Does NOD32 Personnel Agree With (Virus Test by GEGA IT-Solutions)??

Discussion in 'NOD32 version 1 Forum' started by agoretsky, May 1, 2003.

Thread Status:
Not open for further replies.
  1. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    So in layman's terms, the test includes nonsense stuff that iare not viruses and then fails a product that doesn't detect them and passes products that do?

    Isn't that like (was it Cnet's?) the use of simulated viruses in tests which essentially reward AV's for returning false positives and penalized AV's that rightly did not regard them as a threat?

    And as a consumer this tells me precisely what about a product's effectiveness in real world application?

    That's what gets me about tests that have fake out stuff like that (if that's what it is in this case): it's misleading to the consumer.

    So 3% of this test's zoo "viruses" are nonsense crap that aren't badguys and that I'll likely never encounter on my PC and if in the rare case that I do NOD won't waste my time by alerting me to this? Good. But then, why do the testers think it's a good thing to for AV's to ID stuff as viruses when they're not?

    Reminds me of the time someone recommended an AV to me because "it catches things other AV's don't." So I tried it and sure enough it did "catch" things others didn't: legit program and system files. False positives can be as dangerous as real viruses if it leads a user to delete files they shouldn't. D'oh.

    So will GEGA IT please explain the value of this sort of testing to a consumer who wants to know WTH this has to do in ascertaining the effectiveness of protection against real viruses in the real (as opposed to academic) world?
     
  2. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Well at least on the bright side it's nice to know that due to this revelation, GAV will now protect my mouse cable from these dangerous batch files. :D :D :D

    But seriously, it's testing such as this that push vendors in their competitiveness for the market to further add more crap to their sig definitions that don't really serve the consumer at all. And then as I noted above, the vendors can point to such tests and the thousands of "viruses" they protect you from when in truth, IMO this sort of thing is what is "all hype" without substance. :mad:
     
  3. Hello!

    It's true, this file is NOT a virus. I fully agree to you here. But it is a PART of a virus. There are several viruses which do not only have one part (one file), but some more (e.g. 2-3) ones. Part 1 calls part 2, this one calls part 3 - for whatever reason. And maybe it also includes a debug script to create (or drop) a binary virus. Now, what files should an av program detect?

    Most av solutions tries to detect all of the files - if they are part of the virus and would not cause a false alarm (for example, because they are well-known harmless tools, such as Mirc or VNC which are often distributed by backdoor trojans). And if most av programs detects even this files, you can see that these developers have the same opinion I have about this.

    ALL components of a virus, regardless of it's type should be detected. I would not really like to see if just the "trash_disk.bat" part would not be deleted, just because it's not a virus!


    I have NEVER told you this. And if you cite my personal, internal mails to you, please cite them correctly!!! (It's nice to see that you don't respect privacy and all the other stuff I believe in...)

    I told you that about 2-3% of the files in the BAT virus collection are not viruses at all, but (if you only see this one file) non-viral. They are parts of viruses, short debug scripts etc. AND AGAIN: THIS 2-3% ONLY APPLIES TO THE BAT VIRUS COLLECTION - IT'S BEHAVIOUR BY DESIGN.

    And 2-3% reflects about 10 files our of 350+ ones. Nod32's detection score was 2% here. Therefore, even if you don't want to detect this files, I'd expect much more!


    This does not explain why the other av tools detects 100% in our script collection. Because they are fatally flawed, too? You found 2-3 files which you do not detect and call the test flawed, even if this one was performed against several 10.000 files. And Nod32 scored about 92,5% total, lots of other products got a 99,x% total score. And even the second worsest Zoo virus detector scored 96,6% (and 100% ItW, just like Nod32).


    In past, Eset recieved several copies of our virus collections from me, always with a comment like "please report all files which are not malicious to me, so I can remove them", the last one in January 2003 (IIRC on three CDs).

    However, I have NEVER recieved such a message from you. Eset has NEVER reported a file to me that we should remove from our collection. Nothing. Not a single "non-virus" report from your side -- from the BAT virus collection, for example. Nothing.

