Losing faith with NOD32 shocker!

Discussion in 'other anti-virus software' started by mrfargoreed, Apr 9, 2007.

Thread Status:
Not open for further replies.
  1. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    I've been a NOD32 user for several years now and always loved the way it runs so smoothly, doesn't slow down my machine, never has had a conflict with other software - BUT today I tried a little test as I've noticed lately that although NOD32 has notified me of the odd threat, I haven't been able to actually delete the file that is causing the problem.

    I downloaded a copy of Roboform by P2P - expecting it to be infected. Downloaded and extracted to my hard disk. No warnings from NOD32, despite there clearly being a crack included. I know that not all cracks are viruses, but the majority are malware of some kind.

    Checked the same file with KIS6 and it notified me that the crack, a .dll file, was a backdoor trojan. It may have been a false positive, sure, but having a possible backdoor trojan with an application that is supposed to encrypt passwords and private information and not being alerted by NOD32 made me feel unsettled. The information KIS6 alerted me about the .dll file took me to the Kaspersky web site where it displayed that several other AV programs had also detected this file as a backdoor trojan (Dr Web, Avira and one other - but no NOD32).

    Now I'd NEVER use a crack, warez, or any other 'dodgy' software on my machine, but the fact remains that NOD32 didn't pick it up.

    Sure, no AV has a 100% detection rate, but KIS6 also picked up two other files in a customization pack that NOD32 didn't - again, perhaps false-positives, but at least KIS6 made me think twice about installing the file (I chose not to, naturally).

    Of course I was never going to install a warez version of Roboform - this was purely a test - but I am unsettled that I got no warning from NOD32. Am I overreacting? Am I right to be unsettled by NOD32 missing what appears to be, by several other AVs, a very probable backdoor trojan?

    I am now tempted to install KIS6 - something I have never considered before until now. I feel that picking up three threats, from an AV that isn't exactly known to give false positives, have been missed by what I had considered to be the best AV there is.

    Oh, and I had my NOD32 set up to Blackspear's settings for advanced protection - everything on 'full', as it were, yet KIS6 I hadn't even started to tweak yet - I just scanned on the default settings.

    After years of happiness, I am, all of a sudden, in doubt about my beloved NOD32. :'(
     
  2. .....

    ..... Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    312
    All anti-virus software misses malware. It's best to submit the sample to all vendors so they can add it to the database.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    In China, many of the die-hard antivirus fans here would be utterly bombshelled by NOD32's poor detection rates.

    Apparently NOD32's scanning engine is ridiculously easy to circumvent using packers/slight code modifications. Personally, I've lost faith in NOD32 a long time ago, despite its wide acclaim in the Western world.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,

    Two is not a sample group. You have 50:50 results. You need a bit more than two anti-virii to decide. Even if NOD missed something, it definitely is not a reason to ditch it, as there will always be something one or more products will miss.

    Finally, why did you download the program via p2p?

    Mrk
     
  5. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    i do like nod32,

    but I've never really been 100% sure about its abilities, sure test results only say one thing which is a bit 2D.

    i don't think you should ditch nod on these few occasions, especially as it's kept you clean for years.

    -------
    he downloaded it by p2p as he was most likely to get a virus with it, as he was testing.
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    ".....I downloaded a copy of Roboform by P2P - expecting it to be infected. Downloaded and extracted to my hard disk. No warnings from NOD32, despite there clearly being a crack included. I know that not all cracks are viruses, but the majority are malware of some kind."

    I use Roboform. Is it cracked? Or is it just the p2p method of getting it?

    Should I dump RoboForm?:doubt: o_O

    Mrk, what is this all about? We need clarity here?:doubt:
     
  7. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    I will certainly do this


    At least I'm not the only one. And I'm probably blowing this out of proportion, but IF NOD32 is missing threats, and KIS6 is picking them up, then if it was any other software (a firewall not properly blocking, a HIPS not securing a system as it claims to, etc) then I would change to software that DID do these things without even thinking about it.



    I totally understand you Mrkvonic - I can't get rid of NOD32 after five years because it has missed a couple of threats (or can I?), but, as I've said above, if another program IS detecting those threats, then I am certainly, for the first time, tempted to change my AV.

    Oh, and I downloaded the program via P2P deliberately to get a crack file/risk of getting a virus to test KIS6 and NOD32 in one of my FDISR snapshots. I like to test security software with FDISR - that's the beauty of the program, allowing me to test, replace the image if infected, and start again from new.
     
  8. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Exactly the reason, C.S.J - no other reasons whatsoever. I wanted an infected file so that I had something to test my AV with.

    It's ok Escalader - it's nothing to do with Roboform itself - it could have been any other program, but I wanted something that was a security application, as a lot of security applications if downloaded by P2P can, and often do, contain malware/viruses. :thumb:
     
  9. ASpace

    ASpace Guest

    Hello. I don't want to discuss the other part - detection or not... but I just want to point out to you that Blackspear's settings make you use AMON with the setting "Clean automatically", as well as all other modules set to clean or delete automatically without any warnings.

    http://pandaman.my.contact.bg/031.gif

    Also note that Kaspersky is the antivirus which supports many packs which other AVs may not, which means that Kaspersky can unpack almost any installer while other products will detect the threat a little bit later (don't know the exact case, but this can also be).

