NOD32 in the real world

Discussion in 'NOD32 version 2 Forum' started by rerun2, Oct 13, 2003.

Thread Status:
Not open for further replies.
  1. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I am not an NOD user myself so hopefully I will not show too much bias ;)

    But a recent thread at DSLR http://www.dslreports.com/forum/remark,8201352~root=security,1~mode=flat brought up some interesting questions (IMO). Yes, there is A LOT of snakeoil and unsupported opinions, but if one looks VERY deep, I think there are some legitimate questions that were posed. I know the test people ran in this thread are not what you might call 'professional' but the results are nevertheless rather disturbing. Yes, I am very aware of NOD32's record at VB and other major 'professional' tests, but it does quite poorly in most other tests. Of course the samples might come into question and there is always the argument that "NOD is a pure virus scanner," but still it makes one wonder. Especially if these same samples are detected by a few other respected AV scanners as legitimate virii. It would be nice to get some thoughts in from people here and possibly someone from Eset. I know they are busy people, and commenting on certain points made in the DSLR thread may be pointless. But I think when more and more people read that thread (without a respected source standing in for NOD), they will be inclined to believe the test results blindly and may not look as positively to NOD as they once did.

    Finally, I would like to say that I have the utmost respect for Eset and their product NOD32, and hopefully there will be some "quality" discussion about this subject. The key word being "quality."

    Hmmm maybe someone should test KAV against NOD32 with a dedicated trojan scanner and wormguard :)
     
  2. With malice towards none, I'd like to take a stab answering your question... ;)

    I don't take nothing for granted.. I took those Virii and ran scans with NOD32, KAV Personal Pro, and NAV 2004...

    My results were CONSISTENT...

    NAV and KAV found them all... NOD32, nothing....

    You can see for yourself what the virii was, by reading through the thread and looking at the names of the stuff found on that thread... Realize, though, that I was AMAZED I wasn't bashed at DSL Reports by the NOD32 users, at least not yet... The truth is the truth, plain and simple..

    Needless to say, I did not enjoy finding out that Vampirefo and others may have been right in the past.. In the past couple of months, in spite of the accomplishments NOD32 is capable of, I have seen NOD32 miss more stuff than find.. I am NOT a professional tester, so I am going to get bashed there...I expect it, so, I am prepared.. I am even asking for it, I guess.. Again, for me, the truth is the truth...

    Plain and simple.. I am not saying NOD32 isn't effective... I just think that for my purposes, I didn't see the point in renewing my license... Anyone can say what they want, but when you have 3 AV's that found the same stuff, and one AV that didn't, are those tests rigged? Have the viruses been tampered with? I don't think so.....

    No, I am NOT going to make up for NOD32's deficiencies by buying and relying on an AT.. An AT is simply for layered defense.. I expect my AV to find malware..I do have an AT too, (TH), so I can't say that I don't depend on one.. BUT... I find My AT is a good supplement, not a substitute...

    I hope this post doesn't seem mean spirited because it isn't meant to be... Again, the truth is the truth... NOD32 users wanted proof, they got it... and even then a lot of them have a hard time accepting it.. Sorry......
     
  3. dave s

    dave s Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    19
    Hmmm...comments from ESET?

    ...keeping his bias (and money) for NOD,

    dave
     
  4. One more note.... bias is not a player here for me.. If NOD32 passed the little test at DSL Reports there would have been no argument.. The thread at DSL Reports started when a member asked if KAV and NOD32 are comparable... I didn't start it...
     
  5. dave s

    dave s Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    19
    Not a problem Straight Shooter....I appreciate the information (personally). I've not previously seen the discussion at DSL (and am reading it now). I'm finding this discussion most informative....and looking forward to a rebuttal from Eset.

    best regards,

    dave
     
  6. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    I'm still wondering if the fact that the tests noted in the BBR thread consist of zipped files has in part something to do with some of the test results? Although it has been stated in the BBR thread that if an on demand scan doesn't catch it in a zip file, that means the AV can't detect it at all even when uncompressed, I question that statement given previous discussions here.

    I recall discussions regarding just that issue: NOD not alerting on archived files of viruses, etc. that were covered in the db but instead alerting on the uncompressed files. NOD 2's archive scanning I understood to be improved over the earlier version, but is it?

    While I don't claim NOD detects everything, still at a glance there are at least a few listed in the BBR tests I spotted that I suspect may be covered in NOD's current database and so should be detected unless it's a variant that simply isn't covered. But it's rather difficult to tell which ones used in the test might be covered by NOD due to the limited NOD db encyclopedia available and also potential differences in nomenclature.

    For example, Stoned is listed in the NOD db as one of the oldest family of viruses, but with no specific variants noted. So one can't tell at a glance if the same variants used in the test are also covered and NOD would indeed detect them if it wasn't in a zip file. (Yeah, that sounds lame, but detection in archived files has been an issue with NOD.)

    So, my first question is, is NOD 2's archived file scanning so improved that it would alert upon scanning a zip if the virus is indeed detectable by NOD? Or is the detection of viruses in archived format still an issue?

    My second question is, are the viruses etc used in the tests covered by NOD at all? It's a fair enough question IMO.
     
  7. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    >So, my first question is, is NOD 2's archived file scanning so improved that it would alert upon scanning a zip if the virus is indeed detectable by NOD? Or is the detection of viruses in archived format still an issue?

    Why is this important? A zipped file is HARMLESS! I could care less if NOD detects it while zipped. Why do you consider this an issue? Having said this, I have noticed a big improvement in NOD's ability to detect a virus in zipped form. That is ...as long as you use command line adv. heuristics to scan the file. Since IMON uses the adv. heuristics, I assume the improvement is seen there also. I do not use IMON so I can't speak to that.
     
  8. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Indeed, the Truth is the Truth. The people (and companies) I have admired most in life are those who could face the Truth about themselves no matter how much it hurt; most people (and companies) in fact cannot be honest with themselves. Most companies advertise themselves as "the best" at whatever, and most of us feel that we are always right in a particular argument, yet we all know that all companies cannot be "number 1" and I personally believe that even the smartest of us are wrong about half the time about everything, just look at all the opposing views there are about everything; how can any one of us be so arrogant as to actually think that we are the one person who is always right all the time, yet most of us do just that. (Heck, even someone as brilliant as Einstein was wrong about Quantum Mechanics.)

    Acadia
     
  9. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Mele: Asking whether or not NOD can detect a virus in its database when zipped is a relevant question, since a) many users prefer early detection as many other AV's provide (even AVG as I recall) and b) tests are run by people who proclaim success or failure of an AV based on detection of archived files since major AV's provide that capacity.

    And when such a test is apparently "failed" it's good for all to know if it is indeed a total failure of the AV in coverage for that malware or if it's a technical matter of not detecting malware in archives but the AV does detect some, most or all of the malware before the user can be infected.

    For example, if NOD would detect all those viruses, etc. in the BBR tests if they were not archived, then the test would not be a completely valid test of bottom line virus detection but instead of the program's ability to "candle" archives. Even so, that would be a source of criticism, given other AV's performances, but not a total invalidation of the AV's protective abilities in regard to those specific specimens.

    Thus the question of detection of archived malware is a matter that should be clarified IMO.
     
  10. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    OK. I see your point, but why give credence to those tests done by the NOD haters in the first place? I don't buy a thing any of those persons said. They will go to any lengths to discredit NOD. Personally, the very reason I use NOD is because it is NOT like the "PACK". Eset thinks differently and I for one appreciate that ....I don't have a herd mentality.

    (edited to correct spelling)
     
  11. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    My 2 cents as for virus tests. I can say I have good experience as a pro in virus testing. Gimme a virus scanner and I can perform a test where the results will be as you wish. I can bring them to the heaven or slash them with a hammer and my tests would be reliably replicable.
    All I need to do for this is just careful selection of test samples. Couple of intended viruses, couple of fp, misses and malware and voila... I can produce such a result as desired ... :cool:

    What is reliable virus testing?

    1. You need to have a well defined test set
    2. You must know what you want to test
    3. If you are testing viruses, ALL the samples must be able to replicate. If they fail to, they are not viruses at all....
    4. You have to specify how you performed the test
    5. You have to publish how you computed the results
    6. You have to publish your results (tables, counts, percentages)

    Above are just basics.... If something from the above is missing the test was just for fun and not a real test ....

    Plus if you want to boost some particular product, just include a lot of copies of a file which is not detected by the rest of the pack ...

    I rest my case
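
The checklist in the post above, and its closing remark about padding a test set with copies of one file, can be checked mechanically. The following is an added example, not part of the original post and not Eset's or any tester's code: it counts detections per file and per distinct file content (SHA-256), so duplicate samples stop inflating a score. The sample bytes, file names and scanner names are constructed placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed test set: (file name, file bytes). The bytes are harmless
# placeholders; three extra copies of sample C pad the set.
SAMPLES = [
    ("a.bin", b"constructed-sample-A"),
    ("b.bin", b"constructed-sample-B"),
    ("c.bin", b"constructed-sample-C"),
    ("c_copy1.bin", b"constructed-sample-C"),
    ("c_copy2.bin", b"constructed-sample-C"),
    ("c_copy3.bin", b"constructed-sample-C"),
]

# Constructed verdicts: the file names each hypothetical scanner flagged.
VERDICTS = {
    "scanner_x": {"a.bin", "b.bin"},
    "scanner_y": {"c.bin", "c_copy1.bin", "c_copy2.bin", "c_copy3.bin"},
}


def group_by_content(samples):
    """Map SHA-256 digest -> set of file names with identical bytes."""
    groups = defaultdict(set)
    for name, data in samples:
        groups[hashlib.sha256(data).hexdigest()].add(name)
    return dict(groups)


def raw_counts(samples, verdicts):
    """(detected, total) per scanner, counting every file in the set."""
    names = {name for name, _ in samples}
    return {s: (len(hits & names), len(names)) for s, hits in verdicts.items()}


def dedup_counts(samples, verdicts):
    """(detected, total) per scanner, counting each distinct content once."""
    groups = group_by_content(samples)
    return {
        s: (sum(1 for files in groups.values() if files & hits), len(groups))
        for s, hits in verdicts.items()
    }


def inconsistent(samples, verdicts):
    """Contents a scanner flagged in some copies but not all (test anomaly)."""
    groups = group_by_content(samples)
    return {
        s: sorted(d for d, files in groups.items() if files & hits and files - hits)
        for s, hits in verdicts.items()
    }


def report(counts):
    """Publishable lines: counts and percentages together."""
    return [f"{s}: {d}/{t} ({100 * d / t:.1f}%)" for s, (d, t) in sorted(counts.items())]


if __name__ == "__main__":
    print("raw  :", report(raw_counts(SAMPLES, VERDICTS)))
    print("dedup:", report(dedup_counts(SAMPLES, VERDICTS)))
```

On this constructed set the ranking of the two scanners flips once identical files are counted once, which is why a published test needs both the sample list and the counting method.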
     
  12. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Well as a customer I'd like to know and others who really are just trying to tell what AV would be best for them would be better served by having some generally agreed upon facts (as hard as those may be to come by, given the climate at times).

    I've certainly nothing against KAV. At the time I was in the market for an AV I would have picked KAV if it weren't for the resource issues of 4.0 which was the current version at the time. On an old W98 PC, I was juggling resources as it was to keep performance and resources at an acceptable level and run all the programs I wanted to. Hence my choice of NOD.

    And perhaps some of the samples in those tests aren't all that critical to be covered. Some do not appear to be the latest and the greatest so personally I'm not particularly concerned that I'll run into them and I suspect at least some may be detected by NOD but perhaps just not in the zipped format.
     
  13. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    mrtwolman: oh yes, I've seen "cherry picking" of samples in tests before (as I mentioned at BBR) and there are some people I have no doubt would do that to prove their case. In this instance with that poster I've no real reason to suggest that, although why those specific specimens were selected was not discussed.
     
  14. Mele20, LOL.. I get a good laugh reading your posts sometimes.. I am not a NOD Hater.. I used to root for NOD ALL the time...
    The files I tested the AV's with were all UNZIPPED, Opened with Power Archiver First.. So, this thing about zipped or not doesn't apply.. I am sorry, I would've answered sooner, but I had to go to sleep...LOL...

    PS... I never said NOD32 was no good.. and I am not a NOD32 hater... But I'm not so sure now after the past couple of days...LOL

    PS... Here is a thread that McAfee also found the viruses.. So, they are REAL ...LOL...

    http://www.dslreports.com/forum/remark,8201352~root=security,1~mode=flat~start=200#end
     
  15. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    I'm not an expert but I've been using both McAfee & Norton AV for a long time until I recently switched to NOD32 simply because it finds lots of viruses both mcafee & norton don't.

    A friend of mine who is using Norton recently sent me a file that was infected. He thought I was joking when NOD32 found the virus but I told him to buy NOD32 instead because I've seen how often both norton & mcafee misses viruses that NOD32 finds.

    The point is that no AV is perfect... One AV product will always miss some viruses that another will find, I bet you could do a test that would show that KAV misses viruses that NOD32 picks up as well.

    Sorry about my bad English.
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    The entire basis for this thread is being stretched to the limits of credibility.

    To me "NOD32 in the real world" means this: every instance of an email virus on this computer was caught by NOD32 and disposed of without problems.

    Every instance of my kids getting my computer into trouble was picked up by NOD and taken care of by me, afterwards, with no problem.

    THAT'S "real world" - day-by-day single-home-user regular life Internet activity protection.

    And that tells me that NOD is more than good enough for me. The only "test" I need to see here is my computer being protected daily. Pete
     
  17. GuruGuy

    GuruGuy Guest


    I would question how up to date the definitions were for your friend that is using Norton o_O??
     
  18. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Well I haven't had time to check on these things to see if these test specimens are indeed something that are worth even discussing or if it's a case of intending to "shock and awe" people with things they'll never encounter in ordinary use. If 8tunes is any indication of the threat level of the test set, one might have cause to suspect the rest.
     
  19. I would have to say that if NAV, KAV, McAfee, and Dr. Web ALL detected them as viruses, then it would be a puzzle as to why NOD32 isn't detecting them...

    I think the best thing for ESET to do is "fess up" and admit.. Then add the definitions into their daily updates, rather than try to discredit All the DSL Reports users who are pointing this out... or try to say anything else..
    :)
     
  20. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Shooter, I don't bother going over to DSLR ;) - in principle the fact some AVs flag positive doesn't provide proof - at least not to me. Sig's latest post seems quite to the point.

    Feel free to submit the (zipped) files to me; my addy is in my profile. You might even post some nasties names as well as screen shots ;)

    Grin...hold your horses for a while. I for one would like to have proof we're talking about real hazards here; it's up to you to provide samples to make this possible. In case you feel inclined (and there's no reason in any way to doubt that) provide the samples to samples@eset.com as well ;)

    I've been reading this thread carefully - and fail to see Eset discrediting anyone. That said: what goes on over on DSLR is their business, and this board has nothing to do with it as goes for all sortalike boards having their own threads. If people want to discuss an issue regarding for example Eset/NOD32: this is the place to be - not DSLR or forum X,Y, or Z ;)

    regards.

    paul
     
  21. mvdu

    mvdu Guest

    I'm the one who started the thread over there at dslreports when I was questioning if KAV was the best resident scanner for me, or if I should go with NOD32 resident and KAV backup. It's been very interesting and so far I'm sold on KAV being the right one for me. Something I experienced on my own helped confirm it, though - NOD32 was late to add all those java exploits (like ByteVerify and Needy) that were infecting me. But I am open minded, and would like to see more tests.

    BTW, how many virus signatures does NOD32 have in its database? Are they keeping this a secret? Don't tell me about advanced heuristics, because I'm still interested in the amount of sigs.
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Welcome! You might as well register, in order to avoid name spoofing ;)

    People might agree, others won't. In the end it's up to you (and anyone for that matter) to make his own decision ;)

    A matter of opinion - making sure one installs the needed Windows patches in time surely makes sense as well.

    I for one do like an open mind ;)

    It's irrelevant actually: check for example the signatures from DrWeb (30,000+) and NAV (approx. 70,000+). The difference could worry you. In reality, it's a marketing ploy IMHO. Fingerprinting each and every variant surely does impress people - but does not imply DrWeb does 50% worse than NAV. Just an example, no more, no less ;)

    regards.

    paul
     
  23. mvdu

    mvdu Guest

    Thanks for the welcome - which is NOD closer to in signatures - Dr. Web or Norton? Can you at least answer that?

    I really like the feel of NOD32 and do want to use it - I'm open-minded by nature but even more so where NOD32 is concerned.
     
  24. I have to ask the gentleman who sent me the stuff if it's okay to send them to you ... I think it's only fair... but I don't see a problem... I'll let you know..or send them to you.. and ESET...

    Some of these Threats have been out for WEEKS... I suggest ESET look over the posts from DSL Reports and match the names with their competitors databases.. I don't think I have the time for this.. I have been very busy lately...

    Thanks
     
  25. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    My pleasure ;). As for the signatures: I'm not part of the Eset staff, therefore I could only guess - and that's not in my nature. Although I've tried to point out it's of no relevance at all, in case you feel like it you can always ask this question by sending an email to support@eset.com

    I applaud you for being open-minded: it's a virtue most of the people lack :rolleyes:

    regards.

    paul
     