NOD32 vulnerability in Wikipedia article?

I am currently using NOD32 v3 (started with v2), and am quite happy with the product (though, of course, I have not had an occasion to put its capabilities to test). I have been recommending NOD32 to my friends and family, preferring it over Kaspersky's, Sunbelt Vipre, AVG7 and other products for various reasons. However, today a friend of mine - who is in the market for buying an antivirus product - pointed out a Wikipedia article about NOD32 which says "Eset Smart Security and NOD32 antivirus lack a Self-Protection module, making them vulnerable to viruses and illegal patches."

When he wrote to Eset customer service, they gave him a stock reply which did not address the concern at all, but referred him instead to a few web-based reviews of the Eset products. I found this quite unsatisfactory, and frankly, embarrassing, since I had been speaking so much in favor of NOD32.

Is it possible to have an honest opinion about this particular vulnerability mentioned in the Wikipedia article?

Thanks in advance.

 

In short the self protection of Nod is a joke.

but in its defense of running Nod for the past few years I have had no problem with a virus where it disabled Nod or any other part of the AV.

from what I have read they are working on self protection tho.

 

Hmm but I guess the whole point is prevention so malware shouldn't have been allowed to execute in the first place. Once malware runs, self-protection or not, you should be doing a scan from out side Windows (such as using a rescue disk).

 

I can't see any such claim on Wikipedia. Has it been removed?

 

It was removed in the latest revision.

http://en.wikipedia.org/w/index.php?title=NOD32&diff=236362381&oldid=236298072

 

frankly speakin i have seen a autoit.xx variant, which i handle mostly to have removed nod32 loading module from the startup entry, hence no security from startup....

and its true nod32 has no self protection module, which i think should be a major addon to the next version,

but i still strongly believe its the best, from the rest.
and hey!! dude no need to scratch u'r head for that wikiepedia stuff,
u can recommend to everyone for sure...

 

Thank you, everyone, for your replies. Though I continue to use NOD32, I think for the time being I shall refrain from recommending the product to anyone else, because - irrespective of whether anyone has seen it or not - the lack of self-protection is a serious issue.

If that feature is offered by a competing product, the consumer should perhaps choose that product. Frankly, I am at a loss to understand why they wouldn't include self-protection in their product!!

I like NOD32 mainly because its footprints on the system are relatively small and very reasonable. Kaspersky's usually gets a higher, or at least, an equivalent, rating in tests, but it has huge impact on system resources. The protection offered by AVG (at least till version 7.5) is not optimal. NOD32 appears to be a healthy compromise between system resources and functionality. And its updates are pretty regular, which I like...

 

Nod32 has no self-protection to speak of at all.

Also its virus-database is getting weaker and weaker. I have stopped using it because i cannot trust it anymore

 

i felt, its virus signature are not weaker...... the slowed drastically in updating the samples and new virus released, by the time update is avaliable, systems are already affected..... making ppl to think... false opinions bout ESET

I HOPE THE MODERATORS DO SEE THIS

 

Eset has been performing poorer in tests though, and this is a consistent trend.

 

Its not false, its a real threat.

I have seen 3 cases where malware simply disabled nod32, with the security gone it was free to download other malware and completely infect the computer.

 

It's worth pointing out that Vista users who have UAC enabled will be relatively safe, as malware won't be able to disable EAV/ESS without coughing up a UAC prompt.

 

Cool. Relatively is the right choice of words because there i an proof-of-concept exploit that bypasses UAC

 

Yeah.... But why are all the moderator or the ppl who has to respond, sitting silently
what are they waiting for....
do they want to climb the ladder after they reach the bottom...

see the update v3424 also came out just now...
still the virus i am uploading daily dozen times from almost 15 days...
thats almost 75+ uploads of a simple autoit.xx variant, hasn't been added to the updated definations....

PLEASE DONT MAKE ME CHANGE MY AVS FROM NOD32 TO SOMETHING BETTER.......
PLEASE

 

If you think NOD32 is crap, change AVs...It's not like you need to have brand loyalty to your AV.

 

Where? I haven't seen this pop up on any of the security feeds that I follow and privilege escalation like that should be a huge red light that people are screaming about.


