Does NOD32 Personnel Agree With (Virus Test by GEGA IT-Solutions)??

Discussion in 'NOD32 version 1 Forum' started by agoretsky, May 1, 2003.

Thread Status:
Not open for further replies.
  1. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Ok, well a lot of smoke but not much light here. There can be legit issues and concerns about performance and effectiveness of an app and they can be discussed in an adult manner so that users and potential users can decide for themselves what's best for them and what they are more comfortable with. But that's not what much of this thread turned into.

    How significant a threat are Zoo viruses? I asked and Rod answered. Not a particularly significant threat. If something goes ITW to a noticeable degree then it goes into the Wild List and then the question is, how good is your AV in keeping up with and detecting stuff that's in the wild?

    Then people can choose for themselves, do they want an AV that can catch all sorts of zoo viruses but perhaps is not so great at catching actual ITW stuff? Or do they want an AV that has a good record of addressing the ITW threats as well as some of the zoo stuff? It's a matter of emphasis and one's preference. (By the way, NOD isn't the only AV that's garnered some VB ITW 100% awards, so claims of VB bias for NOD don't stand up on that point, IMO. Also, a look at the VB's advisory board would suggest no basis for any claims of bias toward NOD.)

    Again, as with all comp/internet security issues it's a matter of risk management. What are the chances of one's coming across a zoo virus in one's email in box compared to those viruses and worms that are actively circulating in the wild?

    One can test for certain zoo viruses and then say a product is inferior because it doesn't catch them. But what does the test mean in terms of actual danger to the average user? Not a lot, IMO.

    As for archived, compressed files and detection. That's a bit more complicated. I recall someone some time ago posting "tests" of AT products elsewhere and slamming one (TH as I recall) because it didn't detect some common stuff when zipped. As I recall the TH defenders pointed out that it did catch the trojans when uncompressed and that when zipped the trojans posed no threat.

    We've seen much the same arguments here in the past regarding NOD's abilities in regards to archived files. "Missing" some files when they're harmless yet catching them when they pose a real threat.

    Some people obviously prefer catching the stuff while in archived format and there are products that certainly do better at that if that's what one prefers, although some of those same products overall may not have a great record at catching ITW stuff even when uncompressed and executing. Does it mean that NOD is "inferior" at catching viruses and worms? Or that it just does the job differently, focusing on when the threat is immediate rather than dormant and harmless?

    So one needs to decide what one is most comfortable with in that regard.

    Also, the issue of packed files. That's interesting but a bit more complex for the average user to discern what the issue is and how much a real threat such stuff poses in the real world (which I think is what the average user is actually concerned about). As mentioned previously if one wants to take the time one can pack something to defeat just about any AV/AT out there. But again, the average user isn't concerned so much about hypothetical threats designed for purposes of a "test" but actual stuff that they might come across in their everyday experience. To the extent that there is stuff out there that poses a real threat, one would expect one's AV to address that.

    It appears that NOD version 2 will improve on detection of packed and perhaps archived files? (I haven't been following the beta that much.)

    And as for Trojan detection, while NOD may catch some that's not its emphasis, neither does it claim to be an all in one solution for both viruses and trojans. As with many other AV's one can choose a layered security and also run an Anti Trojan app as many do here. Or if one wants a product with a good record on viruses and trojans as an all in one solution one can look to KAV or those products with similar records in that regard. It depends on one's computer use and needs and what runs well on one's PC.

    Not all solutions are for everyone. I think posting time and effort is best served by those who have the expertise in assisting those people trying to figure out what to use on their PC's, and what the pluses and minuses of a product may be, by highlighting the issues and concerns and discussing them clearly, objectively and dispassionately.
     
  2. SmackDown

    SmackDown Guest

    OK, all seems to be getting along OK now. I guess it was a proxy problem. Anyway, I have been a member for a while; I just read mostly.

    Today, I come here, I am banned. Why? I haven't even posted in almost 1 year, so I can't even read threads. I see Vamp is banned, so that's why I post in this thread. He got banned, and so did a lot of other people who did nothing. I like and respect Vamp.

    I have no problems with this forum banning him, but to ban others, who did nothing, is a little too harsh. Vamp uses proxies, so do I and many others. Just be sure of what you are banning, a proxy or an IP address, and does the IP address belong to Vamp?

    Anyway, If I have anymore questions, I will start a new Topic.
     
  3. SmackDown

    SmackDown Guest

    Sig,
    What concerns me is this: Vamp easily downloaded the viruses, and could have, if he chose to, infected people, and if they were NOD users, they would be in trouble.

    I don't believe Vamp would do that, but if he has access to them, why can't the bad guys get them and use them? Also I didn't like the idea that the authors of NOD know where to obtain these viruses, but yet refuse to add them for detection.

    You talked about Trojans. Let's say TDS-3 knows where to download new undetectable Trojans. Should they add them to their database right away, or wait like NOD does, until they make a list, the ITW list?

    This part really bothers me. Guys, if you know where the zoo viruses are, why not download them and add them to detection? Heck, if a bad guy reads this thread, he will go to that site and start using those viruses, and us NOD users are unprotected.

    Are my concerns valid, or am I just over reacting? Can someone today go to the site Vamp got the viruses from, and infect us NOD users? I need an honest yes or no answer.
     
  4. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    SD: why don't you email the Admin as suggested to see what the problem may be? Since evidently only two people have been banned (for continued software bashing and disruption as I recall, which is not supposed to be allowed here) in the history of this board, it would appear not to be the case that "a lot of other people who did nothing" have been banned.

    Perhaps it is a proxy problem or a technical glitch, but as the Admin indicated you were not intentionally banned. Again, why not email the Admin so he may clarify the problem so it won't happen again? This really is off topic in the NOD forum.
     
  5. SmackDown

    SmackDown Guest

    The problem has been fixed, thanks for your concern. Would you answer my other post to you? Again, the proxy problem has been fixed.

    An e-mail would not have helped. The Admin wanted my IP address, which would not be in the e-mail headers. As I say, I use proxies, so he would not have received my real IP address.

    According to my records more than 100 people were banned. See, the proxies we use show about how many people use them. Now were these people trying to get on Wilder's? That I don't know. I just know that one proxy was blocked, and at the time more than 100 people were using it. Again this is according to its own counting, so I can't say it was 100% accurate.
     
  6. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > Ok, well a lot of smoke but not much light here. There can be legit issues and concerns about performance and effectiveness of an app and they can be discussed in an adult manner so that users and potential users can decide for themselves what's best for them and what they are more comfortable with. But that's not what much of this thread turned into. [ ... ]

    An excellent post, sig ... well thought out, with valid and sensible comments.
     
  7. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > What concerns me is this: Vamp easily downloaded the viruses, and could have, if he chose to, infected people, and if they were NOD users, they would be in trouble.

    Any lamer can download a virus from a VX site. Any lamer can download some obscure runtime compressor from China or Korea and create an "undetectable" virus. Fortunately, most people are not lamers. (Virus coders hate such lamers, btw.)

    > I don't believe Vamp would do that, but if he has access to them, why can't the bad guys get them and use them?

    Vampirefo wants the world to see him as a "Security Expert". If he wants to be accepted by the antivirus industry then he should have the social responsibility to send samples of his "undetected" viruses to all the antivirus vendors ... just as many people who are not posing as "Security Experts" do every day of the year.

    > This part really bothers me. Guys, if you know where the zoo viruses are, why not download them and add them to detection? Heck, if a bad guy reads this thread, he will go to that site and start using those viruses, and us NOD users are unprotected.

    > Are my concerns valid, or am I just over reacting?

    Your concerns are valid if you don't understand the virus world. You would be overreacting if you do.

    Antivirus vendors with researchers who are CARO members share active virus samples ... ie: if one of their users is hit by a virus, they send a sample to all the other members. Some other antivirus vendors share with no-one ... they keep their virus samples to themselves.

    Suppose you sent PoopScan (who doesn't share virus samples with other vendors) 10 modified copies of CIH which you'd cooked up with your own one-off encryption program, and they added detection for these. No other vendor would ever get to see those samples unless you (or PoopScan) released them into the wild. You could waltz into security forums posing as a "Security Expert" and post your own "tests" showing that PoopScan detected 10 viruses which all other antivirus programs missed ... but that wouldn't make you a "Security Expert" ... just a lamer.

    > Can someone today go to the site Vamp got the viruses from, and infect us NOD users? I need an honest yes or no answer.

    We don't know where to obtain them. Do you ? If so, why not tell us ?
     
  8. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    SmackDown: The point of the ITW list is that it shows what is out in general circulation. Links have been provided here to how it is compiled and also, as pointed out, tracking of such things (the Message Labs info) suggests that the real threats to everyday users are ITW stuff, not zoo stuff.

    When something gets out and is reported as ITW then it's a significant concern, IMO. And NOD doesn't just include ITW stuff in its definitions; there are also some zoo things. But again, how much of a danger is posed by something not generally out ITW?

    If you're worried that someone will deliberately get and send you a zoo virus, then what have you been up to to warrant that? Someone has to do that personally if that's what you're concerned about. Although, again, NOD does include some zoo stuff, presumably those that are potentially significant and those that have previously been ITW also. But if you know of someone who wants to find something truly obscure to infect you that most AV's won't catch, that's possible. But that takes some effort and likely would be a directed attack and not quite what the average user comes up against in daily use.

    Although there are always those first incidents when something goes out, like Klez for example. Then you want an AV that keeps up on the latest outbreaks, updates frequently and perhaps also has good heuristics. But even that might not help if you're the first guy to see a new bug and open every email and attachment that hits your inbox. It sucks to be the first or second guy to see it, and the odds are frankly low that it'll turn out to be you. But it would be much worse to be the 100,000th one to have something like Klez in his inbox and your AV doesn't even say Whoa!

    No AV will protect you 100% from everything that might be available for badguys to use. But if something does get out of the zoo to the point that it becomes a general danger then it goes to the Wild List and most AV vendors I imagine pay attention, some more than others, evidently.

    Let's put it this way...law enforcement puts out APB's on armed and dangerous folks out on the loose. Not on those who are incarcerated who would pose a threat if they were out in the general population. If someone stages a jail break and they're now out loose and the general population is at risk, then law enforcement sends out APB's, alerts the populace and takes measures to catch them.

    To me security is a matter of risk management, always. Computer users are themselves responsible for their own computing habits also. If you put yourself easily at risk by unsafe computing practices, then you'd best load up on all sorts of security apps, although even that's no guarantee of 100% safety. Or you could exercise some caution, learn what the real potential dangers are and select the kinds of protective measures you feel are best for you. Based on real information and a reasoned threat analysis, not just because someone scared you on a chat board or because a vendor's advertisement promises you total security.

    What I do and use has worked for me (so far) for years. It may not suit you or you might be more comfortable doing and using something else. That's for you to decide for yourself based on your research and what you are comfortable with.


    As for your other issue, blocking a proxy is not the same as intentionally banning a specific individual. There's a general forum here at the top of the main page for board use issues if you want to post there and discuss it further with Board Admins/mods.
     
  9. SmackDown

    SmackDown Guest

    Rod,
    You guys are ESET? this Mod says you have them, and he also has them, So somebody is not being truthful.

    Rod if you don't have them even though Technodrome claims you do, Seeing Technodrome is a Mod shouldn't he give them to you?
     
  10. SmackDown

    SmackDown Guest

    Sig, you wrote a long reply, but never answered one question. Let's try again; keep your answer short please. A yes or no would be great.

    IF TDS knows where to download unknown Trojans, or Trojans not in the wild.

    Should they.

    a. add the signatures to the database right away.
    b. Do as NOD does and wait for them to make it on the ITW list.

    If a, then shouldn't NOD also, if b why?
     
  11. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Do you really think that NOD32 should add 100,000 or more zoo viruses? Have you ever heard about virus generators?

    By using VG you are able to produce hundreds of ZOO viruses. Should they add them all? Should they waste their time and add every single ZOO virus?




    Technodrome
     
  12. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    They should only add viruses, which could present a potential risk. These are not!



    Technodrome
     
  13. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    It's not a matter of being untruthful. Technodrome doesn't know what Eset does or doesn't have.

    Nod does include some zoo viruses in its virus definitions. It does not and I'll wager NO AV includes ALL zoo stuff in their definitions. Why? For reasons Rod noted above in the early pages of this thread.

    Zoo stuff includes all kinds of stuff, some work as viruses, some don't. Of those that work, how many pose a significant threat? Are they spreading ITW so that users may encounter them or not? If they aren't spreading, then inclusion isn't all that vitally important compared to the more pressing task of including protection against stuff that is actually spreading and infecting PC's.

    You do know, don't you, that AV vendors make these decisions all the time as to what to include and what not to include in their definitions in regards to zoo viruses? NOD isn't any different in that respect as far as I am aware, although clearly it's more geared to those viruses that pose real potential threats rather than hypothetical ones.
     
  14. SmackDown

    SmackDown Guest

    Yes, I know of generators. Each is different, but each virus made by the gen can easily be detected if the signature is done correctly. You know of a Trojan called Donald Dick; how do you think it creates Trojans? Yet each Trojan produced by DD can be detected by TH and TDS-3.
     
  15. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I am talking about less common VGs! It works just like less common packers.

    Anyway this is pretty much OT.



    Technodrome
     
  16. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    U R rite there. But viruses presented by Vampireinfo are available from well known VXers sites. I am sure ESET R&D team monitors them. But since they present no real danger, I can understand why they are undetected by NOD32.



    Technodrome
     
  17. SmackDown

    SmackDown Guest

    True let's call it a night.


    P.S. Will you e-mail Rod those samples that Nod missed, so he can add them for detection? He doesn't know where Vamp got them from.
     
  18. xor

    xor Guest

    TrojanDropper.Polymorph (GAV Name) aka TrojanDropper.SMorph (KAV Name) aka DDick TDS isn't even a "real" polymorph Trojan. It does NOT match the classification for higher Polymorph Levels (there is some kind of a scale).

    You can catch this "polymorph" nastie very easily by a simple, traditional pattern match. Just read my post in the TDS Forum - I did even post one part of the signature. However, if you want to catch 100% (and not only 99%) you have to search for another (shorter) signature which must exist in the first 2k at least 2 times. (This reduces false positives.)

    A good example of a higher complexity virus is the Mistfall Engine.
    Or, some old Dos Viruses such as OneHalf Variants.

    Michael
     
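    As an added example that is not part of the post above (nor any product's real detection code), here is a small Python sketch of the two rules xor describes: a single traditional pattern match, versus requiring a shorter pattern to occur at least twice within the first 2 KB so that one incidental hit in benign code does not trigger an alert. The signature bytes and the sample buffers are constructed placeholders, not the real DDick patterns.

```python
# Added example: the "one long scanstring" rule versus the "shorter pattern,
# at least twice in the first 2 KB" rule described in the post above.
# Every byte pattern and sample buffer here is constructed for illustration;
# none of them is a real malware signature.

WINDOW = 2048    # only the first 2 KB of the file is inspected
MIN_HITS = 2     # the shorter pattern must recur at least this often

# Hypothetical signatures (constructed). The short one is a substring of the
# long one, so a file carrying the long pattern also carries one short hit.
LONG_SIG = b"\x60\xe8\x00\x00\x00\x00\x5d\x81\xed"
SHORT_SIG = b"\xe8\x00\x00\x00\x00\x5d"


def count_in_window(data: bytes, pattern: bytes, window: int = WINDOW) -> int:
    """Non-overlapping occurrences of `pattern` within the first `window` bytes."""
    return data[:window].count(pattern)


def match_long_once(data: bytes) -> bool:
    """Traditional rule: the long scanstring appears at least once."""
    return count_in_window(data, LONG_SIG) >= 1


def match_short_once(data: bytes) -> bool:
    """Naive rule: the short pattern appears once. Prone to false positives."""
    return count_in_window(data, SHORT_SIG) >= 1


def match_short_repeated(data: bytes) -> bool:
    """Rule from the post: the short pattern recurs at least MIN_HITS times in 2 KB."""
    return count_in_window(data, SHORT_SIG) >= MIN_HITS


def scan(data: bytes) -> dict:
    """Verdict of all three rules for one buffer."""
    return {
        "long_once": match_long_once(data),
        "short_once": match_short_once(data),
        "short_repeated": match_short_repeated(data),
    }


# ---- constructed sample buffers -------------------------------------------
PAD = b"\x90" * 64

# 1. A sample carrying the long pattern, with the short pattern recurring later.
SAMPLE_DROPPER = PAD + LONG_SIG + PAD + SHORT_SIG + PAD

# 2. A variant in which one byte of the long pattern differs (the "1%" the
#    traditional scanstring misses) while the short pattern still recurs.
SAMPLE_VARIANT = PAD + LONG_SIG.replace(b"\x81\xed", b"\x81\xec") + PAD + SHORT_SIG + PAD

# 3. A benign file that happens to contain the short pattern exactly once:
#    the naive single-hit rule fires here, the repeated-hit rule does not.
SAMPLE_BENIGN = PAD + SHORT_SIG + PAD * 10

# 4. Two hits, but the second sits beyond the 2 KB window, so only one counts.
SAMPLE_LATE = PAD + SHORT_SIG + b"\x90" * 2100 + SHORT_SIG


if __name__ == "__main__":
    for name, buf in (("dropper", SAMPLE_DROPPER), ("variant", SAMPLE_VARIANT),
                      ("benign", SAMPLE_BENIGN), ("late", SAMPLE_LATE)):
        print(f"{name:8s} {scan(buf)}")
```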
  19. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Just back on the viruses topic a bit, here's a snippet from a 2001 Register article that contained some interesting comments from a Trend Micro guy:

    http://www.theregister.co.uk/content/archive/17372.html

    Stop the antivirus vendor hype
    By: John Leyden
    Posted: 06/03/2001 at 13:57 GMT

    A senior figure in the antivirus industry has spoken out against the misinformation and myths which surround computer viruses - many of which he said arise due to hype from vendors themselves.

    David Perry, global director of education for Trend Micro, said the public harbour a number of common misconceptions about computer viruses, due in large part to overstated warnings about viruses from vendors and sensationalist reporting in the media....

    ...Perry's central point, made in a speech at the 10th Annual European Institute for Anti Virus Research (EICAR) conference in Munich this week, is that misinformed users can actually increase the likelihood of virus infestation, and more needs to be done to close the gap between perceived and actual damage caused by viruses.

    An example of this knowledge deficit, according to Perry, is that of the 30,000 to 50,000 computer viruses routinely quoted in figures from the antivirus industry, only 800 have ever infected anybody's computer and "only 200 are in circulation".

    "The rest are 'zoo' viruses - which are emailed to antivirus companies by virus authors themselves and never make it into the wild," said Perry.
    ____________________

    Thus an AV vendor can boost its claims to effective detection and protection by catching all sorts of bugs that in reality you likely will never encounter on your PC since they're not a real threat out in the wild. And self designated promoters of such products can produce tests to "prove" the "superiority" of their chosen product knowing that as far as real world risks go, their tests really prove no such thing.
     
  20. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    It is not sane to detect zoo viruses produced by generators by scanstring. A more effective approach is a dedicated algorithm for every generator.
     
  21. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > An example of this knowledge deficit, according to Perry, is that of the 30,000 to 50,000 computer viruses routinely quoted in figures from the antivirus industry, only 800 have ever infected anybody's computer and "only 200 are in circulation".

    > "The rest are 'zoo' viruses - which are emailed to antivirus companies by virus authors themselves and never make it into the wild," said Perry.

    David was a little light in his estimates, imo ... but he definitely hit the nail on the head as far as "number of viruses detected" snake oil goes ... and it's still happening.

    > Thus an AV vendor can boost its claims to effective detection and protection by catching all sorts of bugs that in reality you likely will never encounter on your PC since they're not a real threat out in the wild. And self designated promoters of such products can produce tests to "prove" the "superiority" of their chosen product knowing that as far as real world risks go, their tests really prove no such thing.

    Yep ... two years down the track, and of the 80000+ viruses some antivirus programs claim to detect today, very few (comparatively) have ever made it into the WildList. (It takes only a couple of good confirmed hits for a virus to make the WildList.)

    We're often asked "What's the worst virus in the world ?" I guess the definitive answer is "The one that infects your computer." An AV program might claim to detect 80000+ viruses in its advertising, but if it misses the one that bites you then that claim wasn't worth much.

    Even though NOD32 hasn't missed a single In the Wild virus in a Virus Bulletin test in the past five years, we don't claim that we can protect you against 100% of viruses 100% of the time ... no antivirus program can guarantee to do that ... but I've been in the antivirus industry for more than fifteen years, and I'm confident that NOD32 will put you closer to detecting the magic 100% of the viruses most likely to bite you than any other program, and keep you there.
     
  22. anton

    anton Eset Management

    Joined:
    Oct 25, 2002
    Posts:
    210
    Hi Guys,

    In light of the subject of this thread and the latest postings, it makes sense to look at this particular BAT file:

    @echo off
    resident.bat

    filed in the GEGA IT "Zoo" collection as Vg_71060.bat.

    This file is not a virus ... in fact it is not even anywhere close to being a virus ... and on this alone, I could rest my case.

    However, there is more than just one non-viral file to be taken into consideration. According to GEGA IT's own statement there are many other files (roughly 3%) of this or similar nature in their Zoo collection ... i.e. not viruses per se.

    By their own admission, GEGA IT's test set is fatally flawed and cannot possibly produce accurate detection figures!

    It would take just a few minutes for us to extract the "virus" signatures of all the files in any collection of any benign set of files ... but based on our standards (and on accepted antivirus industry standards) the detection of a non-viral file as a live virus is a false alarm. We will not trash NOD32 with signatures of non-viral files just to make our program look good in flawed tests!

    In my previous reply to GEGA IT I challenged them to participate in public verification of their test at the EICAR Conference. (As I have already pointed out, ESET has performed comprehensive tests of NOD32 v1.329 using GEGA IT's own collection of BAT viruses, and failed to reproduce GEGA IT's results.)

    Instead of accepting the challenge and addressing the subject, GEGA IT posted information on their "small_heuristic_test" ... which is completely outside the topic under discussion.

    Testing the old versions of antivirus products (GEGA IT: "retrospective testing") might be a good academic endeavor (and according to email from GEGA IT, the results are to appear in a "diploma" thesis of the tester) but it says nothing about the capabilities of the current version of the antivirus product.

    (It looks like "academic motivation" to perform these "retrospective tests" may not be the only thing driving GEGA IT, since they have already started "marketing" the test on this forum.) :)

    To provide the end user with relevant information on the heuristic capabilities of an antivirus product the tester must use the current version of the product with signature scanning disabled. This is the only reasonable criterion that might be applied by a client seeking a product with the best heuristic detection.

    It does not appear at this stage that GEGA IT will accept my challenge ... but if they do, and the public tests at the EICAR conference confirm their findings about NOD32's detection then I stand ready to offer my apology.

    Otherwise, I expect the same from GEGA IT and PC-Welt.

    Anton
     
  23. xor

    xor Guest

    Don't post very dangerous malicious code in the forum ! :D :D :D
    This is a highly polymorph batch virus that avoids detection by self deleting lines after resident.bat - you don't see the lines but they are there !!!! :eek:

    *ROFL* what a fun :D :D :D

    Kaspersky is indeed the trendsetter for BATCH-NONSENSE-NASTIES :D
    This is well known a long time now.

    A simple batchfile with COPY _special_file_name flags KAV as Backdoor Optix :D

    This Parasite BAT "virus" or better let's call it "joke" is more silly than the BAT.Silly viruses :D :D :D

    However I am now going to add this DARN DANGEROUS NASTY to detection to save the world :D
    See ya later - I now have to WORK HARD to include this virus which avoids detection by almost all scanners except Kaspersky :D :D :D
     
  24. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    >> In light of the subject of this thread and the latest postings, it makes sense to look at this particular BAT file:

    >> @echo off
    >> resident.bat

    >> filed in the GEGA IT "Zoo" collection as Vg_71060.bat.

    > Don't post very dangerous malicious code in the forum ! :D :D :D

    > This is a highly polymorph batch virus that avoids detection by self deleting lines after resident.bat - you don't see the lines but they are there !!!! :eek:

    You may be laughing now, but you haven't seen its 13 May payload yet!

    See if you're still laughing tomorrow when you find that your mouse cable has been deleted!
     
  25. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    :D At last some humour in this thread :D
     