DRWEB vs. NOD32...My conclusion.

Discussion in 'other anti-virus software' started by Barney, Sep 24, 2003.

Thread Status:
Not open for further replies.
  1. Barney

    Barney Registered Member

    Joined:
    Jun 17, 2003
    Posts:
    120
    Nameless, I have been using DRWEB for over two years now and have not had a single problem with it. It scans your hard drive almost as fast as NOD32 and can catch viruses very effectively. True, every so often you will get a false positive, but this is usually easy to spot if you are somewhat experienced. I would definitely give it a try.
    The only thing that bothers me is that every time you make a settings change with the on access scanner, it requires a reboot. There is also a new antivirus out there that uses the same DRWEB engine. It is called Viruschaser. I tried it out and it seems to be pretty good. See ya later. :D

    Barney
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    There has been some discussion on how many virus defs NOD32 has in its list. This isn't all, but if you want an idea how many, follow the links and it will show you the defs from version 1.133 to 1.624, all the individual viruses. Keep in mind this is not all it detects. This is only back to v1.133.


    http://www.nod32.com/support/info.htm#CurVersion


    http://www.nod32.com/support/infoarchive.htm
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,119
    Location:
    Hawaii
    Agree!

    Isn't it possible that folks who are too uninformed to deal with a false positive are pretty much the same folks who never use {or never even heard of} any AV other than NAV or McAfee? o_O {I think this is somewhat analogous to the reasons why my dear old Grandma Lily drove Fords all her life, & never went shopping for a Ferrari.}
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    How many 0-day viruses have you proponents of overly-strong, malfunctioning heuristics come across, where your heuristics actually saved you? I am not merely asking if your heuristics ever flagged a virus that had no signature; I want to specifically know when your heuristics have ever saved you after you actually ran some virus that had no signature. For example, did you get MyDoom in an email message, when it first hit and there were no signatures for it yet, and actually open the attachment--and had your heuristics save you?

    For that matter, have you ever heard any report of any individual, anywhere, activating a malware and being saved by heuristics, where that person hadn't done something ill-advised?
     
  5. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I am not a particularly strong supporter of "overly aggressive heuristics" but I definitely feel it has its place in an AV. Though I see where you are coming from... the question you pose seems a little unfair. Why not say the same thing about signatures in the context of email scanning (your example)? What value do they have in that situation if one has a properly configured email client... downloads no attachments, all emails in plain text, no preview option etc etc. By doing those things you would have probably avoided MyDoom as well.

    Please correct me if I am wrong, but the point I feel that you are trying to bring up is that misdiagnosing false positives that are generated from "overly aggressive heuristics" can be just as dangerous as having an infection from a virus/worm. Or that it will perhaps cause needless worry for the end user. There are obviously quite a few negatives. So I will not argue this point, as I think we are in agreement if that is what you meant. But if one is aware of the possible downfalls and uses heuristics "responsibly", why can't heuristics be seen as more of an "extra" feature to go along with good signatures? Of course detection rates and quality signatures I still feel have a higher priority.

    Awww I was with you... until you mentioned "stupid" ;)

    Edit: I would just also like to add that depending on the vendor and product, heuristic signatures can also be revised and updated to avoid false positives. It is up to the users to take some time and perhaps submit a suspicious file to the vendor before taking action on a heuristic detection. Just like how users should submit an infected file that isn't detected by a particular scanner. This in itself can prevent a number of heuristic related mishaps.
     
  6. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    My point had to do with how I saw novice users being derided as incapable of handling false positives, when in truth, false positives should not be construed as a welcome problem to be solved by a capable specialist, but rather a malfunction of technology. And if someone is going to try to bolster the case for strong heuristics, based on the premise that "they're great; but they're not for novices", it is a failed argument, because if you're capable enough to dig into false positives, you should also be capable enough not to need heuristics in the first place--because you shouldn't be activating 0-day malware. And if you're going to stand by the need for heuristics even in light of that, then tell me of even a single case where they saved someone who hadn't done something ill-advised. (And BTW, I edited out the word "stupid".)

    In other words, I agree that heuristics are good to have and use, but false positives are a very, very bad thing. The reason is that novices are not only the ones who can't figure out what is a false positive and what is not; they are the ones who need heuristics to work reliably in the first place, because they're more likely to have a misconfigured firewall, and more likely to open whatever the email god sends them.

    People who brag about being able to dig into a heuristically-flagged malware to see if it is a false positive should not have needed it to be heuristically-flagged in the first place. So how does it make sense to say that malfunctioning heuristics are good, "because I'm smart"?

    I am dreadfully in need of sleep, so this is probably more akin to babbling than anything else.
     
