ANI Exploit detection of NOD32 not good

Hello

According to a report from PC Welt in Germany done by "AV Test" NOD32 has no the very best detection rate for the ANI exploits.

You can find the report in german here, with a current comparison with other AV vendors. You can understand the comparison without german knowledge...

http://www.pcwelt.de/news/sicherheit/76097/index.html

Unfortunately it seems to be that NOD32 is going to be more bad in recent tests, while it was often among the first earlier.

Regards,
Alexander

 

We added a generic signature that detects also ANI exploits missed by many other AVs per Virus Total. We have received the ANI files from the tester and all were detected. What's true is that not all the downloaded stuff was detected at the time of testing, but this should not be counted as missed ANI exploit samples.

 

Didn't you say in the past that detecting downloaders was not necessary but rather the downloaded malware files? The downloaded malware is the real threat, is it not? When you say you've made a generic signature, I think you are right, NOD32 does have one of the best generic signatures for detecting the ANI exploit (speaking from personal experience). But you worked to create a signature only for detecting the downloader and not for the downloaded malware? Oh wow....

Maybe it shouldn't be counted as missed ANI exploit samples, but it counts as missed malware anyway. And in this case it counts as missed important malware. So yet another blow to NOD32 right there....

Changing statements at appropriate times is not a good way of doing business. This sort of damage control is losing its appeal. I am not an Eset-basher, but the fact is that today you have contradicted what you said in the past, and this is definitely not a good thing. I like NOD32 as a product, but it seems the company behind it has some real communication issues. Of course, its not that this test of just 144 samples says a lot about NOD32's detection rate, I wouldn't base my AV of choice just on a 144-sample test. But contradiction and twisting words is something I am less than happy with.

 

Nobody has said that detecting trojan downloaders is not important and the only important thing is to detect the exploit itself And no, we do not sleep on laurels as you probably think, the downloaded files are being analyses and added. I merely wanted to pointed out mixing apples with pears and telling the customer it's only apples that he's going to buy. I think you get my point.

Re. changing my opinion, I'm not aware of having changed it and do not plan to do so.

 

I can only count failures for ESET in the last period ... no Advanced + at av-comparatives.org, no VB100%, only 77% detection of this exploit... you're working too hard on ESS

 

Here is a screenie of IMON jumping up when going to a test site

 

@Marcos: Thanks for this info.

@Pykko: I agree with you. NOD32 seems to be not the very best with its detection rates in recent weeks any more. Besides this I decided to buy additional 24 months...

@ESET: Please react faster to threats. It is nice to have an full ANI exploit protection, but next time please faster than this time. The patch just arrived a few hours later from Microsoft. But days before I needed the protection from NOD32. When the patch is there the need for protection is nice but more an academical question...

Regards,
Alexander

 

Yes , works fine
http://zert.isotf.org/tests/testani.htm
Thanks for the link , FanJ

 

The test results are fundamentally flawed. That 144 sample set doesn't just contain ANI files. It contains a whole bunch of exes as well. PC-Welt is BS.

 

Where do you know that ?
Marcos didn't questioned the reliability of the test... he said NOD32 added an heuristic update to improve its detection, so I assume the test was accurate.

 

You're questioning the reliability of a test performed by AV-test.org. A very bold thing to say from you, seeing as AV-test is one of the most reputed testing organizations around today.

 

I assume it isn't just the exploit itself that is in this test, but also the files dropped/spread using this exploit. See here for some details regarding the exploit.

 

Lets be honest here though, in general, you do have a much lower priority for downloaders (see this thread post #8 onwards https://www.wilderssecurity.com/showthread.php?p=919703#post919703 - a signature for downloader added 5-6 months after submission, before an av-comparatives) than the payload.. nothing necessarily wrong with this strategy aslong as the payload is always detected.

It's good to see nod's made a generic for this exploit

 

Nod's detection is just fine. It just protected me from that nasty bugger:

https://www.wilderssecurity.com/showthread.php?t=170872

 

wow the imon replacement jumps in to save the day
lodore

 

the suite should be a good one,

if people know my comments about nod, most have been the dreaded profiles and amon/imon etc etc.

the new interface of the suite, puts it all together, the way it should of been a long time ago.

good news for you nod users.

 

Which one? There's one for advanced users and a simplified one.

 

Hello

@Marcos: You said, that you "added a generic signature that detects also ANI exploits missed by many other AVs". Unfortunately a report by isc.sans.org tells perhaps something different:

http://isc.sans.org/diary.html?storyid=2582

Perhaps is't ANI, perhaps not, but once again NOD32 did not detect this while other AVs where once again faster or better in this.

I do not want to blame you or NOD32 or ESET. I just want to understand the issue. If it is an ANI am I right that NOD32 should detect it (according to your quote) ? So this might be something else ?

Regards,
Alexander

 

I would say that is the downloaded file - NOD32 IMON would detect the ANI exploit and prevent that the file gets even downloaded.