    (Can we conclude, that you have accepted our test set we were using at this time? The BAT virus collection has not changed much. The files you've mentioned were present for a long time already.)

    But I got mails from several other companies (including large ones and even very small ones) which asked me to discuss about the detection of a few files and so on. And why it would be good to detect or not to detect a special file. In the past three years, we have removed less than 0,05% of our files in the virus database due to "problems", most of them are related to backdoors (think about the legal problems to detect Netbus Pro...). Additionally, we were able to correct the results in nearly all cases, so the end-user will always see the corrected results - this applies to both the magazine tests and to our XLS sheets on our web page.

    And if this was not possible for the magazines (in their printed reviews) anymore, we have corrected our test results and included a proper remark in the test comments section, of course (besides correcting the XLS sheet). All have also published the facts on their webpage - that's how it should work and how we work.

    The PC-WELT test was performed during November and December 2002. It was published in issue 03/2003 which was first selled at the end of January 2003 (please don't ask me, why they are selling the March issue in January -- I'm sure they'll publish the next Easter issue at Xmas of the previous year ;-) ). You knew about the test results since February 2003, including the poor BAT virus detection results. Now we have May and you are now telling PC-WELT and us that something is not correct in your eyes and your sales dropped right now... what caused this delay?


    I cannot attend Eicar this year in Copenhagen. I'm in Magdeburg right now. Eicar is today (Monday) and tomorrow - it's not possible for a student like me to travel a few 100 kilometers right now, just for a five minute test and with all of the costs/fees.


    That's nice to hear from you. :) Last year, at the Virus Bulletin Conference, you asked me why I have not included Nod32 in our retrospective tests and that you'd very like to see the results how Nod32 would perform. And that you have very well designed heuristic methods etc. But today you're telling me that's not really interesting for you anymore... OK, it's your turn to decide this. But please don't ask me next time, why I have not included Nod32 in our test results.

    Of course, we can still include Nod32 in our tests. And if you wish, you are invited to follow these tests carefully in our lab, step by step! (Do you want to join us this week or next week?)


    And please send me a list of products where you are able to perform such a test like you suggests. :) The list wouldn't be long, maybe it only has 2-3 entries? If any? And how can you really be sure that this works as documented?

    Second, every av company has an other definition of heuristics. In some products, it's very signature-driven, in other products it's implemented more dynamically. So you would only need to add a few more "heuristic" signatures in order to get better results. And you'll get results no end-user would ever get. Because he won't use a scanner without signatures at all. And please think about "generic detection", e.g. very generic signatures to (hopefully) detect all new virus variants of a special family which you would forbid, even if this is part of the heuristic future. That's indeed flawed (to speak with your words :) ).

    However, our method (btw, I have NOT invented it) would show how the av products have performed in past against the newest threats. With a wide range of different updates and different WildLists you'll see how the products have performed in past (last week, last month, last year), so you can draw your conclusions to the future how the product will likely perform in the next few weeks/months (NOT years!)


    I'm sorry, but I won't be in Copenhagen tomorrow. Is any of the other forum members able to attend the tomorrow's Eset testing meeting at Eicar?

    cheers,
    Andreas
     
  4. Hello!

    Yes, it was Cnet (and other ones). And I (like many other av people) have signed a letter against this test. And we have never used any kind of simulated viruses in our testset (like from the Rosenthal utilities). Not today and never in past.


    Good question. In this forum, only one small part of the test was ever cited: Scan results, and only these ones for Zoo viruses where Nod32 performed quite poorly (but other products performed quite well).

    I do not saw any postings about the many other tests which were performed in the magazine, like functionality (e.g. internet updates, quarantine area, scheduler...); easy-of-use; service and support; quality and "the return of investment" (what you can expect/get for your money).

