The ultimate combination? (NOD32 & KAV)

Discussion in 'other anti-virus software' started by owziee, May 15, 2004.

Thread Status:
Not open for further replies.
  1. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    I'm currently using NOD32 with Amon enabled and Kaspersky Anti-Virus Pro as on-demand scanner. I scanned my whole HD and KAV found 2 trojans which NOD has apparently missed.

    Since NOD is very light on resources I guess it's great having it as the on-access scanner & using KAV as on-demand only.
     
  2. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    NOD is an AV, not an AT.
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I think a better combination would be the best of both worlds!

    AV: NOD32
    AT: TDS-3

    Now THAT's real protection.
     
  4. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    I have The Cleaner as my anti-trojan... Maybe it's not the best but I think it does its job pretty good. Maybe it would've found the trojans but I haven't scanned my HD with The Cleaner in over a week or so & I have TCActive & TCMonitor disabled. I don't blame NOD32 for not picking up the trojans either... it's a very good AV and not an AT I know but I think KAV finds more viruses (of course I could be wrong) so I feel better having both AVs working in conjunction.
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
  6. dom424

    dom424 Registered Member

    Joined:
    Aug 19, 2002
    Posts:
    41
    Location:
    Enid, OK.
    I feel I have the best of both worlds with NOD and BOClean. Both do the job they do well.
     
  7. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Quite frankly, I think the best of all possible worlds would be KAV on a new, or relatively new box, with a lot of RAM, but not on an old W98/ME box. I don't think I should have to pay for two programs when one will do the job if it is the right one. You guys want to pay double to have proper protection, plus, you want the added problems that come with an additional application like this then be my guest. I think NOD32 needs to become much better at detecting trojans if it expects my business beyond the end of my license. That is about six months from now so we'll see.

    I just read the entire 100 page manual for KAV 5.0 and am very impressed. I have never seen such an excellent manual from any AV vendor before. So, if KAV is anything like its manual, I would love it. Its GUI is great. So, Eset, you have a major contender on the block. KAV 5.0 Personal is going to give Symantec, McAfee...all major AV vendors a run for their money. It is going BIG TIME. I expect to see it packaged soon in Walmart, etc. right next to NAV and McAfee...eating into their dominance of the market here in the U. S.
     
  8. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    NOD is not a dedicated AT, but neither is KAV. NOD, however, does claim coverage for trojans but as yet it is not equivalent in trojan detection to McAfee or KAV. That said, for active surfers and downloaders, I'd recommend a dedicated AT to supplement their AV whatever AV they use.
     
  9. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I think that may depend on how risky your surfing activities are. If you regularly go to porn sites, warez, do P2P, etc. then I would agree with you but for the average paranoid dslr member (for instance) I don't think a separate trojan detection program is needed if you have KAV or McAfee or even NAV. But then I don't agree that I need a software firewall now that I have a router so I'm not as paranoid as some! :) But then, I don't have much of the risk that most do because I don't use IE and I use Proxomitron.

    I guess what bothers me is Eset's claim of being a trojan detector when it still lacks considerably in this regard and the long standing insistence of NOD32 users that we should be required to spend double the money for protection since we require two applications and we have to be very careful to not get a trojan detection application that doesn't like NOD32. Well, you don't have those worries if the same application does both and your pocketbook is much healthier also. So, NOD32 is great...but it is the most expensive of all AV since you have to shell out the money for an anti-trojan application also according to most NOD32 regulars here.
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Layered defense comes to mind once more ;) I for one do agree with having separate resident running apps for both AV and AT. I have stated this numerous times: never put all eggs in just one basket: in case your "all-in-one" app has been put out of business (hidden or plain to see): no defenses anymore - sitting duck. This goes for KAV as well. Anyone can fool a signature-based AV - not that many can fool strong heuristics. A very well known fact in the VXers world. Thus: better think twice...

    regards.

    paul
     
  11. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    I don't agree at all. NOD32 covers more trojans than KAV speaking about heuristics, for example the Beast backdoor was heuristically detected by NOD and not KAV. My malware collection has about 50 different backdoors, and NOD detected about 47 heuristically using AH. The same happens with worms. If a worm starts spreading right now via e-mail, p2p, etc., it is probable that NOD will stop it without signatures; KAV will need an update.
    Kaspersky Labs is also very careless analyzing malware, for example, many times they detect a certain malware as a trojan and it's a worm or vice versa. Also they add detection to samples more quickly than NOD, however many times KAV can detect a new sample, but not disinfect it. (There are many infections or files that can't be repaired, but I'm speaking about malware that can be disinfected, and yes, I've a valid key for KAV).

