NOD32 is the Leader in 05/06 AV-Comparatives

NOD32 leads the list in the 05/06 AV-Comparatives Retrospective/ProActive Test online results found at http://www.av-comparatives.org Edit: removed direct link ~ Blackspear

Now, is everyone here smiling?

I know, I am.

All the best to everyone...

 

dthigpen, I have removed a direct link, only links to www.av-comparatives are allowed in accordence with their site rules.

Blackspear

 

which seems silly - but them's the rules... we have to live with 'em!

 

And the results show, compared to last "Retrospective/Proactive test" (November 2005), that NOD32 has:

- improved in detection of DOS viruses/malware
- improved in detection of Windows viruses
- improved in detection of Script malware
- improved in detection of Worms
- improved in detection of Backdoors
- degraded in detection of Trojans (from 51% down to 38% )
- improved in detection of other malware
- improved in detection of OtherOS malware

(macro viruses were left out? no idea if improvement or not)

But note the sample set used now seems bigger than the sample set used for previous "Retrospective/Proactive test".

 

The sample set is the new threats from during the three months of update freeze, so it will be different each time.

Cheers

 

Interesting comparison. Tks for that, kjempen.

Also, I wonder if the five false positives found by IBK in that test have been fixed by Eset?

 

I did not find any real new macro virus during the last three months, thats why there is no Macro category this time.
falses were submitted and fixed by all.

 

So if you want to run your av without updating for a while(3 months)your safer running Nod because that is likely to catch 58% of malware out there?!!
still not a good percentage is it! and who in there right minds would install an AV,any AV,not update it and expect to be safe?
I'm sorry but any test using def so out of date is totally worthless regarding real world usage of this type of product!
I suppose it does prove that the heuristics in Nod are the best(most of us knew or suspected this anyway!) but even those are a long way off giving anything like adequate protection on their own

 

I believe the purpose of the test is to see how well an antivirus can protect you against 0-day threats; threats that are new for which there exists no signature/definitions for yet.

If you are running Symantec Norton for example, there is a higher possibility you will be infected by a new worm than with NOD32 (for example), because NOD32's heuristics has a high probability of stopping it (shown already in the test performed by IBK).

 

The idea is that this test indicates which products offer better zero hour protection against new threats when they first emerge.
Many of the threats NOD32 didn't detect in this retrospective test, it probably would have if given all the updates until the one just prior to the threat emerging for the very first time.

Cheers

 

You have confirmed my thoughts(in a way!)Nod would have,I have no doubt,detected the missed threats if the bases were up to date,but if it missed these just using its heuristics,it doesn't fill me with too much confidence that zero day threats will be detected any better using this technology,I don't think zero day protection is ever going to be anywhere near 100% in reality and the best we can hope for is very fast updates,Nods are the best but are still not good enough to depend on for protection,and I feel that overplaying their effectiveness can lead to some users being over confident in their abilities to offer a defence

 

I guess I was suggesting just out of date rather than fully up to date.
I'm sure not anybody is suggesting on relying on heuristic detection alone - in fact I would think it ludicrous to try, but in combination with up to date signatures there wouldn't be too many things you would be likely to come across that would slip by it.
Historically when such a thing is discovered (that is, something that is not detected that you may be likely to come across) detection is added as the highest possible priority, the most significant thing that ESET needs to get done right then - even if it means people getting out of bed or whatever if the need so requires.

Cheers

 

Ho-hum. Not always, it seems. I sent an undetected sample of Backdoor.Win32.Haxdoor.gs to samples@eset.com on 5/24/06; it's still undetected.

 

I use both Nod and Kav(on dif machines before somebody say:-"you shouldn't use more than one av"lol)and I have got to admit the frequency ordinary updates and speed of critical updates from kaspersky does give me a slight feeling of extra security,although I have never had any problem with anything getting on to either machine so from experience really this shouldn't be the case(it might be that nod seems a little"too light" for its own good sometimes!)

 

Hi TNT,
I'm guessing you've read -->THIS<-- post (or one of several others by Marcos detailing similar), and that the sample was not just detected by other products but also working, completely undamaged, not benign when on it's own and not a just zoo sample, and that you were able to verify these things? If you can then you have my compliments and my recommendation for consideration for employment by ESET, otherwise be assured that all are added on priority basis, and thanks for sending the sample in - they all help improve the detection. If the sample you sent in hasn't yet been added then that would only be because the team has been very busy adding others that present a higher risk.

Seriously - if you can verify all those things you're doing well

Cheers

 

If it was not included because of one of the aforementioned reasons, they should have sent me a reply explaining this, don't you think? It seems reasonable thing to do, to me. Reasonable user support (actually, I'm not a NOD user, but anyway...)

Right now, after more than a week, I stil don't know the reason why a sample detected by almost everybody else is not detected by NOD.

 

That would definately be nice, to save you wondering one way or the other.

Cheers

 

I don't see any sample left undetected from that date, please PM me what email address you sent it from.

 

As for your question no, to be perfectly honest, I was not able to verify that this is not a damaged or non-working sample. Usually, for some simple executable found in the wild (this one was), all it takes is test it in a sandbox, with (external) application control and outbound/inbound connections monitoring. Also, known malware sites that actively use one or more exploits are very unlikely to push benign executables.

This one, though, doesn't even start within the sandbox. Of course, this definitely doesn't mean that it wouldn't work outside of it, as there is malware known to shut down immediately if executed in a sandbox. I could set up a VMWare machine and try it out there, but I didn't feel like doing it last time (and besides, analyzing it in a whole virtual OS could be quite a bit of trouble). Or, this could be part of a malware that needs other components to work at all.

Anyway, enough with the rant. All I really want is to have an answer by Eset. They make an AV I respect very much; if this is a false positive by many companies, it should be fixed by them, if it's not, Eset should add it. Simple.

 

Ok, apparently the e-mail was not received for some reason. Marcos contacted me and I gave him the url on which it was found and he confirmed that although it's not detected on file scanning the file it drops are immediately detected upon extraction.

 

I am a freshman ,i am glad to join you

 

I don't care what my AV solution detects with 3 month old signatures - it's NOT a real world scenario, and as such - has NO value to me as a "valid" test.

If a comparative gave a fully up-to-date test ALONG-SIDE the 3 month old, I could see it as more valuable - but the real important issue is how your AV solution performs to threats on the day you are using it, not crippled by 3 month old definitions and algorithms.

just my opinion though, and of course those that test in this way will justify it....

 

just explain how a retrospective test should look like in your opinion. and keep in mind that it has to be equal/fair.