detection

Discussion in 'other anti-virus software' started by chaos16, May 16, 2005.

Thread Status:
Not open for further replies.
  1. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Let me give my cents :D

    KAV - Excellent detection, not so good heuristics. Nice generic signatures, and not-too-good registry cleaning (but not bad either).

    McAfee - Very Good Detection (almost as good as KAV in my experience), Not much of a heuristic engine, excellent generic signatures, and very good registry cleaning.

    NOD32 - Good detection (not as good as KAV/McAfee overall), excellent heuristics, Not too many generic signatures, and good registry cleaning.

    In the future:

    KAV - Seems like Kaspersky is focusing on proactive detection, and the registry disinfection isn't really bad.

    McAfee - 5000 series engine looks promising ;)

    NOD32 - continuing development, it seems it's gonna get better and better at signature detection....
     
    Last edited: May 17, 2005
  2. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    McAfee is not that bad about heuristics lately. I saw lots of heuristic detections in last day my Mr. Mc.
     
  3. chaos16

    chaos16 Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,004
    will the kav 6.0 have better registry cleaning o_O

    Does anyone know?
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I'm not quite sure, but considering that Kaspersky is currently thinking of a lot of things, it might just happen. :)

    You have no reason to worry, because KAV does do limited registry cleaning (which suffices most of the time) for most malware. Remember, Norton, PC-cillin etc. do NOT do any registry cleaning.
     
  5. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    I was testing a KIS2006 image on Sunday "at some more risky websites" when it popped up a box informing me that Dr Watson was acting suspiciously. It then showed me the registry entry that had been changed and let me "roll it back".

    My immediate reaction was to try and get Drwatson zipped and check it at Jotti's, but being in a hurry I just wiped the disk and re-imaged. I suspect it was probably some sort of spyware but was pleased to see the warning nonetheless.
     
  6. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    NAV *does* provide good protection and without seeing these so-called "missed" malware samples for myself, I reject assertions like this without any proof. I've never had any "peep" of malware that slipped by NAV on my PCs, and these negative "bashing" reports are usually proffered without the slightest evidence or proof. I guess we just take your friend's word for it that NAV Sucks and don't ask for any samples, evidence, or proof? OH Well .. how can anyone argue with that? :( So typical of the biased anti-Norton "bent" of this Board .. :(
     
  7. tahoma

    tahoma Registered Member

    Joined:
    May 31, 2003
    Posts:
    228
    No disrespect, but I think you'll find that every board with users who have had a computer for more than 6 months is anti-Norton. And rightly so. Just my opinion.
     
  8. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Such a comment just serves to further demonstrate my point. :(
     
  9. tahoma

    tahoma Registered Member

    Joined:
    May 31, 2003
    Posts:
    228
    I'm sorry. I take it back. I don't like to see sad faces. Seriously.
     
  10. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    The "frown" face was just expressing displeasure at what seems to be bias. All I'm saying to folks [and what I say everywhere] is to try to be fair, and try to provide some repeatable evidence to back up negative claims.

    I don't speak against competing products that I don't use; I try to say something positive about other products, or not say anything at all; and if I did have anything negative to say, I would surely be prepared to back it up with hard demonstrative evidence and not hearsay.

    In cases like this, all it takes is for someone to produce malware samples that Product-X [in this case it is NAV] is not detecting.

    I would feel the same way if someone claimed any well-known product, say, NOD32, allowed their system to become infected without uttering a peep. I would want to see hard evidence of that before I accepted it at face value.

    I too mean no offense by my remarks. Take Care ..
     
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    This happened to me once. Norton was off and I was hammered. Of course, NAV was off since I had turned it off - yes, on purpose. The machine was too aged to reasonably try to run NAV, I tried, became a little impatient, and turned it off. This was a long while ago - the PC was underpowered, this wasn't a bloatware issue.

    This was my own fault. Given some of the things I see out there, it wouldn't surprise me if many folks have intentionally or unintentionally disabled their protection and were caught short.

    I'll take Rich's and anyone else's reports as true at face value. What we oftentimes fail to learn are the root causes leading up to the incident.

    Enough of the NAV critique. This could be replayed with any AV on the market. While the finger is being pointed at one AV here, why not also point that finger towards neglect of a strategy most of us follow to some extent - partially overlapping layered protection? Seems that may have assisted in dealing with the incident in the cases being mentioned as well.

    Blue
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Blue,

    As you suggest, I always use and recommend overlapping defense. I do not trust KAV 100%. In fact, last week, BitDefender's online scan detected some malware that KAV real-time and on-demand could not. So I always recommend ProcessGuard and RegDefend to back up the AV.

