NOD32 falling behind in definitions?

Discussion in 'NOD32 version 2 Forum' started by Coolio10, Jul 6, 2007.

Thread Status:
Not open for further replies.
  1. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    Perhaps the definitions are behind, but Shadowserver shows them consistently at the top when catching zero days, so I'm not sure if it's relevant.

    T
     
  2. Get

    Get Guest

    Definitions that are behind not relevant? When you're infected the relevancy will become clear very quickly.
     
  3. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    Let's say, for argument's sake, that the definitions are behind (I doubt it, but let's say this.) If NOD32 is still catching most of the 0days (today, for instance, NOD32 caught 97.21% of the new 0days whilst Kaspersky caught only 13.14%.) Which is better? Even if (and it's a big if) Kaspersky's definitions are more up to date, you'll be more likely to be infected if you're running Kaspersky (and just so I'm not picking on Kaspersky, McAfee caught 11.07%, and Avast caught 0%.)

    With enough computers, you can always find one AV that "failed" on one computer or one network, but that proves nothing - the original poster claimed he cleaned things up with Symantec - but if he had been running Symantec, there's a good chance it would have missed something that NOD32 caught - there is no perfect AV out there - there are some very good ones, and NOD32 is one of them, but it's a game of catch up, so AV vendors will always be behind - defense in depth is the only answer.


    T
     
  4. Get

    Get Guest

    The question wasn't which is better. The question was if it's relevant and I say it is, which of course isn't a bold statement but simple truth.
     
  5. tsherr

    tsherr Registered Member

    Joined:
    Jan 30, 2007
    Posts:
    62
    If the heuristics are catching 96%+ of the new viruses, are the definitions relevant? I'd say they aren't very. As the power of the heuristics go down, the relevance of the definitions goes up.

    Perhaps I worded my first comment incorrectly.

    T
     
  6. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Where's this data coming from?
     
  7. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
  8. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    The stats are really hard to believe. For example, out of 482,146 samples scanned during the last month, BitDefender detected ZERO?? o_O

    Isn't BitDefender known for pretty strong heuristics?


    Maybe I just don't know how to interpret the results...:doubt:

    Cheers
    Vlk
     
  9. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    BitDefender detecting none out of 480,000 samples? Pretty much impossible.
    With the number of updates they perform and the level of their scan engine (and B-HAVE heuristics, which are top tier btw), I just can't believe it hasn't detected at least one sample, let alone more. Same goes for avast!, even though its scan engine isn't as complex. The number of objects to scan is just too big for such results really...
     
  10. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    It is just for 0 day viruses and exploits. Yes, Bitdefender does seem to have strange results, for the year they average over 40% but daily, weekly and monthly all show 0.
     
  11. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Define Zero Day.

    I sent them an email, asking them to shed a little light on the results.

    My guess is that the files are not unique, i.e. it is possible that the 482,146 samples are in fact only e.g. 10 unique files...:D

    In other words, they're testing the same file over and over again - and guess what, the results are always the same...

    Cheers
    Vlk
     
  12. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Hell just froze over..:D
     
  13. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    The problem with the links you supply above is that they mention the addition of irrelevant samples (i.e. non-threats and those from VX collectors). But it seems that codpet had quite a problem and delay getting Eset to add detection for W32.SpyBot.Worm. W32.SpyBot.Worm is not irrelevant, and codpet is not a VX collector. S/he may not have had any success at all had s/he not posted here in the forum and asked for advice (something a customer should not have to do). So, from my perspective, while rhetorical arguments in defense of Eset's "prioritization" system may placate the credulous, this experience still shows that it's problematic.
     
  14. Get

    Get Guest

    Heuristics aren't 100% by a long shot (whatever shadowserver says) so definitions are very relevant in my opinion. Heuristics have always been a strong point of NOD32, but for some time now the definitions are going down so on balance it's going down. When NOD32 scored well in tests it was "great" or "we are the champions :D" and now they fall behind it's "the tests aren't good" or "these figures aren't relevant". I don't like that :doubt:.
     
  15. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, if I hear that BitDefender hasn't detected a single sample, I'd doubt such tests too...
     
  16. PatG

    PatG Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    579
    Location:
    South Alabama
    I am impressed w/all the updates received from Eset, sometimes 2 and 3 per day. Instead of worrying about whatever someone else's test results are, I'm satisfied that no virus has infected my machine in over 2 years and just recently renewed for 2 years more. :cool:
     
  17. Abeltje

    Abeltje Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    156
    Location:
    Netherlands
    Update frequency does not impress me as it says nothing about the quality of the updates. An AV with just 1 update per day but a significantly higher number of detections added would always be my preference.
     
  18. codpet

    codpet Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    28
    Yes, they are. I believe their heuristics are better than NOD's currently. They picked up several items a day or two before NOD did.

    Not to say they are better in all aspects, just this one. I am sure that will change when NOD32 v3.0 comes out.
     
  19. Togg

    Togg Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    177
    Much of this thread reminds me of the anxious postings a few weeks ago when NOD32 lost its 'ADVANCED+' rating at Av-comparatives.org and was merely rated as 'ADVANCED' (Shock, Horror!).

    If you have a product that works for you and hasn't let you down, what are you going to do? Spend hours scanning all the available tests and 'reviews' and switch to the one that some self appointed 'expert' decides is the best (this week) or just relax until you have a reason (based on personal experience) to change?

    I actually like the GUI, and the modular setup didn't give me any great problems when installing or using it, so I shall be sticking with NOD until some substantive reason turns up to force me to reconsider my choice.
     
  20. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I've given up with NOD32 2.5 - the signatures do not update properly here in London, UK. I'm sticking with the non-signature-based MJ Registry Watcher which caught a trojan downloader the other day, when I clicked a link to a php page in Hungary from an email (something about Britney Spears). Note this was not an email attachment, just a simple http url (which I won't cite here for obvious reasons). Here is the log from MJRW :-

    =======================================================
    ** Thursday 5/7/2007 17:21:09 **
    Run Keys and Startup Files
    Registry Key hkey_local_machine\software\microsoft\windows\currentversion\run
    Value erwghjjrjt (S) will be a new value with data
    c:\windows\system32\drivers\ucbcg.exe
    =======================================================
    ** Thursday 5/7/2007 17:21:22 **
    Change Rejected
    =======================================================
    ** Thursday 5/7/2007 17:21:22 **
    Run Keys and Startup Files
    Files Added :-
    c:\U.exe - Size=19,968 Date=Thu Jul 05 17:21:08 2007 Attributes=---A-

    Files Deleted :-
    c:\*.exe - No Files Found
    =======================================================
    ** Thursday 5/7/2007 17:21:27 **
    MJRW Quarantined File c:\U.exe
    =======================================================
    ** Thursday 5/7/2007 17:21:28 **
    General Explorer Settings
    Registry Key hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects
    Subkey {040FA520-78C6-41ce-81D0-9E733ABC1A29} has been added
    Subkey {3F08996E-0A3D-456c-BEEC-9F51B6F614BC} has been added
    =======================================================
    ** Thursday 5/7/2007 17:21:34 **
    MJRW Quarantined Subkey {040FA520-78C6-41ce-81D0-9E733ABC1A29}
    =======================================================
    ** Thursday 5/7/2007 17:21:34 **
    MJRW Quarantined Subkey {3F08996E-0A3D-456c-BEEC-9F51B6F614BC}
    =======================================================
    ** Thursday 5/7/2007 17:21:35 **
    Low-level Drivers and Services
    Registry Key hkey_local_machine\system\ControlSet001\services
    Subkey runtime has been added
    Subkey runtime2 has been added
    =======================================================
    ** Thursday 5/7/2007 17:21:38 **
    MJRW Quarantined Subkey runtime
    =======================================================
    ** Thursday 5/7/2007 17:21:38 **
    MJRW Quarantined Subkey runtime2
    =======================================================
    ** Thursday 5/7/2007 17:21:39 **
    Run Keys and Startup Files
    Registry Key hkey_local_machine\software\microsoft\windows\currentversion\run
    Value startdrv (S) will be a new value with data
    C:\WINDOWS\Temp\startdrv.exe
    =======================================================
    ** Thursday 5/7/2007 17:21:42 **
    Change Rejected
    =======================================================
    ** Thursday 5/7/2007 17:26:37 **
    Important Executables and Driver Files
    Files Added :-
    c:\windows\system32\comi.dll - Size=44,167 Date=Thu Jul 05 17:21:11 2007 Attributes=---A-
    c:\windows\system32\wetde1.dll - Size=19,541 Date=Thu Jul 05 17:21:11 2007 Attributes=---A-
    =======================================================
    ** Thursday 5/7/2007 17:29:27 **
    MJRW Quarantined File c:\windows\system32\comi.dll
    =======================================================
    ** Thursday 5/7/2007 17:29:27 **
    MJRW Quarantined File c:\windows\system32\wetde1.dll
    =======================================================
    ** Thursday 5/7/2007 17:29:29 **
    Important Executables and Driver Files
    Files Added :-
    c:\windows\system32\drivers\ucbcg.exe - Size=19,968 Date=Thu Jul 05 17:21:08 2007 Attributes=---A-
    =======================================================
    ** Thursday 5/7/2007 17:29:36 **
    MJRW Quarantined File c:\windows\system32\drivers\ucbcg.exe
    =======================================================

    I submitted ucbcg.exe to VirusTotal, and it was not recognised by about half the scanners, including Microsoft, Norman, NAV, AVG and Bitdefender! NOD32 reported it as a possible trojan downloader, and others, like the impressive Sophos detected it despite having signatures that were 2 weeks out of date at the time of the scan. When submitted today, AVG, Bitdefender, and NAV now report it. However, Microsoft and Norman still do not report it. This shows how important the latest signatures are to most signature-based scanners. Since I am not the only one with NOD32 clients who are having trouble getting signature updates, I am no longer recommending NOD32, and am just plugging my own MJRW software.
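    The MJRW log quoted above has a regular block structure (a rule of '=' characters, a timestamp line, a category line, then detail lines). As an added example that is not part of the post or of the MJRW software itself, here is a small Python parser that splits such a log into events and tallies the persistence attempts it records (Run key values, added subkeys, dropped executables) against the watcher's responses (rejected changes, quarantines); the sample log is a constructed, abridged excerpt modelled on the one in the post.

```python
from collections import Counter
# Constructed sample: an abridged excerpt modelled on the MJRW log quoted above.
SAMPLE_LOG = r"""=======================================================
** Thursday 5/7/2007 17:21:09 **
Run Keys and Startup Files
Registry Key hkey_local_machine\software\microsoft\windows\currentversion\run
Value erwghjjrjt (S) will be a new value with data
c:\windows\system32\drivers\ucbcg.exe
=======================================================
** Thursday 5/7/2007 17:21:22 **
Change Rejected
=======================================================
** Thursday 5/7/2007 17:21:22 **
Run Keys and Startup Files
Files Added :-
c:\U.exe - Size=19,968 Date=Thu Jul 05 17:21:08 2007 Attributes=---A-
=======================================================
** Thursday 5/7/2007 17:21:28 **
General Explorer Settings
Subkey {040FA520-78C6-41ce-81D0-9E733ABC1A29} has been added
=======================================================
** Thursday 5/7/2007 17:21:34 **
MJRW Quarantined Subkey {040FA520-78C6-41ce-81D0-9E733ABC1A29}
======================================================="""

def parse_mjrw(text):
    """Split an MJRW log into {time, category, details} events."""
    events, block = [], []
    for line in text.splitlines() + ["====="]:  # sentinel flushes the last block
        if line.startswith("====="):
            if block:
                events.append({"time": block[0].strip("* "), "category": block[1], "details": block[2:]})
            block = []
        elif line.strip():
            block.append(line.strip())
    return events

def summarize(events):
    """Count what the watcher saw (persistence attempts) and what it did about them."""
    c = Counter()
    for ev in events:
        cat, det = ev["category"], ev["details"]
        if cat.startswith("MJRW Quarantined"):
            c["quarantined"] += 1           # file or subkey moved to quarantine
        elif cat == "Change Rejected":
            c["rejected"] += 1              # registry write blocked
        c["run_key_value"] += sum(d.startswith("Value ") for d in det)   # Run-key autostart
        c["subkey_added"] += sum(d.startswith("Subkey ") for d in det)   # BHO / service subkey
        c["files_dropped"] += sum(" - Size=" in d for d in det)          # new executables on disk
    return {k: v for k, v in c.items() if v}
```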
     
  21. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Odd, I've never had any issues getting NOD's updates... that registry watcher looks interesting though :)
     
  22. ASpace

    ASpace Guest

    Perhaps your ISP has problems or your computer itself. Millions of people worldwide use NOD32 and very few complain, especially about updating.
    Eset servers are working very well now:
    http://status.nod32usa.com
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    This sounds to me like a contradiction. You say that NOD32 has reported a trojan downloader and then you ceased recommending NOD32 ;) I've always thought that the primary task of an antivirus is to catch and block malware, and not to let it in.
     
  24. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    I don't think he is doubting NOD's detection ability, he is stating that he - and others - have had problems obtaining updates. Whilst I, myself, have not had any problems, an issue does obviously exist somewhere.
     
  25. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Apologies if this is a bit off topic, but there has been a big spamming of Trojan Small/Tibs last week with links to download ecard.exe (and as of this weekend now new patch.exe) see castlecops discussion.

    When accessing most of these links, if I click to download the file IMON jumps in saying "Probably a variant of Win32/Statik trojan" but if you tell IMON to ignore, or have IMON switched off, neither AMON nor on-demand show any detection of the file, even with Advanced Heuristics enabled.

    I was wondering why IMON is detecting these but AMON/on-demand is not. FWIW, I submitted one of the first I received in my inbox to samples @ eset.com last week (still not detected - File size: 133963 bytes. MD5: c43175ea2aa792c15e655775c79b9c06) and IMON also warns about this but once downloaded AMON and on-demand remain silent.

    Does IMON receive the same definitions as AMON and on-demand?
     