     
  12. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I knew I would hear that layered defense argument as that is what I always hear from NOD32 defenders. :) Can't you guys come up with something more creative than that....that is an old, tired argument. I don't hear that one from the AV users who have an AV that is strong in both viruses and trojans. ;)

    I don't really buy the layered defense argument for anything. I didn't run any sort of firewall for over two years on a cable connection where my computer was never turned off. Never had a problem. On the other hand, I had Zone Alarm beta on my dialup AOL connection back when almost no one had ever heard of a software firewall much less used one. I had fun beta testing ZA. So, I am certainly not ignorant about firewalls! When I have run a software firewall (and did recently run NIS that came with my router), I have never, on either computer, had anything try to call out that I didn't already know would need to call out. All NIS did was mess up page compression at dslr so I had to get rid of it. I do, of course, use ICF if I have to go on dial up and I don't have the router's protection and since I had to ruin the protective bindings, etc I had for my W98SE box in order to network it, I would never now use dial up with it.

    To me, people run all this stuff because they don't know how or want to practice safe computing which is the most protective of all! I probably don't need an av that has better trojan detection as I have had NOD32 for a year and one-half and haven't gotten any trojans. In fact, in 5 years I have only had one virus infection and that was from a very nasty stealth boot virus lurking on a brand new blank floppy that I had just purchased at an office supply store. In my ignorance as a newbie I didn't know a brand new blank floppy like that could have a virus so I didn't scan it. I have had a few viruses sent to me from someone who likes to test and collect and I have wanted to see how my AV would perform. Other than that I have, in five years, gotten only two viruses sent in email and those were both when I had a one month trial of Earthlink dial up over three years ago.

    I never, ever open an email attachment unless I am expecting it and I always download to disk and scan it first. I don't open any email unless I recognize the sender and even then I usually look at it first from properties/details/message source and I am always prepared to drop any email address as soon as it becomes at all compromised.

    So, do I need a layered approach? I run Proxomitron, use Firefox and Mozilla as my browsers, never have had any spyware on either computer except when I was a newbie 5 years ago my friend told me about Bonzi Buddy and I got it and hated it and promptly got rid of it and later learned it was spyware. I don't use any sort of instant messaging and don't do P2P, warez, porn, etc. I believe it was Marcos who told me that with my careful habits that I probably don't need an AV at all! :D
     
  13. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    I must ask a question. I have imon disabled at the moment since I'm not using a pop3 account. But I use hotmail within Outlook Express so I wonder if imon would scan my incoming mails if I enable it? AH is a very nice part of NOD and one of the reasons I'm keeping NOD32 as my main scanner.
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Besides the point, Mele. Even when running KAV (or whatever AV for that matter) over here, I do run a dedicated AT. That way, I will not be out of all AV/AT protection in case one has been targeted successfully. Indeed: the old "all eggs in just one basket" story. Still a valid story, whatever AV one has in use ;).

    regards.

    paul
     
  15. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    owziee: my understanding from some other threads is that at present IMON does not scan web based email even if you have it downloaded through OE. Although a new IMON version still in development is supposed to be able to scan webmail and stuff downloaded through http and ftp.
     
  16. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I have a friend who has just replaced NOD (updated every hour - full-time web connection, NOD updated itself!) with KAV. When he scanned his PC as prompted, KAV found 8 bits of malware that NOD had missed (6 trojans, 2 worms), so unless NOD improves its detection (especially trojans) I will be replacing it with KAV on the machines that now use NOD (we'll have to put up with any slowdown).
    I'm not really interested in the argument that NOD is AV not AT. My mate (due to wording on the NOD website) thought he WAS protected. Perhaps it's about time they (Eset) changed their website to make it CLEAR that NOD isn't so hot with trojans. I actually queried them (Eset), approx 5-6 months ago, about trojan detection and whether it is advisable to run an AT along with NOD: didn't even get a reply! So about a week later I contacted one of the resellers with the same question and was reassured NOD32 caught "everything and was head and shoulders above every other product" and that they had "not heard of anyone having problems with trojans whilst using NOD".
    Basically the same as the NOD32 web page! Is this just a sales pitch? I would rather software vendors (all of them, not just Eset!) were more open and honest about limitations of their products, then we the users would know what and what not to expect from a product, but I suppose it's all driven in the end by sales, and vendors probably feel if they are too honest the product may not sell!
     