    We have spend a lot of time on all these non-virus related categories, but NOBODY seems to be interested in it? Guys, this are the most relevant criteria. Zoo viruses scored almost nothing in the results (maybe 5%? I'm not sure)! We had a focus on a very accurate ItW virus detection, of an easy interface, on speed, on mail virus detection (mail guard) and so on. But NOBODY cites the results of these REAL WORLD criteria? That's indeed bad.

    cheers,
    Andreas
     
  5. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Those real world features are good in terms of ease of use, etc but I know of a very easy to set up and use AV whose effectiveness against ITW viruses is such that I wouldn't use it on my main PC. A nice interface really isn't enough for me if the detection rates of real ITW viruses is sub par.

    You well know that detection of viruses is a critical part of what most people who have a bit of a clue care about in an AV and what they look for in AV tests. And it is what both vendors and users cite when comparing AV's. And as long as tests use obscure zoo viruses and broken viruses and broken bits of BAT stuff to rate an AV's effectiveness, vendors will continue to include tons of zoo viruses and that will never see the light of day (except in tests) and broken crud and try to make the users feel that they're protected because of that. And users in turn seeing such tests will expect the AV vendors to include this stuff, not realizing it does not necessarily have any bearing on their AV's effectiveness against the real world viruses they may actually see on their PC.

    And consumers don't realize that because neither the testers or the vendors will tell them that! I'll have to look but does your test have a disclaimer: we included testing of zoo viruses and non viruses, but pay no attention to these tests because they really don't matter in terms of actual real world protection for your pc?

    If tests such as this don't really serve to suggest that these zoo results are a significant component to an AV's real world effectiveness, then why else would people be haggling over whether it's imperative that an AV catch all zoo viruses that they'll likely never encounter? Because testers and AV vendors have led them to believe that this is important.

    If detection of zoo and crud and non viruses is not as important as whether or not one can have scheduled updates, then why test for them at all? Because it's been done before and AV vendors include them in their defs? What is the real world value, then, of doing the zoo tests with such contents?

    Again, there appears to be a symbiotic relationship between AV vendors and testers: evidently testers include zoo and non working viruses in their tests because AV vendors include them in their sig defs. And AV vendors include them in their sig defs because AV testers test for them.

    The real question is, are these broken bits of what could be parts of a BAT virus valid tests of heuristics or sig defs?

    I ask because for example, some AT vendors included GRC's leaktest in their defs because people got upset that a harmless demo got past their AT. Then later, when people ask, how do I know my AT is working, the vendor points them to the leaktest. Amazingly, not only does the AT alert on the leaktest, but the user somehow feels that he's got a great AV because it does! Of course, it finds leaktest, it's hard coded in the program and poses no danger at any rate. That's goofy, IMO.

    So if the broken bits of code indeed represent a legit test of heuristics, I'd find that interesting. But if it isn't then what is the purpose and value of the test?

    As for generic detection, it seems perhaps not a bad idea. I dunno. If I recall correctly, Rob Rosenberger's been a proponent of that. :D
     
  6. We know about this and therefore, we are using our own (self-written) leaktest applications for every Firewall test. They are based on the ideas of the different leaktest applications, but NOONE outside of our lab has access to the files. And therefore, cheating (oh yes, I would simply call it cheating) is almost impossible. If you check out our test results in PC-WELT 05/2003 (the one with a test of Personal Firewalls), you'll see that we have different results than other leaktests shows which are available at some Internet websites which are using the original applications.

    For the _heuristic_ tests, we're only using ItW viruses, only viruses listed at the WildList and are known to be widespread. Of course, such malware pieces (where the virus needs 2-3 additional files to spread) are not included, this would be unfair in a _heuristic_ test.

    However, in Zoo tests (where usually only malware are stored which are older than about 2-3 months, to give all companies a fair chance and time to add them), such files where the virus needs 2-3 additional files to replicate should be included.

    There are Zoo BAT viruses which contains about 2-3 lines per BAT file, every single file is NOT able to spread and not a virus. But a combination of all of these files is. What would you like to detect? All files? No files? It's not easy to answer these questions, but I'd perfer to detect all files, maybe under the condition that all of the other files which the virus needs to spread are included, too. (But in most av programs, such condition cannot be made. There is only the chance to detect all files or no files.)

