NOD32 in the real world

I am not an NOD user myself so hopefully I will not show too much bias

But a recent thread at DSLR http://www.dslreports.com/forum/remark,8201352~root=security,1~mode=flat brought up some interesting questions (IMO). Yes, there is A LOT of snakeoil and unsupported opinions, but if one looks VERY deep, I think there are some legitimate questions that were posed. I know the test people ran in this thread are not what you might call 'professional' but the results are never the less rather disturbing. Yes, I am very aware of NOD32's record at VB and other major 'professional' tests, but it does quite poorly in most other tests. Of course the samples might come into question and there is always the argument that "NOD is a pure virus scanner," but still it makes one wonder. Especially if these same samples are detected by a few other respected AV scanners as legitimate virii. It would be nice to get some thoughts in from people here and possibly someone from Eset. I know they are busy people, and commenting on certain points made in the DSLR thread may be pointless. But I think when more and more people read that thread (without a respected source standing in for NOD), they will be inclined to believe the test results blindly and may not look as positively to NOD as they once did.

Finally, I would like to say that I have the utmost respect for Eset and their product NOD32, and hopefully there will be some "quality" discussion about this subject. The key word being "quality."

Hmmm maybe someone should test KAV against NOD32 with a dedicated troan scanner and wormguard

 

With malice towards none, I'd like to take a stab answering your question...

I don't take nothing for granted.. I took those Virii and ran scans with NOD32, KAV Personal Pro, and NAV 2004...

My results were CONSISTANT...

NAV and KAV found them all... NOD32, nothing....

You can see for yourself what the virii was, by reading through the thread and looking at the names of the stuff found on that thread... Realize, though, that I was AMAZED I wasn't I wasn't bashed at DSL Reports by the NOD32 users, at least not yet... The truth is the truth, plain and simple..

Needless to say, I did not enjoy finding out that Vampirefo and others may have been right in the past.. In the past couple of months, in spite of the accomplishments NOD32 is capable of, I have seen NOD32 miss more stuff than find.. I am NOT a professional tester, so I am going to get bashed there...I expect it, so, I am prepared.. I am even asking for it, I guess.. Again, for me, the truth is the truth...

Plain and simple.. I am not saying NOD32 isn't effective... I just think that for my purposes, I didn't see the point in renewing my license... Anyone can say what they want, but when you have 3 AV's that found the same stuff, and one AV that didn't, are those tests rigged? Have the viruses been tampered with? I don't think so.....

No, I am NOT going to make up for NOD32's deficiencies by buying and relying on an AT.. An AT is simply for layered defense.. I expect my AV to find malware..I do have an AT too, (TH), so I can't say that I don't depend on one.. BUT... I find My AT is a good supplement, not a subsitute...

I hope this post doesn't seem mean spirited because it isn't meant to be... Again, the truth is the truth... NOD32 users wanted proof, they got it... and even then a lot of them have a hard time accepting it.. Sorry......

 

Hmmm...comments from ESET?

...keeping his bias (and money) for NOD,

dave

 

One more note.... bias is not a player here for me.. If NOD32 passed the little test at DSL Reports there would have been no argument.. The thread at DSL Reports started when a member asked if KAV and NOD32 are comparable... I didn't start it...

 

Not a problem Straight Shooter....I appreciate the information (personally). I've not previously seen the discussion at DSL (and am reading it now). I'm finding this discussion most informative....and looking forward to a rebuttal from Eset.

best regards,

dave

 

I'm still wondering if the fact that the tests noted in the BBR thread consist of zipped files has in part something to do with some of the tests results? Although it has been stated in the BBR thread that if an on demand scan doesn't catch it in a zip file, that means the AV can't detect it at all even when uncompressed, I question that statement given previous discussions here.

I recall discussions regarding just that issue: NOD not alerting on archived files of viruses, etc. that were covered in the db but instead alerting on the uncompressed files. NOD 2's archive scanning I understood to be improved over the earlier version, but is it?

While I don't claim NOD detects everything, still at a glance there are at least a few listed in the BBR tests I spotted that I suspect may be covered in NOD's current database and so should be detected unless it's a variant that simply isn't covered. But it's rather difficult to tell which ones used in the test might be covered by NOD due to the limited NOD db encyclopedia available and also potential differences in nomenclature.

