Solution for all the problems of Nod32

Discussion in 'other anti-virus software' started by AlamoCity, May 10, 2007.

Thread Status:
Not open for further replies.
  1. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Well written Blue :)

    I was one of many who were perhaps too quick to damn Eset's name after the latest comparatives. But I found that even though my choice of AV did not have the best statistics, it was the right one for me.

    As Blue said, it is all down to personal experience, and what works best for you.

    Matt
     
  2. joao_proscrito

    joao_proscrito Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    38
    Well, I really agree that the best antivirus depends on the user. For me, the most important thing isn't the detection, but the capacity to run smoothly on my system. I've tried many antivirus products, and the one that runs faster on my system is Nod32, much faster than KAV. So, for me NOD doesn't need to have a 99% detection, and it's still my best choice.
     
  3. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    After reading all of the posts in this informative thread, I have changed my opinion about NOD32. As I now comprehend why some people are willing to settle for second best in terms of detection. If I was experiencing buggy system performance, etc., I could even see myself switching to NOD32 if it provided stability that better programs couldn't offer.

    But I would certainly never switch just for increased speed, just like I would never speed in my car in order to get somewhere faster. Because speed kills in more ways than just the highway. Meaning that I'm not going to intentionally risk some of my data being killed (I don't back-up enough) just to be able to scan faster.

    In any event, I will not be using my recent lottery winnings to buy Eset and scrap NOD32, so all the fans can rest easy now. :)
     
  4. joao_proscrito

    joao_proscrito Registered Member

    Joined:
    Jul 18, 2006
    Posts:
    38
    Well Alamo, I think that's not an argument. The most important thing if you don't want to be infected is your head. Period. And the thing I hate the most, is having an AV speeding down my system. Cause in reality, you could have the best AV in the market and still get infected! So, let's stop being paranoids and start to enjoy our PC's in their best form!
     
  5. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Thank you for your opinion. :D

    If you say so. :D


    Huh? You just indicated a preference for a speeding AV in your last post: "the one that runs faster on my system is Nod32, much faster than KAV"

    You could have the heaviest SUV on the highway and still get killed in an accident. But as long as you can afford the big SUV, you're not going to risk driving around in a Volkswagen. Why? Because the heavy SUV increases your odds of survival if you have an accident. Well, that's what KAV does, it increases the odds that your data will survive. And when you're on the information super highway, you need all the odds in your favor that you can get. Period.


    So, let's stop taking foolish risks and start to protect our PC's the way they deserve to be protected! :)
     
  6. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    But how often does a meteor crash into someone's home? And how often does someone suffer a serious loss of data due to a virus?

    On your latter point, I have to dredge up my vehicle analogy again, sorry for the redundancy. If you only leave home once a month to get groceries, will you wear your seatbelt? Of course you will, because you could be killed if you don't.

    Well, the information highway is no different. Even if you just log onto it once a month, your hard drive could still get killed during the time you're online. As again, how often does a virus cause data loss? The odds of winning a multi-million dollar lottery are obviously extremely low, but people win them all the time.

    But I do understand your position, people simply view different risks in different ways.
     
  7. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    I take it that you've never had to suffer through a serious loss of crucial data due to a virus? The not so funny reality is that many people prefer to routinely speed in their cars to get where they're going faster -- until they have an accident that paralyzes them. Then they change their preference for speeding.

    As they realize why they should take all the precautions they can while they're on dangerous highways. By the same token, NOD32 users will come to a similar realization the first time they experience a serious meltdown of their hard drive, due to a virus their speeding scanner recklessly flew past.

    Each to their own I say. :D

    On the dangerous information super highway, those "few" percent can easily make all the difference in the world in preventing extremely serious 'injuries'.
     
  8. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Blue, all I can say is that I've come to the conclusion that you are not a member of the PCUA (Paranoid Computer User's Association). :D

    "I've seen the light" since I started this thread. It all boils down to there being different markets for different personalities. Just out of curiosity, do you use any supplemental security programs on your NOD32 systems that you don't use on your KAV systems?
     
  9. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Sounds like superior heuristics to me. When presented with the choice of a virus activated meltdown of my computer and slower scan speeds, I'll take the slower speeds any day.
     
