NOD32 in Windows Vista–Sleek and Dangerous
First published—18 November 2006.
Updated—07 January 2008.
Introduction
[Update 11-Feb-2007] The following article is about version 2.7 RELEASE CANDIDATE. I have checked the latest version, 2.70.31 FINAL, and found it improved since then; the emulator issue described below no longer occurs.
NOD32 antivirus looks very solid and mature. Proactive Real-Time Detection, Integrated Protection, ThreatSense Technology—all these nice terms may give you a sense of security “in the digital world”, as stated on the ESET.com website. The reason I’m reviewing it here is that this release is supposed to work just fine with the new Windows Vista. Let’s have a look at this security tool.
I’m mostly interested in the design side of this application—usability and, of course, effectiveness.
The ThreatSense® Technology is especially exciting, as it promises “detection of malware not specified in the signature database. It proactively decodes and analyzes executable code in a protected virtual environment in order to identify increasingly sophisticated malicious behavior.”
I also find the quote that appears later on that webpage interesting: “Archiving & Packing are techniques used by malware writers to circumvent signature-based detection. ThreatSense® includes a generic unpacking and emulation technology to decode virtually any hidden malware, in wrappers or modified by runtime packers. This sophisticated algorithm thwarts virus writers' efforts to go undetected.”

Very good, because as I remember, the lack of proper emulation was mentioned in the past as one of NOD32’s weaknesses (in the Russian computer magazine Xakep). Let’s perform a simple test in this regard. But first things first—installation.
Installation
Installation went smoothly. Once it completed, a scan of the hard drives started. NOD32 found two malware files which I keep for testing purposes. But look at the available options:

“Leave”—whatever that means—is not a fantastic choice, right? If it says "can be deleted", why not delete it?
Functionality and User Experience
I quite like the Graphical User Interface of NOD32 in the sense that it is very easy to access all required functions; it is logical and straightforward. The idea of two detachable panels may be nice, but it is not convenient in my opinion, as it carries an element of surprise, which is not good for interfaces in general. [screenshot]
When you select folders in the on-demand scanner, NOD32 marks them with red ticks, which looks more like an exclusion to me—I would make them green.
Updating via the web works seamlessly. [screenshot1] [screenshot2]
NOD32 contains several main modules targeting different security zones: AMON—file system monitor, DMON—Microsoft Office document monitor, EMON—Microsoft Outlook email monitor, IMON—internet monitor, and the NOD32 on-demand scanner. The on-demand scanner has a nice set of options, basically covering everything we could expect from a modern antivirus. [screenshot1] [screenshot2]
I did not detect any significant system performance degradation due to NOD32 on my Windows Vista RTM build 6000, 32-bit.
So far so good. Let’s do a simple test.
Test
I found a well-known virus to test with. The Bagle worm (AKA Win32.HLLM.Beagle) is one of the top viruses today in its numerous incarnations. First of all, I made sure that NOD32 would easily detect the monster.

Then I used the ASPack compressor to pack the virus executable. That method can also be used by malware authors, as the NOD32 webpage quoted above notes, to hide the true code from an antivirus. That’s why a good antivirus is supposed to have a good emulator to discover these threats on the fly.

So I packed two different versions of Bagle and asked NOD32 to scan them. NOD32 smiled back at me and said … "Number of threats found: zero". Surprise, surprise. [screenshot] This is simply not acceptable.
To show you how it should be done, please look at the screenshot. DrWeb can still see the virus through the ASPack shield. (DrWeb is not perfect either; see the conclusion.)
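The packed-executable problem the test above exposes is something a defender can at least flag statically. The following Python is an added example, not the author's code and not anything from ESET or DrWeb: it walks a minimal PE section table and reports sections whose names are commonly associated with ASPack (an assumption used here as the marker set) or whose byte entropy is close to 8 bits per byte, both of which are hints that a scanner must unpack or emulate rather than rely on a plain signature match. The PE image it checks is constructed inside the block, not a real binary.

```python
import math
import struct
from collections import Counter
# Section names commonly left behind by ASPack (an assumption for this example).
ASPACK_SECTION_NAMES = {b".aspack", b".adata"}

def shannon_entropy(data):
    """Bits per byte; values near 8.0 indicate compressed or encrypted content."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image):
    """Minimal PE walker yielding (name, raw bytes) for each section header."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                               # section table start
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packer_indicators(image, threshold=7.0):
    """Reasons the image looks packed: packer section names or high entropy."""
    reasons = []
    for name, data in pe_sections(image):
        label = name.decode("ascii", "replace")
        if name.lower() in ASPACK_SECTION_NAMES:
            reasons.append(f"section {label} is an ASPack marker")
        ent = shannon_entropy(data)
        if ent >= threshold:
            reasons.append(f"section {label} entropy {ent:.2f} >= {threshold}")
    return reasons

def build_sample(packed=True):
    """Constructed test image (not a real program): two sections, no optional header."""
    text = (b"push ebp; mov ebp, esp; ret\n" * 16)[:256]     # low-entropy 'code'
    blob = bytes(range(256)) if packed else text               # 8.0 bits/byte when packed
    names = (b".aspack", b".adata") if packed else (b".text", b".data")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    headers, payload, data_start = b"", b"", 64 + 24 + 40 * 2
    for name, data in ((names[0], blob), (names[1], text)):
        raw_ptr = data_start + len(payload)
        headers += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr) + b"\0" * 16
        payload += data
    return dos + coff + headers + payload
```

Section-name markers are easy for a packer to rename, so the entropy check is the one that carries weight; a real scanner would follow it up with generic unpacking or emulation, which is exactly what the test above found missing.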
Conclusion
By accident I looked at an antivirus/malware protection testing report and noticed Ewido Anti-Malware software as the winner. I had never heard of this software before. Curiosity brought me to their website and I started an online scan. Surprisingly, it found all the mentioned viruses (including the ones modified by ASPack) PLUS one virus which was detected by neither NOD32 nor DrWeb. I knew it was a virus, but this was the first time it had been identified.

Bravo Ewido! By the way, Ewido was recently acquired by AVG and transformed into AVG Anti-Spyware. Have a look; it seems interesting.
Although the visual side of NOD32 antivirus deserves a high score, I’m greatly disappointed with NOD32 in connection with my test. Again, it failed to recognize a simple virus masquerade, which means it lacks the ability to see inside packed code. This is not good at all. Besides, I do not think this applies only to Windows Vista; I would bet the same happens on Windows XP. I hope it will be improved, given the high ratings of NOD32 and its usability.
[Update 11-Feb-2007]: I could not reproduce the above-mentioned problem with version 2.70.31. I really hope Eset has managed to improve the emulator.