    Also, a few BAT viruses require some special conditions to spread, e.g. a MS-DOS 6.22, due to some tricks it uses. On today's computers with Windows or Linux as desktop platforms they won't spread anymore. Therefore, they are ZOO viruses. But would you include such a file in a Zoo virus collection? I'd do it.

    For example, even if a few BAT viruses cannot spread (on today's platforms), almost all of them are still able to execute the damage routine(s), e.g. to delete all files in a special folder or directory. So they are not viruses anymore, but they are still malware (I'm sure you can classify them as trojans right now).

    BTW: I just saw that Eset has added a lot of BAT malware to their definitions right now (see "NOD32 - v.1.407 (20030512)"):
    http://www.nod32.com/support/info.htm

    [...]
    BAT/Alek.A, BAT/Batman.A, BAT/Batman.B, BAT/BTG.gen, BAT/Bug.B, BAT/BVGen.A, BAT/Carbuncle.A, BAT/Code.169.B, BAT/Crodom.A, BAT/D_Smack.1424, BAT/Damang.A, BAT/Geez.A, BAT/Gray.A, BAT/Gray_Lord.983, BAT/Guru.B, BAT/IBBM.Qlop.646, BAT/Invader.A, BAT/Jerky, BAT/Joy.A, BAT/Joy.B, BAT/Kurt.1101, BAT/Lcambat.85.A, BAT/Minus.380, BAT/Newhost, BAT/Silly.53.A, BAT/Silly.55.A, BAT/Silly.63.A, BAT/Silly.84.A, BAT/Silly.BF, BAT/Silly.BG, BAT/Silly.BH, BAT/Silly.BI, BAT/Silly.BJ, BAT/Simple.A, BAT/Skul.A, BAT/Small.C, BAT/SMF.251.A, BAT/Snake.A, BAT/Snake.C1, BAT/Snake.D, BAT/Snake.I, BAT/Sob.B, BAT/Stormy.B, BAT/Stormy.C, BAT/Swing.378, BAT/Sysdata.823, BAT/TNSE.1519.B, BAT/TNSE.1519.C, BAT/Virs.A, BAT/Viru.B, BAT/VR.A, BAT/WaveFunc.Gremlin.1424, BAT/WaveFunc.Grunch, BAT/Winstart.297, BAT/ZipBat.607
    [...]

    However, I still did not get a personal e-mail to my account (that's "amarx (at) gega - it . de") with a report of files we should consider to remove from our collection. Has Anton changed his opinion about the files? Or someone else at Eset? (You can also write to my personal account, if you like.) Thanks.

    cheers,
    Andreas
     
  7. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    Well my personal opinion is :

    - apparantly in the GEGA test set there are files which are in NO CASE VIRUSES, which they admitted in this forum (you may call it part of the virus but these are in no way more cangerous than bunch of rems in code. the only dangerous stuff is that part of the composite virus wich contains spreading routine)

    - is only one file in the test set is invalid respective to the test purpose, whole test is nonsesce and kinda wanna be test....

    - GEGA boys should relly read "Analysis and Maintenance of a Clean Virus Library" by Vesselin Bontchev :D :D

    - maybe ESET should subsidize travel cost for GEGA testers to meet and perform the test under the independent supervisions to clear the issue
     
  8. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Thanks for the response, Andreas. I'm still trying to wrap my mind around it. :D

    "BTW: I just saw that Eset has added a lot of BAT malware to their definitions right now (see "NOD32 - v.1.407 (20030512)")..."

    Yeah, I noticed that earlier when I checked for updates. ;)
     
  9. Kay Tiger

    Kay Tiger Guest

    Maybe you should read this first...

    A Guideline to Anti-Malware-Software testing (292 KB ZIP)
    http://www.av-test.org/down/papers/2000-02_eicar_2000.zip
    Andreas Marx, EICAR 03/2000

    They KNOW what they are doing.