  17. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton

    I've heard this anti-layered approach many times from guys with the exact same attitude. The day will come when you get burned. A layered approach is required as no software package can do it all. The reason I'm here is I'm researching new products. I like what I hear about KAV, d/l and tried it, but it is too darned slow. arrrgghhh.

    You state that 2 years ago, etc. It's a far different world out there now, than it was 2 years ago. You need effective protection. Heck, you can get infected on a new install b4 running windows update with some worms and viruses. Just depends on the situation.

    Malware is more prevalent and unless you know what you are doing, it's much easier to get infected without any participation on your part whatsoever. The malware will evolve, you better hope your protection does.
     
  18. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    >You state that 2 years ago, etc. Its a far different world out there now, than it was 2 years ago. You need effective protection. Heck. you can get infected on a new install b4 running windows update with some worms and viruses. Just depends on the situation.



    Why do you think I spent over an hour when I first got this new box, which was my first XP box, following 13 pages of instructions from http://www.markusjansson.net/exp.html
    securing XP before ever attempting to access the internet?

    You assume that I am a typical user. You also assume that I use IE and that I don't use Proxo to filter everything. Yes, of course, anything is possible...likely that I will get burned no. Even Eset mods here have said I probably don't need an AV because I rigidly practice safe computing. Sure, that might not save me 100% of the time, but I am willing to take the risk for the 1-2% that I might not be covered for rather than have umpteen zillion applications running all the time conflicting with each other and destroying any enjoyment I might have from my computer. In an average week, I only access three sites regularly and they are all security sites...so I don't think they will infect me! I also access Google but usually just for searching for sites that inform me about Windows XP, etc. I like learning about computers...I am bored by the internet mostly...computers though don't bore me. So, I am just not likely to be venturing somewhere that I will get infected plus with Proxo filtering and my never allowing cookies except at three sites...etc. etc. it is just very unlikely that something will get me. If something does sometime, it will most likely be due to my forgetting something...like forgetting to make sure I have ICF enabled if I suddenly have my cable connection go down and I switch to dialup. That did happen the first time I used my W98SE box on backup dialup after I had to take down the protective tcp bindings so I could network the box. Within 5 minutes, Amon alerted that it had caught Opaserv! I felt stupid and you better believe that will never happen again..but I had used that box for close to 5 years with all ports closed...no way anything could get in ...tied down to netbeui so I don't think it particularly surprising that when I finally had to take down all my carefully constructed protections that I would forget once..but never again! Or, I test some virus that a friend sends me at my request and I mess up and get infected. 
    Those are the only really likely ways and hopefully, I will remain alert and those scenarios won't occur.

    I'm very curious to try KAV as I haven't tried it since they had KAV Lite and that was about three years ago. Some say that with new powerful computers like mine with hyper threading and lots of RAM that they don't see a slowdown....well, I want to see for myself. I wouldn't dream of putting it on my W98SE box! I trialled McAfee 7.0 and I LOVED it except this was on my W98SE box before I got the new box and the engine had a terrible bug that trashed OE only on W98SE boxes...otherwise, I'd be running it now. My beef with NOD32 is the poor GUI (although it is better than version 1 which was a nightmare) and the lack of a proper quarantine, extreme difficulty in making floppies, etc. So I am very drawn to an AV like the new KAV and McAfee and PC-Cillin and NAV all of which have very similar, excellent, easy to use and understand GUI's.

