ESET lagging behind KAV?

I've used NOD32 for years and been very happy with it; but of late I've been seeing a rash of new baddies on Qwest's (admittedly terrible) news server in
a number of newsgroups. They are pretty obvious, and I suppose anyone who
opens a file called topless.scr gotten from a newsgroup deserves to get bit,
but I'm bothered that it is taking ESET so long to add them to their definitions.

KAV's online scanner has already identified them as:

topless._scr - infected by Backdoor.Loony.g

PamAndersonNude._scr - infected by Backdoor.Hackarmy.n

but NOD32 still declares them clean even after today's update (v.1.762 (20040516) ).

I submitted the latter file to ESET two days ago. I suppose they'll catch it in the next set of definitions, or the one after that, but it makes me wonder
where the heuristics (which I won't pretent to understand) come in.

All in all, a bit disappointing.

john s.

 

Try to scan those trojans using /ah command.

 

Hmmm.... now this is embarrassing. I don't know how to use the /ah command. There. I've admitted it. I'll google around a bit, and check back
for help if I can't find it.

john

 

there's no need to be embarassed. /ah isn't reall a widely known thing.

just chek out this thread: https://www.wilderssecurity.com/showthread.php?t=9776

 

Thanks, Norky.... I just installed the shell extension and ran the AH scan.
Unfortunately it still didn't detect a problem.

I know that many of the folk here use TDS and/or another program for worms,
but the annoying fact remains that Kaspersky picked these files up, as did
NAV on my wife's computer. I still think I'm pretty safe with NOD and using
caution about opening files, but suspect I need to upgrade defense against
trojans; NOD intercepted one nicely the other week when a web site slipped it into my "Temporary Internet Files." We'll see...

john

 

NOD32 already has some detection for several hackarmy trojans, I guess they will add this new variant soon.

Strange that they don't detect them heuristically though, maybe not much common between variants

 

I just got a note from ESET thanking me for the submissions, and stating that they would be adding them soon. Still, the fact remains that they will be at least three days behind other programs in adding them.

Their heuristics (which are over my head) are probably better designed for viruses than trojans, since that's their specialty. The more I study all this,
the more I am convinced that I need a good anti-Trojan. I just hate to
spend $50 above what I'm already paying for an AV.

john

 

NOd32 has never really been that great against trojans. They protect against them but it takes them a while to add the defs for them. Yeah I've experienced what you have just experienced for a while now. First KAV gets them, then NAV and Bitdefender (almost simultenously) and eventually NOD32. Althought NOD32 sometimes gets them before NAV OR BIT, but rarely before KAV.
I find KAV far superior BUT it slows my system down to a snail What KAV needs is a dedicated PC to peform real time scans. That's why I use NOD32, it's well mainly becuase of resources and not due to it's scanning record. NOD32 impact my system as much as virtually no AV at al. So if I had a choice between no AV and NOD32, logically I would use NOD32. It is a good first line of defense, but not a system shield.

 

For a good AT, get BoClean. They have great Memory Scanner, BUT they don't have a system scanner. So if you want to scan a file before you execute it then BoClean is not for you. TDS-3 will scan the file and your system for infection BUT it's resident execution protection is not as rebust as BoClean.
BoClean is great to install on an clean server while TDS-3 is good to install on a personl system at which you actually use and pay attention to everyday. Since even if TDS-3 finds a nasty it will require your action to remove it. Also if a nasty gets executed and is in your memory but TDS-3 doesn't have the defs for it then it will still be in your memory even after TDS-3 gets the defs for it (Assuming you don't reboot your system...at which point TDS-3 scans the memory). Boclean on the other hand scanns the files during execution and then the memory every few seconds after that. Thus if a nasty gets executed and Boclean does't have defs for it then as soon as BoClean retrieves the newest defs it will kill the nasty. (that is if Nasty doesn't kill Boclean ). Also you can set BoClean for set-it-and-forget-it. Meaning that as soon as nasty is detected, it will kill the process and delete the file without user intervention. THe only record would be in the log.

It's up to you to choose.

BoClean is at www.nsclean.com
TDS-3 is at http://tds.diamondcs.com.au/

 

ok i know this post is going to launch an all-out attack on me by NOD32 lovers. but its true that KAV is better than NOD32 when it comes to protecting your system. yes i know NOD32 heuristic is the best specially with the /AH switch but lets admit something, good heuristic should be supported by good database. if i get a heuristic alarm, i'll submit the file and wait, if i don't get response i'll think that its a false alarm. how many of us debugs and disects to see what it is for ourselves? KAV heuristic might not be the best but there is no doubt that its database is the best. i used KAV and NOD32 on my Celeron 850MHz machine with 256MB SDRAM running XP and both were gobbling same amount of RAM and the machine was running good.

 

Does anyone know if the KAV heuristic has been changed significantly in 5.0?

 

BOClean *DOES* have a file scanning system built in. Simply drag and drop a file over the BOClean menu after you open the program, and it will deepscan it for any Trojans/Malware.

Undocumented feature I think, and it works perfectly. =)

I highly recommend BOClean as well, its slick as heck!

 

Sorry No.. NOD32 has the best VB record out there, despite what Kaspersky tells you, just look at the numbers. KAV might detect a few things better, but the fact remains, KAV is bloatware to the core - by the very definition of Bloatware.

