NOD32 vs. KAV

Discussion in 'other anti-virus software' started by Iztok, Nov 27, 2003.

Thread Status:
Not open for further replies.
  1. dos

    dos Registered Member

    Joined:
    Oct 17, 2003
    Posts:
    43
    I too have experienced false positives with KAV, but none with NOD32. KAV even detected one of my own innocent files that I programmed myself as a virus o_O
     
  2. Godzilla

    Godzilla AV Expert

    Joined:
    Nov 1, 2003
    Posts:
    63
    We have a virus programmer in our ranks here :eek:
    Welcome :D

    :cool:
     
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To sir_carew from Firefighter!

    First of all, because I have seen so many times in this forum that KAV makes SOME false positives within certain file types, I referred NOD against McAfee in this thread's detecting rates. What I have seen about McAfee, it isn't so famous of false positives.

    U said:

    "I recently downloaded a ZIP package that includes approx. 6,480 files that KAV with the latest update detects as infected, and the files aren't infected".

    "I will not send these files to Kaspersky, because I hate the people of that company".

    Are u sure that u haven't any personal mission against KAV?

    I have shown some detection tables from different av-tests only because some av-progs, not only NOD, seem to perform extremely well in VirusBulletin Zoo tests, but not at all in some other independent tests, while some progs seem to perform well anywhere. I haven't so far heard any acceptable reason for that. I don't hate NOD; in my mind it has made a lot of improvements, unpacking engine, trojan detection, but so far there are progs that perform better IN MY MIND.

    Because different av-vendors disagree about which is an infection and which is not, what choice do I have but the deepest level of protection?


    "The truth is out there, but it hurts!"

    Best regards,
    Firefighter!
     
  4. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    There is no disagreement between different av vendors whether a sample is malware or not. Any av analyst will tell you that correctly. The problem is just that most av vendors started to include non-malware samples in their detections to make their product look better in some av tests.

    Some "black sheep" started off to "improve" their product in several unqualified tests and all the other vendors followed because of people like you who get "fooled" by the figures.

    If there is something fake with the tests at VirusBulletin for example, then I wonder why nearly all av companies support that magazine and highly respected persons from the av scene write articles in this magazine?

    But what should I say... The truth is out there but for some people it seems hard to believe. ;)

    wizard
     
  5. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Wizard from Firefighter!

    U said: "The problem is just that most av vendors started to include non-malware samples in their detections to make their product look better in some av tests."

    I agree that this might happen because of the feedback I've got from different av-vendors.

    But how do u find the best av-vendor that doesn't add junk files to their database? Is it among the TOP 10, 15, 20, 25 or even 30 in certain large av-tests?

    Another thing is then more interesting: how could u make your choice of the av u use?

    Which are those tests that can be trusted?

    VirusBulletin tests only viruses; that's why VB is always only one part of the whole malware issue. There are independent testers like checkvir.hu, Rokop, VTC Hamburg, av-test.org, Scheinsicherheit etc. which WERE PUBLISHING their TESTING RESULTS. Which do u believe? Why?

    For me as "an average Joe", talking about a billion dollar business where there are only less than half a dozen testers to be trusted, the whole business sucks.

    One interesting thing: from which branch do those "script kiddies" earn their living when they have "grown up"? Are they loco or taxi drivers, do they work in McDonald's, are they working in insurance companies or big factories? I'm just wondering things like this!

    There have to be more trustworthy testers in a billion dollar business!

    "The truth is out there, but it hurts!"

    Best regards,
    Firefighter!
     
  6. OSSForever

    OSSForever Guest

    I wonder, Michael, why you've gone from blatantly praising KAV over NOD32 during your GAV days to, well, what you're doing now? Has KAV gotten a load worse, NOD a load better, or did you have a religious NOD experience of some sort? ;) Which of the two AVs would you consider better now, eh?
     
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    It's funny how arguments like this still go on, over and over. After a lot of reading, and some private input from people who I know have a handle on these things, I'm fairly convinced that:

    (1) KAV and NOD32 are both very effective at detecting real threats;

    (2) KAV is more of a "kitchen sink" detector, which will catch some things that NOD32 will miss;

    (3) the things that KAV catches but NOD32 misses aren't threats that any normal computer user has to worry about, so criticism of NOD32 on this point isn't particularly valid;

    (4) the extra capability of KAV as noted in (2) comes at the price of CPU cycles, and the lack of capability of NOD32 in the same regard comes with the reward of significantly better performance;

    (5) KAV has self-protection features, NOD32 does not, but Eset says they will be added soon; and

    (6) other differences are preference alone, such as interface.

    I have lots of criticism for KAV and NOD32 both, but I also have confidence in both at this point.

