Date: December 18th, 2001
I have to confess that until a couple of months ago I had never heard of an antivirus program called NOD32. I’ve used a number of antivirus programs more or less successfully over the years, and most recently was using GriSoft’s AVG 6.0, when I received an e-mail from Rod at NOD32 which led to an interesting exchange of data about virus protection in general, and the so far unfamiliar to me antivirus software NOD32. Curious about this software and the bold claims about its capabilities, I agreed to take it for a test drive.
The first thing I noticed when downloading NOD32 was its cross-platform availability. NOD32 is available for all major operating systems including DOS, Windows, Novell, Linux and various flavors of BSD. The second thing I noticed was its small footprint. The setup file was only 2.5MB in size, which is very small compared with similar apps like AVG 6, Norton Antivirus, or McAfee VirusScan. Of course this might be due to the fact that for some reason the manual is not included in the download. Should you want a manual you will have to download another 4MB worth of data, and I recommend you do. For some reason the POP3 scanner manual is not included in the regular manual, so make sure you download that as well. Installation was pretty straightforward – follow the setup wizard and reboot.
NOD32 consists of three components that all utilize the same antivirus scanning engine:
- NOD32 On-Demand scanner is integrated into Windows Explorer. Available via the right-click menu it scans drives, folders, or files upon request.
- Amon On-Access scanner runs in the background and checks files as they are being accessed.
Configuration is logical and easy to understand, and once Amon is configured properly, there is usually no need to change anything.
Should Amon encounter an infected file it displays an alert window.
- NOD32 for POP3 is an e-mail scanner that inserts itself between the mail server and your e-mail client to check downloaded e-mail for nasty attachments.
Configuration is easy if you use Outlook or Outlook Express because you can import your e-mail account settings with the push of a button. If you are using a different e-mail client you will have to configure it manually. Should you have multiple e-mail accounts configuration is a little trickier because you’ll have to assign different port numbers, and here is where the manual will definitely come in handy.
NOD32 comes with an automatic update feature that retrieves the latest virus definition updates every so many hours to ensure maximum protection without you having to think about it. This is an extremely important feature that any antivirus software must have, because without the latest updates the software is virtually useless.
Fast Scan Engine
I was very impressed with NOD32’s fast scanning engine. The program was able to scan entire hard drives with tens of thousands of files in just a few minutes. This of course varies depending on a number of factors, e.g. the number of compressed archives to scan, but overall this is probably the fastest virus scanner I’ve seen so far. Updates for NOD32 have been coming very regularly; new definitions are released on almost a daily basis.
NOD32 offers the ability to password-protect software settings of the individual components to prevent users of the workstation from tampering with the settings or disabling the software – a useful feature if additional users that cannot be trusted use the workstation.
Another useful feature is the built-in notification functionality. You can configure the program to send alerts via SMTP e-mail or over the network to inform other users or administrators of virus intrusions or program errors.
NOD32 is licensed to users on an annual basis. After purchasing a license for the first year, the user can renew the license on an annual basis for 70% of the original license price. This is actually pretty affordable because licensing not only includes virus definition updates, but also program updates. This means that as long as you own a license, you can download new versions of the software for your operating system when it comes out.
Does it work?
How do you determine whether antivirus software works? The main purpose of antivirus software is to identify and block viruses and trojans that are circulating in the wild. It doesn’t matter which virus software can recognize “the most” viruses, or whether it detects all viruses in a test collection consisting mostly of non-functional viruses, viruses that haven’t been in circulation for years, or artificial viruses that were created solely for testing purposes. Neither does it matter how many copies the software has sold or how many companies are relying on its protection. Antivirus software only works if it can deal with real-life viruses that make their way into your inbox, your browser, or your network right now.
Virus Bulletin magazine is a technical journal on developments in the field of computer viruses and anti-virus products. VB tests antivirus software on a monthly basis and gives its VB100% award to products that detect all “In the Wild” viruses during both on-demand and on-access scanning in certain Virus Bulletin tests. More details on what this award is all about can be found at http://www.virusbtn.com/100/whatis.html
The WildList – http://www.virusbtn.com/WildLists/ – that is used to test the antivirus programs is a cumulative list of viruses that are active and in circulation as reported by 64 virus information professionals, therefore representing a real-world environment of virus threats that any antivirus program should be able to deal with effortlessly.