    And if it's true that Nod32 had access to their collection and NEVER reported the "strange files" it's actually Nod32 fault, too!

    It looks like that Nod32 was only looking for a chance to blame them, and their reputation. I was looking at other tests on the Net, which includes Nod32.

    However, in most tests (like the ones performed from the University of Hamburg, Germany) Nod32 was NOT included. They are performing Zoo tests, too. Why is Eset not included here? And at the time, they were tested against Zoo viruses (back to 1999) they performed quite poor.

    Other tests I've found showed that Nod32 performed partly poorly, partly average. But in no test it was really good (besides in speed).

    Maybe you do not want to show how well or bad Nod32 really performs? In all cases, it's the tester's fault. Correct? Fine.

    -- Kay Tiger
     
  10. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    I know this paper :cool:

    o_O

    Apparently they know in theory what to do. But they've blantantly failed in "Unpacking and presorting the malicious code". :D
     
  11. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Li?ge
    Hello,

    Yes of course and NOD32 too : it's a well known fact they concentrate on ITW virus mainly and to have the fastest possible AV.

    See for instance the way KAV works virus/worms/trojans, a lot of packers analysis, etc... but slow.

    That's a matter of personal choice from the developpers.

    AFM, I use NOD32 as resident and KAV on demand.
     
  12. Has anyone noticed the following;

    The two top Anti Virus Products at Virus Bulletin have "so so" unpackers... NOD32 and Norton.. The stronger unpackers don't have the record of the two above ..(Look at McAFee, KAV, AVK, RAV...)

    I'm kind of torn on this..It's nice to have a product that has good strong unpackers, but, then again.. are they really needed? If I can paraphrase Michael from GAV, in a previous post, I think he said something to the effect that programs with "so so" unpackers tend to compensate for that defieciency by writing more and varied detection signatures...

    After all this, everyone may be worrying about nothing. I saw on another post NOD32 detected NetDevil, which is a "warez" trojan.. Maybe NOd32 is enough for the average user who wants good protection from the ITW, a good amount of trojans, and some zoo viruses. (WHy want protection from Zoo viruses?)
    If you want to deliberately infect your computer with out of the ordinary, zoo viruses.. then YOU KNOW YOU NEED KAV OR WHATEVER BECAUSE THAT PROGRAM HAS BEEN DESIGNED FOR THAT!!!! I also run McAFee on another computer, and AVK Pro on another.. McAfee runs good, but AVK Pro is already taking it's toll (in terms of speed and performance slowdowns)...so I am probably going to wait for the new TDS 4, trial that, and replace that with NOD32 and TDS 4 on that machine.. But after reading all these comments and so on, I think maybe NOD32 would like to consider adding script protection to their product..(If it has it I am not aware) But overall, I don't see anything that NOD32 that needs to be supplemented with other software for the average user.. unless, like I said, you like downloading mal ware...(LOL)...
     
  13. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    NOD32 has a script heuristic detection AFAIK...

    Once there has been a heavy discussion on Becky's regarding detection of some text cu't'n'pasted from a (script) virus to a virus description on kaspersky's site...
     
  14. Hello!

    I have a question to all board members: How many of you have subscribed the "Virus Bulletin" magazine and are able to find out, why some program did not got a VB100% award?

    This information is only included in the printed issue and not available at their web site. Only a summary like "passed" or "failed" is available there.

    Thanks,
    Andreas
     
  15. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    I have not. However, I do read the back issues available online.
     
  16. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Archived issues are available at http://www.virusbtn.com

    Either AV Missed virus or it produced a false positive or during bugs or instability was not able to detect virus.

    This only proves NOD32 stability and user friendly heuristics.


    Technodrome
     
  17. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    The reasons varied over the years no matter what they publicly announced. Some did not like their product running a test with default settings right out of the box..others were in transition in building a new engine or feature that were being developed when the tests we held and they did not chose to submit..even others did not feel it necessary to have that testing label on their trophy case..and there are many more reasons...right down to questioning the competency of the individuals doing the test with their product and not understanding how it can be used.