  10. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Thank you for this explanation.
     
  11. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Apparently not. :D

    That's an interesting claim to make, especially since many people are using NOD32 primarily for its advanced heuristics, rather than just its speed. So would you care to share the names of the HIPS programs you're referring to?

    Apparently I didn't have a clue about the procedures used for the real-time testing of malware. I must have thought they'd test about 25,000 at a time, with software registering which nasties made it through. Then they'd simply empty the Sandboxie sandbox and start over.
     
  12. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    I get it, they've carved out a niche of speed demons who prefer speed over superior detection. :)

    This makes perfect sense. Because no matter how much marketing is done, the masses would probably never be motivated to use anything other than an AV program for their security.

    It seems to me that KAV's heuristics are vastly superior to what's available with NOD32. In that KAV's real-time detection was 99%, based on IBK's test with the 6,300 samples. Plus, KAV also provides the secondary behavioral analysis detection method. Thus giving users a chance to detect any malware that slips past the real-time heuristics. Whereas with NOD32's heuristics, you've just got one chance for detection, period.

    This makes perfect sense, you should be a computer science teacher!

    Thanks for answering my questions. As your answers are the primary reason why I've decided not to buy Eset and kill NOD32. So the fans have you to thank for that. :)
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I guess you could say that, but NOD32 also has the benefit of having the best heuristics in the industry (for the moment). This is a good backup to the fast scanner, as having a good heuristic also helps their marketing equally well, since the word "heuristics" means a lot to an inexperienced user (it did to me when I was not so well-oriented with computers). Thus the proactive protection in NOD32 makes it a second selling point. :)

    Call it Proactive protection for KAV, not heuristics. Just for courtesy's sake. :D

    But I'm still a teenage student at the moment :D

    Did you win that much money in the lottery that you are in a position to acquire whole companies? :eek: :eek:

    I wish I were that lucky :D

    However, there is one thing that many (but not all) of us will agree is needed to be improved at Eset, and that is the virus submission system (I've mentioned the issue with it in a previous post on this thread). :)
     
  14. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I'd hope that no regular visitor here would be a member.
    Actually, no...

    With NOD32, it's LooknStop firewall - I'm hoping the ESS suite fills in for both. Occasionally I'll load up AntiExecutable or Prevx, but either are as backup.

    Actually, on my wife's KAV WKS system, I installed Prevx a while ago. KAV is great, but over the past 5 years I've simply experienced too many incidents of corrupted updates that have effectively disabled all future updates without manual user intervention to not have some type of direct backup. I don't visit that machine on a frequent basis and in one case updates had been disabled for over 3 weeks. To be perfectly blunt, it is ridiculous to have a situation in which an update can kill further updates - heck LiveUpdate instability was why I moved from Norton in 2003. I hope KL starts to pay more attention to this piece of their product.

    While there is enormous hand wringing over trivial differences in detection statistics in a controlled demand scan, my own experience with good products is that it is the unanticipated exceptional events - the killed updater, an update that kills the realtime engine, some other program failure - that are the real problem. They're not frequent, but they're also not always obvious. Since I can't guarantee everyone in the family knows what to look for, I do like one level of compatible backup - which is why I follow and use products like AE or Prevx. With every AV product that I have had or currently have licenses for (CA, Norton, McAfee, ArcaVir, Dr Web, KAV, NOD32, F-Prot, and maybe one or two others) - detection per se was never the main shortfall, it was something else that directly impacted detection. This is why I view detection statistics in controlled tests as just one of many factors to weigh.

    I also generally have some form of direct AV backup available, but not running - I like standalone demand scan products like Dr Web's CureIt or ArcaBit ArcaMicroscan.

    Finally, every system in the house is multiboot. If the primary system became compromised, and I couldn't handle it live, I'd simply boot from the alternate physical device and work from there at my leisure or use a Bart PE boot CD to accomplish the same goal. A multiboot system using distinct physical drives can be advantageous from many perspectives and it's not a major added cost these days.