  7. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Sorry I misinterpreted your point. I do not however feel that heuristics (as a whole) are a malfunction of technology. But I think I've pretty much exhausted my opinion on where and how highly I view heuristics.

    Despite how capable one may think they are about malware (whether they be a newbie or network admin), the truth is, a lot of us still prefer that we place our trust in the hands of people who deal with malware every day. If anyone, they would be the ones who are most aware of trends and similarities that might develop in malware. And they will probably adjust their heuristic signatures to match these needs as they see fit. So perhaps one might not be saved today from a heuristic detection, but no one can say for sure that someone won't be in the future. And I am sure there are people who have been saved by a heuristic detection but have just not made it known in a public forum.

    Don't get me wrong, I do see your point. And that is why I added that small point about submitting suspicious files to your vendor before taking action, in my last post. But then again I don't think it is completely fair either to blame heuristics or say it is useless because of the actions of novices. Being a novice myself it takes a while to learn certain aspects about computer and internet security. Very rarely is someone there to hold the hand of each and every new novice that makes their way onto the internet. So it cannot be expected that heuristic technology meets every(one/novice)s needs and then perform flawlessly in that regard.

    Personally, I have tried to take into account many factors when choosing the security products I register with. And I try to choose products based upon my needs and what I feel are legitimate threats. I have actually recently renewed my 5 user license with DrWeb, and while the fee is partly for its updates, I like to think some of it is for support as well. So why not take advantage and submit a suspicious file to be sure :) The thing with DrWeb is that heuristically detected files are usually clearly marked as being "probable" (I think that's the word that is used, don't exactly remember).
     
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    No, heuristic malware analysis is a technology. False positives are a malfunctioning of that technology.
     
  9. mrtwolman

    mrtwolman Eset Staff Account

    Joined:
    Dec 5, 2002
    Posts:
    613
    With all the respect, I do not agree with the above statement. No doubt, heuristics is a technology. But false positives are not a malfunction of the technology. They are a result of matters of fact. Maybe you never heard of Cohen's theorem. Back in 1983 Dr. Cohen proved that there is no way to distinguish with reliability of 100 per cent if some code is a virus or not using an automated system (like an AV program).
    False positives are the price you have to pay for the chance to detect some malware as an additional protection. Notify scanstrings are the result of having the malware in the virus/trojan etc. collection of the vendor. This can be called the passive approach. Heuristics is, contrary to the scanstrings, a pro-active approach... It can detect some reasonable portion of the malware before it gets in the hands of the vendor...

    Regards....
     
  10. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Malfunction
    Verb: To fail to function, or to function improperly

    Proper
    Adjective: Marked by suitability or rightness or appropriateness

    If heuristics are functioning "properly", they won't give false positives. I am not saying that it should be expected for heuristics to function properly 100% of the time; I am simply saying that when they don't, they are functioning improperly. If an innocuous file is flagged as malware by heuristic analysis, that file was something that was not appropriate to flag. How can one argue that it is "appropriate" to flag harmless files?

    Just because something cannot be made totally reliable does not mean that it always functions properly. Facial-scanning technology is not 100% reliable, but I think it's safe to say that if you were arrested at the airport because your face was flagged as belonging to a terrorist, you'd find that conclusion inappropriate. Maybe in the middle of your body-cavity search, you'd even think it was a "malfunction" of the facial-scanning technology.
     
  11. Barney

    Barney Registered Member

    Joined:
    Jun 17, 2003
    Posts:
    120
    It has been quite a while since I first started this thread, but I am back with more opinions on these two antivirus programs.
    I'm still a die-hard DRWEB fan, but I am starting to see problems creeping up in their latest releases. DRWEB is rock solid in XP, but has become unstable in Win 2000. Every time I boot up, my system spontaneously reboots after I enter my Windows login password. The only way to get around this problem is to manually start Spidernt after Windows has started. I still use DRWEB, but when my license is up, I may be going back to NOD32 as my on access scanner. I remember NOD32 as a fast, stable program, so this may be the one I go with. Hopefully DRWEB will fix their bugs soon, we'll have to wait and see.
    What do you guys think? Is this a good move, or do you have a better antivirus solution for me?


    Barney
     
  12. Fedorov999

    Fedorov999 Registered Member

    Joined:
    Sep 13, 2002
    Posts:
    182
    KAV v4.5 is still champ as far as I'm concerned, might not be as low on resources as others but for detection it is very hard to beat - very configurable, not the best interface but you just get used to it. I'm staying away from the newer KAV v5.0 for at least 6 months as it still appears to be in beta rather than release state if you ask me.

    Fedorov.
     
  13. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    An option that could be worth looking into is F-Prot. It seems that you are looking for something with strong heuristics and a light footprint. F-Prot is lighter than both DrW & NOD32 and also features comparable heuristics. Its other options are pretty barebones (ex. no dedicated email scanner) but I guess that keeps it light. Also F-Prot 4 is coming around the corner.
     
