0-day protection then why so many sig updates

Eset has for a while been touting their 0-day protection, but with the number of signature updates per day, I have to wonder if that claim has any truth at all. Here one of the number's from eset site:

"Approximately 88% of threats are proactively detected using ThreatSense heuristics."

88% !!! Then why so many signature updates per day ? I have to assume that the customer is not protected between the time the malware is released and customer receives the signature updates from ESET.

Also, why the False Positives. http://www.av-comparatives.org/seiten/ergebnisse_2006_05.php. My organization would love to try out NOD32 but we need ZERO FPs, not "low", not "very low", but "none". Cleanup after an FP is incredibly expensive, far more than a worm outbreak.

 

well, heuristic work based on code detection that maybe used inside malware so its not precise detection on spesific virus. in the other side signature is precise detection on spesific virus. so we can say that heuristic is pre-signature detection (complementing signature based detection). why we need signature on spesific virus if it detected via heuristic ? because heuristic detection can be false alarm (though its a rare case in NOD32) and if nod32 caught malware via heuristic it will be send to eset labs for further analysis (to prevent false positive)

 

Thanks for the info.

So what you are saying is that in most cases (88% by eset's numbers), a brand virus will be caught without new signatures (which we know is not true), and that the only reason we need new signatures is to catch the off chance of an FP and possibly give the virus a more accurate name.

There are just too many instances on this forum itself where a new virus or worse even variants of existing viruses are not caught by NOD32 without a signature update. Has someone done their own independent testing that proves that NOD32 catches new viruses 88% of the time without a new signature.

 

I did: it was 58% (with 3 month old updates; with up-to date heuristics etc. it may be of course higher).

 

An AV with zero false positives? Good luck in finding one!

All AV's have false positives, some more then others, but it is a fact and you need to plan for it.

 

Maybe you should get in contact with someone who knows what they're talking about before buying AV for your organisation. There's no such thing as an AV with zero false positives, never has been and never will be. A false positive is better than not recognising a virus and NOD is one of the best.
What is your organisation using for an AV just now? Why is clean up after a false positive more expensive? Find out if it's a false positive before deleting the file and have back ups. I can't understand where you're coming from on this. Common sense costs nothing.

 

"Most AV products today, Kaspersky, Norton protect against all of these. You may have the "best" AV product, but its useless if it can be disabled. So choose your AV product wisely."
https://www.wilderssecurity.com/showthread.php?p=793316#post793316

Somehow I think he's not serious about buying.

 

Nope, I saw his other posts after my reply in this thread... Waste of time to reply to the OP's posts, it seems...

 

I am not sure I see the link between my thread and the post here. If by "he" you mean the OP in the other thread ("me"). I have bought NAV32 and have been using it for a couple of years happily. I am serious about continuing to have top class AV protection after my licence expires on the 8th of August. Please explain this post as it seams at best unclear.

If you mean the "OP" here then I don't think the information in this thread allows us to predict his future purchasing behaviour and is off-topic.

Regards,
Fairy

 

I mean he/she(Zombini) bashing NOD32 on those topics if you read his other posts and not seriously asking.

 

I have asked Zombini to stop trolling, weather or not they return is yet to be seen.

Blackspear.

 

Ah sorry my misunderstanding. I see what you mean. All I can say on the subject is that I have not suffered a virus infection in the two years that I have ran NOD32 and I don't even use a software firewall. To me this suggests that ESET are getting things right. If I didn't trust a product I wouldn't buy it but I do trust NOD32.

Fairy

 

The topic could also be: "high proactive detection and many signatures added to reduce the risk of getting infected"
seems like some users want that their av releases more updates and signatures (e.g. see topics like "why no update today" etc.) and others like the topic starter would prefer less updates .

 

just what I was about to post and point out. I am not sure this thread is going anywhere though.

Fairy

 

Samples and heuristics are two detection methods. In NOD32 user is free to try the detection levels using various methods. I am not aware of product which will allow the user to switch of samples detection and perform just a scan with heuristics.

If you have proactive detection, you are protected from the moment threat appears. It is called pro active detection, detection withou signatures. The you have signature based detection which requires sample of the threat do be delivered to the viruslab.

There is none AV program with zero FP at all. You can only have zero FP on particular test set, not generally. Cohen theorem originating from early 80'ties still applies. According to Cohen, writing a code which will all the time do correct decision whether the code is harmless or malicious is impossible. This applies to heuristics with no exception.

As for the clenaup of the FP, heuristic FP in NOD32 is clearly identified as result of heuristical analysis. ThreatSense.Net will attemp or user will be prompted for sending the sample to the lab.

With heuritics, you can get FP, no dubt. But for this price, you will get reasonable proactive protection in most cases. Without heuristics you will get infected all the time.

 

I wonder which number you are referring to here? I don't remember NOD32 claiming to catch 88% of all brand-new viruses without signatures (regardless of being a zoo sample or in the wild)?

But what I do know is that NOD32 have nailed almost every new worm spreading in the wild without even needing a signature update, and it's probably in the 80-90% range. See this page for a list of some of the "in the wild" worms that NOD32's heuristics caught.

 

Zombini, about 1500 malwares are discovered daily. 88% is 1320 and the rest of 180 should be added. It's so simple.

Now talking more seriously I fully agree with mrtwolman.

 

Often the signatures are added because Pykko screams so loudly when NOD32 detects a threat but does not identify it by name
More seriously though, zero day protection is most effective when NOD32 is equipped with the most current up-to-date information available on 'known threats' - no new signatures added = no new variants detected unless they would have been detected anyway.

FP's are pretty easy to mitigate via planning of configuration and in NOD32's case pretty easy to reverse even on an enterpriste wide basis for somebody with the technical know-how such as yourself...

Keep in mind that the NOD32 support forum is where people go with gripes or support concerns - only a fraction of the many satisfied NOD32 customers are represented here...

Cheers

 

I really wish that your organization will give us a break eventually and decide to use a human security guard in order to prevent virus from spreading in your systems.

Sorry but I'm tired of constantly reading threads that their aim alone is to prove how bad a certain software is.