NOD or DrWeb, quicker against new nasties?

Discussion in 'other anti-virus software' started by Firefighter, Aug 6, 2005.

Thread Status:
Not open for further replies.
  1. Edwin024

    Edwin024 Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    1,008
    And with Eset adding loads of 'old ones' to the signatures NOD32 will do better in most real tests, I presume.
     
  2. myluvnttl

    myluvnttl Registered Member

    Joined:
    Aug 23, 2004
    Posts:
    150
    The newest update is: NOD32 - v.1.1189 (20050808)
     
  3. Atomic_Ed

    Atomic_Ed Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    389
    No I had not heard of that site before so I had not tried it. When I uninstalled nod32 from my system and loaded Avast!, I cleaned out my system and cache completely and the browser cache history is where the urls were that I had gone to that tried to put the trojans on the system. I do not have the urls anymore but it would be quite easy to find more since all I did was google searches for x64 antivirus and found at least a half dozen sites that avast! stopped from loading trojans. As I said nod32 only detected one of these sites having a trojan on it. Some of the hits google returned had keygens and other warez crap that of course all are loaded with trojans and someone would be stupid to purposely browse those sites. If you try it for yourself, I would recommend that you install Avast! first, this way you can see what the detections are and bookmark them if so desired. Then install nod32 and try those same sites. I am sure you will be surprised at the results. I was.

    Again, I am not bashing nod32 which I feel is a really good product, I just think Avast! was a better choice for my usage and needs. Remember though, there is not, never has been nor ever will be a single product that will do everything the best in reference to security. This is the nature of the subject and should not take away from very good products when they may not be as good in some areas. I feel the solution should be relative to the needs of the user and their usage. That is what should be the deciding factor in choosing a product or suite of products for that matter and not just popularity or biased statements of any one solution. In fact even though I feel more comfortable with avast! I still feel uneasy about not having any choices for an x64 compatible firewall that can provide outgoing protection as well. I saw the info on the TPF product but from what I can see, it doesn't appeal to me. I would like to see something like Mcafee PFP or Outpost or something a bit more polished and easy to use. Even though some products are very customizable and can be tweaked for extremely good protection, I just don't want to spend the majority of my computer time tweaking a firewall.

    Well good luck with your testing and let us know what you find.
     
  4. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    Speaking of Istbar, McAfee must have some strong generic detection sig for it. I've seen two different versions of Istbar in the last couple days that only McAfee detected (verified when I ran it in a virtual machine).
     
  5. wangk0998

    wangk0998 Registered Member

    Joined:
    Oct 23, 2004
    Posts:
    20
    I have tried quite a lot of antivirus programs, such as kaspersky, dr.web, nod32, mcafee, norton, bitdefender, arcavir, antivir, f-fort, AVG, even some Chinese antivirus programs including Duba, rising, KV; none of them can find every virus. So in my view, no program is perfect, but the best is the one which you choose.
     
  6. Atomic_Ed

    Atomic_Ed Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    389
    Welcome friend! Your English is good and I understood your post perfectly. You are correct that there is no one product which will be able to find every threat or be good at everything.
     
  7. AndreyKa

    AndreyKa Registered Member

    Joined:
    Feb 25, 2005
    Posts:
    93
    Location:
    Russia

    Attached Files:

  8. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Don't get rid of your AT's just yet.
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Yes, McAfee does have very strong generic detections. It found 2 startpage variants and a TrojanDropper for my brother with generic signatures.
     
  10. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    This thread is very interesting to say the least. I have a license also for Nod32 and have tried numerous antivirus applications. However I have a trojan scanner to back up Nod32 as an extra layer of protection. About a week ago I contacted Nod32 tech support about this exact question on Trojan/Malware detection. Here is the quote from Nod32 tech support.
    ==========================================================

    NOD32 is checkmark certified for Trojan detection http://www.westcoastlabs.org/cm-av-list.asp?Cat_ID=3.

