Nod32 interferes with Trojan Hunter!

Ok guys, got a problem here:

I use Nod32 in conjunction with TH (much better suited for Trojans, and can even block unknown ones).

The problem is, whenever TH tries to read a Trojan file that's already in the Nod32 definitions base, Nod32 pops up an alert window AND PREVENTS TH from analyzing the file - in the end TH does not detect it and sometimes FREEZES so I have to close it manually through the taskbar. VERY annoying . But when I disable the 'scan on "open"' option in the Amon setup, the TH can carry out its work unhindered.

And I'd like TH to have "priority" over Nod32 when it comes to Trojans, for the reasones I mentionned B4.

But I read another previous thread where it was highly recommended to leave the 'open' option on for Amon to be able to detect malicious scripts or something.

An AV is not supposed to detect Trojans (ATs are much better suited and some such as TH even have Trojan heuristics, which no AV, not even Nod32 or AVP, does. Nod32 may be an allmighty virus hunter, fine. Let it do its job, let TH do its own, let none interfere with the other. That's the definition of a well-organized multi-layed defense.

So anyone have an idea as to how I can get TH to read the files BEFORE Nod32 does?

 

Hi,
I personally recommend the following:
AMON, IMON, EMON (If you have Outlook in corporate mode) all the time ON. And TH monitor's disabled, but is fundamental run TH and scan all your hard disk. Also I recommend to you disable AMON temporaly if you plan make a scanner with others AVs, TH, or something like that.
I think that the trojan detection rate of NOD32 is decent, maybe KAV is better.
Or you can have enabled AMON, IMON... and TH, if AMON detect a trojan, it will deny the access and you're safe, however if you're opening a trojan that NOD not detect but TH detect it, you're also safe.
Best regards.

 

Yep yep yep. NOD32.....TDS-3.....Process Guard

 

Bah! As I said, no AV was ever designed for anti-trojan warfare. KAV may have a much larger trojan signature base for sure (even including dialers & stuff), but since like any other AV is lacks trojan heuristics, it is as powerless as any other AV when it comes to new, unknown trojans...

I know, I know - in fact that's the very reason why I hesitated before starting this thread. But like I said, it's a question of organization. For there is one certainty: any trojan caught by Nod32, or even Kav, would have been caught by TH, TDS, or even a lower-end but decent AT.
So let each do its job. That would spare having to disable the AV whenever one wants to launch an on-demand AT scan. Remember that the TH scanner freezes whenever it tries to read a file caught by Nod32. Fortunately, it is not so with the TH guard...
Still, AV interfering with AT scanner can be very annoying at times.

Besides I like watching TH in action unhindered. It's a nifty little prog, as clever as TDS yet like Nod32 uses very few resources...

Perhaps a good idea would be to seperate the Nod32 definitions base into 2 distinct databases (Viruses & Worms for n°1, (non-infectious) Trojans for n°2) and have 2 tick-options for Amon: scan for viruses/worms, and scan for trojans, so that users could disable the second option!

 

Negative, I'm NOT - it's obvious, too: if AV catches it, no need for AT to read it (but as I said, it would have also caught it anyways), but if AV misses it, AT will still catch it.

The problem is when the antivirus DOES catch the trojan!!!

It's just that, well, seems silly but it would be more "elegant" if each app focused solely on what it was meant to catch. Nod32 hunts down viruses and does a good job, and so does TH with trojans. Nod32 having added trojans do its base (that TH would ANYWAYS detect) is just a waste of memory AND resources, that's all - notwithstanding the possible consequences of having an AV interfering with an AT in case the AV DOES catch a trojan (app freezes & so on). See now what I was getting at when I spoke of 'organization'?

Well should anyone be wise enough to implement my idea ( ), I think the guidelines would be fairly simple. I know that there exist virus/trojan hybrids (take the magistr worm for example). So a "pure-blooded" trojan would be code that 1) does NOT replicate & infect other programs and 2) does NOT carry any destructive payload (file deletion, disk format or BIOS flashing routines, etc...). So any modern AV should be able to tell between such pernicious apps as viruses/destructive worms and trojans/non-destructive worms that simply try to access the Net and possibly spread over the Net, but without trying to inflict any damage...