    I have one or two products running, but plenty of backup available - and that doesn't count the boot clone on the shelf for my main system... :)

    Blue
     
  15. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    :D Now this has to be a joke. I suppose all the other security vendors are chopped liver.
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    AlamoCity,
    It seems that the tree is impeding you from seeing the forest.
    Why wouldn't a heuristic-only engine serve ESET and end-users?
    - No software is fool-proof/hack-proof/bug-free, so if ESET can make a heuristic engine with 95+ % efficiency (which would require breakthrough advancements in maths, algorithms and programming), it would quickly become a target for malware writers and they'll try to circumvent the engine. In a short time, its detection rate would fall. See the current situation with Norton/McAfee/Trend; malware writers try to make sure that neither of them detect their new creation thus reaching a wider target.
    - A heuristic engine like the one in NOD 32, which does code emulation/dynamic heuristics, requires huge amounts of processing power. To speed up the scanning, the AV vendors make a signature for malware detected by heuristics.
    - How would you sell to average Joes the idea of a HIPS-like software? Average Joes only know about antivirus and firewalls to a lesser extent. Becoming a HIPS vendor would automatically wipe off the majority of ESET's sales target. BTW, corporations aren't very aware of whitelist/behaviour-based security.
     
  17. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Valid points. I was once victim to a backdoor virus that allowed remote access into my machine, and I, like many thousands of people on the internet, found themselves having to post on a specialized forum to get help cleaning up. So although I did not suffer disastrous data-loss, it was enough to scare me into getting a decent AV solution!

    The best solution at that time, just happened to be Nod32. I tried the trial, and really liked it. So then I purchased it!

    It turns out, however, that it is not the best in terms of detection. It is one of the best. Now the differences between those two terms didn't mean an awful lot to me until recently, but as I have learnt more and more about the subject I have found myself looking deeper into the comparative results.

    So yes, I have to agree with you that 70-ish percent detection with heuristics, and average detection with signatures (but great performance) is not adequate for some people. I am not a 'high-risk' internet user, so it should be adequate for me. But I am trying out other AVs. I keep switching between KAV and Nod, and eventually I will find out which is best for me. Nod wins at the moment, but the next av-comparatives results are out soon, and they will have a big impact on what I decide in the future.

    May the best AV win! :p
     
  18. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Let me give my anecdotal experience.

    I run NOD32 (your settings) resident.

    I run AVK2006 (KAV+BD) as on-demand scanning everything I download.

    I download way too much for my health and sometimes from sites in a language I don't even know.

    Of course, with files like these, I proceed with caution.

    NOD32 does catch an occasional trojan dropper already at download phase (IMON).

    However, the rest of the stuff gets blocked by AVK2006.

    And the rest of the stuff after that gets spotted by virustotal/jotti/virusscan/norman sandbox.

    The amount of stuff not spotted by NOD32 and spotted by the rest of my toolkit is bigger than the stuff spotted by NOD32.

    What anecdotal, completely unscientific and inconclusive evidence do I draw from this?

    That for me, on my surf patterns, NOD32 is not the best protection for me for zero day / obscure / on-the-fly-generated / multiple-time-packed trojans and rootkits.

    It's not sufficient for me.

    But I despise KAV software so I won't install it resident (I like their engine/defs though). AVK2006 just isn't flexible enough to be run TSR.

    So I run NOD32 as first defense and the rest of the stuff as second defense, on demand.

    Sure, I'd like to have _single_ one AV that is "90% accuracy or more", doesn't bog down my system and finds the stuff that is a threat to my system.

    But I haven't found it yet.

    Hence, I keep the setup I have now, until AVK2006 runs out and I have to change it to something else.

    I tried HIPS/Sandboxes during my last re-install. Too cumbersome, too time consuming, too low level conflicting and requiring too much in learning. Not for me, on my system, using the software I use. Maybe in the future.

    As such, based on my very non-generalizable experience, I stick with my setup which I think is better than "single 90% scanner" (out of the ones that I am willing to install).
     
  19. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Hmmm, I wasn't aware that I published my settings..., or at least that's news to me.

    Sounds like a prudent idea...
    I have run NOD32 and KAV WKS on the same system for over 3 years. I've never observed that type of behavior, on the other hand, I don't download with wild abandon.

