NOD32 is the Leader in 05/06 AV-Comparatives

Discussion in 'NOD32 version 2 Forum' started by Thiggy, Jun 2, 2006.

Thread Status:
Not open for further replies.
  1. Thiggy

    Thiggy Registered Member

    Joined:
    Apr 16, 2005
    Posts:
    82
    NOD32 leads the list in the 05/06 AV-Comparatives Retrospective/ProActive Test online results found at http://www.av-comparatives.org

    Edit: removed direct link ~ Blackspear

    Now, is everyone here smiling? :)

    I know, I am. :D

    All the best to everyone...
     
    Last edited by a moderator: Jun 2, 2006
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    dthigpen, I have removed a direct link, only links to www.av-comparatives are allowed in accordance with their site rules.

    Blackspear
     
  3. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    which seems silly - but them's the rules... we have to live with 'em! ;)
     
  4. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    And the results show, compared to last "Retrospective/Proactive test" (November 2005), that NOD32 has:

    - improved in detection of DOS viruses/malware
    - improved in detection of Windows viruses
    - improved in detection of Script malware
    - improved in detection of Worms
    - improved in detection of Backdoors
    - degraded in detection of Trojans (from 51% down to 38% :( )
    - improved in detection of other malware
    - improved in detection of OtherOS malware

    (macro viruses were left out? no idea if improvement or not)

    But note the sample set used now seems bigger than the sample set used for previous "Retrospective/Proactive test".
     
    Last edited: Jun 2, 2006
  5. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    The sample set is the new threats from during the three months of update freeze, so it will be different each time.

    Cheers :)
     
  6. minceypw

    minceypw Registered Member

    Joined:
    Sep 25, 2005
    Posts:
    22

    Interesting comparison. Tks for that, kjempen.

    Also, I wonder if the five false positives found by IBK in that test have been fixed by Eset?
     
  7. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    I did not find any real new macro virus during the last three months, that's why there is no Macro category this time.
    Falses were submitted and fixed by all.
     
  8. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    So if you want to run your AV without updating for a while (3 months) you're safer running Nod because that is likely to catch 58% of malware out there?!!
    Still not a good percentage, is it! And who in their right minds would install an AV, any AV, not update it and expect to be safe?
    I'm sorry but any test using def so out of date is totally worthless regarding real world usage of this type of product!
    I suppose it does prove that the heuristics in Nod are the best (most of us knew or suspected this anyway!) but even those are a long way off giving anything like adequate protection on their own.
     
  9. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I believe the purpose of the test is to see how well an antivirus can protect you against 0-day threats; threats that are new, for which no signature/definitions exist yet.

    If you are running Symantec Norton for example, there is a higher possibility you will be infected by a new worm than with NOD32 (for example), because NOD32's heuristics have a high probability of stopping it (shown already in the test performed by IBK).
     
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    The idea is that this test indicates which products offer better zero hour protection against new threats when they first emerge.
    Many of the threats NOD32 didn't detect in this retrospective test, it probably would have if given all the updates until the one just prior to the threat emerging for the very first time.

    Cheers :)
     
  11. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    You have confirmed my thoughts (in a way!). Nod would have, I have no doubt, detected the missed threats if the bases were up to date, but if it missed these just using its heuristics, it doesn't fill me with too much confidence that zero day threats will be detected any better using this technology. I don't think zero day protection is ever going to be anywhere near 100% in reality and the best we can hope for is very fast updates. Nod's are the best but are still not good enough to depend on for protection, and I feel that overplaying their effectiveness can lead to some users being overconfident in their abilities to offer a defence.
     
    Last edited: Jun 2, 2006
  12. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I guess I was suggesting just out of date rather than fully up to date.
    I'm sure nobody is suggesting relying on heuristic detection alone - in fact I would think it ludicrous to try, but in combination with up to date signatures there wouldn't be too many things you would be likely to come across that would slip by it.
    Historically when such a thing is discovered (that is, something that is not detected that you may be likely to come across) detection is added as the highest possible priority, the most significant thing that ESET needs to get done right then - even if it means people getting out of bed or whatever if the need so requires.