 

People are always getting the definition of "layered security" wrong. What you describe isn't layered security, but rather compartmentalized security. To have layered defenses is to have redundancies in place, which in this case would mean having an "AV" utility that detected trojans, and having a dedicated AT utility as backup.

It is for this reason--because I believe in layered security, that is--that I really think AV utilities should detect trojans. And apparently, the AV vendors agree with me, as more and more, they are adding detection for trojans.

Speaking of TrojanHunter's "trojan heuristics"... Has it ever actually caught a new, unknown trojan? (Just a question.)

 

>The problem is when the antivirus DOES catch the trojan
Why you consider it as a problem?
The main matter is the following: Try to have the computer the more secured possible, independent if NOD detect the "X" trojan for example or TH detect the "Z" trojan. The important is that the computer will not get infected by adware, spyware, keyloggers, virus, trojans, worms, etc independet of the on-access monitor that detect those.

 

Fine - nothing wrong with that - but in that case AV utilities might as well complete the job & start implementing trojan heuristics too, so as to have "real" built-in AT capabilities. Then we could really call it 'multi-layered' defense when using AV in conjunction with an AT, perhaps. Nod32, Kav & others just having a trojan signature base is not enough...

...and a good one, too. Switching off the signature detection is not possible with TDS or TH, so I was unable to check this one myself. Besides, there are no "self-mutating" test trojans to be found on the Net, making the task even more difficult. It is one of the few that can block & clean the 'beast' trojan without terminating the host process & without needing a reboot, but then again, I'm not sure this has to do with its heuristics feature. The follwing thread [si]seems[/i] rather objective as it was not written or sponsored by any AT software developpers:
http://www.anti-trojan-software-reviews.com/

 

IMFO, that reviewer is a complete nitwit. He harps on BOClean for not having a file scanner, but that's the whole point of BOClean--it watches out for stuff that gets by your other file scanner! And in the same breath, he praises an AT utility that doesn't even operate in real time. This makes no sense to me.

But as for TH's "trojan heuristics", who is to say it's not just a gimmick? I was seriously wondering if it has ever caught anything that lacked a signature.

 

um...U sure about that? Check again: he does place it in the "Highly Recommended" category and says:

"With BoClean running we could detect no effect on the performance of our PCs. Even with the slowest machine, a 450MHz PIII, we couldn't perceive even the slightest decline in responsiveness. BoClean is a very resource efficient product, the best of any product we tested. The only way you know it's there is from the presence of the task bar icon and it's brief, once-every-ten-second flash.

Lean it may be but it's mean as well. BoClean really pounced on the trojans in our signature file currency test. It did well in both our 2002 and 2003 tests and there can be little doubt that that the people at BoClean are doing an excellent job keeping the signature file database file up to date.

Overall we were impressed by BoClean's monitor. In our opinion, it's the best anti-trojan monitor in the business."

So except for the fact that in the end he mentions the lack of a file scanner (isn't it nice to be able to launch an on-demand scan on a particuliar file? ), the overal review on this AT seems more of a praise to me.

As for "praising a utility that doesn't operate in real-time", I guess U mean TDS - perhaps it does hog the CPU, nevertheless, it has acquired, one way or another, its "N°1 place" amongst ATs - like it or not. Figure out how...

huh-I don't know. TH is a young program (like Nod32) that only a few years ago did not receive such high ratings as today. Programs evolve. Remember that at the time of the 'ILoveYou' virus epidemic, there was apparently only one AV that caught it - Viguard, I think. It is only "recently" that AVs such as Nod32 started to rise up & distinguish themselves from the rest of the pack. The same thing could apply to TH.