    Most independent tests currently do not use scientific methodologies in conducting their tests. There is a gray area in what files are called trojans. Some tools that are used by white hack forensic experts are detected as trojans by some products because a network administrator may not want such files on their network. Without knowing what the trojans detected are and that they have been analyzed, rather than placed in a test set because one product called it a trojan, it is hard to draw effective conclusions from most of these tests.

    Regards,
    Nigel Cook.

    Just a little insight from Nod32
     
  11. Patrician

    Patrician Registered Member

    Joined:
    Jun 3, 2005
    Posts:
    132

    That's the problem though, with NOD you have to run an AT or another AV as backup, with KAV and others you don't have to. If your very light on resources AV needs other resident scanners to support its failings then there isn't much point in it being so light is there?
     
  12. darkroomdevil

    darkroomdevil Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    15
    This is probably obvious to the experts here, but I have to ask ...

    if NOD lets a trojan in, from NOD's point of view does it matter?

    in other words - when the trojan tries to do something bad will NOD catch it and delete it anyway?
     
  13. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    There have been quite a few postings on Wilder's from Jotti's showing that KAV has missed this or that trojan. Just as there have been for NOD, BitDefender, Dr. Web etc. Even several of the KAV gurus on Wilder's run an AT such as Ewido, A2, Trojan Hunter or BOClean and some run another AV on demand. You will also hear them preach a layered defence strategy. KAV is not 100% bullet proof and they don't claim to be.
     
    Last edited: Aug 11, 2005
  14. Atomic_Ed

    Atomic_Ed Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    389
    This was also one of the deciding factors for me to go with Avast! instead.
     
  15. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I believe it will delete it if AMON is enabled but I'm no expert. Not by a long shot. Repost in the NOD forum and you will probably get a quicker reply.
     
    Last edited: Aug 11, 2005
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yes it does - because if I had NOD on my system and it let a trojan in I'd probably want to strangle NOD. :D
    If it can't recognise the trojan when it is written to, or read from, hard drive how could it recognise it later? You would need some 'behaviour' based program to notice that a file is behaving suspiciously.

    But of course if you had an anti-trojan scanner on, at least that would have a chance of catching the baddie in memory or process after it had slipped past the AV.
     
  17. darkroomdevil

    darkroomdevil Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    15
    TopperID wrote
    By AMON being partially behavior based? - or the trojan creating a file or carrying out an action that AMON does recognize? NOD is supposed to be really good with advanced heuristics - I didn't know if that meant that it might catch it when it tried to do something. I would have started a thread for this, but this conversation is what brought up the question that I hadn't considered before and then it might be a comparison between the two programs.

    I don't mean to side track the thread - I will start one on this subject or poke around ...

    Thanks,
    Roger
     
  18. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    I really don't want to bump this but, FF how are you testing this sample? Are you leaving it in the self-extracting archive or are you scanning simply the executable? As this happens a bit with NOD32 and the SE archives in my experiences.

    Below is a sample from VirusTotal:
    Still in the archive
    http://www.zer0-tec.net/likuidkewl/190805/InstabarISArchived.png

    Extracted:
    http://www.zer0-tec.net/likuidkewl/190805/InstabarISextracted.png
     
    Last edited: Aug 19, 2005
  19. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    In my tests all my samples are zipped ones. If some scanners don't detect a zipped sample, I think that it isn't my fault but something else!

    Best regards,
    Firefighter!
     
  20. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    But one could argue that's not a fair test as you are testing an archive which contains the nasty, not the actual nasty, especially when the scanner is perfectly capable of detecting the nasty once the archive contents have been extracted.

    Ta. Nick

    PS I don't scan archives real time, on access, but turned on everywhere else.
     
  21. Patrician

    Patrician Registered Member

    Joined:
    Jun 3, 2005
    Posts:
    132
    All AV software should, by default, be able to scan inside archives and, just as importantly, be able to delete inside archives too.
     
