Nod32 interferes with Trojan Hunter!

Discussion in 'NOD32 version 2 Forum' started by Melkor, Dec 7, 2003.

Thread Status:
Not open for further replies.
  1. Melkor

    Melkor Guest

    Ok guys, got a problem here:

    I use Nod32 in conjunction with TH (much better suited for Trojans, and can even block unknown ones).

    The problem is, whenever TH tries to read a Trojan file that's already in the Nod32 definitions base, Nod32 pops up an alert window AND PREVENTS TH from analyzing the file - in the end TH does not detect it and sometimes FREEZES so I have to close it manually through the taskbar. VERY annoying :mad:. But when I disable the 'scan on "open"' option in the Amon setup, the TH can carry out its work unhindered.

    And I'd like TH to have "priority" over Nod32 when it comes to Trojans, for the reasons I mentioned B4.

    But I read another previous thread where it was highly recommended to leave the 'open' option on for Amon to be able to detect malicious scripts or something.

    An AV is not supposed to detect Trojans (ATs are much better suited, and some such as TH even have Trojan heuristics, which no AV, not even Nod32 or AVP, does). Nod32 may be an almighty virus hunter, fine. Let it do its job, let TH do its own, let none interfere with the other. That's the definition of a well-organized multi-layered defense.

    So anyone have an idea as to how I can get TH to read the files BEFORE Nod32 does?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Hi Melkor,

    Actually you are not going to be able to do this. In almost all cases (not just with NOD32) the resident Anti-Virus products running with on access/open settings will always take priority over other scanners. If the AV product in question has detection capability for the specific piece of malware in question, it will block access to it and alert the user since that is its job - protecting the system.

    Now, I understand what you are saying about trojans versus viruses, but no AV product has the ability to know that it is your anti-trojan that is making the access happen. It doesn't care, all it sees is an access attempt to an infected file so it reacts.

    If you used KAV or NAV they would do the same thing. The option you do have is to disable your resident AV while doing scans with your AT product. Many people do that to get around this issue.
     
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    I personally recommend the following:
    AMON, IMON, EMON (if you have Outlook in corporate mode) all the time ON, and TH's monitor disabled, but it is fundamental to run TH and scan all your hard disk. Also I recommend you disable AMON temporarily if you plan to make a scan with other AVs, TH, or something like that.
    I think that the trojan detection rate of NOD32 is decent, maybe KAV is better.
    Or you can have AMON, IMON... and TH enabled; if AMON detects a trojan, it will deny the access and you're safe, however if you're opening a trojan that NOD does not detect but TH detects, you're also safe.
    Best regards.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Exactly. That's why people have both their resident AV on-access protection enabled along with whatever form of on-access or in-memory protection their AT product provides as well. If one doesn't catch it, the other will.

    It shouldn't matter which catches it, so long as one does. In the example in the first post, the fact that AMON catches that specific Trojan doesn't mean you aren't as well protected if TH caught it. TH may very well be superior in Trojan detection, but whatever Trojans NOD32 catches are still caught, period. Those that get by AMON should be caught by TH's guarding process if enabled.

    And during any on-demand scans with another product (second anti-virus or an anti-trojan), disabling the resident product will prevent double scanning of all files.
     
  5. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    Yep yep yep. NOD32.....TDS-3.....Process Guard
     
  6. Melkor

    Melkor Guest

    Bah! As I said, no AV was ever designed for anti-trojan warfare. KAV may have a much larger trojan signature base for sure (even including dialers & stuff), but since, like any other AV, it lacks trojan heuristics, it is as powerless as any other AV when it comes to new, unknown trojans...

    I know, I know - in fact that's the very reason why I hesitated before starting this thread. But like I said, it's a question of organization. For there is one certainty: any trojan caught by Nod32, or even Kav, would have been caught by TH, TDS, or even a lower-end but decent AT.
    So let each do its job. That would spare having to disable the AV whenever one wants to launch an on-demand AT scan. Remember that the TH scanner freezes whenever it tries to read a file caught by Nod32. Fortunately, it is not so with the TH guard...
    Still, AV interfering with AT scanner can be very annoying at times.

    Besides I like watching TH in action unhindered. It's a nifty little prog, as clever as TDS yet like Nod32 uses very few resources...

    Perhaps a good idea would be to separate the Nod32 definitions base into 2 distinct databases (Viruses & Worms for n°1, (non-infectious) Trojans for n°2) and have 2 tick-options for Amon: scan for viruses/worms, and scan for trojans, so that users could disable the second option! :D
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Okay, but if KAV (or NOD32) were to miss a trojan that your AT product recognizes, the AT product will still catch it. The fact that most AV products take first crack at a file does not mean that if they miss it, the AT product can't still catch it. You seem to be confusing an AV catching a piece of malware first, with that AV preventing an AT from catching a file it does NOT see as malware.

    Why? Caught is caught. If one package stops it then you are protected. It is not "more stopped" because an AT stopped it.

    But, regardless of all that... What you are proposing is not ever likely to happen. No AV package (not NOD32, NAV or KAV or others) will ever disable itself on the concept that an AT is running that will catch some malware.

