DRWEB vs. NOD32...My conclusion.

I have used both of these virus protectors for some time. I have come with this conclusion. Nod32 in my opinion is a toy...I don't really feel my computer is well protected using this product. The company makes no record or written statistics on the size of it's virus database....that scares me. If it has a database of 75,000, then they should let it be known. When they don't mention any number at all, it tells me that the number is probably very low and that they are trying to keep it swept under the carpet and out of mind. It seems to me that they are almost relying too much on Heuristics. Don't get me wrong, Heuristics are good, but having a solid virus database is also important such as KAV...over 75,000, etc.
This is where DRWEB comes in. People complain that DRWEB has all of these "Fasle Positives"...well to tell you the truth I like the false positives. It tells me that DRWEB is alive and doing it's job...If it can pick up possible suspicious viruses, then think what it can do to a real one when it surfaces. When a virus protector just sits there quietly over the course of a year and never picks up a single virus or suspicious virus I tend to question if it is really on the lookout and doing it 's job. I am very happy with DRWEB and will use it for many years to come. I can't wait to see what new features they add in the future. If you havn't checked it out everybody, your missing out. Have a good day people.

Barney

 

Hi Barney

I'm sure DrWeb is a good AV. Although I haven't tried it, I've seen many good reports, including the Wilders review.

But I must say that your case against NOD32 isn't very compelling. It may be true that DrWeb is better (although I think that what is best calls a lot of personal preferences into the equation), but your posting hasn't really convinced me - with all due respect for your opinion.

The judgement in your post seems based on two notions: (1) since there are no published stats on the size of the signature database - then it must be small, and (2) that DrWeb's reported false positives are not a liability, but an asset.

In regard to (1), well it is just an assumption, isn't it? In regard to (2), I can see how someone who is comfortable with the OS and can properly research suspect files can live with (and even enjoy) confirming ambiguous warnings from an AV. But I sure know I wouldn't want my wife to be prompted to do something about a suspect file while I wasn't around to help her!

I do note that your experience with DrWeb seems to confirm that there are "false positives". You must agree that there might be some sensible users who do not enjoy confirming such things on behalf of their AV - they would prefer the AV take care of it.

I also note your use of the term "suspicious virus" - which is confusing. I would say that it is more appropriate to think of such an item as a suspicious file - maybe it's supposed to be there, maybe not. The "suspicious" part only applies until you know whether or not it is malware. There's no sense in citing the number of suspicious files found by an AV as evidence that it is better at catching malware. Wouldn't you consider a hunting dog less talented if it led a hunter to a pile of old shoes twice as often as it found rabbits, as compared to one that only found rabbits?

In the end, I decided that there are many subjective traits that make an AV better or worse than others. This is even apparent in your post. So I just decided to go with the AV that a lot of informed people (around here, anyway) are satisfied with.

Respectfully,
Optigrab

 

i know there are a lot of nod32 fans here but i gotta say i agree with barney. ive tried nod a few times and ive always ended up disappointed. its not fast (compared to drweb) and i have a private collection of viruses and trojans that ive collected over teh years. needless to say nod doesent find any of the trojans (yeahi know its an av not an at)

KAv is the king, no doubt about that, but id say drweb is a good number 2, especially when u consider how lightweight and fast it is. going from nod to drweb on my pc (2600+) feels like adding an extra ghz cpu power..

true, drweb generates a few false alarms. doesent bother me as long as it finds all the real malware and doesent slow down my comp

thats my opinion on the matter

 

The following probably can only be used to demonstrate how obsessive I can be

While I m unable to find a published total for NOD32 signature database (I really didn't look for more than a couple of minutes), it was fairly easy to do a quick count of new virii added to the database recently.

I just had the word processor count all the commas used within the Update Info on the Eset site:
http://www.nod32.com/support/info.htm

1254 new signatures added in the last 30 days - since Aug. 25 update (inclusive).
2509 since July 16 update (inclusive).
6774 since beginning of 2003.
Although my method isn't the best example of fact finding and may not be precise or accurate, I imagine the likeliest error here would be that ESET hasn't posted the details of every database update, in which case the actual cumulative would be higher.