    I get very confused even after a year and one-half of NOD32 with the GUI so I could get infected just because I can't figure out this GUI. It is totally anti-intuitive. For instance "hide" o_O? I don't want hide anything, I want to minimize which is not the same! Quarantine that doesn't quarantine? Whoever heard of an AV that doesn't understand the definition of quarantine as all other av vendors use the term? Make floppies for booting and scanning? Well, I just had a thread here asking about what DOS command to put in for AVDisk to run and no one had an answer ...not even Eset and I got AVDisk from NOD32 Australia site and NOD32 is approved for AV disk. Now McAfee for instance, has a beta application out that I may test that practically makes the disks for you and they are for use on NTFS not just FAT32. I could go on and on..but you get the point, I assume. NOD32 insists on going down a path that is totally different from all other AV vendors and that bothers me a lot. I think that kind and degree of difference sets up users for unnecessary risk as most users expect AV to have a lot of commonality across the various vendors.
     
  19. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I, for one, applaud NOD32's innovative approach with AH and the upcoming IMON module HTTP scanner, etc. AH has already proven itself by detecting some new infections that some other AVs didn't detect.

    A lot of times a new way of doing things can be very beneficial.

    I have never understood why, with all your posted problems with NOD and wanting NOD to be like every other AV, you continue to use it?
     
    Last edited: May 16, 2004
  20. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    KAV ain't that slow actually the new version 5 is pretty fast at recommended settings. Much improved speed over v.4.5. I have an AMD Athlon XP 2000+ (1.97Mhz) & 512 MB Ram, a pretty old machine imo, and I seriously didn't notice any difference between KAV and NOD's on-access scanners performance wise. KAV was very slow at scanning the HD and files (on-demand) though.

    The reason I'm using NOD as the on-access scanner is that it uses less memory than KAV. The difference ain't that big though.
     
  21. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Fair enough, that's your experience and it's worked for you in the past.

    I've understood the logic behind a layered defense for some time - but that was an intellectual exercise. I've come to appreciate the practical validity of it more recently. As I described in the last reply of the NOD32 tested thread already, a commercial lab I run suffered real and somewhat expensive hardware damage due to the Sasser worm. Due to internal network problems, the corporate Norton AV was having problems updating some LAN clients. Definitions were only a few days out of date, but that didn't matter. PCs that were current with Norton were fine, those impacted by the internal LAN issues were hit. Now, this can happen to anyone out there who:

    a. Experiences a problem with an automated update service and hasn't noticed it (this would be me in the Sasser case).
    b. Uses an AV/AT/etc. that happens to be a tad slow in handling the latest threat
    c. Employs a product that doesn't cover the threat
    d. Manually updates on a slow time cycle

    Separate product layered protection is one insurance strategy that may address some of the situations noted above. It's not a certain solution, but that's the nature of insuring against unknown risks in vaguely defined situations. I'm not a tin-foil hat type of guy and it is very easy to go overboard on this type of thing. The important point to realize is that overboard to you and your needs may well be prudent practices to the next person based on their needs. Would a layered approach have helped in my case? I haven't a clue and due to corporate IT directives it's not a solution I could apply even if I wanted to.

    Unfortunately, the need doesn't only scale with value of the data, the ability to recover from an infestation is also a significant factor. A complete novice may become crippled to the point of an expensive service call, while it's a two minute deletion/reset Winsock exercise to us. I believe that we are all aware of the downsides of layered protection. Blindly implemented, a system can slow to a crawl due to raw resource consumption and there is the ever present issue of program compatibility. There are no easy answers here. I assume that as more and more vendors expand the range of behaviors that a given application covers, the likelihood of compatibility issues arising increases. This is potentially a real problem for the future and as you've stated
    I agree with you completely here. In novice hands, the cure can very well be worse than the disease. I suppose this is the market driver for complete protection within a single application or suite rather than a classical layered approach.

    I think you are right here, although your comments are more directed at basic operations and look-and-feel. I focus more on program approach and it doesn't bother me yet. Clearly, NOD32 places a lot of emphasis on heuristics. The approach is young and I think the jury is out on whether it is viable as a standalone approach. NOD32 has not yet employed it as a sole solution, but that seems to be where their primary development focus is and their CEO has signaled that as a significant direction, see this interview. Heuristics are a potentially very efficient way of handling threats that are defined by some very basic behavioral characteristics - so my gut says it's a great way of addressing rapidly evolving variants of a basic threat. Whether it can be generalized beyond that without becoming an avalanche of false positives I'm much less certain of. As always, consumers must weigh whether they are on the cutting-edge or bleeding-edge of technology and which side is more appropriate for them....