For example, Stoned is listed in the NOD db as one of the oldest family of viruses, with but with no specific variants noted. So one can't tell at a glance if the same variants used in the test are also covered and NOD would indeed detect them if it wasn't in a zip file. (Yeah, that sounds lame, but detection in archived files has been an issue with NOD.)

So, my first question is, is NOD 2's archived file scanning so improved that it would alert upon scanning a zip if the virus is indeed detectable by NOD? Or is the detection of viruses in archived format still an issue?

My second question is, are the viruses etc used in the tests covered by NOD at all? It's a fair enough question IMO.

 

>So, my first question is, is NOD 2's archived file scanning so improved that it would alert upon scanning a zip if the virus is indeed detectable by NOD? Or is the detection of viruses in archived format still an issue?

Why is this important? A zipped file is HARMLESS! I could care less if NOD detects it while zipped. Why do you consider this an issue? Having said this, I have noticed a big improvement in NOD's ability to detect a virus in zipped form. That is ...as long as you use command line adv. heuristics to scan the file. Since IMON uses the adv. heuristics, I assume the improvement is seen there also. I do not use IMON so I can't speak to that.

 

Indeed, the Truth is the Truth. The people (and companies) I have admired most in life are those who could face the Truth about themselves no matter how much it hurt; most people (and companies) in fact cannot be honest with themselves. Most companies advertise themselves as "the best" at whatever, and most of us feel that we are always right in a particular argument, yet we all know that all companies cannot be "number 1" and I personally believe that even the smartest of us are wrong about half the time about everything, just look at all the opposing views there are about everything; how can anyone one of us be so arrogant as to actually think that we are the one person who is always right all the time, yet most of us do just that. (Heck, even someone as brilliant as Einstein was wrong about Quantum Mechanics.)

Acadia

 

Mele: Asking whether or not NOD can detect a virus in its database when zipped is a relevant question, since a) many users prefer early detection as many other AV's provide (even AVG as I recall) and b) tests are run by people who proclaim success or failure of an AV based on detection of archived files since major AV's provide that capacity.

And when such a test is apparently "failed" it's good for all to know if it is indeed a total failure of the AV in coverage for that malware or if it's a technical matter of not detecting malware in archives but the AV does detect some, most or all of the malware before the user can be infected.

For example, if NOD would detect all those viruses, etc. in the BBR tests if they were not archived, then the test would not be a completely valid test of bottom line virus detection but instead of the program's ability to "candle" archives. Even so, that would be a source of criticism, given other AV's performances, but not a total invalidation of the AV's protective abilities in regard to those specific specimens.

Thus the question of detection of archived malware is a matter that should be clarified IMO.

 

OK. I see your point, but why give credence to those tests done by the NOD haters in the first place? I don't buy a thing any of those persons said. They will go to any lengths to discredit NOD. Personally, the very reason I use NOD is because it is NOT like the "PACK". Eset thinks differently and I for one appreciate that ....I don't have a herd mentality.

(edited to correct spelling)

 

My 2 cents as for virus tests. I can say i have good xperience as a pro in virus testing. Gimme a virus scanner and i can perform a test where the results will be as you wish. I can bring them to the heaven or slash them with a hammer and my tests would be reliably replicable.
All I need to do for this is just carefull selection of test sapmles. Couple of intented viruses, couple of fp, misses and malware and voila... I can produce such a result as desired ...

What is relieble virus testing?

1. You need to have well defined test set
2. You must know what do you want to test
3. If you are testing viruses, ALL the samples must be able to replicate. If they fail to, there are no viruses at all....
4. You have to specify how did you perform the test
5. You have to publish how did you compute the results
6. You have publish you result (tables, counts, per cents|

Above are just basics.... If something from the above is missing the test was just a fun and not real test ....

Plus if you want to boost some particular product, just include lot of copies of file which is not detected by the rest of the pack ...

I rest my case

 

Well as a customer I'd like to know and others who really are just trying to tell what AV would be best for them would be better served by having some generally agreed upon facts (as hard as those may be to come by, given the climate at times).