What’s really interesting are the comparative results of the VB 100 tests as you can see at http://www.virusbtn.com/100/vb100sum.html. This statistic shows how many times an antivirus program was submitted for testing, how many times it succeeded in detecting all “In the Wild” viruses during both on-demand and on-access scanning, and how many times it failed. To make the results easier to interpret, I created a small table with each program’s stats, and calculated the success ratio of each software by figuring out the percentage of how much the program succeeded out of all the times it was tested. Check out the results:
It’s interesting to see that not a single program was able to take care of all viruses any time it was tested. But the scary part is to see the success ratios of the programs tested. NOD32 stands out with a success ratio of 93%, failing only once in the 16 times it was tested, making it by far the most reliable antivirus software in this round-up. Other known software like PC-Cillin, AVG, Panda, McAfee, and InoculateIT look pretty pathetic in comparison.
Of course this is only one possible test scenario of many, and it is not the ultimate test, but it is a very good and realistic representation and gives a good indication of antivirus software capabilities.
As far as virus detection is concerned, NOD32 so far has worked very well for me. All 3 components did reliably and consistently identify and block known viruses such as Sircam, Anset, and Badtrans, as well as the Eicar test virus that came in via Outlook 2000, were saved on my hard drive, or were attempted to be downloaded.
Like any other software, NOD32 is not perfect. During my testing I ran into several issues, oddities, and things that could use some improvement.
At one time, the Amon on-access scanner stopped functioning for no reason. Even though it was supposedly running, I was able to launch an infected attachment. Rebooting fixed the issue. This was on my main workstation while running numerous other programs, and I was not able to reproduce it again.
Amon does have a noticeable overhead when accessing files, opening programs, etc. I noticed that applications were loading a tad slower, and that MP3 playback skipped momentarily when opening certain applications and files. While it did not cause any problems, it did affect performance a little bit.
Most antivirus programs offer a scheduled scan feature, allowing you to automatically scan your machine on a regular basis, but NOD32 does not offer this option. One could argue that NOD32 prevents the machine from getting infected to begin with, and in case of infection a manual scan will take care of things, making the scheduled scan superfluous.
Weakest Link: The POP3 Scanner
The POP3 scanner was the component that in my opinion could use the most improvement. First off, it is not automatically configured during installation. It requires varying degrees of manual configuration, depending on which e-mail client you use. For users of Outlook and Outlook Express, e-mail account information can be imported automatically with the push of a button. Users of other e-mail clients like Eudora or Netscape need to configure each account manually, which can be a bit confusing for beginners. The manual, again a separate download, for the POP3 scanner is definitely needed for initial configuration. Since it also requires modification of the e-mail client settings, it’s important to record the original settings before making changes.
Once the POP3 scanner is up and running, it monitors all incoming e-mail for viruses. While it performs that function well and consistently offers a pop-up window with a warning if a virus-infected e-mail is downloaded, it does not offer the option to delete or quarantine the item.
It also does not monitor out-going e-mail, which in my opinion is an important feature in this age of self-propagating worms. Again, one could argue that NOD32 prevents a virus or worm from launching in the first place, but virus protection should always consist of several layers.
The most important function of antivirus software is to detect and block viruses. NOD32 does this very well, and proves its reliability in the tests detailed above. It also has superior heuristic scanning abilities, making it very effective in detecting unknown viruses. NOD32 claims that not only did it detect and block big-gun viruses like CIH, Melissa, LoveLetter, etc. a long time before any competitor, but also the “gnomes” in the ESET virus lab are extremely fast and good at analyzing viruses and releasing blocks and fixes well before competitors do. This degree of protection makes NOD32 a clear winner in my book.
While the weak points mentioned above are mostly minor issues, enhancement requests, etc., fixing those would really put the cherry on the pie. Ease-of-use, easy setup and configuration are important for the user. Nowadays these attributes are almost a requirement. As sad as it might sound, good software can fail if it is tough to use, while bad software can succeed if it looks good and is easy to use.
Overall, NOD32 is a first-rate antivirus program that offers several levels of superior protection combined with ease-of-use. That makes it a winner in my book.
Submitted by: Alex “crazygerman” Byron