door!
Then you will wonder if one lock would have worked?

the other approach is to put one lock on the door and enjoy the speed to exit, and then if you still get broke into, then put on the second conceeding that you just need two locks?

Its a free country "so far" to each his own!

[Blackspear]

Quote:

Originally Posted by windstrings

...one approach is to to put two locks on the door and if no one gets in... then your safe, but it takes longer for you to get through the door!

the other approach is to put one lock on the door and enjoy the speed to exit, and then if you still get broke into, then put on the second conceeding that you just need two locks?

I prefer the 3rd option, a layered defence, using locks, deadbolts, alarm system, back to base monitoring, CCTV and security screens. When it comes to personal security I don't think you can ever be too safe

My defence includes the following:

Windows SP2 full up-to-date
Nod32
Prevx
Spyware Blaster
Spyware Guard
Spybot Search and Destroy
AdAware
ZoneAlarm - version 4.5.594
Script Defender
Proxomitron
Kye U's filters for Proxomitron
Ewido - without file monitoring
IE Spyad
Fire Fox 1.0 PR
File Checker
Security Patches
Netgear 328S ProSafe Firewall

I am about to look at Process Guard 3.0

All this should keep me fairly safe

Cheers

[windstrings]

I too am layered "but not as much as you!!!" only in the area of spyware/anti trogan, because I don't feel it slows me down.

But I don't see even you, using "two or more" antivirus systems?, becuase it usually chokes the system too much?

[windstrings]

Quote:

Originally Posted by Blackspear

I prefer the 3rd option, a layered defence, using locks, deadbolts, alarm system, back to base monitoring, CCTV and security screens. When it comes to personal security I don't think you can ever be too safe

My defence includes the following:

Windows SP2 full up-to-date
Nod32
Prevx
Spyware Blaster
Spyware Guard
Spybot Search and Destroy
AdAware
ZoneAlarm - version 4.5.594
Script Defender
Proxomitron
Kye U's filters for Proxomitron
Ewido - without file monitoring
IE Spyad
Fire Fox 1.0 PR
File Checker
Security Patches
Netgear 328S ProSafe Firewall

I am about to look at Process Guard 3.0

All this should keep me fairly safe

Cheers

blackspear, you sure you just aren't a "demo" tester?
At what point do you feel you are comprimising performance?, or is that an issue for you?

[richrf]

Thanks for the links Blackspear.

Rich

[Blackspear]

Quote:

Originally Posted by windstrings

blackspear, you sure you just aren't a "demo" tester?
At what point do you feel you are comprimising performance?, or is that an issue for you?

We are really getting a little of topic here, these sort of things should be discussed in the 2 links that I provided... Most of these programs do not effect performance at all. I do have a nice system though, P4 3.0GHz Hyperthreaded CPU with 512MB 400MHz DDR RAM, 2 x 200GB HDDrives.

I will not tolerate anything that slows down my machine, that's why I don't run live file monitoring of Ewido...

Cheers