Why does Nod32 NOT block rogue scamware???

LiKe Security Tools scam ware, Antivir 2009, etc?

 

I saw ESET to be one of the very few AVs to detect them proactively or detection was added very quickly, among first AVs. If you have any undetected samples, submit it to ESET per the instructions here, maybe they are corrupted or brand new variants.

 

I havent been to these forums recently, but was surprised when I came here today to find this comment. Nothing personal Marcos, but I have been reselling Nod32 back from days of version 1, and a still say one of the best. HOWEVER, it is not picking up MOST of the new rouge anti virus's out there today. I have dozens of customers bring computers with this type of malware each week, many of them with Nod32 Antivirus that we sell them ( and up to date) and they ask the question why doesnt NOD32 pick them up.

I dont know if its just the AV that doesnt pick them up, should we move people to ESS ?

I would love to submit stuff to eset, and will probably begin to do so after reading this but its a time consuming procedure which takes up time i do not have.

I do however think its a little unfair to say that Nod32 add these "quickly" when Malwarebytes or Combofix can fix many of these problems WEEKS before Nod32 does.

 

You can find instructions for submitting suspicious undetected files to ESET here. I've checked today's variants of specific rogue software, currently they are detected by ESET, Antivir, Sunbelt and Fortinet. No AV will ever detect 100% of all threats, especially from the very first moment they are released. I wouldn't take Combofix into comparison, they often remove a lot of legit files and put them to quarantine which is unacceptable for commercial security software used in production environments.

 

hence the use of Combofix, in itself an invaluable app, is not advised unless under guidance of an trained user

 

I understand the basis of what you are saying, but in reality, the use of Combofix v's Eset for one of these infections is the difference of having an operational machine or not. Its all based on the perception of the situation.

What the customer see is "Nod32 was on my system and I was still infected"

What I see is "Nod32 didnt protect this system, It wont clean it even with rescue disc. Combofix, whilst it may remove "legitimate" files, can get this system to an operational state which I can work on to clean up"

What you see/are saying is " My database of "known" malware is up to date so Nod32 will clean it as far as I know.

In a real world scenario, that customer just thinks Nod32 is crap, which we both know to be untrue, but its hard to argue with perception.

 

There are lots of variables within ESET itself which can determine how successful it will be at cleaning and detecting on the fly. I highly recommend the "strict" cleaning setting for the real-time file protection, and that you select potentially unsafe applications as well.

As someone supporting 3300 laptops currently running ESET AV 4 which are in the possession of college students (certainly amongst the most "adventurous" type of users for where the go and what they download via the Internet), I can vouch for the fact that ESET is in fact blocking this type of spyware for my users. I have additional "graduate" machines running AVG 2011 (they cannot be running ESET due to license restrictions) and those machines ARE routinely compromised by Security Tool, etc.

 

As Marcos said nothing catches everything 100 % of the time, there's an old adage that goes, the computer is only as safe as it's user ... for this ESET offers stand-alone malware and rogue removal tools.
For all else there is expert help available *24/7*, Here & Here

 

I believe this is Eset's weakest area, and that's why I use Prevx, Malwarebytes or something similar to fill in the gap. Yes, nothing will catch 100% of in the wild malware, and i don't expect them to. I do strongly believe they need to improve in this area! I believe as a company they need to dedicate a team solely to improving detection of rogues if they have not already. Missed rogues has been the biggest issue i have seen posted on this forum. Besides that it seems Eset does an excellent job at detecting all other categories of malware.

 

Quite the contrary. Even according to my personal observation, ESET is almost always among 1-3 AVs that detect new rogue tool variants.

 

Please read the following, it summarizes the general scope of what you can expect from an AV vendor and not.
https://www.wilderssecurity.com/showpost.php?p=1632032&postcount=19

 

I'm not comparing it against other AV's. I'm stating that Eset is Excellent in detection of Malware such as viruses, botnets, worms, trojans Spyware, but i feel its weakest area is in detection of rogues. That's comparing it against it's own scores, and not against the competition. I believe if the right test were ran then you would see that its lowest score would be in detection of rogues. I believe there is much room for improvement. I believe cloud based analysis could help in faster detection of newly mutated malware such as rogues which change very frequently. This is not a fact, but what i believe from what i have seen posted here at the forum.

 

I was talking specifically about rogue AVs / tools. ESET is among the first, usually one of 1-3 other AVs, to detect them. If you come across an undetected sample, submit it to ESET for analysis per the instructions here.

 

Again, each environment / user will have their own experience, but for me ESET has been extremely strong in defending against rogues and new variants (see Proactive detection rating in the graph below)

http://www.virusbtn.com/vb100/RAP/RAP-quadrant-Apr-Oct10-600.jpg

Per Virus Bulletin, testing methodology found here.

Yes, I also bundle Malwarebytes & Spybot Search & Destroy on machines for on-demand needs. Yes, I have detailed instructions available to send to my users on Safe Mode / Combofix-related deep scans. But for the vast majority of my users, these steps are never necessary.