  22. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
    But for this kind of testing they should be unzipped in any case.
     
  23. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I have to correct my former post about my tested samples. When I made my 2699 samples av-test, all my samples were zipped ones. But now with this Trojan.Isbar.297 sample, this was a common executable sample. When I clicked that file, a pop up window from this sample asked me for permission to go straight to the net. So it was not the firewall but the sample, that asked this.

    PS. Just now there are even more detections in Jotti's.

    Best regards,
    Firefighter!
     

    Attached Files:

    Last edited: Aug 20, 2005
  24. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    In your opinion. Some don't share that opinion. ;)
     
  25. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I don't think that just trying to post a few samples from Jotti's provides any real insight to your thread "NOD or DrWeb, quicker against new nasties?".

    It is noted on that site, "You're free to (mis)interpret these automated, flawed statistics at your own discretion".

    Checking that site a few times over the last several days shows some that NOD detected but DrWeb didn't. I just don't think that means anything overall.

    ----------
    Last file scanned at least one scanner reported something about: Server.exe,
    detected by:

    Scanner Malware name
    AntiVir Heuristic/Backdoor.VB6
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender X
    ClamAV X
    Dr.Web X
    F-Prot Antivirus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 probably unknown NewHeur_PE
    Norman Virus Control X
    UNA X
    VBA32 X


    ---


    Last file scanned at least one scanner reported something about: Server.exe,
    detected by:

    Scanner Malware name
    AntiVir Heuristic/Trojan.AVKiller
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender X
    ClamAV X
    Dr.Web X
    F-Prot Antivirus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 probably unknown NewHeur_PE
    Norman Virus Control X
    UNA X
    VBA32 Backdoor.LargeGroup.2


    ----


    _von_Hot_Chicks_hardcore.jpg.exe, detected by:

    Scanner Malware name
    AntiVir BDS/Prorat.19.H
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender BehavesLike:Trojan.ShellStartup
    ClamAV X
    Dr.Web X
    F-Prot Antivirus W32/Prorat.CP@bd
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 a variant of Win32/Prorat
    Norman Virus Control X
    UNA X
    VBA32 Embedded.Backdoor.Win32.Prorat.19


    ---

    Last file scanned at least one scanner reported something about: Aimbot.exe,
    detected by:

    Scanner Malware name
    AntiVir X
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender BehavesLike:Trojan.ShellObject
    ClamAV X
    Dr.Web X
    F-Prot Antivirus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 probably unknown NewHeur_PE
    Norman Virus Control X
    UNA X
    VBA32 Trojan.Spy.Delphi.12

    ---

    Last file scanned at least one scanner reported something about:
    Trojan.Spy.Flux.A in 2.exe, detected by:

    Scanner Malware name
    AntiVir X
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender Trojan.Spy.Flux.A
    ClamAV X
    Dr.Web X
    F-Prot Antivirus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 a variant of Win32/Spy.Flux
    Norman Virus Control X
    UNA X
    VBA32 BackDoor.Flux.101


    ---

    Last file scanned at least one scanner reported something about:
    Trojan.New.Malware.G in pibx.exe, detected by:

    Scanner Malware name
    AntiVir X
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender Trojan.New.Malware.G
    ClamAV X
    Dr.Web X
    F-Prot Antivirus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 probably unknown CRYPT.WIN32
    Norman Virus Control X
    UNA X
    VBA32 Worm.Mytob.14


    ----

    Win32/TrojanProxy.Lager.F in symcsvc.exe, detected by:

    Scanner Malware name
    AntiVir X
    ArcaVir X
    Avast X
    AVG Antivirus X
    BitDefender X
    ClamAV X
    Dr.Web X
    F-Prot Antivirus X
    Fortinet X
    Kaspersky Anti-Virus X
    NOD32 a variant of Win32/TrojanProxy.Lager.F
    Norman Virus Control X
    UNA X
    VBA32 Trojan.Win32.Crypt.i
     