PC World Review of Nod32

Good afternoon,

Just read PC World's latest take on AV -- http://www.pcworld.com/article/id,130869/article.html

They weren't too kind on Nod32's file virus capabilities:

"NOD32's overall malware detection rate wasn't stellar, however. When pitted against AV-Test.org's nearly 900,000-strong "zoo" of Trojans, viruses, and other malware, NOD32 caught only 90 percent, compared to the 96 percent rate of top performers Kaspersky Anti-Virus 6, Symantec Norton AntiVirus 2007, and BitDefender Antivirus 10. It fared surprisingly poorly with 32-bit Windows viruses (approximately 1 in 11 samples in the zoo), catching only 73 percent.

In disinfection tests, NOD32 cleaned up all malware files but missed resulting changes to the Hosts network settings file and most of the less-important Registry changes, for a disappointing 55 percent success rate."

Having just discovered a virus on my system (ir32_b.exe or TROJ_AGENT.CJF -- Trend was the only one who had any info on this) I am a little concerned about the protection that I am getting. Can any of the Nod32 experts here explain how Nod fared so poorly in file virus identification (was it the default settings)?

Best,

Sender

 

And now the NOD32 disciples can start complaining and bashing PC World and AV-test.org...

 

@ Sender


Hello !

If you treat me as a NOD32 expert...

900 000 samples is a lot . Who knows where did they got the samples from (from the very dark side of the net , probably , where a normal person would never go in) . 90% detection rate of zoo trojans is good , in my opinion.

NOD32 is not a behaviour analysis software so it cannot prevent changes to the host file . However , in real world , NOD32 can find/block malware that would attempt such bad behavious , thanks to signatures/heuristic technologies.

NOD32 does not scan the whole registry nor most AV products do . When the malware file is gone , the registry entires are not dangerous at all . The most important is the malicious file , everything else is just a matter of cleaning.

You found a virus/trojan on your own system or this is from the review?
If you find undetected sample , send it to email samples at eset dot com (this is ESET's Virus Lab).If Trend Micro was the only one to identify it , it may have been a FP

 

You should also take a look at proactive detection

 

Why don't you just admit that NOD32 is loosing it against Norton and Kaspersky more and more.

 

Not trying to start a flame war here -- I am a Nod32 user but I have licenses for Kaspersky as well.

While I like the proactive features of Nod32, the numbers they throw around in the review are distrubing, particularly the ability of Nod to detect Windows based infected files (73%?!). I currently have Nod installed on my main system, but this report, understandably, makes me nervous.

I agree that they used a large sample - but 90% vs. 96% (Kaspersky, Norton) makes the numbers identified by these other vendors all the more impressive.

 

Neither is AVG, for that matter, and yet the PRO version (which does NOT include Ewido engine) reversed both changes to the hosts file....

This is actually correct, but most AV products do, in fact, remove registry entries of malware that they detect. Registry entries are not dangerous per se, but registry entries can modify settings of several applications in your operating system and put your computer at risk to future infection. And since the change was done by the malware automatically, the average user would never know that the settings have been changed....

So, registry cleaning is important in a sense. Most of us with decent knowledge about malware and computers can perform our own cleaning, but not the average joe. And like it or not, the average joe constitutes the majority of PC users, so for all these users, only those AVs that fared will in the disinfection regard will suffice.

@Edwin: Throwing a direct accusation at a company is not going to get you a response. This applies true for all corporations that NONE of them will come out and say that "hey, we've degraded in our performance, we're trying to get back and currently company X is better than us". Having your own opinion is OK, but corporations are never going to admit it. If you don't like some company's product, don't use it and tell your friends not to use it (if you want to). Since this is getting OT, if you want to discuss this further then feel free to send a PM.

Yes, this is a very nice thing for NOD32. While heuristics are VERY good, they are not enough to save the day all the time. I'm sure many people have seen samples being missed by every AV's heuristic, not just NOD32. NOD32's excellent heuristic engine may also make it a target for malware creators to code the malware to circumvent NOD's heuristic detection.

 

A pre emptive strike! Now thats not fair. Seriously Edwin you would be making better use of your time if you at least attempted to provide a well thought out argument to support your position as Firecat has tried to do.

 

Great post from the 'Inspector' on another thread and much of it should be borne in mind...

When speaking about Antivirus Products you have to keep in mind that a antivirus program is a living product. It's NEVER FINISHED. That's a big difference to a car for example. You don't have to update your car daily.

And because of that it is pointless to judge based on a few tests how well every program performs. You have to see it in a long term relation. Of course one of the major points is detection. The best GUI design doesn't help if it doesn't find any viruses.

The real important point is not how many samples Antivirus X doesn't find but how many important samples it didn't find. There are thousends of undetected malware files - detected by NOBODY except of course fortinet since that flags every wet poop anyway.