  14. Barney

    Barney Registered Member

    Joined:
    Jun 17, 2003
    Posts:
    120
    I bought F-prot a few years ago and was very impressed with its light footprint. F-prot is also one of the fastest scanners I have ever seen. I may very well look into F-prot when version 4 comes out.
    Kaspersky 4.5 is also very good. I don't think any virus gets unnoticed by KAV. It's one of my favorites.

    Barney
     
  15. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Have had no problems at all with Dr Web on my Win 2000 desktop, SP4, even with the recent version release.

    IMO, some instabilities with Dr Web may be seen with 'older' OS installs. With a fresh install of an OS, I have found this AV to be very stable.

    Maybe if you try a fresh format and then load on Dr Web, it may become more stable on your Win 2000 system?
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,119
    Location:
    Hawaii
    DRW is very stable in my ancient WinME box -- & that's saying a lot. :D
     
    Last edited: Nov 11, 2004
  17. larouse

    larouse Registered Member

    Joined:
    Sep 26, 2004
    Posts:
    157
    Dr. Web is very Good but NOD32 has better detection and is an Excellent Company, has a lot of experience vs Dr. Web. Dr. Web would be low resource but NOD32 would be same with better quality product.
     
  18. BrainWarp

    BrainWarp Registered Member

    Joined:
    Aug 26, 2004
    Posts:
    289
    Well, I've tried many antiviruses. I will give Dr.Web the thumbs up. It does its job and uses very little resources.

    I still like NOD32, but its resource usage is too high for me.

    If ya want the best to get those nasty pests get the doctor--Dr.Web that is :D
     
  19. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    The same on my computer, DrWeb is working great...I give it three thumbs up.

    :D
     
  20. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Let me add, running great on my rather old laptop. I'm going to replace Panda with DrWeb on the desktop now that Panda Platinum is history and my free deal is running out. Panda is just a bit too pricy and also a bit heavy on resources. :D
     
  21. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I just downloaded Dr. Web and whoever said it was light on resources is nuts. I don't even have the email scanner enabled (I thought it didn't have one..I don't want one and one reason I am trying it was because I thought it was a bare bones av like F-Prot). It is using 69MB memory on my XP Pro box! It is running TWO instances of SpiderNT.exe. Plus, it is VERY slow to do a full scan. It takes longer than KAV 4.5. It thinks Script Sentry is a virus but other than that it was accurate in the full scan I ran.

    I found the latest NOD32 to be full of false positives. That is one reason I did not renew my license last month. NOD32 was a much better av when I got it two years ago than it is now. It is bloated now. Still, it is much lighter on resources than Dr. Web and a little faster scanning. F-Prot is the winner as far as low resources and extremely fast scanning.
     
  22. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    I have never heard of anyone, reporting this usage with any AV, never mind Dr Web which is noted for its very light footprint. Have you updated the program since you installed it? There have been some bugs with the latest version but these have been corrected of late.
    This is normal.
    Not on any of my systems with KAV 4.5 as a backup scanner.
    Again most people will not see this. NOD version 2 takes up more resources than Dr Web.

    I have suggested in another thread what to try on your system to give a fair trial and appraisal of Dr Web. With all the previous AVs you have tried of late, the debris left over from these programs is conflicting with the normal operation of Dr Web. Further, it prefers to be the first AV installed on any system.

    The extraordinary memory usage you report indicates that there must be a conflict somewhere. Again you cannot project this resource usage on all other potential systems. Your observations on Dr Web are not normal and are unique to your computer.
     
  23. Barney

    Barney Registered Member

    Joined:
    Jun 17, 2003
    Posts:
    120
    Blackcat, I did what you suggested, but rather than reinstalling Windows, I ran a really excellent registry cleaner on my system. DRWEB starts up perfectly in Windows 2000. Well, looks like DRWEB is back to #1 on my list.
    Mele20, that is very weird that DRWEB was using a lot of resources on your system. I have it running constantly and see almost no hit at all on my system. I don't know if you still have Nod32 on your system, but if you do, this could be what is causing the problem. Nod32 and DRWEB do not get along at all. I have tried several times to have both programs installed on the hard drive, but always ran into problems. Once you get DRWEB running smoothly, your antivirus search will be over.

    Barney
     
  24. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I think that there has to be something wrong in your PC concerning DrWeb's memory consumption. In my PC, look at the picture, where "drwebscd.exe" has the highest value of DrWeb processes.

    Best regards,
    Firefighter
     

  25. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Perhaps, Mele, you are experiencin' this.
    Check SpiderNT's virtual memory usage, it should be low.


    tECHNODROME
     