Can't comment on the speed of DrWeb or its resource usage - I haven't trialed it, though it may be as good as Tahoma attests. These two characteristics are valid points of comparison. But it would be helpful to get some quantitative results.

 

NOD32 catches all the ITW stuff and then some. I use a KAV-based av as a second opinion as well. It hasn't caught anything NOD32 missed. It did give me a couple of fp's, though. That's why it's a backup.

It tells you that it's doing it's job poorly. No wonder you never see Dr. Web on networks. The false positives would drive an admin nuts.

How could you tell if it was "real" or not??

I don't. I tend to believe that if it's configured properly, and has a reputation to CORRECTLY identify bugs, that it will do it's thing without me having to babysit it--one less thing I have to worry about. How on earth are constant fp's a good thing?

 

Normally poor detections correspond with improper configurations, disabling or not enabling crucial Features mainly for the soul purpose in attempt to save every little bit of System Resources possible, or because user’s lack of kn0wledge of the Anti System.

{

Another-way of putting it, I have 3 Levels;

3) - Maximum
2) - Medium
1) - Low

If user choose first selection (Low) or second selection (Medium) and my Anti-Virus System failed to detect a threat, who or what’s at fault the Anti-System or the user for selecting all other-than the Maximum Level?

-

If user chooses not to use “Automatic Updating” and prefer to-do manual updates every week or two, or they have a Software Firewall blocking Outbounds and/or the Inbounds of the Updating process than who or what’s at fault for Anti-System not detecting the threats?

-

If user is using Outdated Application components who or what’s at fault for not detecting the threats?

}

As for my opinion about using Anti-System with lots of false positives, I wouldn’t enjoy that a whole lot. I wouldn’t recommend something like that which Alarms it’s customers of something which really isn’t nothing. Possibly deleting something that wasn’t nothing just because of false positives, I’d say something that unreliable I surely wouldn’t trust keeping my computer protected.

I’ve personally seen NOD32 in action numerous times on users Machines, I can say it’s as good as the user who uses it…

 

I am quite a strong supporter of DrWeb myself (in secret ). But even with that said, I do not feel your judgement of NOD32 is entirely warranted.

First, I do not believe the number of virii in a databse is a good indicator to how "solid an antivirus' database is." AVs with weak unpackers might count the same virus 2, 5, 10 times etc; labeling it as a different variant each time just because it was packed differently or with a different unpacker. And just because NOD32 does not reveal this information directly does not mean they are trying to hide anything. To me it really makes no difference (as far as detection rates go). Just like it would make no difference if an AV were to exaggerate how many virii they could detect. They could say they can detect 100000, but only detect 60000. The fact is that it STILL only detects 60000. So why use numbers when you can be assured that NOD32 is one of the best ITW AVs (http://www.virusbtn.com/vb100/archives/products.xml?eset.xml) ? The support center at NOD32s site also can provide some information if you are wondering if NOD32 detects a particular virus (http://www.nod32.com/support/support.htm) . Not to mention that the NOD32 forums here also make it easier to report a suspected threat or confirm with others if something is already detected.

Secondly you mention heuristics and false positives. Just because you are getting false positives does not mean that particular AV has "good" heuristics. If this were true then there wouldnt be so many developers trying to limit the number of false positives that their programs generate. Also, if you have an AV installed it should (for the most part) always be operational and running in the background. You should not need a false positive to prove that it is "paying attention." Also false positives are not an indicator that your AV has a greater chance of detecting new virii when the time comes. If an AVs heurestics are not designed to look for certain behaviors or commands that a new virus uses, it is just as likely to miss the virus, no matter how many false positives you were getting before . That is why a combination of good heuristics with signatures are important. And that is what NOD32 offers as well.

To reitterate I am not saying that heuristics are not important (I obviously think so if I am using DrWeb). What I am saying is that it is a lil harder (than what you made it sound), to correlate the quality of heuristics with false positives.

