What are the Major detection differences between 4.0 and 2.7?

Discussion in 'ESET NOD32 Antivirus' started by GrammatonCleric, Mar 9, 2009.

Thread Status:
Not open for further replies.
  1. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    I asked the AH heuristic question last night but no answer so let me pose this question.
    I do not care about the new flashy GUI, I do not care about self defense (in my opinion if the AV already let something through that allowed it to kill it then the AV has already failed in my book).
    I do not care about the better "cleaning" same reason for why I don't care about Self Defense.
    So give me a reason why should I use 4.0 instead of 2.7?

    Is the detection capability of 4.0 better?
    Is the Advanced Heuristics in 4.0 better?
    I know it does not run lighter and I know that the resource usage is huge when compared to 2.7 so there must be some improvement in detection but can anyone quantify that?
    Is the 0-day, ITW detection better? (I guess it's same as Question 1 and 2)

    I would like to see some numbers or at least some data as opposed to "YES, YES, YES, YES".

    Thanks!
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yes and the gap will grow in time.

    It's the same for v2/v3/v4.

    Actually you shouldn't notice any difference unless you modify default settings and enable AH on file access/execution (v2 didn't support that). Unlike v2, v3 and v4 don't use any limitations for file scanning by default, so you may notice delays even if you didn't with v2. If you come across a file that takes a long time to get scanned by v3/v4, we'd appreciate it if you report it to us. There are at least 2 ways to identify such problematic files: 1, using v4 and the integrated statistics window; 2, using Process Monitor by Microsoft and filtering out operations performed by ekrn.exe (in the case of POP3/HTTP traffic, another application may be cloaked as ekrn.exe as its traffic is routed through it).
     
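The second approach Marcos describes above (filter a Process Monitor log down to ekrn.exe and see which files it spends its time on) can be automated once the log is exported to CSV. The script below is an added example, not code from the thread or from ESET: it parses a Process Monitor CSV export, keeps only rows belonging to ekrn.exe, and totals the recorded operation time per path so the slowest files surface first. It assumes the export was made with Process Monitor's optional "Duration" column enabled (durations in seconds) and the default column names; the sample rows embedded in it are constructed, not a real capture.

```python
"""Rank the files ekrn.exe spends the most time on, from a Process Monitor CSV export.

Added example, not from the thread or from ESET. Assumption: the CSV was exported
from Process Monitor with the optional "Duration" column enabled (seconds as a
decimal string) and with the default column names shown in SAMPLE_CSV.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export in Process Monitor's CSV layout (not a real capture).
# One large archive is read in several chunks by ekrn.exe; explorer.exe's own
# read of the same file must not be counted against the scanner.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Duration"
"10:01:02.1234567","ekrn.exe","1532","ReadFile","C:\\Downloads\\big-archive.zip","SUCCESS","Offset: 0, Length: 65536","0.8500000"
"10:01:02.9876543","ekrn.exe","1532","ReadFile","C:\\Downloads\\big-archive.zip","SUCCESS","Offset: 65536, Length: 65536","1.2000000"
"10:01:03.0000000","ekrn.exe","1532","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Generic Read","0.0001000"
"10:01:03.5000000","explorer.exe","2204","ReadFile","C:\\Downloads\\big-archive.zip","SUCCESS","Offset: 0, Length: 4096","0.0300000"
"10:01:04.0000000","ekrn.exe","1532","ReadFile","C:\\Users\\roger\\Mail\\Inbox","SUCCESS","Offset: 0, Length: 1048576","0.4000000"
"10:01:05.0000000","ekrn.exe","1532","CloseFile","C:\\Downloads\\big-archive.zip","SUCCESS","","0.0000500"
"""


def scan_time_by_path(csv_text, process_name="ekrn.exe"):
    """Return {path: (total_seconds, operation_count, first_seen_time)}.

    Only rows whose "Process Name" matches process_name are counted. Note the
    caveat from the thread: POP3/HTTP traffic of other applications is routed
    through ekrn.exe, so mail and web downloads may show up under its name too.
    """
    totals = defaultdict(lambda: [0.0, 0, None])
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        entry = totals[row["Path"]]
        entry[0] += float(row["Duration"])   # seconds, per Process Monitor's column
        entry[1] += 1
        if entry[2] is None:
            entry[2] = row["Time of Day"]    # when the scanner first touched the file
    return {path: tuple(values) for path, values in totals.items()}


def slowest_paths(csv_text, threshold_seconds=0.5, process_name="ekrn.exe"):
    """Paths whose cumulative time exceeds threshold_seconds, slowest first.

    Each entry is (path, total_seconds, operation_count, first_seen_time), which
    is the "at time X, file Y took the scanner this long" report the thread asks for.
    """
    ranked = sorted(scan_time_by_path(csv_text, process_name).items(),
                    key=lambda item: item[1][0], reverse=True)
    return [(path, total, count, first_seen)
            for path, (total, count, first_seen) in ranked
            if total > threshold_seconds]


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("Logfile.CSV").read() for a real export.
    for path, total, count, first_seen in slowest_paths(SAMPLE_CSV):
        print(f"{first_seen}  {total:8.4f}s  {count:3d} ops  {path}")
```

Paths that appear here with a large total are the candidates worth reporting: they are the ones whose scan time the statistics window would also show, but the CSV route also tells you when the scanner touched the file and how many operations it took.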
  3. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    So what has changed?
    The detection capability is better, but if AH stayed the same, does this mean that there are different definition files?

    From my understanding the only way that the detection could change is if there are either different definition files or different heuristics.

    Otherwise, once the infection unpacks and decrypts so it can run in memory, then the AV should detect it...at that time the only players are the definition files and heuristics, not unpackers.

    Could you please elaborate?
    Thanks!
     
  4. Balthazor

    Balthazor Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    41
    I believe the ability to scan SSL data streams is new.

    Sysinspector is integrated into 4.0.

    More flexible options for alerts when using 'full screen applications' (games.) With 2.7 it is all or nothing (and desktop alerts can cause issues with some games.)

    The 4.0 tray icon shows activity when scanning, unlike previous versions.

    Easier to disable / enable from the tray icon with the option to turn off confirmation dialogs.

    A few of these things, I'm pretty sure, are in response to forum feedback.

    Unfortunately I don't have any data for questions about detection etc.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That shouldn't be a task for the user. You guys (Eset) need to agree that not every person has the skill or the time to look at what file/process is making ekrn.exe use a lot of CPU, sometimes, if not most of the time, making the computer extremely slow.

    Yes, the new version includes a statistics feature, but it won't tell the user which file/process is causing the huge CPU spikes, unless the user also uses, for example, Windows taskmgr to check, in real time, which files/processes ekrn.exe is scanning when there are CPU spikes.

    This is insane. The user can spend hours and hours looking at this, and come to no conclusion.

    I guess you haven't, yet, checked this thread I started - https://www.wilderssecurity.com/showthread.php?t=235064

    I suggest Eset implements the same monitoring mechanism into EAV and ESS and report that at X hour, Y file/process made ekrn.exe take longer than it should to scan it, and the exact amount of CPU used.

    This would be the best approach, not to tell the users they should be the ones trying to figure out (and waste a lot of time) what is causing such CPU spikes.

    If you buy a car, and, after you turn on the engine, all your fuel is wasted, would you think you should be the one having to figure out what was causing that? Or, would you expect the manufacturer to do its job? That is what you would expect, since you paid for it.

    People are paying for Eset antivirus and security suite, and, for some reason, many users have problems with the CPU usage. Some, only using default settings. Others, using advanced settings, which they paid for.

    All you guys limit yourselves to do is to warn users that turning AH on would result in bad performance to the system. If that's the case, then don't include such features. Why would people pay for a product, and not use its full power?

    Makes sense, no? Or, will users start to be refunded, for not using such features, because it makes their systems unstable, and they can't use what they paid for, and Eset tells them they're the ones that have to figure out why it is happening, on their own?

    Wouldn't you agree?


    Regards
     
  6. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Marcos:

    I appreciate your outlining the differences between NOD32 v2.7 and v4.0, but since I've decided to upgrade to either 3.0 or 4.0, what I need to know is the differences between 3.0 and 4.0, to see if the additional resources needed by 4.0 are relevant to me (e.g. I don't have a domain server-client network anywhere in sight).

    Please see my thread, "Choice between NOD32 v3 versus v4," at https://www.wilderssecurity.com/showthread.php?t=237468

    In that thread, Saurabhsen gave me a useful response re speeds (although apparently I need to know if he was continually scanning files using Advanced Heuristics), but several key questions in my thread-opening post still need answers.

    Another relevant thread with questions (some of them merely implied) that need answers is Gugarci's "NOD32 2.7 detection rate compared to 3.0/4.0," at https://www.wilderssecurity.com/showthread.php?t=237721

    And the version 3 and 4 User Guides each need information about uninstalling NOD32 --- before uninstalling the next major upgrade (e.g. moving from 2.x to either 3 or 4, or moving from 3 to 4), and also experimentally to solve some other problem, or perhaps to switch to some other anti-malware software, although I currently have no plans to do that.

    Roger Folsom
    NOD32 user since 2005.

    ________________________________________________________________

    P.S. The multiple threads dealing with alternative NOD32 versions are so scattered that they are difficult to find and summarize. At least one relevant thread, "v4 vrs v3," is buried in the Beta forum! ("v4 vrs v3" currently ends with a quick reply by Aryeh Goretsky that uses terms such as "new driver-based cleaning technology, integrated ESET SysInspector and so forth" without describing what they do and who would need them, and whether each of them use large amounts of resources, and without explicitly stating whether they are in v3 and v4 or only in v4, although the thread title does suggest that they are only in v4.)

    Somehow a complete comparison, in a single location, of feature differences among v2.7, 3.0, and 4.0, including brief descriptions of the terms used, is badly needed, either here at Wilders or on Eset's website.

    Longer run, each version's User's Guide (or else a separate document) needs a real "What's New" section, comparing it to the preceding major version, and explaining what each new feature does (or citing the User Guide section or pages that explains it).
    Since I use POP3 email (Mozilla SeaMonkey; never Outlook or Outlook Express), the version 3.0 UG "What's New" mentions only one real security improvement for me: Improved Cleaning. None of the other security improvements scattered among different threads at Wilders are mentioned, much less explained.

    And the version 4.0 UG "What's New" apparently is identical to the 3.0 UG "What's New," except for substituting 4.0 for 3.0 in the first line. Really? No improvements in 4.0 over 3.0? If true, that simplifies my life: I'll go with 3.0, to reduce the resources used by the non-existent improvements.

    My apologies for the sarcasm. But Accurate Documentation Is Important!!!! If I do go with 4.0, need I bother printing the 4.0 UG, or is it essentially identical to the 3.0 UG that I have already printed?

    Actually, it occurs to me that "flagging" new or revised UG sections or paragraphs (with an * or ~ or # or footnote number etc.) in the 4.0 UG might be a good way to point out the advantages (and disadvantages, if resource use is discussed, as it should be) of 4.0 over 3.0.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Difference between v2 and v3/4:
    - worse detection due to different engines
    - weak self-defense
    - inefficient cleaning of resistant threats
    - weaker protection of removable media
    - much larger update files
    - missing additional plugins and advanced setup options
    ...

    Difference between v3 and v4:
    - weaker self-defense
    - inefficient cleaning of resistant threats
    - weaker protection of removable media
    - missing additional plugins (Thunderbird)
    ...

    As for the User guide, I'll check it with the localization team as it seems some features listed in the What's new section of the help files are actually missing there.
     
    Last edited: Mar 31, 2009
  8. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    Awesome!
    So the engines did change.
    That's all I wanted to know.
    So the AH stayed the same but the underlying detection engine changed?
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yes, v2 and v3 engines are different and thus v3/v4 can detect more.
     
  10. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Marcos:

    Thank you for those comparison lists. They really help.

    Two questions:

    1) What does the Mozilla-Thunderbird email plugin do? Does its absence in v3 mean that NOD32 v3 doesn't check downloaded POP3 email that is going to Thunderbird?

    I don't use Thunderbird, but I do use the Mozilla-SeaMonkey Suite (browser and email), and SeaMonkey does share some code with Thunderbird (and Firefox) --- and the sharing will increase as SeaMonkey develops (current version is 1.1.15 and 2.x is on the horizon).

    So I'm wondering whether NOD32 v3 and/or v4 are missing a SeaMonkey plugin, and if so what consequences that will have.

    NOD32 v2.7 does check my SeaMonkey email; over the years it has caught some bad stuff as it came down, although lately its email downloading checking has missed some Trojans buried in an email's attached zip file. Of course, NOD32 2.7 did catch these trojans on the next "in depth analysis" scan.

    2) After I replace 2.7 by either 3.0 or 4.0, in order to reduce resource use, I will probably use Webroot's SpySweeper only for demand scans, and not for continuous monitoring.

    But I'd still like to know the answer to my Webroot question, in thread "Choice between NOD32 v3 versus v4," message 1, at https://www.wilderssecurity.com/showpost.php?p=1433599&postcount=1

    An updated version of that question is:
    "Can NOD32 3.0.684 or 4.0.417 and Webroot SpySweeper 5.5.7.124 run (i.e. be monitoring) simultaneously, in 'real time'? For demand scans using either one, I do shut down the other program.

    "The NOD32 3.0.684 Quick Start Guide and User Guide make clear that you cannot run NOD32 and another antivirus program simultaneously. But in those documents I haven't seen a similar statement about NOD32 v3 or v4 and another antispyware program. And in years past, running multiple (at least two) antispyware programs was a common recommendation."

    As always, thanks for any comments, suggestions, and especially specific answers. <grin>

    Roger Folsom
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    In theory, plugins allow EAV/ESS to check incoming/outgoing email regardless of the protocol used. With ESS, plugins allow spam filtering.

    Email received via POP3/POP3S can be scanned regardless of whether a plugin is enabled and integrated in a mail client or not.

    I cannot answer this question, but maybe someone who uses v4 in conjunction with SpySweeper will let you know.
     
  12. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    Isn't this what self defense is all about? A weak self defense might let a program kill the AV and then start the infection of your computer. The process that kills the AV might be almost any kind of program and not an infected file. When the AV is killed that process might download or uncompress some files to start the real infection. That makes it really easy since the AV is no longer functioning. So I would say that a good self defense is also about NOT letting something through.

    You probably mean that the AV should detect the process that is trying to kill the AV as a threat, but since that process might be clean and not contain any dangerous code, the detection cannot be done before that process is trying to stop the AV. And then we are actually talking about self defense. I think self defense is very important because it's way too easy to kill nod32 v2, and then it doesn't really matter how good the detection is since the detection won't work when the AV has been killed.
     
  13. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    I believe that v3 and v4 are the result of further development of v2.7. People asked for features and enhancements like better detection, cleaning, self defense and a lot of other stuff, and the result is v3 and v4. I don't think version 2.7 is really competitive with other AV software available now.
    The main thing about AV software is the protection, so I don't understand why the GUI is that important. Some would probably say that v2 is much lighter than v3 and v4, but the main reason for that is not the change of GUI. If all the features of v4 were added to the v2.7 GUI then v2.7 would no longer be as light as the original v2.7. Would it be better to have a non-competitive AV just to keep it as light as v2.7?

    You make it sound so simple. Maybe sometimes to enhance the heuristics further it might be necessary to change the engine as well. I don't think Eset or any other av manufacturer will give away a lot of details how it works in the public. I'm pretty sure they do what they do for a good reason to enhance the product.
     
  14. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Marcos:

    Thank you very much for explaining (in this thread's message 12) what email plugins do.

    Roger Folsom
     
  15. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    For whatever it might be worth, I finally did install Eset's NOD32 Antivirus version 4.0.424, and so far it is working with no problems (including no problems with Webroot's SpySweeper demand scan, and no problems with my Danware NetOp Process Control firewall 4.0) and no noticeable loss of speed compared to 2.7 (although that may be because I have, at least temporarily, disabled SpySweeper's otherwise continuously running "Shields").

    For details (and some implied questions), see my post at https://www.wilderssecurity.com/showpost.php?p=1458595&postcount=13

    Roger Folsom
     