    You also could come up with names of specific vendors who had other reasons..but I will not do this in the NOD forum...so that is your generic answer. And it would be nice if you did not sidetrack then your response to your own question by naming them...this thread is doing well and people are learning.

    Regards,
    John
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,473
    Location:
    The Netherlands
    Andreas,

    For the sake of all - please comment on Antons' post:

    Seems like a very fair deal to me - and most probably the majority from really interested ones.

    Although it's rather an open question - you might as well point out as of why you feel the necessaty - I for one have.

    regards.

    paul
     
  19. I've tried to explain the problems we have found in our tests several times. My arguments are always ignored or some people told me that I'm dumb (to make it short) and that all of our tests are flawed. I have showed you the logs that exactly shows what we found, but they are ignored as well. OK, I see that you are not interested in any further discussion and therefore I'm leaving this forum right now and do not waste my time any longer. Bye.

    BTW: I have just checked the virus collections I got from anti-virus companies in the last two weeks. I got 12 different ones, and only in *two* cases the files are not or only partly renamed. In all other 10 virus collections the samples ARE renamed. Even the reference sample set from the WildList Organisation/ICSA contains ONLY renamed files. And only virus researchers (developers of AV programs) and testers have access to such collections. Do you want to tell me that 84,5% (11/13) of them are dumb or stupid as well?

    cheers,
    Andreas
     
  20. I find it a shame that a disagreement between professional and credible entities - PC Welt, GEGA-IT, and ESET - has taken such an insidious spiral into the realm of personal bashing. I only hope the posts I read here from certain moderators are the opinion solely of that moderator and do not reflect the opinions of ESET. When faced with adversity, true leaders analyze rather than criticize, for only by thorough analysis and genuine desire to improve can problems be solved.

    Regarding the following statement from Rodzilla: "Conversely, some "Zoos" contain so much "crud" ... genuine "live" viruses which have been rendered inert by having their extensions renamed to "non executable" format, corrupted samples, lab samples, "simulated" pseudoviruses, various other "dead" files, etc ... that they are virtually useless as test sets. The results they produce are so far removed from reality that they impart misleading (and sometimes downright dangerous) information about a tested antivirus product's detection abilities."

    I would think that Winevar would teach a valuable lesson here. A virus is a virus, regardless of its extension. Masquerading as a "harmless" and "meaningless" .CEO file, Winevar employed scripts to register the .CEO extension as an executable, thereby allowing the virus to be unleashed in all its glory. It could have done the same with a virus renamed to .JPG and simply changing the registry to reregister the .JPG extension as an executable. As such, whether the files were indeed renamed during the test or not (and my belief, backed up by the log files, is that they were not), seems to me to be a moot point. I would prefer, if "all files" is the option selected, that indeed "all files" are scanned - regardless of extension.

    Regarding the following statement, also from Rodzilla: "An example of the current ratio of In the Wild viruses to Zoo viruses can be found in MessageLabs' January-March 2003 statistics. Every one of the 3,000,000+ viruses they intercepted during that three month period was an In the Wild virus. No Zoo viruses were detected."

    Several new viruses were discovered during that period. At some point prior to their being released into the wild, they existed in someone's Zoo, somewhere. These viruses weren't considered "in the wild" until they began spreading and some unfortunate folks served as the guinea pigs, becoming infected while vendors worked on updates. One example would be the SoBig worm, discovered on January 9th in-the-wild and added to Nod32's detection as of January 10th. Prior to its January 9th debut, this virus undoubtedly resided in a Zoo, if only that of the creator itself. This is not an indictment of Nod32 (I like and recommend the product) but rather an attempt to clarify what I feel is a misleading statement or one that could be construed by some to mean that only the "same old" viruses circulated during that period. Indeed, one needs only look at the number of viruses added to the signature database during that three month period to realize a large portion were new, formerly *not* in-the-wild threats, i.e. from someone's Zoo, somewhere.