    I have no idea how the trojans got past Norton AV. (He was running it in real-time and he also ran a complete disk scan). But I do know that I was also badly bitten multiple times a year and a half ago while running Norton, and it was these incidents that finally motivated me to find a better solution. A simple, layered solution is the best way to go, and my friend was extremely grateful to me this morning (he is leaving on Wed. on a long, overdue vacation) both for my "cleaning efforts" and my advice. Cleaning is always much more difficult than preventing. Tonight I'll get some sleep. ;)

    Rich
     
  13. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I personally don't have anything against any AV for any reason.

    I run NOD32 on my home PC, Norton2004 on my laptop, F-prot on 1 machine, etc..

    For me Norton has just become too resource hungry, which is why I went away from it. I never had any infection problems while using NAV. It is a great AV in its own right (why do you think it has been around so long?).

    I have not really used McAfee much, but many members of my family have. They've never gotten infected either with it running, but it has just become too big to run on older machines.

    I have not tried using KAV. I have read tons of reviews and I know it is a big dog among AVs.

    I know BitDefender is a great free (on-demand only) AV and I recommend it to people that need to do a clean up. (it's on my website)

    I recommend different AV's for different people depending on their needs.

    I have no beef with any AV and I'm glad there are so many choices :)
     
  14. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I had NAV 2003 and thought it was great! I went through a period where I was being bombarded with infected emails. NAV nailed every one as the emails were being downloaded, without interrupting the connection. I did switch to NOD only because I wanted faster on-demand scans than I was getting with NAV while not sacrificing protection. NAV is great for new users because it has excellent protection and NO learning curve. I had to go to school on NOD, so to speak, at the NOD forum to use it effectively. NAV does require more resources though, and if you know that you can compensate with more RAM.
     
  15. scott h

    scott h Guest

    I've run Norton and it looks very pretty, but a lot of trojans got through and hammered me. I eventually found this board and gave it up and picked up Avast Pro at first; works good, but a trojan caught me again, and then I tested every single AV out there and I must say that I prefer:

    1. Panda - It's rock solid to me, but my computer can't run the bloated program. When I get a powerful PC, that's where I'm going.

    2. McAfee - I love McAfee, it catches almost everything and it's not that heavy of a program.

    I ran NOD and found 3 trojans in my Opera 8 cache, so I DL'ed McAfee today again and re-purchased a license. Needless to say it caught all 3 trojans with a non-updated database of definitions.

    I just don't trust Norton, nor NOD32, not even F-Prot.

    McAfee, KAV, Panda and BitDefender are awesome for me; with one of those four I'll deal with the slowdowns, I need good protection.
     
  16. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Gosh if you don't trust KAV, then I guess it makes me feel a little better that you don't trust NAV, because you aren't going to find a better AV than KAV in terms of detection rate of *all* sorts of malware, including trojans and trojanlike code.

    But Rich, that is the problem. If people don't collect samples and give specifics, but only vague personal testimony, there is no way to know what specific malware was "missed" or why. Not only that, but I don't understand why people so often fail to follow through and submit undetected malware to the Vendor for analysis. This is very easy to do with NAV, just takes a few clicks, I've submitted hundreds and hundreds of samples shared with me by friends and colleagues.

    No disrespect intended, but I have to wonder what you were doing to encounter exotic undetected samples? NAV has essentially 100% ITW detection, so anything undetected has to be perhaps less-well-known trojans, spyware, or some non-ITW "zoo" malware. I accept what you say, it is a similar "Norton-failure" story to others I've heard, only I have to wonder what specific malware was being missed, and where was it coming from ?? ...

    You know I agree with that statement but, go back and note what Blue said: "such can happen with *any* AV solution". You already said you don't trust KAV; but KAV consistently outdoes everyone in AV comparatives so I don't think there is any other AV which could be said to be more trustworthy in terms of at least *detecting* all the malware one might encounter in-the-wild or perhaps on P2P {Kazaa, Grokster, etc.} or however one might encounter more exotic or less-well-known malware.

    Finally let me emphasize I am not questioning yours or anyone's testimony & experience, not questioning your word; only, it would help to have more specifics [malware names, variants, types, etc.] and even [ideally] some *samples* to look at. But the fact that you say even KAV "missed" something you thought should be detected, tells me something about how high your standards must be: because, after testing hundreds of samples sent me, I probably can count on my ten fingers the number that KAV has missed. And if KAV is missing anything, the Kaspersky Labs [KL] is very very quick to include it for detection once they get a sample: newvirus@kaspersky.com

    I mean no disrespect but KAV is generally accepted as the best overall malware detector, at this and in other security circles; that is why I single out KAV to suggest that if it isn't enough, then no single AV is enough. If one has extremely high or perfectionist standards, one will probably never find a single AV solution that will satisfy the requirement to detect every possible malware and variant out there.

