PC World Review of Nod32

Discussion in 'other anti-virus software' started by Sender, May 9, 2007.

Thread Status:
Not open for further replies.
  1. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    I think there would be no difference in this case. The situation where the on-access scanner can perform better is when a dropper is not detected while the dropped file is.

    Actually, this is a bit more complex than that: it all depends on the kind of signature (is it a simple CRC, like in ClamAV, or is it located at a fixed offset?), on the type of the dropper (are the dropped files encrypted?), on the technology used by the scanning engine (X-raying? Does it look for embedded PE headers?) and on the capability of the heuristics (Norman and BitDefender, for example, are able to drop & scan files inside their VM).

    A more or less similar example concerns web downloaders, in the case of a "harmless" undetected downloader and a malicious detected payload (except that, of course, in the case of a web downloader the payload can change at any time).

    Edit: ooops, didn't see solcroft's post before posting...
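    As an added illustration of the "does it look for embedded PE headers?" check mentioned above (this is example code written for this page, not from any poster or any product): a small routine that walks a byte blob for DOS headers whose e_lfanew points at a valid PE signature, so text that merely contains "MZ" is not reported. The sample blob is constructed inline from minimal stub headers.

```python
import struct

def find_embedded_pe(data: bytes, min_offset: int = 1):
    """Return one dict per embedded PE image found in `data`.
    Offset 0 is skipped by default so the host file's own header is not reported."""
    hits = []
    pos = data.find(b"MZ", min_offset)
    while pos != -1:
        # e_lfanew (offset of the 'PE\0\0' signature) lives at DOS header offset 0x3C
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Sanity checks: e_lfanew must be plausible, and signature + 20-byte COFF header must fit
            if (0x40 <= e_lfanew < 0x1000 and pe_off + 24 <= len(data)
                    and data[pe_off:pe_off + 4] == b"PE\0\0"):
                machine, nsections = struct.unpack_from("<HH", data, pe_off + 4)
                hits.append({"offset": pos, "e_lfanew": e_lfanew,
                             "machine": hex(machine), "sections": nsections})
        pos = data.find(b"MZ", pos + 1)
    return hits

def build_stub_pe(machine: int = 0x14C, nsections: int = 2, padding: bytes = b"\0" * 16) -> bytes:
    """Constructed, non-executable PE-shaped blob: DOS header with e_lfanew=0x40,
    followed by the 'PE\0\0' signature and a 20-byte COFF file header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + padding

# Constructed sample: a "host" image, some junk containing the letters MZ, then an embedded x64 image
SAMPLE = build_stub_pe() + b"....MZ is not a header...." + build_stub_pe(machine=0x8664, nsections=5)

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE):
        print(hit)
```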
     
  2. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
    Not at all, I don't say that NOD32 can detect 100% of executed viruses, but NOD32's detection will be much higher if you execute viruses. It means that even if you scan a sample on virustotal.com and it shows NOD32 sees nothing, keep in mind that NOD32 may detect this sample after executing :)
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The same holds true for all scanners, not just NOD32. :D
     
  4. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
    Are you sure? Because NOD32 detected these viruses after executing, especially with Heuristics!
     
  5. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Regarding this "embedded" malware thing, I will add that BitDefender is the third notable exception. I've noticed it scan embedded files, I've noticed it detect multiple malware variants in the same embedded file, and most VXers may also have noticed it, but that's another story :p :D

    Even AVG (Anti-Malware/Internet Security) sometimes reports some files as "Infected, Embedded object" (I put some malware into a temporary folder and scanned it with AVG to prove this, see the attached screenshot). HOWEVER, AVG for some reason detects such files only on-demand and not on-access, the reason being that such files are deemed to be ARCHIVES by the AVG scanner, and the real-time monitor skips scanning archives. In such cases, the threat will be detected on-execution or on-demand. Since all AV tests use the on-demand scanner only, I doubt the detection rates of AVG or any other AV should be any higher than what has been seen. Besides, most AV tests also include the dropped/downloaded files separately in their collection. :)

    {The file in the screenshot I've marked has two detections, both detections are of the same file. AVG detects instmkt38.exe embedded inside exactofferd8.exe as infected, and in the next cycle declares exactofferd8.exe as an infected ARCHIVE. This could be true for other AVs as well}.

    So basically, the most common way tsilo's situation can happen is in the case of a downloader, where the downloaded file will be detected as malware, but simply scanning the downloader itself by the on-demand scanner will not yield any result.

    Interesting info, thanks! :)
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    NOD's Advanced Heuristics isn't able to drop and scan files inside its VM? o_O
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    As far as I've been able to tell, the only thing NOD32 seems to use its emulator for is unpacking purposes. This is pure conjecture based on personal observation, of course. But no, NOD32 doesn't scan embedded files.

    Were you scanning an archive file, by any chance?

    Again AFAIK AVG cannot detect embedded objects until the main body is executed and drops its component files onto the system.

    Yes, I'm sure. Unless someone from ESET comes and tells us that the on-demand and on-access scanners use different engines/settings. :D
     
  8. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Well, the file had a .exe extension, and inside it was another .exe file which was the actual file that AVG detected as malicious. So, maybe it's a self-extracting archive, maybe not. o_O
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    "Real" droppers cannot have their files seen or extracted via "normal" means (which is why so many scanners can't detect them). If you can extract the files inside the main body using WinRAR, 7-zip or some such, then it's not a "real" dropper, just a compressed archive.
     
  10. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I tried extracting the file with my archiver program and it gives me the message "Extract not supported for this file type". So that probably means it's a "real" dropper.
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Which archiving tool did you use, btw?
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    IZArc....
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I don't know the tool very well, so meh.

    All the same, I've seen avast! and KAV detect embedded files where AVG and other scanners failed to do the same. Execute the main body inside a sandbox, pick up the dropped files for a scan on VT, and all of a sudden everyone is flagging them. :D
     
  14. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
    I think it will be good to hear the point of view of someone from ESET. No, the NOD32 on-demand and on-access scanners aren't different, but maybe the Heuristics better detect active threats by behavior?
     
  15. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Try Universal Extractor. It can extract from many different archives (and supports a couple of runtime packers), and also many installers (which I think may be what solcroft is referring to?)

    EDIT: By installers I mean ones like Gentee, Inno, Vise, Wise, NSIS etc., which I've seen frequently used for malware.
     
  16. besafe

    besafe Registered Member

    Joined:
    Mar 29, 2007
    Posts:
    222
    This discussion has gone way over my head. It sounds like the implication is that NOD32 is better than its detection rate due to its heuristics.

    I don't get that.

    1. Don't all AVs that have active protection catch viruses as they execute?

    2. Aren't NOD's heuristics merely part of its scan function?

    To me, an AV is all about detection rate. Whether it's by definition or by heuristics, the main thing is detection rate and removal rate, as I don't really rely on my AV for zero-day protection.

    But can someone explain in layman's terms why many very obviously knowledgeable posters seem to think that NOD is better than the detection rates it has been producing lately? I'd hate to switch products when my license runs out to learn that I am making a big mistake.
     
  17. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    one reason could be, and i've experienced this myself yesterday with my own drweb, is:

    i downloaded a file, scanned it with my drweb.... its clean.

    however i ran the file and it infected my O&O Defrag, and when it did this... drweb detected it and removed it, now my O&O is clean and it still works perfectly.

    strange and i ain't sure why, but as long as my drweb got rid of it eventually, i still class this as a detection, and in such tests... it would not have been.

    other reasons people complain are, malware that cannot be executed IS included in the tests (i don't know how much though..... but it's there) and some AVs like drweb do not add samples for un-executable malware, some people have stated it will only add 1-2% or so, but it's still there.

    more reasons are, the samples used are not malware which people are likely to get, while some companies only add malware that's a real threat to its userbase,

    or some companies only add malware signatures when the malware is malicious to a user's computer etc.

    there are many reasons, and i don't really look too much into them, as far as testing goes the av-test is the best out there as i'm told, but people should not look 'too much' into them, as it only states detection rates and not removal, everyone knows detection rates ain't everything, there are other things to look into when deciding on an AV to purchase or use, which these tests definitely don't state or show.
     
  18. besafe

    besafe Registered Member

    Joined:
    Mar 29, 2007
    Posts:
    222
    But don't you put detection/removal rates above all? For example, what if you had a software that was:

    1. Light on system resources
    2. Inexpensive or even free
    3. Supported well
    4. Easy to use
    5. Quick to update signatures
    6. Played well with other applications and
    7. Consistently only detected 80% of viruses

    Would you use it? I wouldn't.
     
  19. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,248
    Location:
    USA
  20. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Actually this is the "Other anti-virus Software" forum, the NOD32 support forum is elsewhere :rolleyes:
     
  21. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    The thread was moved from the NOD32 Support Forum to its current location.

    Blackspear.
     
  22. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    lol, no i dont :rolleyes:

    also, take a look here at other people's thoughts on this, including mine in post #3
     
    Last edited: May 29, 2007