NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying malware

Discussion in 'other anti-virus software' started by solcroft, Mar 27, 2007.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Below is an antivirus test performed by... well, someone on the Internet, since I don't know him/her personally. The original text is in Chinese, and I've done my best to translate it into English. It makes for quite an interesting read, actually - in summary, the author of the test claims that his/her test results show that AntiVir flags malware only via the type of packer used to encrypt them, and not by actually identifying the malware itself.

    I'm actually interested in what the more venerable members of the forum think of this article. The samples used will be provided upon request to the more established members of this community, should they wish to verify the test results themselves. Anyway, without further ado:


    ---

    NOD32 users will be aware of the program's powerful heuristics, low false positive rate and low resource usage, but many have complained that NOD32 is ineffective against Internet-borne trojans. Many of you will wonder why NOD32 has the greatest heuristics in the world when AntiVir consistently displays better detection rates on various virus-exchange forums: I will tell you why.

    First of all, NOD32 employs a combination of static + dynamic heuristics. Many of you are clear on what static heuristics is, so I will focus on the explanation of dynamic heuristics. Dynamic heuristics is actually using a virtual environment to execute the file and then determine if the file displays malicious behavior, which makes it a technologically superior technique compared to static heuristics, with higher detection rates and lower false positives. By using a combination of both heuristics methods, NOD32 drastically increases detection rates while maintaining FP (false positive) rates at very manageable levels, a readily apparent result for NOD32 users.

    Secondly, while AntiVir displays a very admirable performance on various virus-exchange forums, a closer look reveals that most of its detections are HEUR/Crypted and TR/Crypt.XX.Gen. This calls for suspicion: with almost 700,000 virus signatures in its database, why does AntiVir identify malware with such generic names while NOD32 can give an accurate malware name? I have hereby conducted a test, which will reveal the secret of AntiVir's detection rate and why it reports malware by such names.

    First of all, a normal, non-malware file which has been encrypted by UPX
    http://www.nod32club.com/forum/UploadFile/2007-3/200732412303421430.png

    The same file, packed with UPX + ASPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/200732412403489797.png

    The same file, packed with NSPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/200732412452285821.png

    The same file, packed with NSPACK + ASPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/200732412475050863.png

    The same file, packed solely with UPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/200732412525088032.png

    The same file, packed with EXESTEALTH
    http://www.nod32club.com/forum/UploadFile/2007-3/200732412573850010.png

    The same file, packed with EXESTEALTH + NSPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/20073241303187193.png

    The same file, packed with EXESTEALTH + NSPACK + ASPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/20073241333697379.png

    The same file, packed solely with NSANTI
    http://www.nod32club.com/forum/UploadFile/2007-3/20073241383751111.png

    The same file, packed with UPX + EXESTEALTH
    http://www.nod32club.com/forum/UploadFile/2007-3/200732413162569187.png

    This is the end of the test with the normal file. The next test proceeds with a malware file, and the scan results are displayed in this screenshot:
    http://www.nod32club.com/forum/UploadFile/2007-3/200732413371241656.png

    The malware file, packed with NSPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/200732413401768717.png

    The same malware file, packed twice with NSPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/200732413462576370.png

    The same malware file, packed with ASPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/20073241353646397.png

    The same malware file, packed with ASPACK + EXESTEALTH
    http://www.nod32club.com/forum/UploadFile/2007-3/200732413573286141.png

    The same malware file, packed with ASPACK + EXESTEALTH + NSPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/20073241404998771.png

    The same malware file, packed solely with UPX
    http://www.nod32club.com/forum/UploadFile/2007-3/200732414342411561.bmp

    The same malware file, packed with UPX + ASPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/20073241485442995.png

    The same malware file, packed with UPACK
    http://www.nod32club.com/forum/UploadFile/2007-3/20073241412712196.png

    The same malware file, packed with NSANTI
    http://www.nod32club.com/forum/UploadFile/2007-3/200732414145016680.png

    The same malware file, packed with ASPACK + NSPACK + EXESTEALTH
    http://www.nod32club.com/forum/UploadFile/2007-3/200732414173618456.png

    In conclusion, it is obvious that as long as you add the same types of packers, either to the clean file or the malware file, AntiVir will flag them using the same names, and those who understand what "crypt" means will know that AntiVir is simply reporting the type of packer used to pack the file. In the test, AntiVir continued to flag the sample even though it was often rendered corrupt by adding the packers, indicating that AntiVir flags the type of packer used without taking into account whether the file can be executed. I will make the bold conclusion here that, behind AntiVir's vast signature count, is simply a lot of hot air. At the same time, we see AntiVir and other antivirus software using heuristics to flag a file, which misleads people to think that AntiVir is flagging the file via heuristics when it is actually only detecting the packer. This is a very unfair act, and should not be compared to NOD32.
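To make the article's distinction concrete, here is an added example (my own code, not from the article, Avira or ESET) that does only what a packer signature can honestly do: parse a PE section table, name the packer from its well-known section names, and measure section entropy. The section-name mapping and the minimal PE builder are assumptions for illustration; on two UPX wrappers with different contents it returns the identical verdict, which is exactly why a "Crypt" label says nothing about the payload.

```python
import math
import struct
from collections import Counter

# Section names commonly left behind by the packers used in the test above.
# Illustrative assumption only, not any vendor's real signature set.
PACKER_SECTION_NAMES = {b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack",
                        b".adata": "ASPack", b".nsp0": "NSPack", b".nsp1": "NSPack", b".Upack": "UPack"}

def pe_sections(data):
    """Yield (name, raw_bytes) for each section of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]

def entropy(buf):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def classify(data):
    """Packer name and 'crypted'-looking sections: all a packer signature can honestly say."""
    packers, crypted = set(), []
    for name, body in pe_sections(data):
        if name in PACKER_SECTION_NAMES:
            packers.add(PACKER_SECTION_NAMES[name])
        if body and entropy(body) > 7.0:
            crypted.append(name.decode("ascii", "replace"))
    return {"packers": sorted(packers), "high_entropy_sections": crypted}

def build_pe(sections):
    """Constructed test input: a minimal, non-executable PE image from (name, body) pairs."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    offset, bodies = len(hdr) + 40 * len(sections), b""
    for name, body in sections:
        hdr += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), 0, len(body), offset, 0, 0, 0, 0, 0)
        offset, bodies = offset + len(body), bodies + body
    return bytes(hdr) + bodies
```

Feed `classify` two images built with the same UPX section names but different section contents and the result is the same, whereas a plain `.text`/`.data` image yields no packer and no high-entropy section.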
     
  2. Depth

    Depth Registered Member

    Joined:
    Mar 5, 2007
    Posts:
    3
    Yes, I agree.
    The heuristic detection built into NOD32 is far smarter than that of AntiVir.
     
  3. proll

    proll Registered Member

    Joined:
    Aug 9, 2005
    Posts:
    55
    I agree with you *lol*
    ~~await Avira's response
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Yeah, let's wait. ;) Wonder how, say, Micropoint would stack up. :rolleyes:
     
  5. EQ2

    EQ2 Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    39
    I don't think Micropoint is a heuristics antivirus software
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I don't know, solcroft, methinks your Chinese is pretty good. :)
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying malware

    Hrm. I dunno. I just happen to be bi... tri... quad... penta... erm... something-lingual. :D
     
  8. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    Right:mad:
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    touché bigc ;)
     
  10. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Completely flawed test,

    since it was tested through Jotti; in my own experience these are not accurate to what the software can actually detect. The same goes for VT, although that is better than Jotti.
     
  11. ASpace

    ASpace Guest

    Solcroft, really good review. ;)
     
  12. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    I look forward to Stefan's comment on this, at first glance it appears to be nothing more than agenda-driven BS.
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I have known about AntiVir's "crypt" detections for quite a while now, but some of the results for other AVs are really surprising. Hmm... Even BitDefender, which supposedly has a brilliant static unpack engine, is not detecting the repacked files?

    Would it be possible that the files got corrupted during the process of repacking?
     
  14. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I doubt BitDefender would only detect ONE of the real malware compared to NOD's SIX (Dr.Web was FOUR, btw).

    Either way, Jotti is poor... so this is not accurate at all.
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Yes. As stated in the article. And to HiTech, I'm only taking credit for translating it. :D
     
  16. EQ2

    EQ2 Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    39
    In China, nobody can install them to test, so they can use VT and Jotti to test.
     
  17. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Actually, AntiVir offers a free version of its product. Why can't you install it?
     
  18. EQ2

    EQ2 Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    39
    Because I want to test not only NOD32 and Avira, but also other AVs.
     
  19. EQ2

    EQ2 Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    39
    Yes, I think Dr.Web is better than NOD32.
     
  20. ASpace

    ASpace Guest

    Oh, not necessary. I already finished my Chinese and English lessons and I got an A+ on my exams. :p
     
  21. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Erm, I didn't say that.

    Just stating I don't like Jotti for testing, or VT either... although VT is more accurate than Jotti, it's still not 100%, far from it.
     
  22. ASpace

    ASpace Guest

    Why do you think so? VT always uses the latest signatures as well as the best protection settings for each program. I find its results reputable.

    Well, Jotti is a little bit debatable. ;)
     
  23. EQ2

    EQ2 Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    39
    Yes, I think so, because they can't detect accurately. For example, Kaspersky has Proactive Defense, but Jotti and VT can't detect.
     
  24. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Why?

    Countless viruses detected by my Dr.Web are 'not found' on VirusTotal for the same AV, so not reliable at all.

    It's good only as a guide, or an idea to check for FPs, that's it.

    Edit: and Jotti is even worse in this matter.
     
  25. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    ...and as we know in the entire Solar system. :D
     