    It's an interesting concept, but no AV could ever know for certain that an AT is running active, and will handle the malware. It just doesn't work that way.
     
  8. Melkor

    Melkor Guest

    Negative, I'm NOT - it's obvious, too: if AV catches it, no need for AT to read it (but as I said, it would have also caught it anyways), but if AV misses it, AT will still catch it.

    The problem is when the antivirus DOES catch the trojan!!!

    It's just that, well, seems silly but it would be more "elegant" if each app focused solely on what it was meant to catch. Nod32 hunts down viruses and does a good job, and so does TH with trojans. Nod32 having added trojans to its base (that TH would ANYWAYS detect) is just a waste of memory AND resources, that's all - notwithstanding the possible consequences of having an AV interfering with an AT in case the AV DOES catch a trojan (app freezes & so on). See now what I was getting at when I spoke of 'organization'?

    Well should anyone be wise enough to implement my idea ( :D), I think the guidelines would be fairly simple. I know that there exist virus/trojan hybrids (take the magistr worm for example). So a "pure-blooded" trojan would be code that 1) does NOT replicate & infect other programs and 2) does NOT carry any destructive payload (file deletion, disk format or BIOS flashing routines, etc...). So any modern AV should be able to tell between such pernicious apps as viruses/destructive worms and trojans/non-destructive worms that simply try to access the Net and possibly spread over the Net, but without trying to inflict any damage...
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    People are always getting the definition of "layered security" wrong. What you describe isn't layered security, but rather compartmentalized security. To have layered defenses is to have redundancies in place, which in this case would mean having an "AV" utility that detected trojans, and having a dedicated AT utility as backup.

    It is for this reason--because I believe in layered security, that is--that I really think AV utilities should detect trojans. And apparently, the AV vendors agree with me, as more and more, they are adding detection for trojans.

    Speaking of TrojanHunter's "trojan heuristics"... Has it ever actually caught a new, unknown trojan? (Just a question.)
     
  10. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    > The problem is when the antivirus DOES catch the trojan
    Why do you consider it a problem?
    The main matter is the following: try to have the computer as secure as possible, regardless of whether NOD detects the "X" trojan, for example, or TH detects the "Z" trojan. The important thing is that the computer will not get infected by adware, spyware, keyloggers, viruses, trojans, worms, etc., independent of which on-access monitor detects those.
     
  11. Melkor

    Melkor Guest

    Fine - nothing wrong with that - but in that case AV utilities might as well complete the job & start implementing trojan heuristics too, so as to have "real" built-in AT capabilities. Then we could really call it 'multi-layered' defense when using AV in conjunction with an AT, perhaps. Nod32, Kav & others just having a trojan signature base is not enough...

    ...and a good one, too. Switching off the signature detection is not possible with TDS or TH, so I was unable to check this one myself. :doubt: Besides, there are no "self-mutating" test trojans to be found on the Net, making the task even more difficult. It is one of the few that can block & clean the 'beast' trojan without terminating the host process & without needing a reboot, but then again, I'm not sure this has to do with its heuristics feature. The following thread *seems* rather objective as it was not written or sponsored by any AT software developers:
    http://www.anti-trojan-software-reviews.com/
     
  12. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    IMFO, that reviewer is a complete nitwit. He harps on BOClean for not having a file scanner, but that's the whole point of BOClean--it watches out for stuff that gets by your other file scanner! And in the same breath, he praises an AT utility that doesn't even operate in real time. This makes no sense to me.

    But as for TH's "trojan heuristics", who is to say it's not just a gimmick? I was seriously wondering if it has ever caught anything that lacked a signature.
     
  13. Melkor

    Melkor Guest

    um...U sure about that? Check again: he does place it in the "Highly Recommended" category and says:

    "With BoClean running we could detect no effect on the performance of our PCs. Even with the slowest machine, a 450MHz PIII, we couldn't perceive even the slightest decline in responsiveness. BoClean is a very resource efficient product, the best of any product we tested. The only way you know it's there is from the presence of the task bar icon and its brief, once-every-ten-second flash.

    Lean it may be but it's mean as well. BoClean really pounced on the trojans in our signature file currency test. It did well in both our 2002 and 2003 tests and there can be little doubt that the people at BoClean are doing an excellent job keeping the signature file database file up to date.

    Overall we were impressed by BoClean's monitor. In our opinion, it's the best anti-trojan monitor in the business."


    So except for the fact that in the end he mentions the lack of a file scanner (isn't it nice to be able to launch an on-demand scan on a particular file? ;)), the overall review on this AT seems more of a praise to me.

    As for "praising a utility that doesn't operate in real-time", I guess U mean TDS - perhaps it does hog the CPU, nevertheless, it has acquired, one way or another, its "N°1 place" amongst ATs - like it or not. Figure out how...

    huh-I don't know. TH is a young program (like Nod32) that only a few years ago did not receive such high ratings as today. Programs evolve. Remember that at the time of the 'ILoveYou' virus epidemic, there was apparently only one AV that caught it - Viguard, I think. It is only "recently" that AVs such as Nod32 started to rise up & distinguish themselves from the rest of the pack. The same thing could apply to TH.