    If you want to see if something is detected while using Blackspear's settings, check the Log files (Control Center->Log files). If you continue using NOD32, make sure you send any undetected sample to email samples[at]eset.com, where [at] is @.
     
  10. mrfargoreed

    mrfargoreed Registered Member

    Joined:
    Jun 16, 2006
    Posts:
    356
    Actually, that's the one part of Blackspear's settings I changed to 'Prohibit access and show alert window with action options'. I like to have a final say on what to delete just in case a false positive is detected and I KNOW 100% that it IS false. I used to use a program to help with repetitive strain injury and because the program installed a hook, naturally to monitor your keystrokes and assess how much I was working, NOD32 would not let it install and clean the legitimate file before I had a chance to allow it to be installed. Since then I've changed this option so I am asked every time.
     
  11. ASpace

    ASpace Guest

    Ok, then. Thanks for letting me know :thumb:
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I cannot read Chinese, and hence the only source I have of Chinese tests is the malware-test.com website which is based in Taiwan and hence offers a decent enough view of all these AVs for the so-called Chinese malware.

    However, I do receive many samples from time to time (and some of my samples come from a Chinese source), and it pains me to see NOD32 not detecting as much as some of the supposedly "worse" products according to other tests. For example, in my sample set, NOD32 detects less than AVG, BitDefender, AVIRA and Kaspersky. It is, however, still a bit better than Dr.Web (for example). I wouldn't call NOD32 "bad", but it certainly isn't among the best.

    If you are a high-risk surfer then I highly recommend AVIRA, BitDefender, AVG Anti-Malware or Kaspersky to you. These four products also scored relatively high in the malware-test.com results.
     
  13. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    firecat i wouldn't be too reliable with that chinese testing site,

    dr.web got 3rd in the december test, which i think we all know is not true.
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    TBH Malware-Test.com is a piece of joke as far as I'm concerned. :D My experience with NOD32 comes from several malware-exchange sites that I frequent, where malware simply bypasses NOD32 on a frighteningly regular basis.
     
  15. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Well, I guess you are right, but still Dr.Web should do really well on detecting Chinese malware because of the hard work put in by the Virus Chaser team on this matter (They add signatures directly to the Dr.Web database). Due to their efforts, Dr.Web should remain at least somewhat good for these tests. This is because China is a major market for Virus Chaser, and hence a lot of focus is given to malware in that region.
     
  16. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country

    No - Roboform is a great little program - free or paid for. Just get a legit copy.
     
  17. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    Sorry to venture off topic, but I thought the regulars on this forum knew that malware-test.com was far from a credible source. :'( Firecat, you even posted in the thread below. :blink:

    Malware-Test Lab: Antivirus Comparison Report (February 26, 2007)

    On topic: I think it's obvious that Eset needs to step up. The recent credible tests show this to be the case as well. I've also been disappointed with their slow response to submitted samples.
     
  18. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    the only credible test is the one performed by the user, surfing the net, download files etc etc.

    the rest are just filled with malware that users will never even get, just for marketing-sake.

    nod32 is a good av, I've tried it ... and it performs well, don't be too put off with this.
     
  19. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    So AV-Comparatives, av-test.org, and a few other independent AV review sites aren't credible in your opinion? With your logic it's also implying that AnandTech isn't a credible hardware review site since you need to test your own hardware. :rolleyes:

    I never said that it wasn't a good AV, in fact I have a 2 year license. However I am not the only one that is a little disappointed with Eset in general. Just look how long NOD v3.0 has been vaporware and was finally released as a public beta.
     
  20. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    you're right. NOD32 went on a way down in the last period... and I don't know whether they'll be again what they're supposed to be.
     
  21. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Yes, I posted in that thread. Still, malware-test results are "interesting" to see depending on viewpoint. Personally, I wouldn't give it too much importance, I just mentioned malware-test as a possible "Chinese malware test" (I did say "so-called Chinese malware", did I not? :)). I've been in contact with someone at malware-test and my impression is that they are not fools, but they are not very knowledgeable either. They did mention to me the point about "Chinese malware", though. But a lot of Chinese tests show strange results, and I was wondering whether there was anything that I am not looking correctly into. :)
     
  22. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Yep, hopefully they'll improve again - they are aware of what the problem is (various threads have been made in the nod support forum about adding/missing malware and speed of virus lab, they usually end up being closed............ and the lack of response/reply to emails sent to samples[at]eset.com) it just depends on whether they are prepared (or have the resources) or see the need to change their policy.
     
  23. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    spot on ;)

    tests are created with 500,000 malware or whatever, that users will just not get, the only test that IS credible is the one created by himself, in his own testing and trials of the software.
     
  24. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Right, Joe Sixpack from Redneckville trying to judge an AV by performing his own tests.

    Just what we need, a horde of clueless people spewing random results into forums.

    No thank you.
     
  25. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    right joe bloggs from wienerville

    I'm not talking about making own tests,

    but in my normal use of surfing and downloading, if i.e. sophos finds more than nod32, i will use sophos. no matter what these tests of half a million malware say, half a million... if the net was 'that bad', i for one wouldn't be on here.
     