New MyDoom.M worm NOD32 detects it via Heuristics.

Discussion in 'NOD32 version 2 Forum' started by tempnexus, Feb 16, 2005.

Thread Status:
Not open for further replies.
  1. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    I think you are probably being a little harsh here - no-one in those threads even said they had advanced heuristics turned on!


    First thread - Raptess - no mention of AH until Marcos mentioned it - and then no-one bothered to ask if AH was turned on.

    Second thread - WorldCitizen - never mentioned AH - Ronjor did this time and again, did NOT ask if AH was turned on.

    Third thread - thecrow - no mention of AH - not ONCE in the whole thread!

    So saying that AH failed without so much as a shred of evidence - it's a bit much in my opinion... basic-H might have been the only protection in use - deep scanning of archives might not even have been turned on... who knows.. but you have jumped to the conclusion that every single user had NOD32 optimized for best protection - which is definitely NOT the norm in my experience.

    regards

    Greg
     
  2. Gauthreau

    Gauthreau Guest

    Did you even read my post? I explicitly stated that “This isn't a knock against NOD, but rather a recognition that it isn't going to get them all”.

    I am not missing the point here. In the original post, we can see that it took NOD a WEEK to provide proven signatures. NOD’s reaction time of one WEEK is not going to cut it (read “sitting on your laurels”). In the case of the other threads I posted, NOD’s reaction time can be seen as much as FOUR months! Basically what it comes down to is that AV producers are being reactionary. NOD does a better job than all others in that their AH are great (AH ARE proactive), but they are lacking in providing quick proven signatures to known viruses. For the most part, AV producers wait until a virus spreads to the point of being a rampant outbreak until they are willing to do something.

    Come on now, if we are proactive instead of reactive we can prevent the viruses from really causing harm in the first place. After all, AH are designed to detect zero day viruses so as to alert the users, and more importantly the AV producers to new threats. It is at this time that they should provide proven signatures. It is at this time that we should be taking notice. Do not wait until the virus is running wild.

    The only way to improve is to constantly strive for excellence. AV producers need to be proactive to the utmost. Complacency will only produce poor results. If NOD is willing to settle for second best, then ignore the suggestions from customers and listen to only those that are willing to give them the big stroke.

    I know that NOD is willing to listen to customers. They are willing to make an effort to improve their product. Asking for improvement is NOT the same as saying the product is crap and that we should ask all other products to improve – such as you did Stan – which is ridiculous; rather, taking an objective and critical point of view is the only way of identifying areas that can use improvement. Stating that because other AV products could use improvement and that they miss viruses too, really only highlights your view that it’s ok for NOD to miss them as well. The links I provided were only examples that were found by a quick search of the posts here and should be used as a wakeup call to all those who believe so strongly in AH.

    Returning to the idea of dark figures, the 3 posts I presented represent an extremely small fraction of the total NOD32 users who experience problems with a reliance on AH. How many others experience problems but don't post? How many users don’t experience problems and don't post? Both are dark figures, but again AH are only part of the solution, and they can always use improvement. And as was the original point of my post, Eset can use improvement on providing proven signatures for known viruses. There are no two ways about it. A week to provide proven signatures is in no way “timely”.

    Don’t shoot the messenger.

    Strive for excellence and you shall achieve, settle for less, and you shall receive nothing more.

    Neil
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Informed and rational comments are strewn throughout this thread and if I may....as a very impartial bystander....offer a comment. I take that quote from Stan just as a way to express my opinion.

    Qualifiers:
    1) I am not a gung ho AV user....no matter what Company we are speaking of
    2) This is a Nod Forum and I'll attempt to keep my thoughts\comments in that direction.

    I'll offer a different twist to Stan's post using what I have read by many of the same folks in this thread along with many others....not only in this Forum....but others strewn around the Net. I'm an AV ....plain and simple.

    my twist:
    Average Joe needs Company A to provide timely definitions and good heuristics for the best overall protection given today's Internet environment.

    IMHO....this thread and others similar....boil down to differences of opinions concerning timeliness of definitions from 2 camps....and no matter how each camp presents their views....nothing is going to change.

    Camp A....Nod users who are comfortable with the timeliness of definitions and giddy about how well Nod's AH works.

    Camp B....Nod users who are giddy about how well Nod's AH works....not comfortable with the timeliness of definitions and attempt to impress on the masses that other AV Companies are throwing out new definitions every hour due to a new bad boy on the block.

    So where do we go from here o_O
     
  4. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    yes - I read your post.

    There are also times on record when definitions have been released in 24 hours... balance it out a little will you...


    No, you come on now... definition releases are always reactive. If you want to clamor for improved submission-to-definition update times, let's start another thread... one thing at a time here... I'm sure we'll get there in the end...

    Eset and EVERY software producer should listen to users' contributions and suggestions - on that I agree. However, I'm completely understanding that priorities must be made - do we have a new version being written and stick to the planned enhancements, or throw in just one more good idea because it's good.

    I say make a plan and stick to it... push forward hard and get the new release out as fast as possible, then take stock and make a new set of priorities for the next release.... and so on, and so on...


