ANI Exploit detection of NOD32 not good

Discussion in 'NOD32 version 2 Forum' started by agruener, Apr 3, 2007.

Thread Status:
Not open for further replies.
  1. agruener

    agruener Registered Member

    Joined:
    Mar 19, 2007
    Posts:
    9
    Hello :)

    According to a report from PC Welt in Germany done by "AV Test" NOD32 has no the very best detection rate for the ANI exploits.

    You can find the report in german here, with a current comparison with other AV vendors. You can understand the comparison without german knowledge...

    http://www.pcwelt.de/news/sicherheit/76097/index.html

    Unfortunately it seems to be that NOD32 is going to be more bad in recent tests, while it was often among the first earlier.

    Regards,
    Alexander
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    We added a generic signature that detects also ANI exploits missed by many other AVs per Virus Total. We have received the ANI files from the tester and all were detected. What's true is that not all the downloaded stuff was detected at the time of testing, but this should not be counted as missed ANI exploit samples.
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Didn't you say in the past that detecting downloaders was not necessary but rather the downloaded malware files? The downloaded malware is the real threat, is it not? When you say you've made a generic signature, I think you are right, NOD32 does have one of the best generic signatures for detecting the ANI exploit (speaking from personal experience). But you worked to create a signature only for detecting the downloader and not for the downloaded malware? Oh wow....

    Maybe it shouldn't be counted as missed ANI exploit samples, but it counts as missed malware anyway. And in this case it counts as missed important malware. So yet another blow to NOD32 right there....:(

    Changing statements at appropriate times is not a good way of doing business. This sort of damage control is losing its appeal. I am not an Eset-basher, but the fact is that today you have contradicted what you said in the past, and this is definitely not a good thing. I like NOD32 as a product, but it seems the company behind it has some real communication issues. Of course, its not that this test of just 144 samples says a lot about NOD32's detection rate, I wouldn't base my AV of choice just on a 144-sample test. But contradiction and twisting words is something I am less than happy with.
     
    Last edited: Apr 3, 2007
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Nobody has said that detecting trojan downloaders is not important and the only important thing is to detect the exploit itself:blink: And no, we do not sleep on laurels as you probably think, the downloaded files are being analyses and added. I merely wanted to pointed out mixing apples with pears and telling the customer it's only apples that he's going to buy. I think you get my point.

    Re. changing my opinion, I'm not aware of having changed it and do not plan to do so.
     
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I can only count failures for ESET in the last period :doubt: ... no Advanced + at av-comparatives.org, no VB100%, only 77% detection of this exploit... you're working too hard on ESS :D
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Here is a screenie of IMON jumping up when going to a test site :)
     

    Attached Files:

  7. agruener

    agruener Registered Member

    Joined:
    Mar 19, 2007
    Posts:
    9
    @Marcos: Thanks for this info.

    @Pykko: I agree with you. NOD32 seems to be not the very best with its detection rates in recent weeks any more. Besides this I decided to buy additional 24 months...

    @ESET: Please react faster to threats. It is nice to have an full ANI exploit protection, but next time please faster than this time. The patch just arrived a few hours later from Microsoft. But days before I needed the protection from NOD32. When the patch is there the need for protection is nice but more an academical question...

    Regards,
    Alexander
     
  8. ASpace

    ASpace Guest

  9. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    The test results are fundamentally flawed. That 144 sample set doesn't just contain ANI files. It contains a whole bunch of exes as well. PC-Welt is BS.
     
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Where do you know that ?
    Marcos didn't questioned the reliability of the test... he said NOD32 added an heuristic update to improve its detection, so I assume the test was accurate.
     
  11. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    You're questioning the reliability of a test performed by AV-test.org. A very bold thing to say from you, seeing as AV-test is one of the most reputed testing organizations around today.
     
  12. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I assume it isn't just the exploit itself that is in this test, but also the files dropped/spread using this exploit. See here for some details regarding the exploit.
     
  13. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Lets be honest here though, in general, you do have a much lower priority for downloaders (see this thread post #8 onwards https://www.wilderssecurity.com/showthread.php?p=919703#post919703 - a signature for downloader added 5-6 months after submission, before an av-comparatives) than the payload.. nothing necessarily wrong with this strategy aslong as the payload is always detected.

    It's good to see nod's made a generic for this exploit :thumb:
     
  14. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
  15. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    wow the imon replacement jumps in to save the day:D
    lodore
     
  16. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    the suite should be a good one,

    if people know my comments about nod, most have been the dreaded profiles and amon/imon etc etc.

    the new interface of the suite, puts it all together, the way it should of been a long time ago. :)

    good news for you nod users.
     
  17. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Which one? There's one for advanced users and a simplified one.
     
  18. agruener

    agruener Registered Member

    Joined:
    Mar 19, 2007
    Posts:
    9
    Hello :)

    @Marcos: You said, that you "added a generic signature that detects also ANI exploits missed by many other AVs". Unfortunately a report by isc.sans.org tells perhaps something different:

    http://isc.sans.org/diary.html?storyid=2582

    Perhaps is't ANI, perhaps not, but once again NOD32 did not detect this while other AVs where once again faster or better in this.

    I do not want to blame you or NOD32 or ESET. I just want to understand the issue. If it is an ANI am I right that NOD32 should detect it (according to your quote) ? So this might be something else ?

    Regards,
    Alexander
     
  19. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    I would say that is the downloaded file - NOD32 IMON would detect the ANI exploit and prevent that the file gets even downloaded.
     
Thread Status:
Not open for further replies.