    Let me also mention that spyware-adware, jokes, dialers, and other "expanded threats" are in NAV's database but are not detected by versions of NAV prior to 2004. NAV 2003 and earlier does not use that part of the database. Also, NAV had no runtime packers until 2004 and later. So it *is* possible that folks get "bitten" because they are running earlier versions of NAV which don't detect all the malware that later versions [2004-2005] are detecting. Just a thought ..

    And also people should remember that spyware is often given "trojan" type names by AVs when in fact it is in the adware-spyware category and not the classic trojan category; so when people say "Norton missed some trojans" they could actually be saying: "A version of NAV prior to 2004 missed some spyware" .. just another thought .. as, I have had folks send me samples they *thought* were undetected but the samples turned out to be adware that *was* detected with the latest version [engine] of NAV.

    I hope you and anyone who has found themselves disappointed with NAV will find that "ideal AV" out there, which will detect and intercept everything that you expect it to. ;) Frankly if KAV isn't it, I don't know what single-AV could or *would* be the successful candidate.

    The alternative is to go with the "layered prevention", which you and I and Blue can all agree upon: AV, AT, AS combinations along with other preventative security software "mix".

    For the record, your testimony aside, I do not regard Norton as a "lesser" or inferior solution: I accept that you and others feel that way, just "agree to disagree". For most people, and under normal circumstances, NAV should offer good protection IMHO. Not taking away from your testimony, just offering reasoned counter-opinion and honest [but respectful] rebuttal. ;)

    Take Care,
    Sincerely, Ran
     
    Last edited: May 17, 2005
  17. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Thank you for your gracious comments: I think both NAV and NOD32 have excellent detection {essentially 100% ITW} -- and under *normal* circumstances, for the *average* user who doesn't go to the dark places of the Net or engage in unsafe practices, should be enough, especially if supplemented by a good AT and AS solution. I exchange samples with some NOD32 friends and my impression is that the detection rates of the two AVs are very close .. thanks again for your gracious comments, much appreciated! ;)
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Ran,

    Fair enough. Everyone has different experiences in this world. When I drive down the highway, I see innumerable different cars, models, colors (the most prevalent being the black Honda Accord EX :) ). So everyone has their own taste.

    The problem here, and the reason I brought it up, was:

    1) I ran several different products against my friend's machine. Not one caught all of the problems. Ewido found many. So did TDS-3. I ran these first because it was somewhat of an emergency situation. My friend's system had been penetrated by a keylogger (we had the files) and it was connecting out to home. We had no idea, until we began running the ATs, that there was any problem at all, certainly not to this extent. Remember, my friend had run a NAV full disk scan as well as having the real-time scan in place. KAV 5.0 MP3 found the last remnants, which were apparently lodged in some system and bmp ADS.

    2) The extent of the penetration was substantial, considering the system was rather new. I can tell you only one of the trojans that was found, because I was too busy trying to determine the extent of the situation to bother too much with documenting everything. My friend had absolutely no interest in retaining any files. He wanted all of the trojan material off as soon as possible. The one trojan I can definitely document is what KAV called Trojan-Downloader.Win32.Agent.bc.

    3) There is a substantial with Norton somewhere. This could not possibly be a "new" trojan (or group of trojans), since TDS-3, Ewido, and KAV 5.0 were all able to detect aspects of them. My guess is that KAV 5.0 on-demand could not detect the ADS component, while KAV 5.0 real-time was able to detect the ADS because the trojan revealed itself in real-time in such a way that KAV was able to detect it. Once I realized there was an ADS issue, I ran ADSSPY and found lots of "stuff" in the ADS, of substantial size. What it was, I have no idea. My friend just wanted them off his system. I hope you understand that this is a system involved with substantial financial data.

    4) This whole incident further underscores for me the need for layered protection in order to diminish the chances of this type of infection from occurring. No one product was complete in itself. It took many products to clean the system. My guess is that there are many, many other home users who run into similar situations (we have heard on this forum from those who specialize in this area), and simply have their systems cleaned. It is not only a loss of time and data, but it is often a most uncomfortable feeling to know that you may have been hacked and that someone may have been following every keystroke that you entered into your computer. My friend was crushed, but somewhat relieved to know that his system is clean. He has taken appropriate measures with the understanding that passwords and other identity data may have been stolen.

    Personally, I never get into a discussion about which AV is better than another. I only relate my own experiences, my own decisions and the reasons for my decisions.