    I agree with your sentiment here -but again there is no real evidence in what you have shown here that AH was at fault in THOSE THREE INSTANCES. I don't disagree and I know for a fact that AH is NOT going to have 100% detection - but if you must argue for improvement - choose some better example threads!

    none of which explicitly state they have AH turned on... point gun at foot - gun - fire.... you have to find better examples to back up this argument - and I am not even arguing against you about improvements - merely showing what a shoddy job you did in backing it up...

    Lots I guess

    Lots I guess

    Improvement on the user interface would be nice - a simple 'high' to 'low' protection factor for the technically challenged would be nice.

    agreed.

    cover your rear better then... I agree with your sentiment - but you have to find better threads to back up the "improve AH" argument.

    Plan it and work your plan and you'll achieve it much faster....
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,027
    Location:
    Texas
    https://www.wilderssecurity.com/showpost.php?p=198429&postcount=18

    Addition of a sample-signature into the database is made on a need-to basis.

    Speed of update and reaction time is of essence. Eset is fully aware of that. Advanced Heuristics has been developed and implemented with that in mind. The only acceptable reaction time is equal to zero. NOD32 achieves that often, e.g. it detected the infamous Netsky.A and Bagle.A heuristically.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Ladies and Gentlemen, play nicely, tone things down or have this thread closed. Enough of the personal attacks.

    Cheers

    Blackspear.
     
  7. Gauthreau

    Gauthreau Guest

    Yes definition releases are always reactive. I stated that in my post i.e. “Basically what it comes down to is that AV producers are being reactionary.” But do take note in the rest of the comment “NOD does a better job than all others in that their AH are great (AH ARE proactive)”.

    AH are a step in the right direction, but again, I must repeat that they are only part of the solution. As for starting another thread, perhaps you should re-read the first three posts by tempnexus – the starter of the thread. I’ll save you some time by providing the following snip from post #3 in this thread:

    In other words, the thread was meant to deal with providing signatures within a timely manner as well as NOD’s AH abilities. But because although NOD detected the worm, NOD did not detect the Trojan

    This is where timely signature updates win the race. NOD is making a concerted effort to improve the Trojan detection abilities of their program, and I tip my hat to them for that, but again, timely is the key. Sure some defs are provided within 24 hours, BUT some definitions are not provided until 4 months after the fact. I believe we should push to make all releases within 24 hours. Tough task, and ultimately not possible, but that in no way means we can’t strive for it.

    My argument is about providing more timely updates with proven signatures (read the posts). When I stated “…examples that were found by a quick search of the posts here and should be used as a wakeup call to all those who believe so strongly in AH.” Translated, that means AH can and do miss a few (I’ve stated this, as have others). We’re in agreement on that. However, it is not saying that AH need to be improved. It’s recognition of the fact that AH are only part of the solution.


    Hello Neil, this is Greg the Pot, you're Black.

    Your argument against the links is weak. It’s a tactic that can be used in one of two ways: 1) because the links didn’t explicitly state that AH was on, they are not valid; 2) because no one explicitly stated that AH were turned off, they are valid.

    What we do know is that NOD missed a few. What we do know is that it took NOD four months to provide proven signatures in at least one of the posts. Not good. Four months. I do not want a virus on my system for four months, feeling that I am safe because NOD has the best AH, only to find out long after the fact that my machine is infected because of complacency.

    And that’s where this thread comes in. Critical thinking and voicing an opinion is the only way that NOD is going to become aware of potential problems. Complacency happens when all people do is stroke them. Does this mean that Eset has to drop everything they are doing right now, and implement every idea thrown at them? No. The point of the thread is to highlight problem areas, to make Eset aware of the problem, and to provide a solution for it. I’m not demanding this as a ‘do it right now’ thing.

    Neil
     
  8. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    NOD32 ships with AH turned on - half the users don't even understand what AH is.
     
  9. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Heuristics are only part of the solution. Agreed.

    I would go a little farther than your comments and say that the majority of defs are provided within a reasonable time frame. Much the same as most other AVs.

    Immediate reaction is the goal, no question.


    Again, I take issue with the use of the word "complacency". Who are you talking about? If you were serving up scores of examples of viruses missed by NOD32, perhaps it would be easier to understand. I could submit examples of viruses not detected by one antivirus and detected by another from 2 years ago that the AV in question still cannot detect--due to the fact that it isn't a virus. Who is being complacent? The AV with the fp, or the AV that doesn't detect it? Or is it me? :D


    Okey-doke! :D

    Good post Neil. I appreciate your opinion, and I agree with the following point you make:

    **ESET should strive to get defs out as quickly as possible--whether or not heuristics catches the bug or not.

    **I don't agree that ESET is complacent or becoming complacent. In fact, I believe they are constantly improving their product and issuing defs at a high rate of speed. And overall, I personally don't believe ESET has a problem with timeliness--not when it's nailing bugs that other AVs are passing to users' desktops.

    I believe that the issue of complacency is more valid when asked of AV vendors who are resting on their "laurels" of wide, all-inclusive def DBs--who get absolutely punished at the desktop by zero-day threats--and not improving their product to be proactive, whether by developing heuristics or another method, as ESET is--as you state.

    Best Regards,


    Jim
     