0-day protection then why so many sig updates

Discussion in 'NOD32 version 2 Forum' started by Zombini, Jul 11, 2006.

Thread Status:
Not open for further replies.
  1. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    ESET has for a while been touting their 0-day protection, but with the number of signature updates per day, I have to wonder if that claim has any truth at all. Here is one of the numbers from the ESET site:

    "Approximately 88% of threats are proactively detected using ThreatSense heuristics."

    88%!!! Then why so many signature updates per day? I have to assume that the customer is not protected between the time the malware is released and the time the customer receives the signature updates from ESET.

    Also, why the false positives? http://www.av-comparatives.org/seiten/ergebnisse_2006_05.php. My organization would love to try out NOD32 but we need ZERO FPs, not "low", not "very low", but "none". Cleanup after an FP is incredibly expensive, far more than a worm outbreak.
     
  2. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    605
    Location:
    Surabaya Indonesia
    Well, heuristics work by detecting code that may be used inside malware, so it's not precise detection of a specific virus. On the other side, a signature is precise detection of a specific virus. So we can say that heuristics are pre-signature detection (complementing signature-based detection). Why do we need a signature for a specific virus if it is detected via heuristics? Because heuristic detection can be a false alarm (though it's a rare case in NOD32), and if NOD32 caught malware via heuristics it will be sent to ESET labs for further analysis (to prevent false positives) :D
     
  3. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Thanks for the info.

    So what you are saying is that in most cases (88% by ESET's numbers), a brand new virus will be caught without new signatures (which we know is not true), and that the only reason we need new signatures is to catch the off chance of an FP and possibly give the virus a more accurate name.

    There are just too many instances on this forum itself where a new virus or, worse, even variants of existing viruses are not caught by NOD32 without a signature update. Has someone done their own independent testing that proves that NOD32 catches new viruses 88% of the time without a new signature?
     
  4. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    I did: it was 58% (with 3-month-old updates; with up-to-date heuristics etc. it may of course be higher).
     
  5. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    An AV with zero false positives? Good luck in finding one! :)

    All AVs have false positives, some more than others, but it is a fact and you need to plan for it.
     
  6. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Maybe you should get in contact with someone who knows what they're talking about before buying AV for your organisation. There's no such thing as an AV with zero false positives, never has been and never will be. A false positive is better than not recognising a virus and NOD is one of the best.
    What is your organisation using for an AV just now? Why is cleanup after a false positive more expensive? Find out if it's a false positive before deleting the file and have backups. I can't understand where you're coming from on this. Common sense costs nothing.
     
    Last edited: Jul 11, 2006
  7. LokiLoki

    LokiLoki Guest

  8. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Nope, I saw his other posts after my reply in this thread... Waste of time to reply to the OP's posts, it seems... :gack:
     
  9. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    I am not sure I see the link between my thread and the post here. If by "he" you mean the OP in the other thread ("me"): I have bought NAV32 and have been using it for a couple of years happily. I am serious about continuing to have top class AV protection after my licence expires on the 8th of August. Please explain this post as it seems at best unclear.

    If you mean the "OP" here, then I don't think the information in this thread allows us to predict his future purchasing behaviour, and it is off-topic.

    Regards,
    Fairy
     
  10. LokiLoki

    LokiLoki Guest

    I mean he/she (Zombini) is bashing NOD32 in those topics, if you read his other posts, and not seriously asking.
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have asked Zombini to stop trolling; whether or not they return is yet to be seen.

    Blackspear.
     
  12. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Ah, sorry, my misunderstanding. I see what you mean. All I can say on the subject is that I have not suffered a virus infection in the two years that I have run NOD32, and I don't even use a software firewall. To me this suggests that ESET are getting things right. If I didn't trust a product I wouldn't buy it, but I do trust NOD32.

    Fairy
     
  13. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    The topic could also be: "high proactive detection and many signatures added to reduce the risk of getting infected" :p
    It seems like some users want their AV to release more updates and signatures (e.g. see topics like "why no update today" etc.) and others, like the topic starter, would prefer fewer updates :p.
     
  14. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Just what I was about to post and point out. I am not sure this thread is going anywhere though.

    Fairy
     
  15. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Samples and heuristics are two detection methods. In NOD32 the user is free to try the detection levels using various methods. I am not aware of a product which will allow the user to switch off sample detection and perform just a scan with heuristics.

    If you have proactive detection, you are protected from the moment a threat appears. It is called proactive detection, detection without signatures. Then you have signature-based detection, which requires a sample of the threat to be delivered to the virus lab.

    There is no AV program with zero FP at all. You can only have zero FP on a particular test set, not generally. Cohen's theorem, originating from the early '80s, still applies. According to Cohen, writing code which will all the time make the correct decision whether code is harmless or malicious is impossible. This applies to heuristics with no exception.

    As for the cleanup of the FP, a heuristic FP in NOD32 is clearly identified as the result of heuristic analysis. ThreatSense.Net will attempt to send the sample to the lab, or the user will be prompted to send it.

    With heuristics, you can get FPs, no doubt. But for this price, you will get reasonable proactive protection in most cases. Without heuristics you will get infected all the time.
     
  16. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I wonder which number you are referring to here? I don't remember NOD32 claiming to catch 88% of all brand-new viruses without signatures (regardless of being a zoo sample or in the wild)?

    But what I do know is that NOD32 has nailed almost every new worm spreading in the wild without even needing a signature update, and it's probably in the 80-90% range. See this page for a list of some of the "in the wild" worms that NOD32's heuristics caught.
     
    Last edited: Jul 11, 2006
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Zombini, about 1500 malware samples are discovered daily. 88% is 1320, and the remaining 180 should be added. It's so simple. :D :D

    Now talking more seriously I fully agree with mrtwolman. ;)
     
  18. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Often the signatures are added because Pykko screams so loudly when NOD32 detects a threat but does not identify it by name :D
    More seriously though, zero day protection is most effective when NOD32 is equipped with the most current up-to-date information available on 'known threats': no new signatures added = no new variants detected unless they would have been detected anyway.
    FPs are pretty easy to mitigate via planning of configuration and, in NOD32's case, pretty easy to reverse even on an enterprise-wide basis for somebody with the technical know-how such as yourself...

    Keep in mind that the NOD32 support forum is where people go with gripes or support concerns - only a fraction of the many satisfied NOD32 customers are represented here...

    Cheers :)
     
  19. blipblop

    blipblop Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    15
    I really wish that your organization will give us a break eventually and decide to use a human security guard in order to prevent viruses from spreading in your systems.

    Sorry, but I'm tired of constantly reading threads whose only aim is to prove how bad a certain piece of software is.
     