    Anyways U still seem to believe in TDS' heuristic capabilities, for they are well known (but I'd like to be able to test these as well - any test trojans out there?). You seem puzzled by the fact that according to reviewers TH can do almost the same job as TDS, but in real-time. But IF, unlike TDS, THguard scans in memory instead of scanning the files, whilst using the same heuristics as TDS, that might explain the apparent contradiction.

    It's only a pity TDS uses that much resources. (I value my RAM & CPU). Otherwise it would make a perfect permanent choice, given the reputation. There a few ATs out there that are known to have trojan heuristics: TDS, TH, Digital Patrol & possibly Pest Patrol. There may be others...

    The following is another shareware site listing some famous AT products, but - here we go again - TDS is still rated no1, just to warn you so you don't get a bad surprise :D
    http://www.wilders.org/anti_trojans.htm
     
  14. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    > TH is a young program (like Nod32) that only a few years ago did not receive such high ratings as today.

    Wrong assumption. NOD32 can prove at least 13 years of history. And remember - users were those responsible that trojan detection has been added to AV programs...
     
  15. Melkor

    Melkor Guest

    When I say "young" I mean "young as one of the BIG AVs".
    Remember the 'ILoveYou' virus - at that time, no standard AV could catch it. Same with the deadly Magistr. Nod32 (and others) may have gone a long way since then, nevertheless it is still "young" as a "good AV"...
     
  16. iztok

    iztok Guest

    HI!

    KAV detected all versions of ILoveYou, without an update!!!

    Protection from even unknown viruses
    Kaspersky® Anti-Virus Personal is powered by a unique integrated technology for unknown virus searching, based on the principles of second-generation heuristic analysis. Because of this, the program is able to protect you from even unknown viruses. The highest effectiveness of Kaspersky® Anti-Virus is proved by the fact that it was the only anti-virus in the world that repelled attacks of all "ILOVEYOU" virus variations without any additional anti-virus database updates.

    This text is from Kaspersky web page:
    http://www.kaspersky.com/buyonline.html?info=25
     
  17. Melkor

    Melkor Guest

    I know, I know - that's the case TODAY for most good AVs (KAV, Nod32, Dr Web, F-Secure, NAV, etc...). But I was talking about the past, when 'ILoveYou' first appeared.

    BTW I like the link U mentioned - very objective... :D
     
  18. iztok

    iztok Guest

    When ILoveYou appeared, KAV detected it without upgrading!!!!

    Bye
     
  19. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    No, KAV detected most of the in-the-wild variants without an update, but some encrypted variants needed a special update, and what the Kaspersky web page says, that it detects ILoveYou variants without an update, is true, but via KAV Script Checker and NOT via the typical bases or standard heuristics.
     
  20. Melkor

    Melkor Guest

    That's certainly not what I heard, but huh - if U say so. Nevertheless, KAV is not that recent an AV, so that was the least one could expect of it even at that time...
     
  21. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Dear ladies and gents,

    Please don't turn this thread into a "NOD32 vs other Antiviruses" thread, and stay on initial topic.

    In case anyone feels the need to discuss NOD32 in regard to other antiviruses, the "other antiviruses" forum is the place to go - and has been used for that purpose in the past.

    Thanks in advance,

    paul
     
  22. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
     
    ROFL

    Just to set the record straight .........

    When LoveLetter appeared, I owned AVP Australia ... so I'm not just quoting some marketroid snake oil ... I know what I'm talking about.

    AVP was very fast with an update ... one of the first (if not the first) in the world ... but AVP did not detect LoveLetter without an update!

    If AVP had detected LoveLetter heuristically, Kaspersky Lab and all the AVP distributors (including me) would have been shouting about it all over Usenet and the Internet ... but we weren't ... see http://groups.google.com/groups?selm=391180d6%40grissom&oe=UTF-8 for the very first AVP Usenet post about LoveLetter.

    A little-known (at that time) opposition antivirus program called NOD32 actually did detect and block LoveLetter (and its subsequent variants) heuristically, as an unknown virus ... but of course I didn't say anything in Usenet about that. :)

    Check the records ... NOD32 has detected and blocked more new viruses heuristically (including Big Name "killer" viruses like CIH/Chernobyl, Melissa, Anna Kournikova, Homepage, Marburg, Frethem, Klez, Sobig, Opaserv, Yaha, Swen, and many more) than any other antivirus program in history ... including the grandfather of heuristics, Frans Veldman's awesome ThunderBYTE!
     
     
  23. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    And, as usual, the people running the most powerful heuristic engine of all, CSH or "Common Sense Heuristics", didn't get hit with it either.

    KAV and NOD32 are both good products. Can we shut up about it now?
     
  24. Morgoth

    Morgoth Guest

    Darn! Never heard of this new technology. Is there a trial version available? :D
     
  25. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Based on what I see, I think the product has been discontinued.
     