It is also pointless to let a scanner run over millions of samples if you don't know what it is and how much distributed they are. The only way to get accurate testresults is if you (the tester) knows exactly what's going on. You have to know which types of malware are still circulating, which types of backdoors are popular and so on. And that simply doesn't work out if you just scan what you've collected from somewhere.

There is no "Number 1 AV" and there will be none. NOD32 is a solid antivirus product and from a technical point of view more advanced than the Avira engine. NOD's emulation is top-notch for example. One reason why they are scoring good in heuristic tests without adding generic blacklisted packers.

You can bring down every antivirus program with stupid tests. It would take a few min to setup a "testset" where kaspersky scores 0.5% for example. Now based on this 500.000 ppl would spam the kaspersky forum how bad they are. And the story would repeat there again: Somebody would try to explain that the used samples are not important, crap or garbage. And they're right! Almost every av program provides enough protection for the average user. You'll never have 100% protection, just keep that in mind. The big thing is of course how fast do vendors react to important things, meaning updating virus definitions. And i think that's not a secret, but Kaspersky is there amongst the fastest.

From this thread...

https://www.wilderssecurity.com/showpost.php?p=990144&postcount=16

 

PC World did not measure system utilisation and CPU usage by each scanner. If they had, they would have discovered that NOD32 towered above the others in "lean burn" technology. Kaspersky Anti-Virus 6, Symantec Norton AntiVirus 2007, and BitDefender Antivirus 10 all stuff the PC up so badly, they virtually halve the processor speed. So there's a balance between PC performance and amount of protection - a point which PCW have wholly overlooked.

 

I can't find anything about the test system used or the configuration of each program. It would be very easy to misconfigure one AV and have it rate much lower than it should. I would suggest that AVs should be configured to be as aggressive as possible by someone who knows them inside out before the testing is done - so far as I can tell, that wasn't done here - so we can assume that the out of the box experience in this one test was better for Kaspersky than for NOD32.
But let's take a look at the overall scores. Kaspersky comes in at 85 and NOD32 at 84. That's less than a 1% difference in score. That suggests that PCWorld doesn't consider Malware detection rate to be that important.
Let's considers the stats:
Kaspersky:
• Malware detection rate: 96%
• Proactive detection: 51%
• System slowdown: 10%
• False-positive detections: 6
NOD32
• Malware detection rate: 90%
• Proactive detection: 79%
• System slowdown: 5%
• False-positive detections: 6
The Malware Detection rate break down:
Kaspersky - NOD32:
File viruses - 97% - 79%
Clearly, Kaspersky is better at the moment in time the scan was run. But this is just a test of signatures, and fast signatures are Kaspersky's selling feature.
Macro viruses - 100% - 100%
Script viruses - 100% - 100%
Polymorphic viruses - 100% - 99%
ActiveX controls - 100% - 100%
Back doors - 97% - 95%
Bots/zombies - 95% - 94%
I'd say all these are basically a wash. No AV is really 100%, so differences of 1%-3% are statistical noise.
Trojan horses - 97% - 89%
Clearly NOD32 is beaten here.
Adware - 73% - 86%
Clearly Kaspersky is beaten here - given steady rise of Adware as a problem, this is probably just as important as the file virus numbers.
Dialers - 80% - 99%
Not sure if I'd be as worried about Dialers anymore, given the rise of high-speed and fewer phone lines connect to computers, but you probably feel differently if you have recently gotten a $1000+ phone bill, which I've seen several times over the last year from my customers.
Number of false positives (out of 20,000 harmless files) - 6 - 6
I really don't care much about false positives, and these numbers are low enough to be meaningless - and probably prove that neither AV was set to be as aggressive as it could be.
Heuristic detection (one-month-old signatures) - 51% - 79%
This proves that if Kaspersky doesn't have the signature, then it becomes pretty much useless. While I'm a big fan of fast signatures, I'd argue that Heuristics these days are more important, given the speed at which the malware writers move.
Heuristic detection (two-month-old signatures) - 46% - 73%
Even worse for Kaspersky here.
Detection rate of malware within archived files - 81% - 84%
This is a wash.
Average time (in hours) to deliver signatures for new malware - 0 to 2 vs 4 to 6
This is a big deal (especially if you are an incautious surfer or download everything you see with a P2P client. Unfortunately, the 0 number throws the entire review into question, because it suggests that Kaspersky has new definitions out the instant a new virus is discovered. That is, frankly, bull, so we'll read that as 1 to 2 hours. That means that as of 10AM, Kaspersky has had between 5 and 10 updates and NOD between 1 and 2 - that probably explains the File viruses numbers. Let's a assume that each update includes two new definitions. That means that as of 10AM, Kaspersky should know about between 10 and 20 new viruses, while NOD32 knows about 2 to 4. That's a problem for NOD32, no question, but since signature tests only relate to a single instant in time, I think that signature tests are much less important than heuristic tests. What if PCWorld had waited one more hour and NOD32 had updated again, and Kaspersky hadn't - it would be conceivable that NOD32 might have caught up or bettered Kaspersky in the File virus tests. But we'll never know.
System slowdown - Kaspersky - NOD32:
With Firefox 2 - 24% - 4%
With Adobe Photoshop CS2 - 3% - 7%
With Microsoft Office 2003 - 10% - 5%
I've read that 65% of AV users turn off their AV because it slows down their system too much. I've also read that people can't feel a difference of 5% or less. Let's assume that the 5% rule is true.
That means that with Kaspersky, web browsing becomes noticeably (possibly painfully) slower. NOD32 has no noticeable affect.
In Photoshop, Kaspersky has no noticeable affect, and NOD32 gives a negligible slowdown.
In MS Office, Kaspersky slows it down noticeably, NOD has no noticeable affect.
Based on this, I would argue that for most users (who are going to web surfing and use MS Office more than Photoshop, NOD32 is significantly less likely to make them turn off their AV than Kaspersky. That is enough to make me pick NOD32 as the better AV.

