What sets NOD32 apart from the rest?

Discussion in 'NOD32 version 2 Forum' started by Close_Hauled, Jul 18, 2004.

Thread Status:
Not open for further replies.
  1. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    I have been a network engineer for quite some time now. Only now am I hearing about NOD32. I first heard about it here on this forum site. Then recently, I saw an ad in PC Magazine. The statistics mentioned in the ad seem impressive. What sets NOD32 apart from McAfee and Norton, both of which I have been using professionally for years?

    Close Hauled
     
    Last edited: Jul 18, 2004
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Re: What sets NOD32 apart from the rest?

    More frequent updates, a lighter resource hit, and here recently much more unpacking support has been added, as well as many trojan detections, which was one of NOD's faults. Eset has made quite an effort in this area recently to rectify this however. Additionally, as long as your license is current any new version releases are free of charge.

    Personally, I dislike both $ymantec and McAfee, but that is just my opinion and you know what they say about opinions. You will get both positive and negative feedback here as some of us love NOD, some hate it, and some tolerate it, again opinions. The best thing I could suggest is to download the trial, and see what YOU think, and how it works on your system.
     
  3. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Re: What sets NOD32 apart from the rest?

    They need to make more effort as NOD32 recently missed some trojans on my PC that KAV found, and it seems that trojans are becoming more and more prevalent these days.
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Re: What sets NOD32 apart from the rest?


    Please submit the missed trojans to either samples@nod32.com or support@nod32.com, this will help them make that effort even better.
     
  5. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I'd say that it's a design philosophy that emphasizes small resource footprint, a focus on present and past active threats - as opposed to zoo based malware which could but have not yet appeared in the field, and a focus on malware only (not the integrated security center approach), and an increasing emphasis on heuristic (i.e. behavioral in a program sense) based identification of malware.

    Blue
     
  6. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Re: What sets NOD32 apart from the rest?

    Already have :)
     
  7. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Re: What sets NOD32 apart from the rest?

    sard,

    Were they active trojans or potential java based exploits that were flagged? Just wondering.

    Blue
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: What sets NOD32 apart from the rest?

    Sard,
    just wanna give my 2 cents: not all files reported by other AVs as infected are actually functional viruses. Maybe NOD does not have as large a virus database as the competitors have, but it does not detect files which only give an error that the application you are attempting to run is not a valid Win32 app.
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Marcos, Any updates on the issue with IRC/SdBot.AIG trojan?
     
  10. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    This is the file NOD doesn't detect, Discovered: Apr. 3, 2004 apparently.

    http://www.trendmicro.com/vinfo/vir...yclo/default5.asp?VName=BKDR_SDBOT.HU&VSect=T

    TDS3, KAV and online Trend Micro scanner detect it.

    If you want to test it yourself I'm briefly hosting it in a password protected ZIP. Password is nasty. Do so at your own risk of course.

    edited to remove link - BlueZannetti

    I sent a copy to ESET. There was another one but I deleted it without thinking unfortunately so haven't sent a sample.
     
    Last edited by a moderator: Jul 18, 2004
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Thanks Sard, if you sent it to support@nod32.com I'll be able to check it. If you sent it to samples@eset.sk or samples@nod32.com, our guys will analyse it and let you know shortly.

    To Flyrfan:
    The fp has been remedied in update 1.815. Please update NOD32 to the most current version.
     
  12. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Well they got back to me very quickly I just received this email.

    thank you for the sample. It's repacked (with ExePack) IRC/SdBot.AGH trojan.
    We'll add detection as soon as possible.

    Thank you for your cooperation.


    According to this webpage http://www.nod32.com/support/infoarchive.htm NOD32 was updated with a definition for this trojan on 26 April 2004, so am I right in assuming NOD32 failed to detect it because it was in an ExePack archive? Would NOD32 have detected it if I'd been unlucky and the exe had been executed, thus unpacking the trojan?

    This webpage http://www.nod32.com/products/nt.htm says
    NOD32 Scanning Engine Key Features Virus detection in compressed or protected executable files, such as Pklite, Lzexe, Diet, Exepack, CPAV, UPX, AsPack, FSG, Petite, Neolite.

    So why did it miss it? Are there some settings I have wrongly configured?

    Thanks for all the help.
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Did you scan it with the on-demand scanner and scanning runtime-packed files enabled before?
     
  14. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Yes, if you mean these settings:

    http://uberish.fastmail.fm/4.jpg
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    I believe Marcos is asking about the desktop icon on demand scanner.
     

    Attached Files:

  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Sard,
    you posted a screenshot of IMON setup. Would you please confirm or deny that you had the Runtime packers check-box in the on-demand scanner setup (see Ronjor's shot) ticked before?
     
  17. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Oops, sorry. The on demand scanner boxes for runtime packers and archives weren't ticked. I have since changed my settings so they look the same as ronjor's but NOD32 still can't detect the file :(

    Would you like me to send you a copy of the file to support@nod32.com ? I don't want to waste anybody's time at ESET as I've already sent it once to samples@nod32.com but I'm just wondering if there's something wrong with NOD32 on my PC or if NOD32 definitely can't detect the file in this incarnation.
     
    Last edited: Jul 19, 2004
  18. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    > Would you like me to send you a copy of the file to support@nod32.com ? I don't want to waste anybody's time at ESET as I've already sent it once to samples@nod32.com but I'm just wondering if there's something wrong with NOD32 on my PC or if NOD32 definitely can't detect the file in this incarnation.


    If you are worried about your settings, you could upload the file at www.virustotal.com and see if their version of NOD detects it. As well as 11 other scanners I think, it is similar to KAV's online checker except that they email you a response.
     
  19. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    It has been very interesting reading all of the responses these last couple of days.

    Ironically, I received an e-mail with the latest Bagle variant attached. McAfee will not detect the virus, even with today's definitions. Will NOD32 detect this with and without updated definitions?

    Close Hauled
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    https://www.wilderssecurity.com/showthread.php?t=42010
     
  21. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    See: https://www.wilderssecurity.com/showthread.php?t=42010
     
  22. sard

    sard Registered Member

    Joined:
    Apr 18, 2004
    Posts:
    175
    Location:
    UK
    Cool website thanks for the link.

    These are the results:

    BitDefender 7.0/20040719 found [Win32.P2P.SpyBot.Gen]
    ClamWin devel-20040517/20040719 found [Trojan.SdBot.Gen-79]
    eTrustAV-Inoc 4641/20040718 found nothing
    F-Prot 3.15/20040719 found [W32/Sdbot.OU]
    Kaspersky 4.0.2.23/20040719 found [Backdoor.SdBot.ja]
    McAfee 4378/20040719 found [W32/Spybot.worm.gen.a]
    NOD32v2 1.817/20040719 found nothing
    Norman 5.70.10/20040719 found [W32/Malware]
    Panda 7.02.00/20040719 found [W32/Gaobot.OE.worm]
    Sybari 7.5.1314/20040719 found [W32/Sdbot-HY]
    Symantec 8.0/20040718 found [W32.Randex.gen]
    TrendMicro 7.000/20040719 found [BKDR_SDBOT.HU]

    So assuming they've configured the AVs with optimal settings, it's a problem with NOD32 failing to detect the file even though they've released a definition for it and supposedly support Exepack.

    It's a shame www.virustotal.com doesn't show how the various AVs perform over a period of time.
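    A per-engine list like the one above is easy to over-read. A "found nothing" from an engine running day-old signatures says less than one from an engine with current signatures, and the detection names differ between vendors, so agreement is only at the family level. The Python below is an added example and not part of the thread or of any vendor's tooling: it parses the pasted result lines (copied inline as constructed input) and separates those cases; the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the engine lines pasted in the post above, one engine per line.
SCAN_REPORT = """\
BitDefender 7.0/20040719 found [Win32.P2P.SpyBot.Gen]
ClamWin devel-20040517/20040719 found [Trojan.SdBot.Gen-79]
eTrustAV-Inoc 4641/20040718 found nothing
F-Prot 3.15/20040719 found [W32/Sdbot.OU]
Kaspersky 4.0.2.23/20040719 found [Backdoor.SdBot.ja]
McAfee 4378/20040719 found [W32/Spybot.worm.gen.a]
NOD32v2 1.817/20040719 found nothing
Norman 5.70.10/20040719 found [W32/Malware]
Panda 7.02.00/20040719 found [W32/Gaobot.OE.worm]
Sybari 7.5.1314/20040719 found [W32/Sdbot-HY]
Symantec 8.0/20040718 found [W32.Randex.gen]
TrendMicro 7.000/20040719 found [BKDR_SDBOT.HU]
"""

# <engine> <version>/<signature date YYYYMMDD> found [<name>] | nothing
LINE_RE = re.compile(
    r"^(?P<engine>\S+) (?P<version>\S+)/(?P<sigdate>\d{8}) found "
    r"(?:\[(?P<name>[^\]]+)\]|nothing)$"
)


@dataclass(frozen=True)
class EngineResult:
    engine: str
    version: str
    sigdate: str               # date of the signature set the engine ran with
    detection: Optional[str]   # None when the engine reported "nothing"


def parse_report(text: str) -> List[EngineResult]:
    """Parse one result line per engine; a line in an unknown shape is an error, not a miss."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised result line: {line!r}")
        results.append(EngineResult(m["engine"], m["version"], m["sigdate"], m["name"]))
    return results


def summarize(results: List[EngineResult]) -> dict:
    """Detection tally, plus the misses that carry weight: engines that missed with up-to-date signatures."""
    newest = max(r.sigdate for r in results)   # YYYYMMDD strings compare correctly as text
    return {
        "engines": len(results),
        "detected": sum(1 for r in results if r.detection is not None),
        "missed": [r.engine for r in results if r.detection is None],
        "missed_with_current_sigs": [
            r.engine for r in results if r.detection is None and r.sigdate == newest
        ],
        "stale_signatures": [r.engine for r in results if r.sigdate < newest],
    }


def engines_naming(results: List[EngineResult], family: str) -> List[str]:
    """Engines whose detection name contains the family keyword (vendor names differ, so match loosely)."""
    needle = family.lower()
    return [r.engine for r in results if r.detection and needle in r.detection.lower()]


if __name__ == "__main__":
    res = parse_report(SCAN_REPORT)
    s = summarize(res)
    print(f"{s['detected']}/{s['engines']} engines detected the file")
    print("missed with current signatures:", s["missed_with_current_sigs"])
    print("signatures older than the newest set:", s["stale_signatures"])
    print("engines naming it SdBot:", engines_naming(res, "sdbot"))
```

    Run on the pasted lines, the "missed with current signatures" list contains only NOD32v2, which is the miss worth raising with the vendor; the eTrustAV-Inoc miss was made with signatures a day older than the rest.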
     
  23. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I guess it looks that way. OOPPSS!
     
  24. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    I just received a second e-mail that looks like it is a different variant than the one that I received this morning. The body of the text has a line added that says "Password:" and has a bitmap image of a password after it. Here is an example:

    >Lovely animals


    Password: <<Bitmap Here>>

    The attached file is 66k, where the previous was 29k. Who can confirm if this is another variant?

    Close Hauled

    BTW: I sent them both to VirusTotal. No word from them yet.
     
    Last edited: Jul 19, 2004
  25. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Being a Network Administrator and/or engineer one can enjoy the fact that the IMON module in NOD32 terminates attacks from Lovsan and other network exploits. We had 2 laptops come onto our network. Lovsan and the DCOM Exploit were blocked on over 500 machines. Although all the machines had the patch(es), it is the comfort factor for similar attacks.

    Log Details
    attack from computer xx.xx.xxx.xxx - Win32/Lovsan worm

    Log Details
    attack from computer xx.xx.xxx.xxx - Win32/Exploit.DCOM worm
     
    Last edited: Jul 19, 2004
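    IMON entries of the kind quoted above become useful once the lines from many workstations are pooled: the handful of source addresses that hundreds of machines report are the infected laptops, and the per-source threat list tells you what each one was sending. The Python below is an added example, not ESET's tooling or the poster's logs; the workstation names and the RFC 5737 documentation addresses in the sample are constructed, and the `WS-101: ...` prefix is an assumption about how entries were gathered from each host.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: IMON lines in the shape quoted above ("attack from computer <ip> - <threat>"),
# each prefixed with the hypothetical workstation that logged it. Addresses are RFC 5737 test ranges.
IMON_LOG = """\
WS-101: attack from computer 192.0.2.10 - Win32/Lovsan worm
WS-102: attack from computer 192.0.2.10 - Win32/Lovsan worm
WS-102: attack from computer 192.0.2.11 - Win32/Exploit.DCOM worm
WS-103: attack from computer 192.0.2.11 - Win32/Exploit.DCOM worm
WS-104: attack from computer 192.0.2.10 - Win32/Lovsan worm
WS-104: attack from computer 192.0.2.11 - Win32/Exploit.DCOM worm
WS-105: attack from computer 198.51.100.7 - Win32/Lovsan worm
"""

ENTRY_RE = re.compile(
    r"^(?P<reporter>[\w-]+): attack from computer "
    r"(?P<source>\d{1,3}(?:\.\d{1,3}){3}) - (?P<threat>.+)$"
)


def parse_imon(text: str) -> List[dict]:
    """One dict per matching line: reporter (blocking host), source (attacker), threat (IMON name)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def attackers(entries: List[dict]) -> Dict[str, dict]:
    """Group by attacking source: the threats it sent and the workstations that blocked it."""
    by_source = defaultdict(lambda: {"threats": set(), "victims": set()})
    for e in entries:
        by_source[e["source"]]["threats"].add(e["threat"])
        by_source[e["source"]]["victims"].add(e["reporter"])
    return dict(by_source)


def top_sources(entries: List[dict], min_victims: int = 2) -> List[Tuple[str, int]]:
    """Sources blocked by at least min_victims workstations, busiest first (ties broken by address)."""
    ranked = [
        (src, len(info["victims"]))
        for src, info in attackers(entries).items()
        if len(info["victims"]) >= min_victims
    ]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def reporting_hosts(entries: List[dict]) -> int:
    """How many distinct workstations logged at least one blocked attack."""
    return len({e["reporter"] for e in entries})


if __name__ == "__main__":
    log = parse_imon(IMON_LOG)
    print(f"{reporting_hosts(log)} workstations reported blocked attacks")
    for src, n in top_sources(log):
        threats = sorted(attackers(log)[src]["threats"])
        print(f"{src}: blocked on {n} hosts, sending {threats}")
```

    The threshold in top_sources is what separates the two machines worth pulling off the network from a one-off hit; with the sample above, the two 192.0.2.x sources surface and the single report from 198.51.100.7 does not.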