I've certainly nothing against KAV. At the time I was in the market for an AV I would have picked KAV if it weren't for the resource issues of 4.0 which was the current version at the time. On an old W98 PC, I was juggling resources as it was to keep performance and resources at an acceptable level and run all the programs I wanted to. Hence my choice of NOD.

And perhaps some of the samples in those tests aren't all that critical to be covered. Some do not appear to be the latest and the greatest so personally I'm not particularly concerned that I'll run into them and I suspect at least some may be detected by NOD but perhaps just not in the zipped format.

 

mrtwolman: oh yes, I've seen "cherry picking" of samples in tests before (as I mentioned at BBR) and there are some people I have no doubt would do that to prove their case. In this instance with that poster I've no real reason to suggest that, although why those specfic specimens were selected was not discussed.

 

Mele20, LOL.. I get a good laugh reading your posts sometimes.. I am not a NOD Hater.. I used to root for NOD ALL the time...
The files I tested the AV's with were all UNZIPPED, Openned with Power Archiver First.. So, this thing about zipped or not doesn't apply.. I am sorry, I would've answered sooner, but I had to go to sleep...LOL...

PS... I never said NOD32 was no good.. and I am not a NOD32 hater... But I'm not so sure now after the past couple of days...LOL

PS... Here is a thread that McAfee also found the viruses.. So, they are REAL ...LOL...

http://www.dslreports.com/forum/remark,8201352~root=security,1~mode=flat~start=200#end

 

I'm not an expert but I've been using both McAfee & Norton AV for a long time untill I recently switched to NOD32 simply because it finds lots of viruses both mcafee & norton don't.

A friend of mine who is using Norton recently sent me a file that was infected. He thougt I was joking when NOD32 found the virus but I told him to buy NOD32 instead because I've seen how often both norton & mcafee misses viruses that NOD32 finds.

The point is that no AV is perfect... One AV product will always miss some viruses that another will find, I bet you could do a test that would show that KAV misses viruses that NOD32 picks up aswell.

Sorry about my bad english.

 

The entire basis for this thread is being stretched to the limits of credibility.

To me "NOD32 in the real world" means this: every instance of an email virus on this computer was caught by NOD32 and disposed of without problems.

Every instance of my kids getting my computer into trouble was picked up by NOD and taken care of by me, afterwards, with no problem.

THAT'S "real world" - day-by-day single-home-user regular life Internet activity protection.

And that tells me that NOD is more than good enough for me. The only "test" I need to see here is my computer being protected daily. Pete

 

I would question how up to date the definitions were for your friend that is using Norton??

 

Well I haven't had time to check on these things to see if these test specimens are indeed something that are worth even discussing or if it's a case of intending to "shock and awe" people with with things they'll never encounter in ordinary use. If 8tunes is any indication of the threat level of the test set, one might have cause to suspect the rest.

 

I would have to say that if NAV, KAV, McAfee, and Dr. Web ALL detected them as viruses, thenit would be a puzzle as to why NOD32 isn't detecting them...

I think the best thing for ESET to do is "fess up" and admit.. Then add the definitions into their daily updates, rether than try to discredit All the DSL Reports users who are pointing this out... or try to say anything else..

 

I'm the one who started the thread over there at dslreports when I was questioning if KAV was the best resident scanner for me, or if I should go with NOD32 resident and KAV backup. It's been very interesting and so far I'm sold on KAV being the right one for me. Something I experienced on my own helped confirm it, though - NOD32 was late to add all those java exploits (like ByteVerify and Needy) that were infecting me. But I am open minded, and would like to see more tests.

BTW, how many virus signitures does NOD32 have in its database? Are they keeping this a secret? Don't tell me about advanced heuristics, because I'm still interested in the amount of sigs.

 

Thanks for the welcome - which is NOD closer to in signitures - Dr. Web or Norton? Can you at least answer that.

I really like the feel of NOD32 and do want to use it - I'm open-minded by nature but even more so where NOD32 is concerned.

 

I have to ask the gentleman who sent me the stuff if it's okay to send them to you ... I think it's only fair... but I don't see a problem... I'll let you know..or send them to you.. and ESET...

Some of these Threats have been out for WEEKS... I suggest ESET look over the posts from DSL Reports and match the names with their competitors databases.. I don't think I have the time for this.. I have been very busy lately...





Thanks