Followup re AntiVirus Scanners; Nod32, Kaspersky, etc

_RR

I read thru replies in another thread re AV scanners. Between that
and some online reports, it looked like NOD32 would be the best first
choice. The others that looked good were Kaspersky, Trend,
Bit-Defender, in roughly that order. (Anyone else have different
experience?)

So...I tried the NOD32 eval. Nod32 does look like it's very good with
system resources, CPU usage, etc. It did find some suspect files that
were not located by AVG, so it looks like it's probably a very good
choice all-around (I prefer not to have systems slow down
unpredictably).

Nod32's control panel also allows temp-disabling of 'AMON,' their file
monitoring program. I would love to know how to do the same with
DMON, EMON and IMON as well. Their disable buttons caution that their
entries will be removed from the registry. I presume that would
require a reinstall. Anyone know about this?

Another couple of NOD32 anomalies: It sometimes reports "Error occurred
while scanning active boot sector of the 1 physical disk." (or the "4
physical disk"). Not sure what that's about, as I've run chkdsk
several times with no problems reported.

Also, NOD32 often reports problems opening some ZIP or RAR files. It
seems to get to others OK. Not sure why it would be inconsistent.

-----

Another suggestion from this group: Supplement a primary scanner with
online scanners. So I decided to try the online versions of the other
three.

Trend worked pretty quickly. It located about 10 files that were not
caught by NOD32. I was surprised at this. Of course some may be
mistriggers, but some were pifs embedded in .tbb files (Inbox
messages). That's stuff that I would not have opened, but I was
impressed that Trend caught this when NOD32 did not.

I decided to leave the suspect files in place and try Kaspersky
online. The current scan has been running for hours and only
registers 58% complete (I take it that Kaspersky is not the fastest
scanner). BUT so far it claims to have found 33 viruses in 392
infected objects (!!!!!) I admit to some skepticism, but I haven't
seen the final list yet. If it has found that many files that were
missed by both NOD32 and Trend, then it must be the best scanner
hands-down. Again, the jury is out.

I'll check back after completing other tests. Meanwhile, if anyone
knows about temporarily disabling the secondary NOD32 modules, or
about the other NOD32 problems, please feel free to follow up.
 
Torrey Lauer

In my experience, I have used McAfee, Norton, and Trend Micro's PC-cillin.
I would NOT EVER use McAfee at any point in my life again if their product
stays the way it is now. After McAfee, I went to Norton, and I really liked
Norton until, all of a sudden, about two years ago, our computers started to
become infected. This bothered me severely because 1) Norton didn't prevent
the infection and 2) Norton wasn't able to clean the infection.

I switched to a Trend Micro product (C/S/M) for our business servers and
computers. I also used Trend Micro's PC-cillin for my personal computers at
home. I have to say that I LOVE Trend Micro. I actually swear by it. The
number of infections since we switched to Trend Micro has dropped to almost
zero (we get about one virus a year that infects a computer from a user that
opened something or went to a website that they shouldn't have).
What is so great is that Trend Micro is able to delete the infected file or
clean it. Sometimes I've had to reboot the PC into Safe Mode for it to
clean or delete the file, but it still gets the job done, unlike Norton and
McAfee.

The other really great feature about Trend Micro, especially for personal
computers, is that its PC-cillin Internet Security product, which includes
AV, firewall, spam blocker, URL blocker, etc., is really easy to set up
compared to the Norton Internet Security product, AND it doesn't slow the
computer down to a crawl like Norton Internet Security.

If you can't tell, I'm a huge fan of Trend Micro. The reasons why are all
explained above. Norton let me down, and McAfee is just downright horrible
and useless.

--
Torrey Lauer
Modern Travel Services
moderntravel DOT net

Rainbow Sky Travel
rainbow sky travel DOT net
 
GTS

You're wise to look for something better than AVG. That's a greatly
overrated product. Take a look at ETrust from Computer Associates. As well
as being highly effective and light on resources it has a "snooze" feature
that's easily accessible from a simple right click on the tray icon.
There's a special one year free offer at http://www.my-etrust.com/microsoft/

I don't believe it's generally necessary to "Supplement a primary scanner
with online scanners". It is highly advisable though to protect against and
scan for spyware regularly as none of the AV programs are very effective
against it.
--
 
Nightowl

_RR wrote on Fri, 17 Jun 2005:
> Nod32's control panel also allows temp-disabling of 'AMON,' their file
> monitoring program. I would love to know how to do the same with
> DMON, EMON and IMON as well. Their disable buttons caution that their
> entries will be removed from the registry. I presume that would
> require a reinstall. Anyone know about this?

Hi _RR

I run the current full version (2.5) and only use AMON and the on-demand
scanner. I have the other modules turned off. For IMON and EMON, this
just unloads them, and enabling them again is simply a matter of
clicking on a Start button.

DMON when you disable it does give a warning that it will be
"unregistered from the system", but I have just tried this out in your
honour :) and it doesn't seem to be so. After rebooting DMON wasn't
running but I enabled it again just by clicking on Start, no reinstall
needed.

> Another couple of NOD32 anomalies: It sometimes reports "Error occurred
> while scanning active boot sector of the 1 physical disk." (or the "4
> physical disk"). Not sure what that's about, as I've run chkdsk
> several times with no problems reported.

This one used to drive me crazy wondering if there was something dire
wrong with my HD until I found what it was. . . NOD32 was trying to look
at a Zip disk and there was no disk in the drive. When it starts up the
scanner tries to look at the boot sector of *all* your disks. Does this
make sense for you? Do you have a Zip or similar drive?

> Also, NOD32 often reports problems opening some ZIP or RAR files. It
> seems to get to others OK. Not sure why it would be inconsistent.

I do sometimes get reports of "archive damaged" when I do a scan, though
WinZip has no problem with the file. I don't know why this is. . . in
fact I think I'll email Eset about it and find out :) I can vouch for
the fact that their tech support is very good and very fast.

I've been using NOD32 for three years now and am very happy with it.
It's fast, light on resources, very frequent automatic updates and
excellent detection. Hope this helps!
 
_RR

> In my experience, I have used McAfee, Norton, and Trend Micro's PC-cillin.
> I would NOT EVER use McAfee at any point in my life again if their product
> stays the way it is now. After McAfee, I went to Norton, and I really liked
> Norton until, all of a sudden, about two years ago, our computers started to
> become infected.

Hi Torrey,

I've found that most McAfee and Norton products tend to become large
and unwieldy. Unfortunate in the cases where they have absorbed
smaller companies with relatively good products (for ex, older Ghost
and Drive Image were relatively light-weight and effective).

So it's not surprising that you've had good luck with Trend. There
are a few people on this group with experience with a wide range of AV
software, and Trend is often listed. So is NOD32 and Kaspersky. When
looking at test data, it seemed that BitDefender would complement the
other two. Unfortunately seems that you can't install more than one
AV, so I thought the top manufacturers' online scans may be a
reasonable way to compare effectiveness.

I guess the online scans do what they are supposed to do (non-realtime
'static' file tests) but you'd think that manufacturers could put out
a light-weight version of their testers to do this. Then users should
theoretically be able to load several AVs. I suppose that none are
ready to concede 'ownership of the machine' and that's understandable.
Still, maybe they'll be pushed into that position if Microsoft bundles
free virus-scanning with their operating systems.
 
_RR

> You're wise to look for something better than AVG. That's a greatly
> overrated product. Take a look at ETrust from Computer Associates. As well
> as being highly effective and light on resources it has a "snooze" feature
> that's easily accessible from a simple right click on the tray icon.
> There's a special one year free offer at http://www.my-etrust.com/microsoft/

Well said:
> I don't believe it's generally necessary to "Supplement a primary scanner
> with online scanners".

Seriously, the online scans (recommended by some knowledgeable people
here) were inspiring--They all turn up different virii. I'm not sure
if all of Kaspersky's were of major concern, but they did come up with
a long list *after* NOD32 and Trend had a crack at 'em. I've still
got to correlate those.

> It is highly advisable though to protect against and
> scan for spyware regularly as none of the AV programs are very effective
> against it.

I know how the programs themselves differ (especially in intent) but
I'm not sure how the detection mechanism would be different for a
virus vs spyware. Many virus and spyware programs seem to use the
same tricks (Is no one just overwriting the MBR like back in the good
old days?)

After thinking about it, I'm not sure why various AV programs will not
coexist, but antispyware generally will. You'd think that both would
have the same types of resident monitoring that would interfere with
other programs of the same type...or not.
 
_RR

> _RR wrote on Fri, 17 Jun 2005:
>
> Hi _RR
>
> I run the current full version (2.5) and only use AMON and the on-demand
> scanner. I have the other modules turned off. For IMON and EMON, this
> just unloads them, and enabling them again is simply a matter of
> clicking on a Start button.
>
> DMON when you disable it does give a warning that it will be
> "unregistered from the system", but I have just tried this out in your
> honour :) and it doesn't seem to be so. After rebooting DMON wasn't
> running but I enabled it again just by clicking on Start, no reinstall
> needed.

Good to know, thanks! I could have sworn that IMON and EMON gave the
same type of message. Good to know I don't have to reinstall.

> This one used to drive me crazy wondering if there was something dire
> wrong with my HD until I found what it was. . . NOD32 was trying to look
> at a Zip disk and there was no disk in the drive. When it starts up the
> scanner tries to look at the boot sector of *all* your disks. Does this
> make sense for you? Do you have a Zip or similar drive?

Good observation, and I wish that was the case. If they're using the
same numbering system as the Disk Management console, those are hard
drives. Both relatively new, and tested (I run Check Disk surface
scan on all new drives a couple times before trusting them). Neither
are boot drives. One is a SATA and the other is standard ATA, and I
have other identical drives in the same system that were not flagged,
so I don't think it's a drive geometry issue.

> I do sometimes get reports of "archive damaged" when I do a scan, though
> WinZip has no problem with the file. I don't know why this is. . . in
> fact I think I'll email Eset about it and find out :) I can vouch for
> the fact that their tech support is very good and very fast.

Good. If you're a registered user, they'll listen to you. I'm just
trying out NOD. Everyone seems to like the program, and I agree about
the speed and functionality. But the archive errors, the unexplained
boot sector errors, and the fact that Kaspersky and Trend caught
(well, CLAIM to have caught) numerous things that NOD missed...those
are factors for me.

If I could verify archive errors, boot sector errors etc that would
put a different perspective on it, but my tests with WinRar, etc bear
out your own test results. This would also seem to indicate that
those files were not tested.

And I've got to find another program to test boot sectors now. I'm
betting that's a false alarm.

I think Eset/NOD needs to work a bit on presentation and UI. Even the
misleading unload message(s) from IMON, EMON, etc would indicate that.

> I've been using NOD32 for three years now and am very happy with it.
> It's fast, light on resources, very frequent automatic updates and
> excellent detection. Hope this helps!

Certainly does. Those are the main factors for me. The other
artifacts and possible missed files were a surprise, but those bear
further investigation. (I did notice that a number of Kaspersky's
'finds' were in an old quarantine folder which NOD may have ignored).
 
Rock

_RR wrote:

> Hi Torrey,
>
> I've found that most McAfee and Norton products tend to become large
> and unwieldy. Unfortunate in the cases where they have absorbed
> smaller companies with relatively good products (for ex, older Ghost
> and Drive Image were relatively light-weight and effective).
>
> So it's not surprising that you've had good luck with Trend. There
> are a few people on this group with experience with a wide range of AV
> software, and Trend is often listed. So is NOD32 and Kaspersky. When
> looking at test data, it seemed that BitDefender would complement the
> other two. Unfortunately seems that you can't install more than one
> AV, so I thought the top manufacturers' online scans may be a
> reasonable way to compare effectiveness.

<snip>

There is nothing wrong with having more than one AV installed. Just
don't have more than one doing active scanning.
 
GTS

A few comments are noted below.
> I know how the programs themselves differ (especially in intent) but
> I'm not sure how the detection mechanism would be different for a
> virus vs spyware. Many virus and spyware programs seem to use the
> same tricks (Is no one just overwriting the MBR like back in the good
> old days?)

The line between viruses and spyware parasites is definitely blurring. The
term Spyware is rather broad and there are sometimes technical differences.
Viruses and Trojans tend to be contained in executable files and identified
by pattern matching against a database of definitions. Spyware/adware
parasites may be installed as BHOs (browser helper objects) or ActiveX
objects, which traditional antivirus programs would not detect, to give a
quick example, as well as executable files. For similar reasons, the
mechanisms for removal may differ. Some AV programs are increasingly
recognizing common spyware parasites but are very inept at cleaning them.
There is a trend toward adding more spyware functionality to AV programs.

> After thinking about it, I'm not sure why various AV programs will not
> coexist, but antispyware generally will. You'd think that both would
> have the same types of resident monitoring that would interfere with
> other programs of the same type...or not.

They tend to hook different kinds of system services. I think it likely
that more conflicts will surface as more resident spyware protectors are
used. Also, some very good spyware protectors (like the free
SpywareBlaster) don't actually load resident services, or load fewer
services. SpywareBlaster, for example, adds many common infection sources
to the browser's Restricted Sites zone. Some update the hosts file for
similar purposes.
 
Nightowl

_RR wrote on Fri, 17 Jun 2005:
> Good. If you're a registered user, they'll listen to you. I'm just
> trying out NOD. Everyone seems to like the program, and I agree about
> the speed and functionality. But the archive errors, the unexplained
> boot sector errors, and the fact that Kaspersky and Trend caught
> (well, CLAIM to have caught) numerous things that NOD missed...those
> are factors for me.

Hmm, yes. . . well, everyone has their favourite they will champion and
I'm no exception. I am sure Kaspersky and Trend are good programs. But I
would be really surprised if they had caught a long list of things NOD
missed. NOD consistently outdoes both of them on Virus Bulletin tests.
But of course you've got to have faith in the AV you choose, otherwise
it's pointless.

> If I could verify archive errors, boot sector errors etc that would
> put a different perspective on it, but my tests with WinRar, etc bear
> out your own test results. This would also seem to indicate that
> those files were not tested.

Yes, I really don't know the answer to the archive file problem. I'll
definitely email tech support and see what they say -- I could let you
know if you're interested?

> And I've got to find another program to test boot sectors now. I'm
> betting that's a false alarm.

I am sure it is. The message I used to get was that there was a problem
with "the 1 physical disk", the same as yours. I thought it was
referring to drive C: and worried and tested and pulled my hair out
until I accidentally left a disk in the Zip drive and found I didn't get
the error. The Zip was drive D: on my system. I no longer have the Zip
installed (pass-through port wouldn't work with my printer under XP) and
no error messages :)
 
_RR

> _RR wrote on Fri, 17 Jun 2005:
>
> Hmm, yes. . . well, everyone has their favourite they will champion and
> I'm no exception. I am sure Kaspersky and Trend are good programs. But I
> would be really surprised if they had caught a long list of things NOD
> missed.

The Trend list was relatively short. Kaspersky may be cheating, in a
way. A bunch of the files that K picked up were from an old Norton
Quarantine folder. On the other hand, those may be regarded as
legitimate virus samples. If a virus detector decides to get
'intelligent' about specific folders, then virus writers could also
take advantage.

I have to admit that I was surprised to see those in Kaspersky's list.
I had forgotten all about them, and both Nod and Trend had a nice
folder full of quarantined samples waiting there. Both missed 'em.

Another possibility: Maybe Norton encrypted them or otherwise rendered
them inert, and Kaspersky's engineers know how to capitalize.

(PS: Norton has been uninstalled for a couple years. That folder was
on an old WinME partition that doesn't get booted any more)

> NOD consistently outdoes both of them on Virus Bulletin tests.

I've seen some of those tests and I've spoken to some vendors who
recommend NOD32. They are convincing.

Also, I had removed the files originally flagged by NOD32 before
running Trend or Kaspersky. I should probably have left them in
place. Who knows...maybe T & K would have missed those.

I also suspect a lot of false triggers. Since I'm getting curious
about various testers, I ran BitDefender's web version on another
system. First of all, it has been running for two days, and still
says it has about an hour to go. Nothing like optimism.

BD has flagged lots of text files, many from tech newsletters that
I've subscribed to. I've looked at the files and I don't see anything
embedded that looks like it could cause harm.

Again, I'll take a closer look later after they're all finished with
their iron cage match. I have to admit to rooting for NOD32, but the
things that I mentioned (rars, boot sector, etc) do bother me.

> Yes, I really don't know the answer to the archive file problem. I'll
> definitely email tech support and see what they say -- I could let you
> know if you're interested?

By all means. Thanks. I'll also try to follow up here as I have more
info on the Kaspersky and BitDefender-flagged files.
 
MAP

NOD32 has a new version, 2.50.25, released today or late yesterday.
You may need to do a manual update depending on how you have set up the
update part of the program.

Mike Pawlak
 
Nightowl

_RR wrote on Sat, 18 Jun 2005:
> Again, I'll take a closer look later after they're all finished with
> their iron cage match. I have to admit to rooting for NOD32, but the
> things that I mentioned (rars, boot sector, etc) do bother me.
> [Nightowl wrote:]
>> Yes, I really don't know the answer to the archive file problem. I'll
>> definitely email tech support and see what they say -- I could let you
>> know if you're interested?
>
> By all means. Thanks. I'll also try to follow up here as I have more
> info on the Kaspersky and BitDefender-flagged files.

Hi RR

As promised I did email NOD32 tech support about the problems with some
archive files and the boot sector damaged message (and took the
opportunity to put another couple of questions of my own, heh :)

I've had a reply from Mark James of Aspect Systems, who do NOD support
here in the UK. He says:

<begin quote>

As our software improves and as the number of people who write software to
infect new files increases, we find it necessary to check new types of
files, which would account for messages that you may not have seen before.
Nod will try to open the archive and scan its contents; normal files are
easy, i.e. exe, com, bat, but as there are no industry-standard rules for
filenames, some companies might use file extensions for their own use and
not as Nod may think they are to be used for. A typical example is the .dat
file: many companies use them and it is beyond Nod's means to be able to
open them all.

['Archive damaged' message]
As for the archive damaged section, it is again Nod trying to
open a file it cannot; if Nod cannot open it, it is 99.9% unlikely a
virus can infect it.

['Archive damaged -- the file could not be extracted' message]
It is able to open the archive but is unable to scan the file,
same reason as above.

[...]
[Boot sector error message]
If you have a Zip drive or a second hard disk or a memory card
reader it will attempt to scan the boot sector if one exists; you will
get an error message as it cannot be scanned.

</end quote>

I told you they were quick to reply! <grin> I hope this helps some with
your queries. While NOD isn't perfect, it's very good indeed and I'm a
very happy customer :)
 
_RR

> Hi RR
>
> As promised I did email NOD32 tech support about the problems with some
> archive files and the boot sector damaged message (and took the
> opportunity to put another couple of questions of my own, heh :)
>
> I've had a reply from Mark James of Aspect Systems, who do NOD support
> here in the UK. He says:
>
> <begin quote>
>
> ....
>
> ['Archive damaged' message]
> As for the archive damaged section, it is again Nod trying to
> open a file it cannot; if Nod cannot open it, it is 99.9% unlikely a
> virus can infect it.

This doesn't take into account that a virus can be deliberately zipped
or rar'd. They seem to open some but not others. I've seen no
general pattern to differentiate those that they can open and those
that they can't. (With one exception...they seem to fail to recognize
RARs that start with the extension .001)

> [...]
> [Boot sector error message]
> If you have a Zip drive or a second hard disk or a memory card
> reader it will attempt to scan the boot sector if one exists; you will
> get an error message as it cannot be scanned.

I've got 5 hard drives in the system that I scanned. The boot drive
has a primary partition, of course. The four others are extended/
logical. Two of those are ATA, two are PATA. All Seagate 300GB.
NOD32 consistently picks drives 1 and 4 to report (one ATA drive and
one SATA). I don't see any pattern there either.

> </end quote>
>
> I told you they were quick to reply! <grin> I hope this helps some with
> your queries. While NOD isn't perfect, it's very good indeed and I'm a
> very happy customer :)

Thanks for forwarding the info, Nightowl. NOD does seem to be very
effective in what it does. One other positive thing...it doesn't look
like they're searching for every possible reason to send up a red flag
just to look better than the competition. To be honest though, I
would rather have heard "known problem...we're working on it" but I
understand that this is not ESET themselves, so there's one level of
indirection.

Speaking of sending up red flags: I just ran an eval scan from
Webroot Spy Sweeper and it flagged a completely empty registry key as
"Cool Web Search." (That'll get your attention!). It also flagged a
file within HijackThis. Given the false alarm on the CWS villain, I
didn't dare delete the latter...probably part of Hijack's
pattern-matching data. I found that others mentioned similar
scenarios with Spy Sweeper, so that's probably their M.O. This
actually puts me way off from using their product, as it seems they
could (and would) flag just about anything, problem or not.
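The archive complaints in this thread (split RAR volumes named .001 that the scanner never opens, .dat files it cannot classify) all come from deciding by filename what a file is. The script below is an added example, not part of the thread and not ESET code: it identifies ZIP and RAR containers by their published leading bytes and reports files whose extension and content disagree, so a defender checking a suspect folder knows which files an extension-driven scan may have skipped. The sample files are constructed in a temporary directory; the only assumptions are the standard RAR 4/RAR 5 and PKZIP signatures.

```python
"""Identify ZIP and RAR containers by leading bytes, not by extension.
Added example for this thread (not ESET/NOD32 code); samples are constructed."""
import os
import tempfile

# Published container signatures: RAR 5.x, RAR 4.x, then the PKZIP local-file
# header, end-of-central-directory record (empty archive) and spanned marker.
MAGIC = (
    (b"Rar!\x1a\x07\x01\x00", "rar"),
    (b"Rar!\x1a\x07\x00", "rar"),
    (b"PK\x03\x04", "zip"),
    (b"PK\x05\x06", "zip"),
    (b"PK\x07\x08", "zip"),
)
# What an extension-driven scanner would assume from the filename alone.
EXTENSION_FAMILY = {".zip": "zip", ".rar": "rar"}


def sniff_container(header: bytes):
    """Return 'zip', 'rar' or None from the first bytes of a file."""
    for signature, family in MAGIC:
        if header.startswith(signature):
            return family
    return None


def classify(path: str) -> dict:
    """Compare what the extension claims with what the bytes say."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    ext = os.path.splitext(path)[1].lower()
    claimed = EXTENSION_FAMILY.get(ext)
    actual = sniff_container(header)
    if actual and claimed is None:
        verdict = "hidden-archive"   # a RAR volume named .001, a ZIP as .dat
    elif claimed and actual is None:
        verdict = "not-an-archive"   # .rar/.zip that an unpacker cannot open
    elif claimed and actual and claimed != actual:
        verdict = "wrong-family"     # .zip holding a RAR, or vice versa
    else:
        verdict = "consistent"
    return {"path": path, "extension": ext, "claimed": claimed,
            "actual": actual, "verdict": verdict}


def scan_directory(root: str) -> list:
    """Classify every file under root; hidden archives sort first."""
    order = {"hidden-archive": 0, "wrong-family": 1,
             "not-an-archive": 2, "consistent": 3}
    results = [classify(os.path.join(d, f))
               for d, _, files in os.walk(root) for f in files]
    return sorted(results, key=lambda r: (order[r["verdict"]], r["path"]))


def build_samples(root: str) -> None:
    """Constructed sample files mirroring the cases raised in the thread."""
    samples = {
        "backup.001": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,  # RAR5 volume
        "update.dat": b"PK\x03\x04" + b"\x00" * 32,             # ZIP as .dat
        "clean.zip": b"PK\x03\x04" + b"\x00" * 32,
        "notes.rar": b"plain text, not an archive\n",
        "readme.txt": b"hello\n",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the samples in a fresh temp dir and map filename -> verdict."""
    root = tempfile.mkdtemp()
    build_samples(root)
    return {os.path.basename(r["path"]): r["verdict"]
            for r in scan_directory(root)}
```

Call demo() to see the constructed cases classified, or point scan_directory() at a real folder; a "hidden-archive" verdict means the file deserves a manual extract-and-scan regardless of what the extension suggests.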
 