Preliminary report

I have seen "amateur" virus detection reports scoffed at here and other places, but I will risk ridicule and post my own.

I (more correctly, my employer) have a collection of >46 thousand viruses at my disposal. Each has been verified by me or my predecessor as a viable virus. All except one have been "In The WIld" at some time, with >95% detected on our own networks. No damaged or broken samples are included. It is a proper verified test collection, the result of many years of careful work.

I am at the moment examining NOD32. Of my entire collection, NOD32 failed to accurately identify only one virus, the one that has never been "In The Wild". This is a CIH family virus given to my predecessor personally by Chen Ing Hau, never released. NOD32 (IMON) describes it as "probably unknown NewHeur_PE virus" in e-mail to myself, but the NOD32 scanner failed to recognize it as a virus. This is unimportant, because the virus is a single example that does not really "exist" outside its own directory.

I am VERY impressed with NOD32!

 

Whenever NOD32 reports a probably NewHeur_PE virus, please send that file to samples@nod32.com for analysis (BTW, use of advanced heuristsics can be enabled for NOD32 scanner using the /ah switch, ie. nod32.exe /ah)

 

 
> I have seen "amateur" virus detection reports scoffed at here and other places, but I will risk ridicule and post my own.

I'm probably the most infamous ridiculer of amateur AV tests alive ... but I ridicule only shonky tests.

> I (more correctly, my employer) have a collection of >46 thousand viruses at my disposal. Each has been verified by me or my predecessor as a viable virus. All except one have been "In The WIld" at some time, with >95% detected on our own networks. No damaged or broken samples are included. It is a proper verified test collection, the result of many years of careful work.

If you'd said you'd collected 46000+ viruses from VX websites over the past few weeks then I'd be ridiculing your results to hell and back right now, sight unseen, even though NOD32 detected almost 100% ... but if you've spent years collecting, validating, and maintaining your samples, and if all samples are (or have been) ItW, then your collection is definitely better than most others in the world today. It sounds like you've put a lot of time and effort into keeping it crud-free ... and that is THE single most important parameter in an AV test suite.

> I am at the moment examining NOD32. Of my entire collection, NOD32 failed to accurately identify only one virus, the one that has never been "In The Wild". This is a CIH family virus given to my predecessor personally by Chen Ing Hau, never released. NOD32 (IMON) describes it as "probably unknown NewHeur_PE virus" in e-mail to myself, but the NOD32 scanner failed to recognize it as a virus. This is unimportant, because the virus is a single example that does not really "exist" outside its own directory.

I assume "accurately identify" means that NOD32 tagged all your viruses by name. This doesn't surprise me. We see a lot of "PoopScan detected the BlahBlahBlah worm and NOD32 missed it" bleats on the Internet which turn out to be hot air, but apart from a couple of obvious set-ups we've seen very few failures on real viruses which have been ItW. (I suppose a sample of your one-off CIH is out of the question ?)

> I am VERY impressed with NOD32!

Thanks for the compliment!

I don't want to start a MDBTY war, but is there any chance of letting us know how other antivirus programs fared in comparison ?
 

 

I admire the work of that virus collectionnary.

1.Marcos, let me know if /ah remain a setting forever or must activate it each time when I make a hdd scan. With the other hands, could I create a profile that could to use it for mouse command and have ah enabled?

2.where can I find description of line commands and effects?

 

Fung,

Pls let me know how could do this collection with a minimal risk. This ideea was born also in my mind last week, when nod escape small.aa at an ondemand scan.
So, today I did first step: I've captured in quarantine a netsky/B.
1. I've restored with my personal extension. I've proceed a scan and was detected
2. But I don't know what happens if I'll try to rar it, of course, disabling AMON. Otherwise archiving is blocked by AMON.

 

I modified the NOD32 scanner shortcut so that it triggers the scanner with the /ah parameter. Please bear in mind that use of advanced heuristics has an adverse effect on scanning performance. Whenever a probably unknown NewHeur_PE virus is detected, rename the file and send it to samples@nod32.com for analysis.

A list of all switches is available in help files - just run NOD32 scanner and press F1 or click the Help button.