Just my .02

 

People are free to have their own opinions, however a few thoughts....

If one decides that the advertised number of viruses covered correlate to the quality of an AV, one should first find out what that number consists of. Variants of the same malware counted separately? Whereas some other AVs might group several in a sort of generic defintion? Junk files and broken viruses that don't work at all and thus are no threat? Stuff that isn't malware at all? Viruses that perhaps were written and provided to an AV developer by the authors (and so get included in the count) but are still contained in the authors' collections and have never been in the wild and most likely never will be? The numbers game can be a bit of an AV industry sham IMO if one really looks at what those numbers really represent. Numbers alone don't mean that much about the actual quality of an AV in real world use.

Not speaking of Dr. Web specifically at all but just in general, the idea that a significant rate of false positives means an AV is working is not my view. To me it just means that the AV's alerts can't be trusted to a signficant degree if it's prone to false positives. I've always thought that an AV prone to false positives can be more dangerous than some viruses if it leads an undiscerning user to delete system files, for example, as a result of a fp. Again, I'm not speaking about Dr. Web since I haven't used it but know that it's generally considered a good AV. But I once briefly used another AV (not so well regarded) that was given to false positives and I concluded that it was something I simply couldn't trust and got it off my system.

So that's why these are not criteria that I would use or recommend another use to judge the effectiveness of an AV and the suspected "ineffectiveness" of other products.

 

My 2 cents and point of view regarding false possitives:

The Virus Bulletin not without good reason denies VB 100% award in tests to antivirus which produces false positive virus indentification. This happened to NOD32 only once, DrWeb scores suspicious files and FP on a regular basis.
Count numbers of VB 100% awarded to a NOD32 and DrWeb in a long time period. Which of the AV performs better againt known and defined set of the viruses which may occur in real life situation?

 

false positives can be verified or dismissed using a 2nd backup scanner.
in my case im running drweb, and i love the liberty and sense of freedom it gives me cos of its speed. if theres an alarm from drweb, or if i have downloaded a file that i think is suspicious, i let kav scan them.

works for me

 

I use a different approach - i grab a debugger, disassembler and will dissect the nastie. Having 2 different AV is waste of money from my point of view. And in the case of 2 resident scanners you are askin' for troubles..

 

Hello Paul

Your comment on AV's such as DRWEB being not a good idea for most users is an excellent point. This is precisely why I recommended Nod32 to a friend of mine, despite her moving from a free AV to paying for Nod. It's ideal for her, as she is a novice and probably always will be, as the Net is far from being the most central point in her life - and that's as it should be. Many people out there will never take the time to learn the ins & outs of computers, the web, security etc simply because they live busy fulfilling lives, and have little time to learn everything to do with technical matters. I have patiently tried to teach her about different things but the simple fact is that by the time I get to play the teacher again it's been so long she's forgotten what I taught.
Like many people who get online she doesn't know much about the pitfalls and has the expectation that like any other appliance you should just be able to switch it on and expect it to work without having to learn much. Nod32 is great as I can set it for her and it just reliably does it's job in the background, without her having to remember to download the latest updates etc. It's already caught a couple of worms trying to sneak in - one of them our old 'friend' "Ha ha sexy fun" For myself I remain very satisfied.

Morris

 

With regard to FP's - who here hasn't heard the story about the little boy who cried wolf?

FP's are dangerous to the uninformed - which as Paul pointed out is most people.

Also, how can scanning speed be brought into the equation if you need to (I'll assume on-demand scan):

1/Run an on demand scan
2/Get FP's
3/Run your "back-up" AV to double check
4/Investigate the whole situation and make an educated decision

I'd rather just stick to running the scan once and getting a real result that I'm satisfied with.