    That's very possible. However, I should point out (being a reasonably accomplished physical scientist) that some of the best science starts from anecdotal observation. In the present context, anecdotal simply means based on personal observation. Further, by anecdotal, I would just emphasize that is to underscore that it is not, a priori, necessarily applicable to all readers. My observations are quantitatively applicable to me, as yours are to you. If you wish to view it scientifically, put a little more control into the challenge and quantitation into the observation, and the approach can be sound in a rigorous scientific sense.

    However, even if that were done, what's missing is a general risk categorization that says - OK, your risk level is 7B, use.... - nor is that ever likely to come to fruition simply because exposure risk is a fluid variable that is not only dependent on the user, but also dependent on the user environment. In other words, the controlled experiment by any one of us would yield information that, at the end of the day, wasn't any better than the initial anecdotal observation.
    This may be a combo that is unachievable...
    I believe I alluded to that in my last sentence in this post. You've captured fairly well why anyone asking for advice on how to approach their own situation to tread cautiously, and to cautiously experiment. By the same token, if someone out there reading this sees many similarities between your activities and theirs, it's a useful lead that they may wish to pursue.

    Blue
     
  20. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    IMHO, relying on NOD32 for AV protection can't be justified unless you have supplemental protection similar to Blue. People who are not high-risk internet users need KAV at a minimum, if their only other protection is a firewall. High risk users should use a sandbox program, in addition to KAV and a good firewall.
     
  21. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    I have a suspicion that you only read the opening post of this thread. Please read the rest of it and you'll see a conversion take place before your eyes as I'm transformed into 'one with the forest'. I would even use NOD32 myself if it was the only stable AV program available in its class.
     
  22. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Amazing that you should say that, as I almost used the words "chopped liver" instead of "sliced bread"! But I didn't because it would have made the thread seem like a joke.

    IMHO, the other security programs are like unsliced loaves of bread compared to a HIPS program that has a 99% detection rate.
     
  23. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    I'm the president. :D

    Could it be another program that's causing a conflict with KAV?

    That's a good point, it's something everyone should keep an eye on.

    So the benefit of a program like AE is that it prevents viruses and trojans from executing when your AV program fails to detect them? Is AE more compatible with KAV than Prevx?

    You mean like "unanticipated exceptional events - the killed updater, an update that kills the realtime engine, some other program failure"? If so, it sounds like you've had more than your share of bad luck with bugs, etc.

    Since many AV programs have a reputation for being overly sensitive to other security programs, could the problems you've experienced be attributed to conflicts with one of your other security programs?

    Are you sure that "not running" really means "not running", in the literal sense? As my understanding is that demand scan products of this nature often have drivers running in the background that can conflict with overly sensitive programs like KAV.

    Okay, with all that backup you have, as well as the additional security precautions you take, and the other options available to you, I have a more complete picture of why you're willing to throw the dice with NOD32. :D Right now, I'm just relying on firewall and AV protection, hence my desire to use the most thorough AV program available. But I definitely need to add some more layers of protection, since KAV is obviously not perfect.
     
  24. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Huh? Don't you mean the second best heuristics? What about KAV's real-time detection rate of 99%, based on IBK's test that was conducted with 6,300 samples?

    And what are your comments regarding solcroft's claim in this thread that NOD32's "79% protection rate is not "better than any other HIPS programs" out there, not by a long shot, unless the user has no idea what he/she is doing".

    You should put in a request to skip a couple of grades so you can graduate early and apply for a teaching position at your school. :) As it sounds like you know more about computer security than most teachers.

    Absolutely, and I better not find out that KAV is still using ActiveX controls, or I'll buy the company before Norton does and remove that malware from the program myself. :D

    Right now they don't have enough of an incentive to change their attitude, as there's too many speed demons keeping them in business for them to care. Wait until KAV 7 becomes stable. If the on-demand heuristics are comparable to NOD32's detection rate, Eset will become a lot less lazy when they begin to lose market share.
     
  25. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    NOD's heuristics are way better than Kaspersky's,

    seeing as you like test results, Kaspersky got 7% heuristics detection compared to NOD's 53%.

    sure there will be arguments about this, but Kaspersky's heuristics are not close to NOD's, and even v7 won't be I feel.
     