    As always, Mele20 and others, following exchanges like those above help everyone to critically reflect on the ways we choose to address current and future problems. All comments are valuable to consider, even if we decide to follow another path.

    Blue
     
  22. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton
    About KAV, well, after about 20 minutes of scanning about 40 gigs of data, it still had not reached the 1/4 way mark, so for me this is too slow. Not only that, when scanning of course the machine slowed down considerably. I was trialing the version 4.5. I don't suffer these problems with NOD and find that it scans about the same speed as Norton. I suspended use of that product over 3 years ago. I will continue testing other products, but in a production environment, this is way too slow. We trialed the 4.5 since it seems to be the release of choice among the users' comments I've read here.

    Concerning the layered defense, Mele20 has found success locking down his computer and following standard security rules and some common sense. Heh, too bad all users were not like him. I don't have that luxury as I have to look after a larger number of users that tend to do as they please. They do not seriously rate security issues with any sort of importance. Malware is a huge issue and by itself can cause just as much damage as a virus. I use a mixed bag of programs to keep the spyware at bay while locking down the browsers and rounding it all off with some serious policy rules. Just replacing IE with Firefox has taken some of the stress out of the job. Pest Patrol, TDS-3 (under trial), Spybot S&D, Spyware Blaster, Process Guard (under trial), NOD32 and Pivx pretty well keep my network clean. Using Autoupdates for XP pretty well negates most user intervention and have only 2 9x machines to replace now.

    Process Guard is an amazing program and is certainly a keeper. I am tickled with this program. I use this in concert with NOD32 to keep an eye on what is executed on each computer. PG works exactly as stated and I hope to deploy it on all high value machines. Pivx is nice as it guards against known exploits and has covered some emerging exploits as they are discovered.
    While some insist on using IE, Qwik-Fix™ provides somewhat of a safety net. Pest Patrol and TDS-3 provide the required security against most of the malware out there and Spyware Blaster blocks the installs for those who will not listen. Using PG to lock these programs down is an added bonus since they cannot be shut down by malware or the user. :D

    For a Firewall, I've been using Zone Alarm Pro for the last 5 years. We have had issues with the proxy continually dialing out using Zone Alarm, so we replaced it with Sygate. I am heavily testing Sygate for our new firewall, I'm extremely impressed with it. So it has taken over duties on the server and if it continues to work as it does now, all our ZA licences will be replaced with Sygate. With ZA I do appreciate the added protection of Email protection. Since most users can't seem to figure out how to open the ext with it renamed it provides yet another layer of security.

    This latest line up causes no conflicts or slow downs on our file and print server and since replacing Zone Alarm it has run consistently smooth. There are no slowdowns or conflicts and we have had no infections in the last 3 years on any machines using this latest collection.
     
  23. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    No offense intended - but the subject from this post is and has been very clear from the start. In the meanwhile, this thread has gone off topic rather drastically. It's OK to discuss all sorts of AVs over here - as long as it's addressed on the forum it belongs to.

    For that reason, this thread has been moved to a far more appropriate sub forum.

    regards.

    paul
     
  24. BlueMoon

    BlueMoon Guest

    Good decision. The NOD32 forum never ever has been intended to discuss KAV, NAV - you name them. It's the NOD32 support forum for heaven's sake!

    Blue
     
  25. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I was once an avid believer in 'layered protection'. I have it myself. Now the debate about having all your 'eggs in one basket' being bad is all well and good, but how many times has one of your layers actually been 'taken down'? My answer speaking from personal experience is none whatsoever. I have all this layered protection but never once has my AV been taken out by some piece of malware. If you practice safe computing and use something like KAV or McAfee for your virus & trojan protection then layered protection is not an absolute necessity. Most users use layered protection as 'just in case' security. But unless you are constantly seeing examples of AVs being taken out left, right and center, I can't understand how you can advocate so strongly the need for layered protection. I use it, but I don't believe it's an 'absolute necessity'.

    muf
     