NOD32 isn't perfect, and it DOES require a good Trojan backup, but honestly, the NOD32+BOClean setup to me seems way better anyway, and takes zero resources.

KAV on the other hand, brings the best systems to their KNEES with its horrid programming and lagtastic scanning engine. Kaspersky might be good at writing detection algorithms, but the guy needs to head back to school and learn to program interfaces and assembler code for scanning.

 

I'm angree. KAV analyzers lacks in many things: For example, Aleks, a script analyzer of KL can't analyze JS/Cassa polymorphic virus!. KAV analyzers ***many*** time classified a trojan as virus, a worm as trojan, etc. And some KAV analyzers are very rude. ESET virus analyzers are more professional.

 

My concern, of course, is my own system's security, and that looks like it
will be better with a separate anti-Trojan to take care of the trojans. Now...
off to another forum to see how timely the vendors are at updates.

Thanks all who have commented,

john, not even thinking about worms yet... much

 

BoClean has no trial. That rules it out totally IMO. Plus, their web site is selling PC-Cillin 2002!!! Bit behind the times aren't they They also say they only do tech support via email. Again a no-no in my book.

If I were to ever get a dedicated Trojan detection application there is only one I would consider and it is hardly ever mentioned here and that is TrojanHunter. I trialled it about a year ago and it works perfectly with NOD32. I trialled all of them (except BoClean that you cannot trial) and the only one I was even half way impressed by was TrojanHunter. But I don't believe for one second that I should need to fork out twice the amount of money I would if I had KAV, NAV, or McAfee in order to have NOD32. NOD32 is currently the most expensive of the AVs since the recommendation is that you should get a dedicated trojan detector also.

I think a lot of users feel as I do and will go to other AV that cover trojans better than NOD32 does. I don't want a layered approach. That is usually recommended by people who think users have unlimited funds for software and also like to run tons of applications. Only if other AV will not work properly with my particular set up would I then consider NOD32 plus a separate Trojan application. At the moment, I'm ok with just NOD32 but what I will do in the future remains to be seen as it remains to be seen if and when NOD32 will live up to its hype on its web page regarding its ability to be a fine trojan detector.

 

Well personal experiance on my machine, NOD32 has proven to be completely inadequate for Trojans. This is why I use BOCLean, plus, BOClean is also amazingly good at stopping malicious spyware and adware as well. You know, those trojan downloaders like N-Case, Roings, etc. NOD32 doesn't even bother to watch for these and its quite annoying!

BOClean has no demo, because they don't want it pirated probably. They use a digitally signed download system that sends you a personal, signed file, and you click that, and it downloads and installs the product. As a result, I don't think BOClean has ever been pirated.

As for support, Kevin at BOClean answers emails sometimes hourly, i've recieved responses as a rule, within 6 hours of emailing him and his support is exceptional. Updates are daily as well. I want to stop trojans BEFORE they get to my box, and BOClean has been 100% for me so far. I have it set on auto, and completely ignore it, and check the logs once a week and to my surprise, i'm always finding things that slip past NOD32 that BOClean picks up.

Personally, I love NOD32, i've probably been responsible for selling several thousand copies of it (yes, I can prove this lol). But honestly, lately, i've begun to question NOD32. Its internet filtering seems lacking, and its lack of solid trojan protection is absolutely rediculous! Add to that, it doesn't bother stopping or detecting malicious spyware/adware, which sometimes, is more of a threat than a virus!

NOD32 peeps better get on the ball, and soon!

 

Yes, I have assumed that the desire to keep it from being pirated was the reason for no demo. Still, that has to be weighed against the users who will just dismiss it from consideration when they learn there is no demo. The only reason I ended up using PC-Cillin (which is crippleware for their trial) is because someone at dslreports had a bunch of licenses and a friend there got one for me free. PC-cillin is a fine AV (has one very nasty bug but otherwise is really good) but I would never have known that if it hadn't been for being given a free license as I would never have bought it without first being able to trial it. As it was, the nasty bug forced me to get rid of it ( after several months of using it and racking my brains to figure out my weird, awful symptoms...not knowing it was a bug from PCC ). Now, if I had paid for that application sight unseen and used it for several months and then been one of the first to discover the bug...I don't think I would have gotten my money back. The Trend engineer admitted that there was a major bug but said I could just stop using part of the application and that would solve it. So with that lousy attitude, I don't think refunds would be easy. So, I want to trial any application first to hopefully avoid major headaches down the road.

 

My license has six months to go.

Plus, who knows....it may turn out to be the lessor of all evils when I do trial AVs on this XP box (all earlier trials were on the W98SE box and NOD32 is undisputed to be the lesser of all evils on W98SE).
All AV are drawbacks to the use of your box. I don't know which will be least drawback coupled with the best returns in exchange for the drawbacks on this box yet. The only AV I have had on this box besides NOD32 was NAV 2003 that came on it. The drawback there is the most horrible support of all AV probably and DRM.

 

I'll be sure to report my findings. As I have said, I am particularly curious to see what KAV and McAfee do on this box. I'm holding off trialling KAV because 5.0 is so new and there have been reports that it trashes any computer that has NVidia with nView Desktop Manager running which I have. So, I think I'll wait a bit.