Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 6 May 2009

NOD32 ESS: 2 months on ....

I was graciously given a licence at the beginning of March in order to review the latest release, and thought I'd give an update on how it is doing.

Although it's got several major good points, such as being very low on resource usage, and popping up to notify me when an application changes (top left), it does have one or two niggles that are frustrating.

First and foremost, if you are using Outlook and have rules configured - be prepared to have them messed with. For example, I've got several rules configured to auto-filter certain phishing scams, so they're auto-forwarded to PhishTank. Sadly, whilst the e-mails are certainly still forwarded - NOD32 has decided it best not to leave them in the folder I told the rule to put them into, but is instead, moving them to the Junk and/or Inbox folder - very annoying (especially given the amount I receive).

The second issue is also with Outlook and, at this point, it's a little confusing to say the least. When opening an e-mail, Outlook quite rightly marks it as read. However, I'm frequently seeing these e-mails revert to unread status - something it never used to do before NOD32 was installed.

The third and final Outlook-related issue is with the speed at which e-mails are sent, downloaded and opened - unfortunately this speed has been greatly reduced, with 1MB of e-mails frequently taking up to and over 10 mins to download, whereas it was usually done within seconds.

These issues, however, whilst annoying, are minor. One thing that I'd like to see (and it could be that there is an option, but if there is - I've not found it, and I've spent a considerable amount of time looking) is the ability to stop NOD32 adding its tagline to every single e-mail.

One of the features I like most is its quarantine dialog. When I am researching malware or malicious sites and NOD flags it, it automatically stops the connection and/or quarantines the file for me. One rather annoying niggle with this feature is that it doesn't have an option to ask me what I want to do with it prior to its taking action (and again, I've been through the options and if it is there, I've not found it). I'd personally like to see NOD ask me what I want to do with the file and/or connection (in the case of malicious websites), and perhaps a little checkbox so I can tell it not to ask me again.



One bug I have found is in its firewall log viewer. Unless your log is on the small side, you are going to find yourself looking at a "Loading firewall log" dialog. That is not a bug in itself, but its cancel button does not seem to work: if I click cancel, it does indeed go away, but it sporadically (not always) comes back again as soon as I try doing anything else, such as switching to a different part of the program.

Without a doubt, one of its best features, besides the rescue CD creation, is the SysInspector, which allows you to create snapshots of the system state. Sadly, something they forgot to do is prevent you from accidentally starting the process twice (I've just done that myself whilst writing this, as it didn't start creating it the first time, so I thought I'd clicked cancel instead). You also cannot cancel one of them whilst it's generating the snapshot - something I'd like to see added.



Bear in mind, your system WILL slow to a crawl whilst it's generating the snapshot, so make sure you're not in the middle of something when you create one (it only took around 15 mins on this system (500MHz, 320MB RAM), which is not exactly a long time).




One thing this could do with is a simple "before - current" view, as the current options simply aren't intuitive enough. They need to provide a view here, much like most comparison programs do. An additional option would be advantageous: have it filter so you can see what was added, and when, and only show that information (this would greatly reduce the time required for analysis).

Other than the aforementioned, however, the SysInspector provides an extensive amount of information on the system's state, so it is definitely a welcome addition to the program.

Sadly, one area it is failing in is detections. Although I've not done a detailed test to date, I do research and analyse malware quite frequently, and sadly, whilst NOD does flag some of it, it misses the majority (some samples aren't detected by anyone, so this is to be expected, but some have quite good detection rates according to VirusTotal). Detailed testing and analysis would be required before detection capability could be properly and responsibly reported - something I'm planning to do in future.

All in all, Eset Smart Security 4 is proving to be an invaluable product, and a major improvement over its previous incarnations. If detections are drastically improved, this could very well be the best of the best.

Please do bear in mind that the information provided reflects my own findings. I am not reviewing NOD32 under the usual test lab conditions, but instead have it on my development "every day" machine (I figured it best to test it under real world "every day" conditions). I do not consider myself an expert, so this should not be taken as an expert review.

References

Eset Smart Security 4: A first look
http://hphosts.blogspot.com/2009/03/eset-smart-security-4-first-look.html