    Thanks for your comments. Security is a tough business and I appreciate the efforts of everyone in this industry.

    Regards,
    Rich

    P.S. I want to give special mention to the guys at Merijn. HijackThis (a product that I support through donation) was instrumental in my ability to clean this particular machine. Thanks much!!
     
  19. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Thank you; that is an example of what I mean; it is most likely spyware. The "trojandownloader.xx.yy" classification, as well as the "backdoor.agent.xx" classification assigned by most AVs, is almost always from the adware-spyware category.

    [I understand the "panic" feeling and uneasiness and wanting to get rid of the malware without regard to sample collection]. Actually though, those products, especially ewido, have detection added for such expanded threats and malware. One need only take a look at the Ewido site: http://www.ewido.net/en/

    Then go to Ewido's "Why" page: http://www.ewido.net/en/why/ -- to see that Ewido is designed to "complement" [not replace] classic AV solutions by including expanded threats and malware that is often overlooked by AVs or that is not satisfactorily covered by the classic AV solution.

    You mentioned a keylogger but normally that isn't what we think of as a classic backdoor trojan. It falls under what Symantec considers expanded threats and security risks. Scroll down that page to the following:
    http://securityresponse.symantec.com/avcenter/expanded_threats/
    For more information on hack tools:
    http://securityresponse.symantec.com/avcenter/security_risks/hack_tools/

    Which is also what I was getting at near the end of my last post: I wonder if your friend was running NAV 2004 or higher? Because earlier versions of NAV would not detect these malware even if in the database.

    Regardless of the "why" or "how" of his infection, I'm glad he got cleaned up, and that there were some tools to help facilitate the cleaning.

    On that you, me, and Blue of course would be in perfect harmony. ;)
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Randy,

    I did not look at the version of Norton that he was running. It came with a Toshiba laptop that he purchased one month ago. Of course, it could be an old version. If I have a chance to talk to my friend before he leaves, I will confirm the version that he was running.

    Personally, I have copies of several security programs that I have purchased over the years for various reasons. This includes Ewido, BOClean, TDS-3, TrojanHunter, WormGuard, etc. I run them from time to time to see if anything has ever gotten through KAV/PG/RegDefend. So far, nothing has. Each product has its own "qualities", but it is difficult to explain to my friends the differences. But I recognize their value, and I support the vendors who help me. I am not simply protecting my "computer". I am protecting my privacy and security. Given the amount of money I spend each year for other types of "insurance", I consider these products a bargain.

    Rich
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    For a business that needs its net to be as bullet-proof as possible, would it be a good solution to run NOD on-access & use KAV on-demand?
     
    Last edited: May 17, 2005
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Bellgamin,

    I would consider this a good idea, since each product has its own strengths which both overlap and complement each other.

    I would highly recommend, if it fits within your overall strategy and resource capabilities, to consider proactive defense measures that will prevent malware from executing and/or installing on your machine. To me, this is preferable to "detection" which is more reactive in nature. My two favorite programs in this category are ProcessGuard and RegDefend. They are mighty strong and complement AVs very well. Both of these products have forums on this board that you may want to visit.

    Rich
     
    Last edited: May 17, 2005
  23. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    I agree with Rich: find products designed to complement the classic AV solution. I'm not a business, just a home user, but I have something similar to what you suggest: NAV on-access, with KAV and BitDefender on-demand. If a person insisted on only using one single product to detect the widest possible spectrum of malware, that choice would have to be KAV. I've tested many, many samples and KAV simply doesn't miss much malware, period. But as Rich and Blue suggest, a layered solution is the best, because not even KAV can by its lone self detect everything; and also the preemptive-proactive posture is better than reactive ["reactive" meaning, signature detection after-the-fact].. ;)
     
  24. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    I currently have a KAV 5 licence and have been looking at an ideal free backup scanner. I've tried BitDefender and like it. But whilst not much gets by KAV once its signatures are updated, I was wondering about having NOD32's advanced heuristics as a backup scanner for day 0 nasties - i.e. have it as free by letting the trial expire but use it as on-demand for heuristic scanning - presumably the advanced heuristics are not reliant upon sig updates??

    I hope I'm not committing any forum offences asking this as I'm not asking for cracks or anything but mods please delete if this is crossing the line.
     
  25. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Yepper. For a couple of reasons:

    1. NOD32, due to its heuristics, is going to catch most of the through-the-mail stuff at 0 day. That's the biggest threat to business users, IMO. Its very good through-the-browser trojan and d/l'r ability makes it my preference here also. It's also lighter on the PC.

    2. KAV excels at having a definition for everything, so as a backup scanner, it's probably unsurpassed, and would be great as an on-demand.

    My .02.
     