    With regard to point (2) above, I have one more thing to say, which has been on my mind for a long time... Aren't the same people who come across malware that some AVs miss the very same people who exhibit such poor computer hygiene and dearth of common sense that they lack all credibility anyway? I mean, if you install a new AV utility, and it catches 150 bits of malware that your old one missed, the first thing that comes to my mind isn't "Wow, that new AV is great", but rather, "Wow, you must be a moron". (And I don't buy constant "I'm an amateur malware researcher" or "I'm a virus collector" excuses.)
     
  8. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Great post, Nameless. :D
     
  9. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    It is no secret that all add "junk" into the detection. So the better certain programs score in big zoo malware tests, the more "junk" is in their signature database. But don't get me wrong: a program that has a huge amount of junk in its database can also have fantastic detection rates on "real" threats. What mainly counts is how good the ITW detection was, not just in one single test but over a certain period.

    It depends on what you want. Just look which program scored well over a certain period on ITW. Download a trial and test it on your system and if it works, take it. Otherwise skip to the next. There is no 100 % perfect program available - there are several very good ones amongst which you can choose.

    First make sure that you don't rely on tests from anonymous persons. You can always make up a test set that makes program A look better than B and vice versa. So if the tester is anonymous this has a reason and makes me just suspicious about the real intention of the tester.

    Secondly, check how long the tester has been in "business". You can make plenty of mistakes while testing av software. The longer a certain tester is in the business, the more likely a higher quality of the result is.

    I think the "average Joe" should not care too much about all those tests. If you ask me personally what I recommend: if you want to have a program that can handle viruses and trojans in one, just take a KAV based product. Kaspersky has been one of the first av companies that did work on trojan detection and they are IMHO miles ahead with a huge collection and superb unpacking features.

    If you are more in favour of having two separate programs: just give NOD32 a trial and look for one of the standard ATs like TDS-3 or TrojanHunter. And before somebody comes back with "all Wilders recommendations on NOD32 are biased" I can tell you: There is hardly anything to criticise on NOD32, whether they have a support forum over here or not.

    I agree. But even with more trustworthy testers there will be a lot of people finding their tests suspect just because they don't like the outcomes. ;)

    wizard
     
  10. Godzilla

    Godzilla AV Expert

    Joined:
    Nov 1, 2003
    Posts:
    63
    NOD32 did improve very well in a short time. I am not of this kind: "I didn't like it - and because of this I will never like it."

    They did add unpack support (ok, yes, they cannot (yet) compete with KAV on unpackers) but at least they now have the most used packers included. I respect that. And I did NEVER EVER SAY that KAV has better heuristics. KAV is better when it comes to packed backdoors/trojans, but as you may know this is not everything in the av business. And my last post does not mean that KAV _sucks_; it means only that KAV also has flaws. This happens to _all_ programs. And the issue here is not an "undetected" sample or a few of them - the issue is how you deal with such results.

    And I want to point out some things one last time:

    Only if you know WHAT THIS MISSED MALWARE SAMPLE R-E-A-L-L-Y DOES and/or you KNOW FOR SURE IT'S A WELL-KNOWN SAMPLE THAT'S STILL ALIVE ON PUBLIC MACHINES, ONLY THEN do you have a "right" to complain about undetected samples.

    All other complaining is USELESS until the "newcomer av security test-experts" have learned this.
    There is a BIG difference between KNOWING MALWARE FROM A PROFESSIONAL SELF-MADE ANALYSIS and KNOWING MALWARE FROM JUST SCANNING WITH OTHER SCANNERS.

    And under "professional self-made analysis" I do _NOT_ consider that the malware gets started in a VMware machine or whatever and only writing down some registry entries. You have to disassemble AND UNDERSTAND this disassembled code - only this way can you "open the doors" to the so far "undetected features" of the malware.

    Best example: Win32 PE slow infectors. How would you know a file is virus infected (without a scanner of course, because we have a new unknown sample here) if you just start this file in a VMware machine AND NOTHING HAPPENS, BECAUSE THIS VIRUS IS A SLOW INFECTOR?

    For the readers who may not be familiar with the word "slow infector" - it's a virus that does not spread at the same time you execute an infected file. It spreads when certain events happen (such as 1,000,000 files opened or a time trigger, for instance).

    You will never find such viruses with amateurish behaviour - you need very deep knowledge about assembler code and reverse engineering here. Otherwise you cannot verify that you have a LIVING VIRUS SAMPLE, not even if you start an "infected" file.

    Take Win32.CTX.6886: this is a highly polymorphic Win32 file infector. And it infects files VERY SLOWLY. You almost go crazy if you want this virus to infect other files. If you want to know more about this and how you can detect this beast easily without using an emulator, just pm me :D

    Cheers,
    Michael
     