Anyways U still seem to believe in TDS' heuristic capabilities, for they are well known (but I'd like to be able to test these as well - any test trojans out there?). You seem puzzled by the fact that according to reviewers TH can do almost the same job as TDS, but in real-time. But IF, unlike TDS, THguard scans in memory instead of scanning the files, whilst using the same heuristics as TDS, that might explain the apparent contradiction.

It's only a pity TDS uses that much resources. (I value my RAM & CPU). Otherwise it would make a perfect permanent choice, given the reputation. There a few ATs out there that are known to have trojan heuristics: TDS, TH, Digital Patrol & possibly Pest Patrol. There may be others...

The following is another shareware site listing some famous AT products, but - here we go again - TDS is still rated no1, just to warn you so you don't get a bad surprise
http://www.wilders.org/anti_trojans.htm

 

TH is a young program (like Nod32) that only a few years ago did not receive such high ratings as today.

Wrong assumption. NOD32 can prove at least 13 years of history. And remember - users were those responsible that trojan detection has been added to AV programs...

 

When I say "young" I mean "young as one of the BIG AVs".
Remember the 'ILoveYou' virus - at that time, no standard AV could catch it. Same with the deadly Magistr. Nod32 (and others) may have gone a long way since then, nevertheless it is still "young" as a "good AV"...

 

HI!

KAV detect all version of ILoveYou, without update!!!

Protection from even unknown viruses
Kaspersky® Anti-Virus Personal is powered by a unique integrated technology for unknown virus searching, based on the principals of second-generation heuristic analysis. Because of this, the program is able to protect you from even unknown viruses. The highest effectiveness of Kaspersky® Anti-Virus is proved by the fact that it was the only anti-virus in the world that repelled attacks of all "ILOVEYOU" virus variations without any additional anti-virus database updates.

This text is from Kaspersky web page:
http://www.kaspersky.com/buyonline.html?info=25

 

I know, I know - that's the case TODAY for most good AVs (KAV, Nod32, Dr Web, F-Secure, NAV, etc...). But I was talking about the past, when 'ILoveYou' first appeared.

BTW I like the link U mentionned - very objective...

 

When ILoveYou appeared KAV detected without upgrading!!!!

Bye

 

Hi,
No, KAV detected the most in-the-wild variants without update, but some encrypted variants need an special update, and in the web page of Kaspersky said that detect IloveYou variants without update, it's true, but via KAV Script Checker and NOT via the typical bases or standar heuristic.

 

That's certainly not what I heard, but huh - if U say so. Nevertheless, KAV is not that recent an AV, so that was the least one could expect of it even at that time...

 

 

ROFL

Just to set the record straight .........

When LoveLetter appeared, I owned AVP Australia ... so I'm not just quoting some marketroid snake oil ... I know what I'm talking about.

AVP was very fast with an update ... one of the first (if not the first) in the world ... but AVP did not detect LoveLetter without an update!

If AVP had detected LoveLetter heuristically, Kaspersky Lab and all the AVP distributors (including me) would have been shouting about it all over Usenet and the Internet ... but we weren't ... see http://groups.google.com/groups?selm=391180d6%40grissom&oe=UTF-8 for the very first AVP Usenet post about LoveLetter.

A little-known (at that time) opposition antivirus program called NOD32 actually did detect and block LoveLetter (and its subsequent variants) heuristically, as an unknown virus ... but of course I didn't say anything in Usenet about that.

Check the records ... NOD32 has detected and blocked more new viruses heuristically (including Big Name "killer" viruses like CIH/Chernobyl, Melissa, Anna Kournikova, Homepage, Marburg, Frethem, Klez, Sobig, Opaserv, Yaha, Swen, and many more) than any other antivirus program in history ... including the grandfather of heuristics, Frans Veldman's awesome ThunderBYTE!
 

 

And, as usual, the people running the most powerful heuristic engine of all, CSH or "Common Sense Heuristics", didn't get hit with it either.

KAV and NOD32 are both good products. Can we shut up about it now?

 

Darn! Never heard of this new technology. Is there a trial version available?

 

Based on what I see, I think the product has been discontinued.