NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying malware

Discussion in 'other anti-virus software' started by solcroft, Mar 27, 2007.

Thread Status:
Not open for further replies.
  1. EQ2

    EQ2 Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    39
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    Some antivirus software engines are old in VT.
     
  2. ASpace

    ASpace Guest

    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    Just because their vendors have chosen so. Kaspersky, for example, uses v4 because they believe nothing has changed in detection. If KAV chose, they could force VT to use engine 6, but they think v4 will detect the same as v6 (with the same defs). The same applies for all vendors. And VirusTotal is off-topic for this thread, I believe :thumb:
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    I don't think it is. Jotti / VT... same thing, both unreliable, which makes it right on topic.

    Always good for a 2nd opinion to check FPs, nothing more. Flawed test.

    NOD probably does have the best heuristics out there, as their software is sooooo dependent on heuristics for its detection.
     
  4. ASpace

    ASpace Guest

    Ok, as you like it. VirusTotal has always been reliable, at least for me.
     
  5. EQ2

    EQ2 Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    39
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    I think KAV6 can detect more than KAV5.
     
  6. EQ2

    EQ2 Registered Member

    Joined:
    Jan 25, 2007
    Posts:
    39
    Good, I think so.
     
  7. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    1. Why the hell is it AntiVir vs NOD32 when NOD32 sucks ballz here in all areas regardless!?
    2. Jotti is using Linux versions which are very different from Windows versions of scanners.
    3. What's wrong with detection of crypters if you generate a very low rate of false positives while gaining an enormous detection rate? It's not like we have another QuickHeal here... Sure it misdetects some, but so does NOD32 and all the others...
    4. I really wonder how "innocent" the file in the first part of the test was...
    5. Waiting for Stefan and IC (and IBK)...
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    I agree with RejZoR. Of course Avira sometimes flags packers instead of the malware itself, but its detection rates are very high and they really don't have as many FPs as before. This test has little relevance IMO.
     
  9. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    "sucks ballz" in a good way or a bad way?
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    rothko, is there something good in "sucking ballz"? :D
     
  11. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    Well, that's why I asked. It's not my cup of tea (I prefer coffee), but others may well see it as a good thing. All fine, but here it doesn't really express whether NOD32 is good or bad.
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    "suck balls" = bad in this sense

    i.e. RejZoR was saying that NOD32 performed just as badly anyway (if not worse), so why the hell is there even an AVIRA vs. NOD32 discussion....
     
  13. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Yes, rothko, I know what you mean. I also find it curious to see NOD labeled in this fashion. So I am joining you in questioning RejZoR: c'mon RejZoR, you can't be thinking that NOD is that bad... :(

    EDIT: oh, maybe he meant in signatures aspect...
     
  14. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    In the last proactive test on av-comparatives, AntiVir scored slightly higher than NOD32, with very low false positives.

    NOD32 uses dynamic heuristics/emulation, AntiVir doesn't... AntiVir has done well to fine-tune the heuristic to the level it's at now: high(est?) proactive detection with low false positives. This seems to grate on some people, leading to the creation of threads like this.

    Still waiting for one of the experts to comment, but I don't think AntiVir specifically detects any packer, unless maybe you went into the configuration and selected to detect "unusual runtime compression tools"...
     
  15. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    What makes me suspicious is that no source is given and that the writer (of the "translated" text) sounds like an ESET marketing person and seems to know a lot about how the ESET scan engine works internally.
    I have my doubts about the used samples as well.

    Some points:

    The number of signatures in AntiVir has nothing to do with the heuristic or generic detection. Actually we plan to dramatically increase the number of gens and kick out all signatures that are covered by the gens.

    There is "Crypt" or "Crypted" in the detection name for obvious reasons. There are a "few" other heuristic and generic rules without "Crypted", if the tester would bother to look.

    Who defined that detection by dynamic code analysis is the only allowed way to detect malicious files? Of course it is an advanced and reliable method, but it has its limitations as well. And why bother with unpacking several layers of packers/cryptors (which can be VERY time consuming) when those packers are used 99% by malware authors only, and for cracks or keygens otherwise?

    What advantage has the user if the 25.000th variant of Zlob is identified by its "correct" name?

    Does the user really care how the malware is technically detected?

    Someone noticed Mal/Packer, Packer/*, Bloodhound.Morphine, New Malware.n and similar detections? I guess someone missed a trend.

    The heuristics of NOD32 are not really that good. What really ***rocks*** is their variant detection. Which is faaaaaaaar more efficient! Great job! The "tester" seems not to be able to notice or understand this.

    Now back with me to produce more "hot air"...
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Good answer Stefan. Now a little question... is Avira planning to add variant detection also?
     
  17. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    First we will add emulation/generic unpacking.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    "NOD32 = best heuristics on Earth"
    Does that mean it has no false positives?
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    You may be on to something there, Mr. Kurtzhals. :)

    The website http://www.nod32club.com is affiliated with Version-2 software, which is the official distributor for Eset in China and Hong Kong. Considering this affiliation, it is very well possible that the guy who posted this was an Eset marketing person, as this type of marketing, I believe, is slightly common in China.

    Frankly, I wouldn't be surprised if it was proven to be an Eset marketing person, but I'd rather give Eset the benefit of the doubt. Waiting for the "damage control".

    I'm also seeing some other similarities. For example, there is one borderline-FUD on Eset's global/EU website in the "compare Antivirus products" page.

    See here: http://www.eset.com/products/compare-NOD32-vs-competition.php

    "Unified Anti-Threat Engine - protects against viruses, spyware, adware, rootkits, identity theft"

    Eset = Yes, while Symantec, McAfee, Kaspersky etc. = NO ("multiple components required in a large suite"). This is just plain lying. Kaspersky has only one engine, as does Symantec. McAfee may be dividing into two engines, but the fact is that Symantec and Kaspersky have their unified anti-threat engine in place. The other tests shown are fine, except maybe for the VirusTotal one (because I cannot see the test results anywhere; if anyone knows, do show me :)). But I won't bash Eset for the VirusTotal thing.

    The other parts of Eset's AV comparison tables are fine, but this one paragraph was plain snake oil. As such, NOD32 is a great product, and I do like it (I hold a license), but this comes across to me as "sleazy" marketing.

    I do not understand this. Are you saying that it is perfectly OK to detect malware based on their packers? There is the risk of false positives in such a method, and also it is a sort of "easy way out"...:doubt:

    I agree, it seems the tester's main intention was to downplay AVIRA.
     
    Last edited: Mar 27, 2007
  20. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    No it means the OP probably has an agenda. ;)
     
  21. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    Re: NOD32 = best heuristics on Earth; AntiVir flags packers instead of identifying ma

    Actually, lots of variant detections aren't exactly advanced variant detection anyway. I've noticed that quite often, though they do detect lots of new variants. BitDefender is usually a good indicator.

    For example, you scan some malware, BitDefender detects it as Worm.Bagle.BQ, NOD32 detects it as Win32/Bagle.BQ (both detections are made up).
    Now you repack the sample with some packer and detections will follow like this...

    "GenPack:Worm.Bagle.BQ" for BitDefender and "a variant of Win32/Bagle.BQ" for NOD32. This is a nice indicator that NOD32 also flags just repacked versions as a new variant. Well, technically it is a new variant, but it would be better to indicate the name like this: "Win32/Bagle.BQ (repacked)" or something like this.
    However, like Stefan said, users don't really care how it's named as long as it works. And I can say that as a long-term avast! user, which is probably quite known for its Win32:Trojan-Gen detections. Ok, for me it maybe does matter if I know the malware type, but for most users it's not important at all.
     
  22. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Firecat, if you never ever saw a legal user application encrypted with packer x, why not report it? Who cares if there is a Zlob, Hupigon, Banker, ... below?
    As long as the malware doesn't execute on the customer's computer, (s)he doesn't care if it's the 25.000th or the 25.001st variant of Zlob.

    BTW, AntiVir just doesn't report the plain packer, except for the optional PCK/. There are always additional checks to prevent reports on legal applications. Actually, corporate customers are interested in even "more paranoid" detection!

    Sounds to me like someone is desperately grasping for marketing stuff. Sorry, I don't have time for that. I need to add more "hot air" to protect our customers.
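    The packer-flagging logic that RejZoR's repacked-sample example and Stefan's "optional PCK/ plus additional checks" describe, as an added toy illustration that is not code from the thread or from any vendor's engine. The section names other than UPX0/UPX1, the detection labels, the entropy threshold and the "no imports at all" check are constructed assumptions for the demo, not real signatures.

```python
import math
from collections import Counter

# Constructed packer fingerprints (section names). Which packer counts as
# "never seen on a legal application" is an assumption for this demo.
LEGIT_PACKERS = {"UPX0": "UPX"}            # widely used on clean software
MALWARE_ONLY_PACKERS = {".tcrypt": "ToyCrypt"}  # assumed malware-only crypter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted bodies, ~0 for padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(sections, imports, report_plain_packers=False):
    """sections: list of (name, body bytes); imports: set of imported API names.
    Returns (label or None, reason). Labels mimic the Crypt/PCK naming the
    thread talks about; they are constructed, not a vendor's real names."""
    names = [name for name, _ in sections]
    high_entropy = [name for name, body in sections if shannon_entropy(body) > 7.2]
    for sec, packer in MALWARE_ONLY_PACKERS.items():
        if sec in names:
            # Stefan's point: a packer only ever seen on malware is worth
            # reporting on its own, whatever family sits underneath it.
            return f"HEUR/Crypted.{packer}", "packer never seen on a legal application"
    for sec, packer in LEGIT_PACKERS.items():
        if sec in names:
            # Additional check before flagging a common packer: a clean
            # UPX build keeps a small loader import table (assumption used
            # here); an empty one plus high-entropy payload is suspicious.
            if not imports and high_entropy:
                return f"HEUR/Crypted.{packer}.Gen", "common packer but no imports at all"
            if report_plain_packers:
                return f"PCK/{packer}", "optional plain packer report"
            return None, f"{packer} is common on clean software; not reported"
    if high_entropy and not imports:
        return "HEUR/Crypted.Unknown", "high-entropy body with no imports"
    return None, "nothing suspicious"


# Constructed sample bodies: an odd multiplier mod 256 cycles through every
# byte value, so HIGH has entropy 8.0; LOW is plain zero padding.
HIGH = bytes((i * 7919 + 13) % 256 for i in range(4096))
LOW = b"\x00" * 4096

if __name__ == "__main__":
    print(classify([("UPX0", HIGH), ("UPX1", HIGH)], {"LoadLibraryA", "GetProcAddress"}))
    print(classify([(".tcrypt", HIGH)], set()))
```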
     
  23. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Thanks for explaining that more clearly to me. I'll agree with you: as long as FPs are not made, it's just fine to detect malware in this way. :)
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    :eek: :eek:
    BTW, ESET is going to release a gateway AV (alongside the suite and mobile AV), so more paranoid engines are to come.
     
  25. doctor IT

    doctor IT Registered Member

    Joined:
    Mar 4, 2006
    Posts:
    30
    Hello! :) I think there is a problem with Avira's engine on jotti.com. For about an hour AntiVir hasn't reported anything. Not even a variant of Parite(.B), which in the past it used to identify. I sent an email to the administrator of the site advising him to solve this problem as fast as he can, since a usual user can get a very bad impression of this product after this incident.
     