ABXZone Computer  Forums



Old 12-17-2004, 02:15 PM   #1
Registered User
 
Join Date: Oct 2004
Posts: 126
AntiVir, Avast, AVG, NOD32 and Kaspersky test update

A while ago, I did a quick review of some of these less bloated AV alternatives. Since I haven't posted anything useful lately, how about an update?

While evaluating these products earlier, I never really tested these products in "real world" situations. This is basically what this update is about. Granted, infecting a machine on purpose might seem a far stretch from the "real world", but, after some research, it seems that's exactly what many Internet users are doing every day. Please note that this IS NOT a detection rate analysis. I simply wanted to see how each product behaved against some samples I gathered from the Internet or packed myself using available tools. I used about a dozen Trojans, worms, viruses and some potentially dangerous .jpeg files for testing. Again, this is NOT A DETECTION RATE ANALYSIS.

The samples were moved around, packed, extracted, renamed and even executed during testing. PLEASE DO NOT TRY THIS AT HOME. Default settings were used and all products were updated to the latest definitions.

AntiVir: Passed/Failed removal 6.29.00.02

This was a mixed bag during testing. A few versions crashed for no apparent reason. 6.29.00.02 passed. On demand scanner is still slow, but the resident scanner is fast and uses little memory. Installs without restarting the OS. Updates are still too large.

Avast: Passed/Failed removal 4.5.549

Since my last mini-review, Avast was updated to version 4.5. This added, among other things, a new Network Shield module that blocks access to certain ports vulnerable to exploits. Reaction time was average, but a nice feature was that samples were locked even if the resident scanner was crashed/disabled. Scanned the least files at default settings. IMAP mail needs manual configuration for protection with Thunderbird. Great support is available online through the official forums.

Edit: Avast's Virus Recovery Database is another feature worth mentioning.

AVG: Passed/Failed removal 7.0.296 Build 409

Here again, a new free version 7 was released to the public. Memory usage is higher and the new interface can be confusing. Some install issues as well. Reaction time was quick.

Edit: AVG has a huge user base, so help is easy to find when required.

NOD32: Failed/Failed removal 2.12.3

Fastest engine and also scanned the most files while running. Unfortunately, the default settings are inadequate and even tweaked, this product failed to pass all my tests. I didn't get a reply from Eset about this. This is too bad, because I really liked NOD. Heuristics are overrated, and this proves it.

Kaspersky: Passed/Failed removal* 5.0.227

Well, on average, this is surely the king of kings in the AV world according to various test sites. Reaction time could be better and Kaspersky leaves behind NTFS Streams after it is removed. You will need a third party tool to clean this up if you move to another product. Worked as expected otherwise. *Removal not available with trial.

Edit: Kaspersky apparently offers an NTFS Streams (ADS tags) removal tool "KLStreamRemover" if required.

The passing mark was given even if certain problems were noted during testing. NOD32 just failed repeatedly. Again, overall ability to stop infection was my goal, not specific detection rate.

So, what's with all the removal failures? Well, since I installed some nasties for testing, I also needed to remove the new/altered files during cleanup. None of the products passed all my tests in this regard. None. Trojans were left behind, etc. The moral here is don't compromise your machine in the first place. Any AV can miss a nasty, and common sense can save you loads of trouble down the road. Once something is loaded in memory, it's generally too late and your security software might be disabled in the process.

I actually perused through various forums for problems with each product, and the alarming thing is the number of people who report having 20 or more nasties on their machines. What the heck are those people doing? I spend way too much time online and I never get anything. I really had to hunt around to get some really "bad" samples (don't ask). For those who need help, there's a nice guide on this site about security; use it and stop downloading "you know what" while online.

At this time, I have some serious concerns about NOD32 and I cannot recommend it as a main scanner. Otherwise, check my pros and cons in the previous thread for my opinion on each product.

BTW, you can purchase KAV as Defender Pro at some stores for a very low price.

http://www.defender-pro.com/

My original post can be found here:

NAV vs. NOD32

Edit: I should have mentioned that I waited 3 weeks before posting my results. I retested everything yesterday with the latest versions, so some results improved, which is a very good thing. Unfortunately, Eset didn't update their signatures to fix the issues I had, hence, NOD32 failed my little experiment.

Last edited by Sentinel; 12-17-2004 at 11:07 PM.. Reason: Minor clarifications
(Offline)   Reply With Quote


Old 12-17-2004, 02:50 PM   #2
Resident ABX Wizard
 
Fraoch's Avatar
 
Join Date: May 2003
Location: London, Ontario
Posts: 8,814

Excellent post Sentinel!

Thanks very much for taking the time to do this! I've been evaluating several AVs for my company laptop lately. I haven't had the opportunity to test things out with real nasties as you did.

NOD32 did not run on my machine. It seems to interfere with Novell Netware.

AVG7 was good, but when my trial on that expired a few days ago I switched to Trend Micro Internet Security. I don't know if I'll stick with it. It seems to work well but updates are massive and it doesn't give you much information about what it's doing. I'm also leery of combined firewall and AV software.

I may give Kaspersky a try. What did you mean about NTFS streams though? Isn't that what the rest of them did too? (You indicated none could remove everything completely).

Thanks again for your excellent post. If we don't have enough stickies in this forum already, could this be made into a sticky?
(Offline)   Reply With Quote
Old 12-17-2004, 02:57 PM   #3
LivingDead... LivingLarge
 
count minaba's Avatar
 
Join Date: Nov 2002
Location: Dead center of Sydney!
Posts: 11,271
Very thoughtful testing and well written Sentinel... 10/10 :thumb

I will stay with AVG 7 (free) as it fared ok in your test. That's really all you can expect from AV these days with the huge amount of nasties on the web.

Thanks
__________________
*IC7-MAX3/ bios 1.8 * Intel 3.4E *1gig OCZ PC4200EL *Invidai 6600GTS *2xSeagate 120gig Sata Raid0 *WinXP Pro SP2 MCE2005 *22" Viewsonic widescreen *Pioneer 111 DVD *Liteon 52x CDRW *Logitech Z640 5.1

(Offline)   Reply With Quote
Old 12-17-2004, 03:06 PM   #4
Registered User
 
Join Date: Mar 2003
Location: Boston
Posts: 2,778
Good read. I switched from NOD32 to Kaspersky about two months ago and have liked pretty much everything about it. I use Sygate as my firewall.
__________________
ASUS P5Q Pro || E8400 Wolfdale || 4GB G.Skill DDR2 1200 || MSI Radeon 4850 || AVerMedia PCIe Tuner || SB Audigy2 ZS Platinum || Zalman 750W PSU || LG GGW-H20L HD/BR Burner || Vista Ultimate 64 || Samsung 22" LCD (Desktop)

Lenovo T60p || T7600 Core 2 Duo || 3GB || 160GB || FireGL 5250 || Vista Ultimate / Backtrack (School)

Lenovo X61 || T8300 Centrino Pro || 3GB || 160GB || XP Pro (Work)
(Offline)   Reply With Quote
Old 12-17-2004, 03:09 PM   #5
PHX
 
wallijonn's Avatar
 
Join Date: Jul 2004
Location: Phoenix
Posts: 2,570
Thank you for the comments. I use McAfee and will switch over to Kaspersky when my subscription runs out.

Are you saying that Defender Pro works like Norton? (leaving registry "hooks" which are hard to remove). Or is it an observation of Kaspersky? http://www.kaspersky.com
__________________
D875PBZLK, MAC G4-933
(Offline)   Reply With Quote
Old 12-17-2004, 03:21 PM   #6
Registered User
 
Join Date: Aug 2004
Posts: 802
Quote:
Originally Posted by Fraoch
I may give Kaspersky a try. What did you mean about NTFS streams though? Isn't that what the rest of them did too? (You indicated none could remove everything completely).
This was an oft discussed issue on DSLreports / BroadBandReports security forums for a while.

Here is one of the main ones that I recall. You can search at the forum for KAV + ADS Tags, Streams, etc. for additional info:

http://www.broadbandreports.com/foru...te=kav+streams
(Offline)   Reply With Quote
Old 12-17-2004, 10:09 PM   #7
Registered User
 
treyeod's Avatar
 
Join Date: Oct 2003
Location: Ft. Walton Beach, FL
Posts: 208
excellent research, convinces me to stay w/ AVG Free!
__________________
2.8C@3.219 on P4C800E-Deluxe
2X512 Mushkin LvlII PC3500
230FSB 1:1 23258T @2.85V
Antec1080AMG
Antec 430W,Zalman7000A-AlCu
2X36.7GB Raptor RAID0, 120GBWD
120GBMaxtor, Lite-On LDW811S, Lite-On48X24X48, Sapphire 9600XT, XP PRO SP1
(Offline)   Reply With Quote
Old 12-17-2004, 10:26 PM   #8
Registered User
 
Join Date: Oct 2004
Posts: 126
Quote:
Originally Posted by wallijonn
Thank you for the comments. I use McAfee and will switch over to Kaspersky when my subscription runs out.

Are you saying that Defender Pro works like Norton? (leaving registry "hooks" which are hard to remove). Or is it an observation of Kaspersky? http://www.kaspersky.com
You're welcome

No, the Streams are a hidden feature of the NTFS file system. KAV uses ADS tags to monitor changes to your files and speed up scanning. The problem is that Kaspersky fails to mention this and the tags aren't removed with the software. This doesn't otherwise affect the functionality of the software in any way. BTW, some nasties use this feature as well...

More about ADS here (or use Google):

http://patriot.net/~carvdawg/docs/dark_side.html
http://www.powerbasic.com/support/fo...ML/003677.html
http://www.giac.org/practical/gsec/D...artin_GSEC.pdf
(Offline)   Reply With Quote
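The leftover ADS tags described in the post above can be inventoried before deciding what to remove. This is an added example, not code from Sentinel's post or from Kaspersky's KLStreamRemover; it assumes Windows PowerShell 3.0 or later on an NTFS volume, and the demo directory, file names and the "demo.tag" stream name are constructed for the illustration.

```powershell
# Added example (not from the thread): inventory and clean NTFS alternate data
# streams (ADS) on a directory tree. Assumes Windows PowerShell 3.0+ on NTFS.
# The sample directory, files and stream name below are constructed for the demo.

$Root = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Constructed sample: one plain file and one file carrying an extra named
# stream, standing in for the kind of tag a product might leave behind.
Set-Content -LiteralPath (Join-Path $Root 'clean.txt')  -Value 'no streams here'
Set-Content -LiteralPath (Join-Path $Root 'tagged.txt') -Value 'visible content'
Set-Content -LiteralPath (Join-Path $Root 'tagged.txt') -Stream 'demo.tag' -Value 'hidden marker'

function Get-AdsInventory {
    param([Parameter(Mandatory)][string]$Path)
    # Every file has the unnamed ':$DATA' stream; anything else is a named ADS.
    Get-ChildItem -LiteralPath $Path -Recurse -File |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

$found = @(Get-AdsInventory -Path $Root)
$found | Format-Table -AutoSize

# Review the inventory before removing anything: a stream may belong to a
# product that is still installed, and browsers mark downloaded files with a
# legitimate 'Zone.Identifier' stream that Windows itself relies on.
foreach ($s in $found) {
    Remove-Item -LiteralPath $s.FileName -Stream $s.Stream
}

# Re-scan: an empty result means the tree is free of named streams.
$remaining = @(Get-AdsInventory -Path $Root)
"Named streams remaining: $($remaining.Count)"
```

Point `$Root` at a real directory (and drop the constructed sample lines) to audit a tree after uninstalling a product; the same listing also surfaces streams that nothing legitimate should have created.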
Old 12-17-2004, 10:28 PM   #9
Registered User
 
Join Date: Oct 2004
Posts: 126
Thanks guys, I hoped it would be useful
(Offline)   Reply With Quote
Old 12-17-2004, 11:05 PM   #10
Registered User
 
Join Date: Oct 2004
Posts: 126
Quote:
Originally Posted by Fraoch
Excellent post Sentinel!

Thanks very much for taking the time to do this! I've been evaluating several AVs for my company laptop lately. I haven't had the opportunity to test things out with real nasties as you did.

NOD32 did not run on my machine. It seems to interfere with Novell Netware.

AVG7 was good, but when my trial on that expired a few days ago I switched to Trend Micro Internet Security. I don't know if I'll stick with it. It seems to work well but updates are massive and it doesn't give you much information about what it's doing. I'm also leery of combined firewall and AV software.

I may give Kaspersky a try. What did you mean about NTFS streams though? Isn't that what the rest of them did too? (You indicated none could remove everything completely).

Thanks again for your excellent post. If we don't have enough stickies in this forum already, could this be made into a sticky?
Hey, you're welcome

That's weird. Netware is quite common. Did you contact Eset about this?

I'm not a big fan of combined software either. AntiVir is very slim, but like you said in your post, it's not cheap for commercial use. That's what I use on my notebook BTW. If Kaspersky doesn't work out, maybe Avast would be worth a try... Check my other post for more info about the ADS tags used by KAV.

I started testing software firewalls and the results weren't good at all. I'll need a lot more time for a fair review. So far Sygate was the best "simple" option for me. Look n' Stop was another small and well rated option, but it didn't work on my main system. I didn't like the "new" Kerio. It feels bloated...sadly, many vendors are going this way.
(Offline)   Reply With Quote
Old 12-17-2004, 11:31 PM   #11
Registered User
 
Join Date: Aug 2004
Posts: 802
Hi all. I tested several automobiles for crash safety / speed.

Honda Civic - Failed / Failed

Saab 900 - Passed / Failed

Porsche 911 - Failed / Passed*

Kia Sportage - Failed / Failed

Hummer H2 - Passed / Failed.

*WOW!



Hope this helps. At least it will prevent you from having to read through officially sanctioned, scientific tests conducted by experts & professionals who actually bother to list test parameters and other technical trivia.
(Offline)   Reply With Quote
Old 12-18-2004, 12:26 AM   #12
The Shade of Lazarus
 
KingTermite's Avatar
 
Join Date: Jun 2002
Location: PM me to keep in contact
Posts: 26,003
Great post, Sentinel. As a NOD32 user this has my ears perked. If you do hear back from Eset, could you please post their response?
__________________

Bye Bye ABXZone.....Rest In Peace.
(Offline)   Reply With Quote
Old 12-18-2004, 12:53 AM   #13
Registered User
 
Join Date: Oct 2004
Posts: 126
Quote:
Originally Posted by ABoard
Hi all. I tested several automobiles for crash safety / speed.

Honda Civic - Failed / Failed

Saab 900 - Passed / Failed

Porsche 911 - Failed / Passed*

Kia Sportage - Failed / Failed

Hummer H2 - Passed / Failed.

*WOW!



Hope this helps. At least it will prevent you from having to read through officially sanctioned, scientific tests conducted by experts & professionals who actually bother to list test parameters and other technical trivia.
And that's helpful? I really feel like flaming you. Any vendor can contact me for that information. Have you read any AV reviews lately? How many will print what they did for testing unless it is requested? NOD32 failed for a good reason: it didn't detect available malware even 3 weeks after I contacted Eset. I don't think that's normal or acceptable from any reputable vendor. It's easy to make fun of others, but you seem to be unable to get the point out of a very simple review.

If I can download and install one piece of malware, then, yes, it is a failure. My system is compromised, and the product didn't do its job. Simple. BTW, NOD32 missed 3 in my very small sample size. And it was not a detection rate test (those are available online). Furthermore, what I did to test the samples was stated very clearly. The only thing omitted was the samples. I did that on purpose. Telling everyone what to do to get past NOD32 would be a great idea, wouldn't it? This is where your reading skills and common sense come in, Mr. Board. If you have enough samples for a complete detection rate test, please PM me and I'll consider doing a "real" review with full methodology. I wrote enough science papers, I know what they look like. Otherwise, why don't you keep your condescending remarks to yourself.

Edit: BTW, I spent time with each sample trying to trick/find flaws with the products; that would not have been possible with a detection rate test requiring thousands of samples. Imagine playing with a sample, installing it, trying to clean it up, do a format/image restore and then repeat 20 000 times!! Also, gathering new samples that won't be detected to make products fail is easy. That wasn't my goal either, otherwise this update would have been posted 3 weeks ago.

Last edited by Sentinel; 12-18-2004 at 11:22 AM..
(Offline)   Reply With Quote
Old 12-18-2004, 12:57 AM   #14
Registered User
 
Join Date: Oct 2004
Posts: 126
Quote:
Originally Posted by KingTermite
Great post, Sentinel. As a NOD32 user this has my ears perked. If you do hear back from Eset, could you please post their response?
Sure thing. I will contact them again on Monday as well, and hopefully I can send them what they need to fix the problem.

The engine works very well, so it's probably just a signature issue...
(Offline)   Reply With Quote
Old 12-18-2004, 01:22 AM   #15
Never Ending
 
wayne_abx's Avatar
 
Join Date: Jul 2002
Location: Vancouver, Washington (State)
Posts: 4,188
Was each test done on a freshly installed OS per AV application?

Since I have had a major problem in regards to using Tm PC-cillin IS 2005 and SFX archives recently, I was searching for a replacement. I settled on NOD after re-testing it. Everything I threw at it was caught, including a head'in virus in a 3-L archive including URL droppers.

Granted, default settings are not advisable, thus I made adjustments prior to my testing (Higher Efficiency settings) with the newer version of NOD. Also I didn't exhibit FP as I have had with the older version of NOD.

-wayne
__________________
System-1 (primary)
Intel D875PBZLK FMB 1.5 > Pentium 4/ 3.0E (D0) > Crucial Ballistix 512mb PC4000 (Dual Channel) > ATI Radeon 9500 Pro (128) > Audigy 2 Platinum > Thermaltake P4 Spark 7+ (Xaser Edition) - Antec 80x80mm x5 > 1x 80GB WD SE - 2x Seagate 200GB 7200RPM Barracuda 7200.7 Plus SATA > Lite-On LDW811s dvd +/- Tashiba SDM1712 DvD > Antec 430 TP > WinXP W/SP-2

Gigabit Network, Linksys WRT54GS, Linksys EG008W 8-port gigabit switch, ximeta network storage, Motorola SB4200

Last edited by wayne_abx; 12-18-2004 at 01:36 AM..
(Offline)   Reply With Quote