As for self-protection, presently Nod32 does not have any kind of registry integration (I was told this feature was coming eventually) which means a process trying to screw with the kernel service is going to go unchecked unless a signature is already made for that threat. You can do things like putting a password on the MSI installation package (Symantec does this), but that is no in compliance with MSI standards. That and if something has the admin credentials to invoke msiexec to uninstall a package, it is going to have rights to screw around in the registry to remove a password protection scheme as well.

If you want proper protection, stop using administrator accounts for everything. There is no reason to be running your browser, mail client, or even explorer with admin rights on a day to day basis. Running things with admin rights means that any unpatched exploit will execute with admin rights and has full reign to really screw over your computer as it sees fit. At least UAC somewhat fixes that problem, but the big point is that there isn't a whole lot you can do to protect the install when you are handing out admin rights to every process launched on a system.

 

https://www.wilderssecurity.com/showthread.php?t=217301

Tried that, but it has way to many problems for my users and the programs we use.
What i'm currently working on is Advanced Comodo rules that block any unauthorized behaviour in my applications, effectively blocking unknown exploits.

 

Thankfully those are proof of concept papers and not actual in the wild exploits at the moment. DEP also does a good job of shutting many of them down, but the default behavior "opt-in" in XP and Vista leaves IE7 vulnerable because they didn't compile it with the DEP flags. Forcing DEP in to "opt-out" mode mitigates a lot of the risk. IE also needs to be launched with protected mode off for the kind of attack outlined there to happen, which thankfully is not the default behavior.

And I hear you when you say that running everything in user context can cause problems. Sloppy coding makes that a pain and I loath having to fire up filemon to figure out what security permissions I need to modified to make a program work correctly. Still, since going through that pain and removing admin rights from the last few of our users, I can only think of two instances where the actual system was compromised instead of just the user's profile getting trashed. It was worth the headaches up front to be operating under a proper security model.

 

There are a number of programs out there that will reduce rights of running programs - Online Armor does that and it's quite easy to use.

 

So, have we reached a consensus about the vulnerability I mentioned in the current avatar of NOD32? As one of the posters mentioned above, there needs be no brand loyalty. But I would hate to have to change to a new AV (Kaspersky's? Sunbelt VIPRE?) particularly after just renewing my license for 2 years!!

Any mods or NOD32 team members listening in? I am surprised that they don't seem to be!! Writing to the NOD32 support produces only stock replies.

Damn! I should not have been hasty in renewing my NOD32 license!!

 

Changing AVS for brand name wasn't my meaning,,,,,

i only mean the security of my computers...

be in my position and think, u got 2 samples of different Autoit.xx variants, u post it to the moderator and mail at samples(at)eset.com,
i gets updated after 1 week other gets updated after 20 days.... whats the meaning of it... almost same variants...i dont know...

and the same delayed addition of virus samples is a problem of NOD32 right from 1 year as i am seeing, coz i regularly send samples to eset and marcos

and the main thing...
i scanned those variants at virustotal.com and kaspersky and even the bad AVG is catching it.....but nod32....still they are not ready to update the definations...... why they delay so much to add definations? do they lack man power

i am just concerned bout my security.....

please reply u;r thoughts

 

Yeah if you through enough at it it will eventually run smoothly. The problem is that my users are home users, its their private computers and they need to be able to install software and games... Some computers i only visit once every 6 months. With LUA i had to visit them daily....

 

I would be pushing Vista as hard as possible if I was in your shoes. Microsoft dug themselves one hell of a hole with the absolutely terribly security model they made with DOS and kept of life support all the way through XP, hurting home users and corporate environments alike. At least UAC does something to address those problems. Hopefully by the time Windows 7 is out, the application coding requirements Microsoft is now enforcing for applications to run in a user context will have filtered down to most applications by then. The transition is just painful for home users who have no concept of the fundamental security issues on their OS.

At least XP is good for repeat business on end-user support.

 

Vista would be great. But these systems don't have vista drivers(too old) so the story ends there. (no $ to buy new systems)

 

Hello,

One thing to keep in mind about self-protection features is that they can introduce program incompatibilities and instability into a system.

This is an area which ESET keeps an eye on, however, any changes to the product to incorporate self-protection technologies will be done in a way to minimize the likelihood of problems occurring from their use.

Regards,

Aryeh Goretsky