    I also wonder at the continued emphasis on the poor detection rate of BAT files. It seems clear to me that it was only a small part of the review criteria and that the reviewer was not pleased with anything from Nod32. Personally, it seemed he criticized features which did not deserve criticism. For example, in the PC Welt review, Nod is criticized for not allowing updates by the minute. While this might be important to that particular reviewer, I fail to see the value in it unless the product in question is a mail server antivirus product or a message service provider plug-in. After all, if all desktops in an enterprise were configured to check for updates every 10 minutes (for example), the resulting network traffic could be overwhelming. And since vendors don't update every 10 minutes, the protective value in exchange for the bandwidth is marginal at best. They also have no particular complaint regarding Nod's support options yet give low marks for it. Conversely, AVK offers similar support services but received a 4 out of 5 possible. Perhaps someone from Eset should contact the reviewer directly and see if they can't help clear up any confusion about the product and help them better understand the features and services provided.

    Certainly the review performed by PC Welt does not sway my opinion of Nod32 and I will continue to recommend it, reinforced by other tests performed by GEGA-IT which demonstrate its abilities. Since I only recommend products that have successfully passed the tests performed by GEGA-IT, and since I do like Nod32, it is my hope that this "situation" will resolve itself amicably and to the betterment of the users themselves. Is it such a bad thing that a weak area was highlighted, pointing to a need to improve an area of detection? My primary concern - after fixing the detection problem - would be to discover why this particular reviewer has such a low opinion of Nod32. It would not be personally attacking Andreas Marx of GEGA-IT who performed only one function of the entire review (and who went to a great deal of trouble to provide professional and timely responses to all questions posed in this thread).

    Regards,
    Mary Landesman
    Antivirus About.com Guide
    http://antivirus.about.com
     
  21. Nautilus-X

    Nautilus-X Guest

    Hmm...

    I am not surprised about Andreas' reaction. I am surprised, however, that Rodzilla, a moderator, felt it necessary to make such an inappropriate and provokative posting that Andreas decided to leave this forum.

    In particular, I wonder about the following statements made by Rodzilla:


    1.
    Immaterial Statements

    "Immaterial. This has nothing whatsoever to do with Eset's current complaint."


    Agreed. If you define material = important to Eset.


    2.
    Obstrusive Statements

    "For the third time: Eset offered to pay your airfare and all other costs so that you could witness a repeat of this test performed publicly by independent virus experts at the EICAR conference. Why did you not accept the offer ?"


    The simple answer to this question is that no AV Tester will ever take any money from an AV producer. Under no circumstances whatsoever.


    3.
    Ignorant Statements

    "Let me get this clear ... you're saying that you went to all the trouble of copying 382 individual files from 244 directories and subdirectories into one directory, then you renamed them all to non-executable (actually *.BA$, not *.BAT$) extensions, then you zipped the directory to send to Eset ... an antivirus vendor ... "to prevent accidential execution" ?

    ROFL

    That's just about the funniest story I've heard this week!"

    Sorry. But this statement is not only immaterial but completely ignorant. An entire testset can be ruined if a virus is accidently double-clicked. On the other hand, tools can be used in order to move and rename files automatically.



    4.
    Unreflected Statements

    "When tested against the first archive of your .BAT virus collection ... the set of renamed and non-executable files ... which you sent to Eset, NOD32 v1.329 detected exactly the same miserable 2% as you reported in your test.

    When tested against the second archive of your .BAT virus collection ... the very same set of files which had not been renamed and were in executable format ... which you sent to Eset, NOD32 v1.329's detection rate was 40+ times greater than you reported in your test.

    An amazing coincidence ?"

    Andreas has posted the log file. The extensions were NOT renamed. Thus, it seems that Rodzilla has (i) not thoroughly read the thread or (ii) wants to suggest that Andreas has faked the log file. In both cases: a very clever statement indeed.

    It may be true that something went wrong with Andreas' test. It may also be true that NOD32 had a problem with the test system. But unfounded accusations are clearly not a promising way to figure this out.


