What sets NOD32 apart from the rest?

I have been a network engineer for quite some time now. Only now am I hearing about NOD32. I first heard about it here on this furum site. Then recently, I saw an ad in PC Magazine. The statistics mentioned in the ad seem impresive. What sets NOD32 apart from McAfee and Norton, both of which I have been using professionally for years.

Close Hauled

 

Re: What sets NOD32 apart from the rest/

More frequent updates, a lighter resource hit, and here recently much more unpacking support has been added, as well as many troajn detections, which was one of NOD's faults. Eset has made quite an effort in this area recently to rectify this however. Additionally, as long as your license is current any new version releases are free of charge.

Personaly, I dislike both $ymantec and McAfee, but that is just my opinion and you know what they say about opinions. You will get both positive and negative feedback here as some of us love NOD, some hate it, and some tolerate it, again opinions. The best thing I could suggest is to download the trial, and see what YOU think, and how it works on your system

 

Re: What sets NOD32 apart from the rest/

They need to make more effort as NOD32 recently missed some trojans on my PC that KAV found, and it seems that trojans are becoming more and more prevalent these days.

 

Re: What sets NOD32 apart from the rest/

Please submit the missed trojans to either samples@nod32.com or support@nod32.com, this will help them make that effort even better.

 

I'd say that it's a design philosophy that emphasizes small resource footprint, a focus on present and past active threats - as opposed to zoo based malware which could but have not yet appeared in the field, and a focus on malware only (not the integrated security center approach), and an increasing emphasis on heuristic (i.e. behavioral in a program sense) based identification of malware.

Blue

 

Re: What sets NOD32 apart from the rest/

Already have

 

Re: What sets NOD32 apart from the rest/

sard,

Were they active trojans or potential java based exploits that were flagged? Just wondering.

Blue

 

Re: What sets NOD32 apart from the rest/

Sard,
just wanna give my 2 cents: not all files reported by other AV as infected are actually functional viruses. Maybe NOD does not have as large virus database as the competitives have, but it does not detect files which only give an error that the application you are attempting to run is not a valid Win32 app.

 

Marcos, Any updates on the issue with IRC/SdBot.AIG trojan?

 

This is the file NOD doesn't detect, Discovered: Apr. 3, 2004 apparently.

http://www.trendmicro.com/vinfo/vir...yclo/default5.asp?VName=BKDR_SDBOT.HU&VSect=T

TDS3, KAV and online Trend Micro scanner detect it.

If you want to test it yourself I'm briefly hosting it in a password protected ZIP. Password is nasty. Do so a your own risk of course.

edited to remove link - BlueZannetti

I sent a copy to ESET. There was another one but I deleted it without thinking unfortunately so haven't sent a sample.

 

Thanks Sard, if you sent it to support@nod32.com I'll be able to check it. If you sent it to samples@eset.sk or samples@nod32.com, our guys will analyse it and let you know shortly.

To Flyrfan:
The fp has been remedied in update 1.815. Please update NOD32 to the most current version.

 

Well they got back to me very quickly I just received this email.

thank you for the sample. It's repacked (with ExePack) IRC/SdBot.AGH trojan.
We'll add detection as soon as possible.

Thank you for your cooperation.

According to this webpage http://www.nod32.com/support/infoarchive.htm NOD32 was updated with a definition for this trojan on the 26 April 2004, so am I right in assuming NOD32 failed to detect it because it was in an ExePack archive? Would NOD32 have detected it if I'd been unlucky and the exe had been executed thus unpacking the trojan?

This webpage http://www.nod32.com/products/nt.htm says
NOD32 Scanning Engine Key Features Virus detection in compressed or protected executable files, such as Pklite, Lzexe, Diet, Exepack, CPAV, UPX, AsPack, FSG, Petite, Neolite.

So why did it miss it. Are there some settings I have wrongly configured.

Thanks for all the help.

 

Did you scan it with the on-demand scanner and scanning runtime-packed files enabled before?

 

Yes if you mean these settings

http://uberish.fastmail.fm/4.jpg

 

Sard,
you posted a screenshot of IMON setup. Would you please confirm or deny that you had the Runtime packers check-box in the on-demand scanner setup (see Ronjor's shot) ticked before?

 

Oops, sorry. The on demand scanner boxes for runtime packers and archives weren't ticked. I have since changed my settings so they look the same as ronjor's but NOD32 still can't detect the file

Would you like me to send you a copy of the file to support@nod32.com ? I don't want to waste anybody's time at ESET as I've already sent it once to samples@nod32.com but I'm just wondering if there's something wrong with NOD32 on my PC or if NOD32 definitely can't detect the file in this incarnation.

 

Would you like me to send you a copy of the file to support@nod32.com ? I don't want to waste anybody's time at ESET as I've already sent it once to samples@nod32.com but I'm just wondering if there's something wrong with NOD32 on my PC or if NOD32 definitely can't detect the file in this incarnation.[/QUOTE]


If you are worried about your settings, you could upload the file at www.virustotal.com and see if their version of NOD detects it. As well as 11 other scanners I think, it is similar to KAV's online checker except that they email you a response.

 

It has been very interesting reading all of the responses these last couple of days.

Ironically, I received an e-mail with the latest Bagle variant attached. McAfee will not detect the virus, even with todays definitions. Will NOD32 detect this with and without updated definitions?

Close Hauled

 

See: https://www.wilderssecurity.com/showthread.php?t=42010

 

Cool website thanks for the link.

These are the results;

BitDefender 7.0/20040719 found [Win32.P2P.SpyBot.Gen]
ClamWin devel-20040517/20040719 found [Trojan.SdBot.Gen-79]
eTrustAV-Inoc 4641/20040718 found nothing
F-Prot 3.15/20040719 found [W32/Sdbot.OU]
Kaspersky 4.0.2.23/20040719 found [Backdoor.SdBot.ja]
McAfee 4378/20040719 found [W32/Spybot.worm.gen.a]
NOD32v2 1.817/20040719 found nothing
Norman 5.70.10/20040719 found [W32/Malware]
Panda 7.02.00/20040719 found [W32/Gaobot.OE.worm]
Sybari 7.5.1314/20040719 found [W32/Sdbot-HY]
Symantec 8.0/20040718 found [W32.Randex.gen]
TrendMicro 7.000/20040719 found [BKDR_SDBOT.HU]

So assuming they've configured the AVs with optimal settings, it's a problem with NOD32 failing to detect the file even though they've released a definition for it and supposedly support Exepack.

It's a shame www.virustotal.com doesn't show how the various AVs perform over a period of time.

 

I guess it looks that way. OOPPSS!

 

I just received a second e-mail that looks like it is a different variant than the one that I received this morning. The body of the text has a line added that says “Password:” and has a bitmap image of a password after it. Here is an example;

>Lovely animals


Password: <<Bitmap Here>>

The attached file is 66k, where the previous was 29k. Who can confirm if this is another variant?

Close Hauled

BTW: I sent them both to VirusTotal. No word from them yet.

 

Being a Network Administrator and/or engineer one can enjoy the fact that the IMON module in NOD32 terminates attacks from Lovsan and other network exploits. We had 2 laptops come onto our network. Lovsan and the DCOM Exploit were blocked on over 500 machines. Albeit all the machines had the patch(es), but it is the comfort factor for similar attacks.

Log Details
attack from computer xx.xx.xxx.xxx - Win32/Lovsan worm

Log Details
attack from computer xx.xx.xxx.xxx - Win32/Exploit.DCOM worm