T

 

Just a quick note of interest.

While Kaspersky is soundly trounced when it comes to heuristics, even NOD32's 79% heuristics detection is a joke when compared to what Kaspersky's Proactive Detection Module can do - this is, of course, assuming one knows how to use it... which happens to be its biggest weakness. Not to mention that heuristics serve little purpose save for selling a product to sheep. Are you going to not update your antivirus product for one month and let your product's super-duper heuristics do its job? I think not. Proactive detection (heuristics) used to be the ultimate selling point of an antivirus product in the pre-Internet days when updating once a month was considered frequent. Not anymore. Considering the current malware landscape, the main issue is ALWAYS how much a product can detect at the present moment, and NOT how much it can detect at some point in future IF you don't update it.

I can also vouch for KAV7's heuristics. Is it stronger when compared NOD32? I have no idea, but given NOD32's performance that should give you an idea of how good KAV7's heuristics are. It's quite good when it comes to variant detection, definitely a contender to watch for.

EDIT: You've also completely misinterpreted the meaning of "response time". I'll give you an example of what actually happens, as opposed to your little theoretical scenario. About 2 weeks ago I submitted 16 undetected samples to both Kaspersky and ESET; Kaspersky updated and detected every one of them within 6 hours. NOD32, on the other hand, detected only 3 of them after a week later. Just so you know, "response time" is NOT some vague concept used to theoretically justify a 6% difference in detecting over 900,000 samples.

 

I'll reiterate what I have already said in this thread:

Please remember this is the NOD32 Support Forum, we have other forums available on this site to discuss KAV and any other antivirus.

Blackspear.

 

Simply responding to the above poster, who was similarly discussing KAV. I certainly hope the case that OT discussion is frowned upon only when it disfavors NOD32 is not true!

In response to your comment, I'll place my trust in a PDM which has detected 99.9% of everything I've thrown at it so far instead of a ~70% detection rate heuristics engine, and a vendor who has a response time of as fast as 20 minutes instead of one that responds in... actually, I don't know. I've never seen them respond.

 

Not at all, as mentioned, this is the NOD32 SUPPORT Forum, we have other areas within this site to discuss every AV to your hearts content.

Blackspear.

 

I think you are misunderstanding my point. (And perhaps I am misunderstanding the review.) Kaspersky killed NOD32 when it came to definitions. NOD32 killed Kaspersky when it came to heuristics. I'd like to have a product that is tops in both, but since I can't, I have to pick the one that is more important to me. It's a hard choice - fast definitions are awesome. But on the other hand, if I have to deal with a zero day, then strong heuristics is a better. There's no question about this. Given the rise of small area viruses (spread to only a couple of thousand computers rather than hundreds of thousands) the change of an AV company getting a sample and making a definition has gone down. That makes heuristics more important. So I'm going to have to weight heuristics and more important than definitions, and that puts NOD32 on top. I can understand your weighting of definitions as more important, of course, but I don't agree with it.

I think the question of which heuristics are stronger has been (for the time being) resolved. If you are going to agree with the review to give Kaspersky the definition side, you have to give NOD32 the heuristics.

That's awesome, but it still isn't 0 hour response. And since it's a very limited sample, it isn't scientific so it doesn't prove anything general, it just proves that in that specific case, Kaspersky well and truly kicked NOD32's butt. I could give examples where NOD32's heuristics kicked Kaspersky's butt (and heuristics is 0 hour response.