    5.
    Questionable Statements

    "> There are several viruses which do not only have one part (one file), but some more (e.g. 2-3) ones. Part 1 calls part 2, this one calls part 3 - for whatever reason.

    If parts 1, 2, and 3 are all viral in themselves then by all means detect them as viruses ... but if part 3 is viral and parts 1 and 2 (either standalone or in combination) are harmless without part 3 then they are not viruses and should not be detected as viruses."

    IMHO a lot of users will prefer to have the entire virus (i.e. all components) removed from their harddrive. Does NOD32 offer this possibility although non-viral files are not detected?



    6.
    Unilateral Statements

    Rodzilla:
    "Immaterial. Eset is not complaining about the validity of your test on runtime compressed files."

    Eset (cites from the website):
    "Viruses, worms, and other malware are kept out of striking distance from your valuable data ... Scans memory - detects viruses, worms and Trojans which are running. "

    I do agree that it makes sense to differentiate between viral files (which replicate and carry a dangerous payload) and ancillary files (which do not impose an immediate danger). It does make sense to mention if only relatively harmless, non-viral files are not detected during an AV test.

    However, why is Eset complaining that much?

    First, PC magazines usually write their AV tests themselves. They want to sell their magazine and want to present sensations...winners and loosers. In such case, GEGA-IT merely provides the data which is evaluated by someone else.

    Second, Eset should not complain that much because they do not mention all the important stuff about NOD32 either. For example, they suggest that NOD32 (although it does not have a sophisticated unpacking engine) protects not only from replicating malware but also from trojans. I believe, it would be fair to mention that NOD32 should only be used in connection with a good AT scanner. ( http://members.lycos.co.uk/scheinsicherheit/nod32.htm ) Eset does not do this because it would negatively affect sales revenues...


    7.
    Important Statements

    It seems to be pretty clear that at least the current NOD32 build does not suffer from the 2% problem anymore. Therefore, most (if not not all) people will agree that NOD32 is a good and very fast scanner which sufficiently protects from replicating malware. I believe we should concentrate on this.

    (Admittedly, it would have been interesting to know whether the tested NOD32 build had a bug, a compatibility issue or whether something went wrong with the AV test itself. However, I guess that this chance has passed now ...)

    Never mind,

    Nautilus
     
  22. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hey there clueless you have one post in blue and the other in white and they both rant the same thing :D So before you beat yourself black and blue with your opinion..this forum is just fine for NOD..but you certainly know where to send those cards and letters to NOD CEO if you really want to make an impression..here you are just all hot air.
     
  23. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    > Hey there clueless you have one post in blue and the other in white and they both rant the same thing So before you beat yourself black and blue with your opinion..this forum is just fine for NOD..but you certainly know where to send those cards and letters to NOD CEO if you really want to make an impression..here you are just all hot air.

    I have deleted the (identical) posts ... 18 of them so far.

    "CLUELESS"/"CLUELESSROD"/"RODCLUELESS" is just another spineless anonymous troll with nothing of value to contribute to these forums.

    I expect there will be more posts in similar vein from this childish clown.
     
  24. RODCLUELESS

    RODCLUELESS Guest

    Rodzilla, And the other Mods here are a disgrace, and they are destroying any chance NOD, has of becoming a great AV, no one will take NOD serious, After reading this thread.

    Rodzilla, and the other Mods are so unprofessional, why would anyone waste money on this product? The support site is a joke. The Mods unhelpful, Rude unprofessional.

    NOD, CEO is this really the forum, and people you want, providing support for your product, I use NOD but I am considering other AV's.

    Please NOD CEO, move your product to another forum, Where unprofessional people like Rodzilla, wont bring it down, to a laughable product.
     
  25. RODCLUELESS

    RODCLUELESS Guest

    YOU waste both of our time, by deleting my post, It will remain period!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Delete it, I will Spam you to death, but in the End my post will remain, You are a coward!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    You are Clueless!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.