Solution for all the problems of Nod32

Discussion in 'other anti-virus software' started by AlamoCity, May 10, 2007.

Thread Status:
Not open for further replies.
  1. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    First, Let Me Clarify The Problems I'm Referring To:

    1) As per the PC World review on Nod32, "its overall malware detection is second-tier", with a detection rate of just 90%.

    2) The program has a long history of having a "second-tier detection rate", as evidenced by the posts in this forum. Consequently, many users throw up their hands in frustration and abandon the program, which obviously causes Eset to lose a lot of money in annual update fees.

    3) The developers have proven that they lack the ability to overcome the poor overall detection rate.

    4) A lot of virus writers love the program, so this alone tells you there's a significant problem.

    5) The 90% detection rate is absurd, ridiculous, and unacceptable. As all it takes is one virus to get through your defenses and knock you out.

    Now, For The Solutions:

    1) Scrap Nod32 period. Kill it off 100%.

    2) Make a new program called NodProactive, which is designed for, you guessed it, proactive detection only. (As simple common sense dictates that you should focus on what you do best.)

    3) By specializing in just proactive detection, the developers can save all the time they wasted on the "poor overall detection" part of the program, and use that time to increase the proactive detection rate from the current 79% to 99%.

    4) Make it compatible with KAV, as well as other good AV programs.

    Benefits For Eset

    1) Company executives will increase their income tenfold, virtually overnight, as everyone running Windows software will buy the program. Because it will be the greatest thing since sliced bread.

    2) Developers will be able to hold their heads high, and they will be genuinely proud of the program they produce. Thus productivity will be at an all time high, in terms of fine tuning the program and making it the best at what it does.

    Benefits For KAV Users:

    1) They will no longer have to make do with the mediocre 51% proactive detection rate of the KAV program.

    2) They will have the best of both worlds: KAV's superior 96% malware detection rate, and Nod's superior proactive detection rate. Then Kaspersky can drop the mediocre proactive detection part of their program, and channel their energies into increasing their malware detection rate to 99%.
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, I know it was supposed to be a joke, but it was a somewhat poor attempt...

    Actually, Kaspersky already has a 99% proactive detection rate. It's called the PDM. ;)
     
  3. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
    Or wait for V7 of Kaspersky and hopefully get the same thing...
     
  4. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    I can assure you that I did not intend for this thread to be a joke, in any way, shape, or form. As it's exactly what I would do if I owned Eset.

    Umm, sorry, but I was going by the PC World review of Kaspersky: "Proactive detection: 51%"

    I don't have a clue what you're referring to. Could you please clarify?
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    What do you mean it's not a joke?
    Do you collect malware for a living? And execute it on purpose, like 100,000 per week? I think you're safe...

    But hey, I'm sure Eset will follow your advice..
     
  6. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    How long before the bugs will be gone and it will be a stable program, 2008? And "hopefully" doesn't sound very promising.

    Also, if a greatly improved proactive detection rate is something KAV users can realistically expect in the future, then it's all the more reason why Eset should follow my advice. As their superior proactive detection is the only reason a large percentage of their users are hanging on. So if Kaspersky can duplicate that, I predict that Eset will go downhill very quickly. But that's just my opinion, which I'm entitled to, so I hope Nod32 fans don't take offense.
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    What the....o_O

    Okay, sorry if I'm offending you because I admit that I have not fully understood what you are trying to say by making this post. Yet I'll try to clarify a few things. :)

    It's not the detection rate that mattered - 90% is good enough really. What did matter was that Eset's detection rates are not at the top of the pack, and considering that user sample submissions are largely ignored, this leaves a potential problem of customer satisfaction and NOD32's protection. The problem with NOD32's so-called "second-tier" detection rates wouldn't have mattered at all had Eset been more attentive to user virus submissions. Just because a user sends something doesn't mean that it's crap and must not be detected. A real user out there could be infected with this, and when Eset refuses to detect it then it leaves a VERY sour taste in the mouth of the customer.

    If NOD32 had 99% detection rate, then Eset's ignoring user virus submissions would be an OK thing, because with the top-of-the-pack detection rates, hardly anyone will need to submit a lot of samples. But NOD32 is neither at the top-of-the-pack, and neither does Eset take virus submissions seriously. And IMO this is the core of the problem.

    True to some extent, and true even when looking at a different perspective. But if Eset gets their product to the masses, who will never know how and when to send samples for analysis, they'll only gain customers....

    Maybe, or maybe not. I don't see one post which makes a CONCRETE statement that Eset cannot improve this in any sense at all. So at this moment, no one can say really :doubt:

    This isn't all THAT significant a problem, but a few other things are, judging from statements made in the past. Andreas Marx stated in the past that adding better unpack support and archive scanning in NOD32 will probably slow it down, which is probably why Eset relies so much on its generic unpack engine rather than having a good static + generic unpack engine, which is why they were late in adding some specific archives support like 7-zip for example {speculation} :)

    Obviously, NOD32's scan speed is a priority for Eset, but I'm not sure where this will go in the future, and nor is it my place to know or say anything about that. :)

    Having 90% detection rate is neither absurd, nor ridiculous, nor unacceptable. It is pretty decent, and the reason a lot of people are not liking NOD at the moment is due to what I've stated above.

    Yes, true, but this is also true for other AV products. Like I said, the difference between those other AVs and NOD is that they actually help you out and add your sample to the database in a reasonable time when you send it to them for analysis.

    For example, AVG isn't a top-of-the-pack AV. It's good, but not as good as KAV (for example). And even Grisoft/AVG doesn't add EVERY sample I send them immediately (But they do add mostly all the samples I send). But at least they have the courtesy to come up and tell me that they have the sample, the samples are infected and they'll add detection at a later date (and they do add detection a few days later). Eset, on the other hand, keeps mum, leaving you to wonder about whether they even care that you send them a sample. And maybe it will be detected by NOD32 a few days or months later. Such behaviour is very rude, or at least it appears so to consumers.

    No need for that as long as the product still sells well. :)

    You mean an entirely heuristics based program? Then NOD32 would become almost like just another HIPS. Besides, it isn't easy to create a very good heuristic, and Eset is to be commended for what is there in NOD32 today. :)

    51% is mediocre? :eek:

    Besides, with KAV 7 releasing soon, the new heuristic analyzer technology should drive the proactive protection to a higher level (actually I was inclined to say "through the roof" but hey :D)

    If it were that simple, everyone would be in economic tie-ups today :D

    Kaspersky already has Proactive Defense Module which provides a VERY HIGH proactive protection level in real-time. The PC World test only shows on-demand detection rate. Kaspersky's Proactive Defense Module DOES NOT WORK in on-demand scanner. With Kaspersky's new heuristic engine, the proactive protection will rise anyway....

    Anyway, I'm getting nausea typing all this. Sorry if I have made some strange/silly-ass/misstatements here, because my head is spinning and I'm not thinking as well as I should at the moment.
     
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    The exact opposite is true. If they want to stay alive.

    If KAV gets on the same level on that feature, what would be the benefit of using NOD? An absolute 0.

    PS: I never used NOD32
     
  9. besafe

    besafe Registered Member

    Joined:
    Mar 29, 2007
    Posts:
    222
    I think ESET has a loyal following, almost cult like. I can't see them going downhill quickly. They make a rock solid product in NOD32 (not perfect, but still excellent) and have a loyal customer base...I think they will be around and be a player for a while.
     
  10. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    any 90% av is fine, stop counting numbers and percentages.
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Well, if that's the case, then I can name quite a few other antivirus companies who suffer from the same problem. Frisk and Alwil, for instance... though vlk has said that they're working on their submission system.

    You're perfectly right that 90% is a fine score, and not "second-rate" at all. However, it's just simply that NOD32's performance doesn't live up to its hype very well. For all of its reputation and the ballyhoo delivered by its ads, its real-world performance seems to rank it as, well, just another antivirus program.

    But an interesting analysis all the same. ;)

    And why does nobody seem to know what Kaspersky's PDM is? Has everyone never encountered a malware that evaded Kaspersky's signatures, or do you all just turn it off? o_O
     
  12. tamdam

    tamdam Registered Member

    Joined:
    Feb 8, 2007
    Posts:
    88
    I know what KAV's PDM is, it's very good, especially the rollback feature.

    To the OP, the "proactive defense" in pc-world is just heuristics. KAV PDM is more of a HIPS like feature. AV-comparatives did a review of KAV's PDM last year, and it detected ~99% of samples (smaller test set).
     
  13. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    i think the problem is nod has been given such a reputation, that nod can't keep up with, its got great heuristics and a decent enough detection, i think people are just expecting 'too much' because of all the 'hype'

    nod is a great av, i don't see any differences from before, and it still remains a fantastic av solution.
     
  14. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    All I know is that I've read a lot of posts on this forum from people complaining about serious malware that Nod32 missed, which was subsequently detected by other programs.
     
  15. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    No offense taken, and thank you for your informative contribution to the thread.

    What about my opening post for this thread, doesn't it count? :)

    Then I'm making it my place to say something about it. :) Prioritizing speed over detection is simply bad business. As what good is speed when your computer gets knocked out by a virus that slips through. It reminds me of people speeding in cars to get to their destination one minute quicker, but having an accident that costs them a week in the hospital. Nod32 users will have faster scans, but at the risk of spending a week reinstalling everything after having to reformat.

    Okay, I admit I was being a little harsh. But I just couldn't get all the complaints out of my brain's RAM that were posted by users who had nasty malware sail right past Nod32.

    Yes. As that's what they do best.

    But they'd be the best, with a proven track record.

    I agree, they are indeed to be commended. With their current 79% heuristic detection rate, isn't that better than any other HIPS program available today? Are there any reputable third-party reviews on HIPS programs that list the detection rates? And don't HIPS programs have a history of being hard to get along with AV programs like KAV?

    Compared to Nod32, yes. If Nod32 can achieve 79%, then Kaspersky should be able to do it.

    I'll definitely be looking forward to the year it becomes stable. :)

    I was not aware of this, at all. Thanks for educating me, as I see now why there are so many KAV fans, and it gives me a newfound respect for the program. But it makes no sense why PC World would focus on just the on-demand detection. As it seems that real-time detection is a lot more important, since it will stop malware that uses malicious web sites to attack.

    Oh, I understand now. So I take it that Nod32 only has the on-demand detection? If so, and if KAV's real-time detection is comparable with Nod32's on-demand detection, I can't comprehend why anyone would want to use Nod32 instead of KAV. Since the overall malware detection rate of Nod32 is characterized as "second tier".

    In other words, forget speed, as the detection rate is the single most important thing in AV programs. So why would anyone accept "second-tier" when they can fly first-class with KAV??
     
  16. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    "not perfect, but still excellent"
    Sorry, but I don't see how you can make this characterization, in light of all the posts from users complaining about things that Nod32 missed.
     
  17. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    all av's miss things
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Apparently you don't know too much about HIPS programs...

    79% protection rate is not "better than any other HIPS programs" out there, not by a long shot, unless the user has no idea what he/she is doing.

    PC World tested with ~900,000 samples. Are YOU going to click on ~900,000 samples one by one and reinstall the system every time the tested antivirus fails to block a piece of malware? :D
     
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Not really, I mean the developers themselves haven't said this, and we can deduce such things, but it is of no use in the long run because no one really knows how Eset functions and how many staff they have and whether they are capable of improving or not. :)

    But having the tag of being "the fastest scanner on earth" is good for the marketing team at least. There is a compromise/"gamble" being made here and so far the gamble has worked well enough. Since there has been no reliable test to gauge the unpack engines of AVs, there is no method to find out whether NOD32's unpack engine is good or not. Until then, if it is detecting at least something properly, then the gamble is successful for now. This is why I said that I do not know what will happen of this into the future, because gambling always has risks involved. :)

    Considering that none of us really know how NOD32 works, one can't make a very detailed analysis of this. :)

    If you notice, usually the complaints in the forum are posted only after the poster has already submitted the sample. In the end it all boils down to one thing: That Eset does not take virus submissions seriously. And this is why such complaints are rampant on the NOD32 forum.

    Not sure about this, because an HIPS will not disinfect the same way an AV/AS will. NOD32 will then become a second-tier vendor, and will become a smaller-scale company as NOD32 will need to be an addition to your existing setup, not a primary protection mechanism. The fact is a lot of users do not know what is an HIPS, they don't use AS or AT, they keep themselves protected with just an AV. So, if NOD32 isn't an AV, they are automatically losing part of their market.

    Because KAV's real-time proactive defense works on-execution. It's like a modified HIPS of a sort, except that it's more fine-tuned for detecting specific malware than an HIPS, which is meant for handling any suspicious activity. One would need to execute each and every file in the sample set to find out exactly how good KAV's proactive defense module is. Understandably, doing this for 900,000 files is a difficult task, which is why people focus more on the on-demand detection. ;)

    Yes, I will agree on this. But in order to prevent system slowdown, sometimes there are compromises made on the real-time scanner to maintain the speed of the computer. For example, in the past (not now), Norton used to have all unpack support and archive scanning disabled in the real-time scanner. Many AVs still do not scan archives in real-time by default, and I believe Norman's Sandbox technology does not work in real-time in order to prevent system slowdown.

    Still, most AVs offer decent protection real-time today.

    No, NOD32 detects the same things both on-demand and real-time. NOD32's heuristics are based upon executing the file in a virtual environment, and also by looking at the code of the file. This works both on-demand and real-time. However, with KAV the case is different. Kaspersky uses behaviour-based analysis, i.e., when the file is executed, KAV catches malware by its Proactive Defense Module on the basis of analyzing what the file is doing after execution. If KAV suspects something, it gives an alert. Such technology is usually very effective, but very difficult to implement in on-demand scanners due to speed reasons, among others.

    The question is good, but for people with older computers, people working in high resource tasks and gamers, who will prefer to save every last bit of resources available to keep their applications running well (without slowing to a crawl) and save time, an AV which is "good enough" will do. Also there are other considerations such as interface design, corporate deployment etc. - Cost is also a factor.

    KAV's proactive defense, though very effective, can also be confusing to users who are not accustomed to the system or functioning of HIPS'. Such users will get discouraged from using KAV. And it is due to individual preferences that there is so much choice in the market. :)

    I'd call NOD32 "good", but maybe not "excellent". NOD32 has great potential, and decent detection rates. It is hindered only by Eset's bad response to virus submissions, and it is not a thing to their credit. :)
     
  20. tamdam

    tamdam Registered Member

    Joined:
    Feb 8, 2007
    Posts:
    88
    Have you ever thought about the way they actually test programs? Having 900,000 samples just sitting on the HDD and getting AVs to on-demand scan is difficult, but doable. KAV's PDM requires the actual execution of the program to block malicious actions. Have you considered how they would execute 900,000 programs within a reasonable time frame, and doing this for each and every AV program they tested? :p

    That's why I said AV-comparatives testing of KAV PDM was on a small sample set - for practical reasons. Theoretically the pc-world test is only testing signatures and heuristics, not behaviour blockers - in this regard KAV has a disadvantage. Which is why KAV's results are excellent just based on signatures (they have very little heuristics).
     
  21. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    This is why improvements are being made to heuristics, especially in v7. Time will tell how well that component of the AV works, but things look promising.

    The interesting thing is KAV/KIS v7 will have bolstered a three-tier protection mechanism in this version of their product line i.e. signatures, heuristics and PDM so one assumes one of those is bound to catch malware if all services are enabled.

    On the subject of the PDM, I recall IBK tested the PDM on its own in KAV v6 last year i.e. with no signatures, and it did very well. The test set comprised of over 6,300 samples, and, as has already been mentioned, the PDM detected 99% of this collection.
     
  22. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    You can forget speed if you wish, I choose not to.

    I have some systems with KAV WKS, some with NOD32 (ESS beta currently). On my main system it is NOD32 and it is for low system impact. I don't view this as second tier at all. I view it as my personal weighting of a number of traits to arrive at a personal optimal decision, and guess what, I don't weight things the same as you, and the next person is different from both of us.

    The fact of the matter is, there are probably some characteristics of NOD32 (or any other product for that matter) that you could view as a problem and I could view as a benefit. That's why the marketplace can end up with multiple successful incarnations of the same product.

    Blue
     
  23. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Can you please offer some supportive proof for an over-generalizing argument like this?

    I'm not claiming the opposite, just asking for your rationale.
     
  24. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    I wholeheartedly agree with you there. I currently use Nod32, and every time I swap it for the KAV trial, I end up going back. Why? Because I like the way Nod runs so light on my system. I love the great statistics that KAV gets in the tests, but I just prefer nod.

    Each to their own I say, there is no best AV solution. NOD may not be the best at adding signatures, but they are getting better:

    2002
    http://www.nod32sse.com/images/glib_2002.gif

    2005
    http://www.nod32sse.com/images/glib_2005.gif

    2006
    http://www.nod32sse.com/images/glib_2006.gif

    2007
    http://www.nod32sse.com/images/glib_2007.gif

    Graphs taken from www.nod32sse.com

    I am not a Nod "fanboy", I was literally one click away from buying KAV after reading those av-test results. No AV is perfect, and if you go to http://www.av-comparatives.org/seiten/overview.html, you will see that AV results change constantly. Hell, even KAV got a Standard rating once!

    So please can people stop picking apart AVs for the sake of a few percent?

    Matt
     
  25. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I can give you my rationale, which is probably similar to CSJ's, and it's anecdotal field-use experience.

    In general, I take the safe route and say that if you want a rough suggestion, go for a product that gets an Advanced+ rating on either or both the on-demand or retrospective tests at www.av-comparatives.org. One can argue the fine structure of the ratings, but in broad strokes all the products with this rating are extremely good.

    However, for personal information, I wanted to get a feel for how the lower end certified products fared in use, so I did a 5 month run with Dr Web and a 6 month run with F-Prot. Both were more than fine.

    Let's do some casual math for a moment..., how many alerts do you receive from your AV in a given year? A few dozen? Hundreds? Thousands? Whatever it is, where does it stack up relative to the scope of total malware covered by a given product and the % of currently circulating malware covered by that product? In general, these numbers are unknown. But if the signature base of a product is a few hundred thousand (most are in this ballpark), and you receive something on the order of an alert a week, again, do the math.

    Let's face it, from an extreme (and admittedly absurd) view, an AV product only needs to have a signature base of 1, and that's the next piece of malware that you're about to get, let's call it Omniscient® AV. If you're covered for the next piece of malware about to land on your machine, everything else is superfluous. OK, that is an extreme and not realizable state. However, everything that is actively circulating is a realizable state, will provide perfect coverage, and will do absolutely horribly on any of these comprehensive tests. So the product will work exceptionally well, but be impossible to market. There's a continual transition from that state to very comprehensive coverage as exemplified by products such as KAV and Avira. Any actively supported product should be quite current on actively circulating malware and protect extremely well - which is why VB100 certifications are not completely irrelevant.

    In principle, a meteor could crash into my home. Simply because that has a finite nonzero probability of happening does not mean I have to take action to further mitigate the risk even though the impact of that risk, if it comes to fruition, is rather devastating. Event frequency is an important attribute to assess and everyone has a casual sense of that based on the products that they currently employ or by their own manual examination of the state of their machines.

    If one's malware event exposure is continual, there may be merit in going more comprehensive (e.g. KAV, etc.). If exposure frequency is much more modest, protective measures can be more modest as well.

    Blue
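Blue's "do the math" on exposure frequency, TonyW's three-tier point, and the opening post's "all it takes is one" can be put on the same footing; this is an added example, not code from any poster or vendor. It takes the detection figures quoted in the thread at face value and assumes encounters and layers are statistically independent, which is an optimistic simplification flagged in the comments.

```python
"""Casual math on detection rate versus exposure frequency.

Added example, not from the thread.  Inputs are the figures the posts quote:
PC World on-demand detection NOD32 90%, KAV 96%, NOD32 heuristics 79%, and
AV-Comparatives' ~99% for KAV's PDM; exposure of "an alert a week" (52/year).
Encounters are modelled as independent Bernoulli trials (an assumption).
"""


def prob_at_least_one_miss(detection_rate: float, events: int) -> float:
    """Probability that at least one of `events` independent encounters with
    malware gets past a scanner that catches a fraction `detection_rate`.
    This is 1 - p**n; it is what "all it takes is one" actually measures."""
    if not 0.0 <= detection_rate <= 1.0:
        raise ValueError("detection_rate must be in [0, 1]")
    if events < 0:
        raise ValueError("events must be non-negative")
    return 1.0 - detection_rate ** events


def expected_misses(detection_rate: float, events: int) -> float:
    """Mean number of encounters that slip through in the period: n * (1 - p)."""
    return events * (1.0 - detection_rate)


def layered_detection_rate(layer_rates) -> float:
    """Combined detection of several layers (signatures, heuristics, PDM):
    1 - prod(1 - p_i).  Assumes each layer misses independently, which real
    layers do not (a sample that defeats the unpacker can defeat both the
    signature and the heuristic), so the result is an optimistic upper bound."""
    miss = 1.0
    for p in layer_rates:
        if not 0.0 <= p <= 1.0:
            raise ValueError("layer rate must be in [0, 1]")
        miss *= 1.0 - p
    return 1.0 - miss


def exposure_table(rates: dict, exposures: dict) -> dict:
    """P(at least one miss per year) for every (product, exposure) pair."""
    return {
        (product, label): prob_at_least_one_miss(p, n)
        for product, p in rates.items()
        for label, n in exposures.items()
    }


if __name__ == "__main__":
    rates = {"NOD32 (90%)": 0.90, "KAV (96%)": 0.96, "hypothetical 99%": 0.99}
    exposures = {"2 events/year": 2, "1 event/week": 52}
    for (product, label), risk in exposure_table(rates, exposures).items():
        print(f"{product:18} {label:14} P(>=1 miss/yr) = {risk:.3f}")
    # Layered view of the v7 tiers TonyW describes: the PC World 96% already
    # covers signatures plus heuristics on-demand; PDM is the extra layer.
    print("on-demand 96% with PDM 99% ->",
          f"{layered_detection_rate([0.96, 0.99]):.4%} (if independent)")
```

At two encounters a year the 90% scanner leaves a 19% chance of one miss, at one a week it is essentially certain (99.6%) and even a 99% scanner sits at 41%, which is Blue's point that exposure frequency, not the headline percentage, decides how much coverage you need.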
     