    Cheers :)
     
  13. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Ho-hum. Not always, it seems. I sent an undetected sample of Backdoor.Win32.Haxdoor.gs to samples@eset.com on 5/24/06; it's still undetected.
     
  14. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I use both Nod and Kav (on dif machines, before somebody says: "you shouldn't use more than one av" lol) and I have got to admit the frequency of ordinary updates and speed of critical updates from Kaspersky does give me a slight feeling of extra security, although I have never had any problem with anything getting on to either machine, so from experience really this shouldn't be the case (it might be that Nod seems a little "too light" for its own good sometimes!)
     
  15. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi TNT,
    I'm guessing you've read -->THIS<-- post (or one of several others by Marcos detailing similar), and that the sample was not just detected by other products but also working, completely undamaged, not benign when on its own and not just a zoo sample, and that you were able to verify these things? If you can then you have my compliments and my recommendation for consideration for employment by ESET, otherwise be assured that all are added on priority basis, and thanks for sending the sample in - they all help improve the detection. If the sample you sent in hasn't yet been added then that would only be because the team has been very busy adding others that present a higher risk.

    Seriously - if you can verify all those things you're doing well :)

    Cheers :)
     
  16. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    If it was not included because of one of the aforementioned reasons, they should have sent me a reply explaining this, don't you think? It seems a reasonable thing to do, to me. Reasonable user support (actually, I'm not a NOD user, but anyway...)

    Right now, after more than a week, I still don't know the reason why a sample detected by almost everybody else is not detected by NOD.
     
  17. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    That would definitely be nice, to save you wondering one way or the other.

    Cheers :)
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I don't see any sample left undetected from that date, please PM me what email address you sent it from.
     
  19. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    As for your question: no, to be perfectly honest, I was not able to verify that this is not a damaged or non-working sample. Usually, for some simple executable found in the wild (this one was), all it takes is to test it in a sandbox, with (external) application control and outbound/inbound connections monitoring. Also, known malware sites that actively use one or more exploits are very unlikely to push benign executables.

    This one, though, doesn't even start within the sandbox. Of course, this definitely doesn't mean that it wouldn't work outside of it, as there is malware known to shut down immediately if executed in a sandbox. I could set up a VMWare machine and try it out there, but I didn't feel like doing it last time (and besides, analyzing it in a whole virtual OS could be quite a bit of trouble). Or, this could be part of a malware that needs other components to work at all.

    Anyway, enough with the rant. All I really want is to have an answer by Eset. :p They make an AV I respect very much; if this is a false positive by many companies, it should be fixed by them, if it's not, Eset should add it. Simple. :D
     
  20. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Ok, apparently the e-mail was not received for some reason. o_O Marcos contacted me and I gave him the url on which it was found and he confirmed that although it's not detected on file scanning the file it drops are immediately detected upon extraction. :thumb:
     
  21. woodpecker

    woodpecker Registered Member

    Joined:
    Jun 3, 2006
    Posts:
    1
    I am a freshman, I am glad to join you
     
  22. leehigdon3

    leehigdon3 Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    132
    Location:
    Plano, TX USA
     
  23. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
     
  24. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    I don't care what my AV solution detects with 3 month old signatures - it's NOT a real world scenario, and as such - has NO value to me as a "valid" test.

    If a comparative gave a fully up-to-date test ALONG-SIDE the 3 month old, I could see it as more valuable - but the real important issue is how your AV solution performs to threats on the day you are using it, not crippled by 3 month old definitions and algorithms.

    just my opinion though, and of course those that test in this way will justify it....
     
  25. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,819
    Location:
    Innsbruck (Austria)
    Just explain what a retrospective test should look like in your opinion, and keep in mind that it has to be equal/fair. ;)
     