 

although drweb comes up with some false positives you must also admit that it's powerful heuristics sometimes catch unknown/new malware too.. and to me this is more valuable!
also count the fact that drweb is among the better trojan scanners among av's. something that nod 32 is not

 

Unless anything has changed ,Im not sure whether the VB 100% awards , has any good reason at all for denying AVs that produce one false positive; and then give the 100% award to another AV that missed 299 "real" viruses.Id rather an AV that produced 1 false positive with no VB award than one that had a 100% VB award but failed to detect all those viruses.

http://www.nod32.com.au/nod32/awards/vb0207.htm
me

 

Agreed, espically when using a 2nd backup scanner to "verify" totally defeats the purpose of using a antivirus with good heurtics.

For example, You use Drweb and NOD as a backup. You can replace the names with any 2 antiviruses, one with all aggressive heurtics , one wihout.

Drweb's excellent heurtistics picks up something as suspicious, say it's perhaps something totally new . You verify it with NOD, naturally it says no not having as aggressive heurtistics.

What have you learnt? The more aggressive scanner says something is up, the less aggressive one says nothing is wrong. This is exactly what you would expect if it's something real. Of course the former could be wrong too in which case it's a false alarm, but either way you havent learnt anything from doing a secondary scan.

If you are going to take the word of the secondary scanner over the primary one, to verify or dismiss threats, you might as well use the secondary scanner in the first place!


You might as well scan with NOD in the first place!

If you are not going to trust Drweb's heurtics, you might as well don't use it in the first place.

 

That's all just fine for addicts - the average Joe is quite a different story.

I've seen common users rely on Dr.Web blindly - and a system havoc as a result. Keep in mind if a common user has an antivirus installed (which is far too often not the case...) he will trust it - never heard of "back up antiviruses".

So you guys who know what you're talking about just go ahead - but I for one would recommend strongly against Dr.Web for the average user, if only to protect himself against the consequences of using software he does not know the implications from. Far too much harm has been done that way.

M

 

Here are some results comparing Dr Web and NOD (and KAV);

http://www.dslreports.com/forum/remark,8201352~root=security,1~mode=flat~start=40

Lively discussion going on as usual.




Added URL tags

 

Hmm all I see is NOD versus KAV. No mention of Drweb.

 

It's me again, the one who started this topic some time ago. I spoke pretty strongly against NOD32 and I am back to give you my newest opinion on this antivirus. Nod32 in my opinion has come a long way these past few months and I am very impressed. I was so impressed that I took the plunge and bought another 1 year license. I believe this AV to have a lot of features and an excellent detection rate. Nod32 is right up there with DRWEB (still my favorate). I recommend these two AV's to everybody out there.

Barney

 

I just installed a C compiler and single-handedly made the ULTIMATE anti-virus utility. Better than NOD32. Better than Dr. Web. Better than KAV. Better than ALL of them.

Super-Duper-Pooper-Heuristics are the key.

You see, all it does is flag EVERY file with a Win32 executable header--and EVERY single interpreted-code file--as an "unknown virus". Bingo! The BEST anti-virus utility ever!

 

Is Dr. Web really that much faster (when used as a real-time monitor) than NOD32?

 

I found that NOD32 uses about 3 times the memory that DRWEB does, but if you have lots of RAM this shouldn't be an issue at all. When it comes to the "Real time monitor", I found them to be about the same. Both have an unnoticable hit on system performance.

Barney

 

The only real annoyance I have with NOD32 is that whenever I launch a runtime-packed executable, my system has a "mini freeze" while NOD32 scans it. My mouse cursor actually freezes for a second. This didn't even happen with KAV (though KAV had some other, and phenomenally-aggravating, CPU-churning habits).

Does anyone else have that issue with NOD32? The way to test would be to launch a UPX-packed executable, then immediately begin moving the mouse cursor rapidly, and keep trying to move it until the program has been on screen for several seconds. Any lag in cursor movement means I'm not alone in experiencing this problem. (You can't just run a program and see if it happens; it has to be a runtime-packed program. You can use UPX yourself to test. Just use the command line "upx -9 [EXE name]" to compress the file. The command line "upx -d [EXE name]" unpacks the file.)

If Doctor Web didn't have that problem, I'd consider switching to it.