NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying malwar

Below is an antivirus test performed by... well, someone on the Internet, since I don't know him/her personally. The original text is in Chinese, and I've done my best to translate it into English. It makes for quite an interesting read, actually - in summary, the author of the test claims that his/her test results show that AntiVir flags malware only via the type of packer used to encrypt them, and not by actually identifying the malware itself.

I'm actually interested in what the more venerable members of the forum think of this article. The samples used will be provided upon request to the more established members of this community, should they wish to verify the test results themselves. Anyway, without further ado:


---

NOD32 users will be aware of the program's powerful heuristics, low false positive rate and low resource usage, but many have complained that NOD32 is ineffective against Internet-borne trojans. Many of you will wonder why NOD32 has the greatest heuristics in the world when AntiVir consistently displays better detection rates on various virus-exchange forums: I will tell you why.

First of all, NOD32 employs a combination of static + dynamic heuristics. Many of you are clear on what static heuristics is, so I will focus on the explanation of dynamic heuristics. Dynamic heuristics is actually using a virtual environment to execute the file and then determine if the file displays malicious behavior, which makes it a technologically superior technique compared to static heuristics, with higher detection rates and lower false positives. By using a combination of both heuristics methods, NOD32 drastically increases detection rates while maintaining FP (false positive) rates at very manageable levels, a readily apparent result for NOD32 users.

Secondly, while AntiVir displays a very admirable performance on various virus-exchange forums, a closer look reveals that most of its detections are HEUR/Crypted and TR/Crypt.XX.Gen. This calls for suspicion: with almost 700,000 virus signatures in its database, why does AntiVir identify malware with such generic names while NOD32 can give an accurate malware name? I have hereby conducted a test, which will reveal the secret of AntiVir's detection rate and why it reports malware by such names.

First of all, a normal, non-malware file which has been encrypted by UPX
http://www.nod32club.com/forum/UploadFile/2007-3/200732412303421430.png

The same file, packed with UPX + ASPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732412403489797.png

The same file, packed with NSPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732412452285821.png

The same file, packed with NSPACK + ASPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732412475050863.png

The same file, packed solely with UPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732412525088032.png

The same file, packed with EXESTEALTH
http://www.nod32club.com/forum/UploadFile/2007-3/200732412573850010.png

The same file, packed with EXESTEALTH + NSPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241303187193.png

The same file, packed with EXESTEALTH + NSPACK + ASPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241333697379.png

The same file, packed solely with NSANTI
http://www.nod32club.com/forum/UploadFile/2007-3/20073241383751111.png

The same file, packed with UPX + EXESTEALTH
http://www.nod32club.com/forum/UploadFile/2007-3/200732413162569187.png

This is the end of the test with the normal file. The next test proceeds with a malware file, and the scan results are displayed in this screenshot
http://www.nod32club.com/forum/UploadFile/2007-3/200732413371241656.png

The malware file, packed with NSPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732413401768717.png

The same malware file, packed twice with NSPACK
http://www.nod32club.com/forum/UploadFile/2007-3/200732413462576370.png

The same malware file, packed with ASPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241353646397.png

The same malware file, packed with ASPACK + EXESTEALTH
http://www.nod32club.com/forum/UploadFile/2007-3/200732413573286141.png

The same malware file, packed with ASPACK + EXESTEALTH + NSPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241404998771.png

The same malware file, packed solely with UPX
http://www.nod32club.com/forum/UploadFile/2007-3/200732414342411561.bmp

The same malware file, packed with UPX + ASPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241485442995.png

The same malware file, packed with UPACK
http://www.nod32club.com/forum/UploadFile/2007-3/20073241412712196.png

The same malware file, packed with NSANTI
http://www.nod32club.com/forum/UploadFile/2007-3/200732414145016680.png

The same malware file, packed with ASPACK + NSPACK + EXESTEALTH
http://www.nod32club.com/forum/UploadFile/2007-3/200732414173618456.png

In conclusion, it is obvious that as long as you add the same types of packers, either to the clean file or the malware file, AntiVir will flag them using the same names, and those who understand what "crypt" means will know that AntiVir is simply reporting the type of packer used to pack the file. In the test, AntiVir continued to flag the sample even though it was often rendered corrupt by adding the packers, indicating that AntiVir flags the type of packer used without taking into account whether the file can be executed. I will make the bold conclusion here that, behind AntiVir's vast signature count, is simply a lot of hot air. At the same time, we see AntiVir and other antivirus software using heuristics to flag a file, which misleads people to think that AntiVir is flagging the file via heuristics when it is actually only detecting the packer. This is a very unfair act, and should not be compared to NOD32.

 

Yes,i agreed
The heuristic detection built in NOD32 is far more smarter than that of AntiVir

 

I agree with you *lol*
~~await Avira's response

 

Yeah, lets wait. Wonder how say, Micropoint would stack up.

 

I don't think Micropoint is a heuristics antivirus software

 

I dont know solcroft, me thinks your Chinese is pretty good.

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

Hrm. I dunno. I just happen to be bi... tri... quad... penta... erm... something-lingual.

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

Right

 

touché bigc

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

completly flawed test,

since it was tested through jotti, in my own experience these are not accurate to what the software can actually detect, same goes for VT, although that is better then jotti.

 

Solcroft , really good review .

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

I look forward to Stefan's comment on this, at first glance it appears to be nothing more than agenda-driven BS.

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

I knew about AntiVir's "crypt" detections for quite a while now, but some of the results for other AVs are really surprising. Hmm...Even BitDefender, which supposedly has a brilliant static unpack engine, is not detecting the repacked files?

Would it be possible that the files got corrupted during the process of repacking?

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

i doubt bitdefender would only detect ONE of the real-malware compared to nods SIX (drweb was FOUR btw)

either way, jotti is poor.... so this is not accurate at all.

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

Yes. Per stated in the article. And to HiTech, I'm only taking credit for translating it.

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

In China，no body can install them to test，so they can use vt and jotti to test

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

Actually, AntiVir offers a free version of its product. Why can't you install it?

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

Because I want to test not only nod32 and avira，but also other AVS

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

Yes,I think Dr.web is better than nod32

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

Oh , not necessary . I already finished my Chinese and English lessons and I got A+ on my exams .

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

erm, i didnt say that

just stating i dont like jotti for testing, or VT either... although vt is more accurate than jotti, its still not 100%, far from it.

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

Why do you think so . VT uses always the latest signatures as well as the best protection settings for each program . I find its results reputable .

Well , Jotti is a little bit debatable

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

Yes,I think so.Because they can't detect accuratly.For example,Kaspersky has Proactive defense，but jotti and vt can't detect.

 

Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

why,

countless viruses detected by my dr.web, are 'not found' on virustotal for the same AV, so not reliable at all.

its good only for a guide, or an idea to check for FP's, thats it.


edit: and jotti is even worse in this matter.

 

...and as we know in the entire Solar system.