 

http://malwareresearchgroup.com/category/malwareproducttesting/

 

Thanks for the post Vtol!

 

Seems to be another "tester" who doesn't adhere to AMTSO principles.

 

This paper is very useful, malware testing is not an easy task.
Snipped: this document is not intended for the public even though it contains very valuable information about how easy is to skew test results that normal users are not aware of. It was presented at the last Virus Bulletin conferrence.

 

When the viruslab colleagues read complains about undetected rogues they are often asking:
“Where are those undetected samples?”
and expecting those who complain to submit the undetected threats.

It is very good to include the sources of the infection in the reports as well when they are known. This help us to understand the malware distribution channels and to improve the detection.

 

easy to discredit anyone testing outside the box... question is whether those are emulating real world scenarios. does not help to test in the lab environment whilst users getting infected when in a real world. and what about the annual AMTSO membership fee of 2,000 Euros for a few useless membership benefits?

perhaps a good idea to prove the cited testimonials about MRG as faked:

 

as being cited various times by Eset staff the NOD build-in sample submission feature is not favored by Eset, although being very much limited by file size it is an easy click and send method. instead for any larger file above 2 or 3 MB and as so often requested by Eset the user shall take the more laborious route of emailing a password encrypted archive.

Not sure whether you look a the human part in the process. if NOD misses something the user at first will not be happy about NOD, assuming that it should have prevented the infection in the first place. although it may seem illogical to you but I reckon the majority is under such circumstance not that motivated to go through the laborious method of sample submission.
Moreover I trust that most people would panic upon an infection of their machine and seek instant healing, either themselves or somebody with knowledge at hand. those tools come to use would then get rid of the infection but not report the data to Eset. And I very much doubt that the majority of happy users with cleaned machines want to look back into the infection and spend time to collect the relevant data - which may have been entirely eradicated already by other tools.

maybe Eset can get into a broader alliance with the vendors of those tools able to detect and disinfect things missed by NOD, to collect the necessary data. and perhaps think of new ways to interact with the end user in case of suspicious files, to make it easy and convenient to submit even if another tool detected and cleaned of what has been missed by NOD.
from the forum there is only one (sort of dead) thread about the future development of NOD where users can post ideas - sometimes there is feedback by Eset, mostly not, what however is visible is the scarcity of NOD versions implementing ideas. how about polls about new features, a roadmap, feedback on new ideas like eventually sprouting here?
open up the mind to new ways of testing your software instead of hastily discrediting those thinking outside the box - because the guys actually writing the bad do think outside the box quite a lot - and succeed when bypassing/defeating the security product.

 

Early this year at our office: One user got his PC infected by Antivirus Plus with Eset AV 4.0.474 installed - a scan of the computer brought no reaction, NOD32 didnt find anything. A scan with Avira found infected files and quarantined them.

I submitted the files to ESET, few days later NOD32 too was able to detect the threat.

So again: My personal expirience is quite contrary to yours. But maybe some users here a just a bit less biased to your product than you are.

I only wish that ESET would listen more carefully to their users than just rejected any criticism.

 

I'd have several remarks:
1, when comparing reaction times at the beginning of the year and now; samples are now processed almost immediately after they are received and a reply is sent after they have been processed. A lot of things have improved in the mean time.
2, we've now added detection for a quickly changing famous rogue AV that was detected only by one antivirus not mentioned here. There's a big chance ESET will be the 2nd AV to recognize that new variant and some others thanks to heuristics and generic detection. When a particular AV detects a threat that the others don't does not make it the best and it does not mean that the AV will protect the user against other threats as efficiently as the AVs that missed that threat. One should also take into account the level of danger a particular threat poses and the level of damage the threat may cause; missing a rogue tool that merely pops up fake alerts and lures the user into purchasing it is less significant than missing a file infector that can corrupt files on the disks. The same holds true for bankers/password stealers that may steal sensitive information and use them to transfer money from a user's bank account.

 

Hello,

As mentioned previously, the "future changes" message threads are read by many ESET employees, and participating in them is an excellent way to let the company know what enhancements you would like to see.

That said, messages saying something along the lines of "make X better" without providing any explanation or qualifications for what better means are not particularly helpful. For example, ESET's virus lab is constantly working on improving threat detection, so asking about detection for a particular taxonomy (i.e., Adware) or family (i.e., the Virut family of viruses) of threats is somewhat redundant.

Regards,

Aryeh Goretsky

 

AV-Comparatives appears to be undertaking an additional form of testing which may emulate more closely those "real world" scenarios, albeit on boxes which would be more vulnerable than the average current machine (e.g. IE 7, XP SP3, etc)

~ Removed Direct PDF Link as per AV-Comparatives Request - See Whole Product Dynamic Tests page for the actual PDF ~

Should be interesting to see how it develops over the coming months.