But you do raise a very good point - Eset needs to get better and faster at definitions. Perhaps they are resting a bit on their laurels.

But this wasn't the original posters question - he wanted to know why NOD32 faired "so poorly." I don't think it did. I think it came within one point of besting Kaspersky, and had the weighting on the tests been different, might well have won the review. Since we don't know the weighting, configurations, or the testing methods (unless you can find that out) the review is largely meaningless except as a sample of a specific test at a specific moment in time.

T

 

Obviously, NOD did pretty good in this comparison. They score KAS at 85 and NOD32 at 84. I think you would be pretty well protected with any of the top 4 (though you better have one mega-honkin computer to withstand Bitdefender's demand for system resources).

To me, the most disappointing and surprising result was NOD32's overall detection rate of 90%.

Even though I am a NOD user and a NOD fan, I am not going to bash the reuslts or the testing methods. They are certainly meaningful and relevant.

 

There's still the likelihood of which type of infection you'll get hit by. Unless you regularly get bombarded by zero-day malware within the first hour of them being released or so, judging from the statistics it looks like some competing products fare better than NOD32, including two which offer freeware versions. And even then, there're still two things to consider: you're only protected against ~70% of such infections, and will have to wait hours for a fix if the malware happens to fall into the other 30%, and also that some competing products offer proactive protection features that far surpass NOD32's, but aren't revealed by the testing methodology.

In the here and now, however, with all the zero-day malware floating about at the time that the test was taken, NOD32's detection still doesn't match up to the competition.

That's certainly an interesting way to look at it, but I'd just like to point out that even with superior heuristics, NOD32 still falls behind in detection rates. Neither signatures nor heuristics are the sole deciding factor, they're just part of the equation.

I think I can very safely say that whatever proactive protection NOD32 has to offer is going to very soundly trounced by Kaspersky's PDM. But of course, they're entirely different technologies, so perhaps the comparison is a little unfair...

Perhaps the original poster was concerned about NOD32's detection rates, rather than the overall performance.

 

I think PC World is getting a little like PC Magazine who will rate an app Best Buy one month and trash it a few months later. I think PC Magazine gives the rating job to the office boy. I subscribe to PC World and I think it is slowly becoming more like PC Magazine as time goes by. As a former Norton AV user, I am glad for the day I uninstalled it and installed NOD32. It was like getting a new computer less the errors and BSOD's.

 

Can you offer us some evidence of the advantages of PDM and why these advantages didn't show up in the review? I don't use Kaspersky often (except as part of AVK) so I'm not familiar with it.

T

 

Ok i have read the report. Not the first I have read either. My job is computer tech, certifications include A+, MCSE do da do da. Who here isn't.
I work for a shop that is a NOD32 retailer. I have used Kapersky 6 v.614, and my computer is definitly not low end.

MB= Intel 975X
CPU= Intel PentiumD 930 (not core 2 but I love it)
RAM= 2GB Corsair XMS 4x512MB chips DDR2 800
HD's= 1-Seagate SATA2 320GB 7200.10
1-Maxtor SATA 200GB
2- WD SATA 160GB
I have a corsair 2GB flash drive speed boosted
PSU=FSP group 600w 4 rails.
2 Sony dvd rw drives.
OS= Vista Ultimate

Kaspersky missed 6 trojans. One of my spyware apps caught them. I removed kaspersky and replace with NOD32. NOD32 found 2 more.

The comparatives are for the person who wants to pick a good av but knows jack about computers beyond getting their e-mail, and scanning e-bay for crap they dont need.

I have tested...damn...just about every AV that is avalible to the general public and a few you need to dig for. And I got access to a popular AV that most public school systems are supplied with.

NOD32 has always drawn me back.

In the last year I have retest kaspersky and a few other popular apps.

NOD32 has always proven superior in its detection, in all catagories. And my personal rig was not always the test bed I used.

Bottom line NOD32 is the best. And when I sell a license I do it with confidence that I sold that customer all they will ever need when it comes to online security.

Looking foward to v 3.0, our NOD32 rep says June 2007.

Should be a big a release as Spiderman.

 

Very nice rig. I'm not sure about the June 7 release date. You are aware Version 3.0 is available as Beta 1 as a suite? There is a forum dedicated to ESS:
https://www.wilderssecurity.com/forumdisplay.php?f=18

 

And I'd rather place my trust in a product that has kept me virus-free for six-plus years in the real-world scenario of the nether regions of the internet. With neglible impact on my PC to boot! (Pun not intended.)

 

I think posts 9 and 11 clearly show the overall winner

 

My PC's Actual BD1O footprint

bdagent.exe 28,086K
bdcom.exe 1,348K
bdss.exe 3,664

CPU= 0.5% in active heuristics mode, not scanning

What are the comparable # for NOD32, and KAV?