mattgadient.com

Windows 7 anti-virus: Kaspersky 2010 vs NOD32 4.0 vs Symantec

Oct 25 2009 Update: before plunking down money on a paid anti-virus program with activation, you may want to read http://mattgadient.com/2009/10/25/anti-virus-software-and-activation-why-free-just-might-be-better-than-paid/

With the final version of Windows 7 finally being released by Microsoft on Technet, and having a subscription, I decided it was time to grab a copy and start playing with some anti-virus programs to see what the ideal paid anti-virus program might be.

The most commonly talked about AVs tend to be the offerings from Symantec (Norton), Kaspersky, and NOD32. They all offer free 30-day trials, so away I went. I grabbed the following:

  • Kaspersky 2010 (not as easily found on the site, but they have a link stickied in the forums which installs as a trial just fine for those who want to do their own checking)
  • Symantec Endpoint Protection 12.0
  • NOD32 v4.0

Now a few may be wondering what the heck Symantec’s Endpoint is doing with the other 2. After all, the others are cost-effective consumer versions, while Endpoint Protection is a pricey business option. The reason is simple – I was looking for AVs that aren’t terribly resource-intensive. Endpoint Protection is the successor to Symantec AV Corporate Edition, which was known for being light on resources, and that is why I chose it.

In any case, none of the 3 claims full Windows 7 compatibility in their products yet, since we’ve still got a while to go before Win 7 is publicly available. That said, I encountered no issues in my limited testing, which means all 3 of these AV-makers have done a pretty good job so far of preparing.

Enough of that! On to the testing!

I searched around to find a couple of files – the first being a keygen that had so many “VIRUS!!!” claims that I figured every scanner should probably flag it. The second actually had “trojan” in the file name and looked to be a poorly made custom program to zombify another computer.

For testing, I attempted the following with each:

  • Download from the web
  • Run the program

Before installing each anti-virus program, I made sure I had a RAR as well as an extracted copy available in case the AV program stopped it in its tracks at the download point.
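For readers who want to repeat this kind of check without downloading real malware, the following is an added example (not code from the original post) that builds the same two-stage corpus – a bare sample and an archived copy – from the EICAR test file, a harmless 68-byte string that mainstream scanners are designed to flag, and then reports which copies an on-access scanner left intact. Assumptions: a zip archive stands in for the RAR used in the post (Python’s standard library has no RAR writer), the output directory is whatever you pass in (a temporary directory by default), and the SHA-256 constant is the published digest of the EICAR file.

```python
"""Safe anti-virus test corpus: plain EICAR sample plus an archived copy.

Added example, not part of the original post. EICAR only exercises
detection (download / on-access / archive scanning); it says nothing
about whether a scanner blocks a real program at execution time.
"""
import hashlib
import os
import tempfile
import time
import zipfile

# The EICAR string is assembled from two halves so that a scanner does not
# quarantine this script itself before it runs; the joined value is the
# standard 68-byte test string.
EICAR_PART_A = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"
EICAR_PART_B = "-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = (EICAR_PART_A + EICAR_PART_B).encode("ascii")

# Published SHA-256 of the EICAR test file (assumed correct; verify against
# your vendor's documentation if in doubt).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_digest():
    """SHA-256 of the in-memory sample, for comparison with the on-disk copy."""
    return hashlib.sha256(EICAR).hexdigest()


def write_corpus(directory):
    """Write the bare sample and a zipped copy; return {label: path}."""
    os.makedirs(directory, exist_ok=True)
    plain = os.path.join(directory, "eicar.com")
    with open(plain, "wb") as fh:
        fh.write(EICAR)
    archived = os.path.join(directory, "eicar.zip")
    # The archive plays the role of the RAR from the post: a scanner that does
    # not look inside compressed files will let this copy through.
    with zipfile.ZipFile(archived, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return {"plain": plain, "archived": archived}


def plain_intact(path):
    """True if the bare sample is still on disk and unmodified."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == EICAR_SHA256


def archived_intact(path):
    """True if the archive still exists and its member is the EICAR string."""
    if not os.path.exists(path):
        return False
    try:
        with zipfile.ZipFile(path) as zf:
            return zf.read("eicar.com") == EICAR
    except (zipfile.BadZipFile, KeyError):
        return False


def survey(paths, settle_seconds=0):
    """Give an on-access scanner time to react, then report what survived.

    False for "plain" means the scanner acted on the bare file; False for
    "archived" means it also reached inside the archive. True for both means
    nothing reacted (expected on a machine with no on-access scanner).
    """
    time.sleep(settle_seconds)
    return {
        "plain": plain_intact(paths["plain"]),
        "archived": archived_intact(paths["archived"]),
    }


def run_demo(directory=None, settle_seconds=0):
    """Write the corpus into `directory` (temporary dir if None) and survey it."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="av-corpus-")
    return survey(write_corpus(directory), settle_seconds)


if __name__ == "__main__":
    # On a protected Windows box, expect the "plain" copy to vanish within a
    # few seconds; whether "archived" vanishes too tells you about archive
    # scanning, which is the gap the post describes for Endpoint Protection.
    print(run_demo(settle_seconds=5))
```

Run it once before installing each scanner to confirm both files are written, and again afterwards with a settle delay; a survey result that flips from True to False is the on-access scanner doing its job, and the archived copy surviving while the plain one is removed is the archive-scanning gap to note.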

Kaspersky 2010

Download from the web: Kaspersky detected both, and offered the options to either block the download or allow it.

Run the program: Kaspersky didn’t want to let me get that far. As soon as the containing folder was opened, Kaspersky detected each, and forced me to “delete” or “block” the program. Any time I chose to simply “block”, it would pop up the message again the next time the folder was opened. Finally, I tried running the program. The program errored out and Kaspersky again forced me to block or delete.

NOD32 4.0

NOD32 let me download the first keygen, unRAR it, and run it. It’s remotely possible that the keygen was simply a false positive, but something odd happened a little later on (which I’ll get to).

NOD32 detected the 2nd file (trojan) during the download and automatically quarantined it. I disabled the scanner long enough to let me download and unRAR it, then re-enabled NOD32. To my surprise, it let me run it without a peep!

Something pretty fishy was going on here. It let me do everything with the first keygen. It then wouldn’t let me download the 2nd file (trojan), but would let me run it?!

I peeked through the options in NOD32, and turned on “Advanced heuristics on file execution”, which is disabled by default because it hurts performance (NOD32 actually warns you about this when you enable it). Now it detected both files, but with a huge performance penalty (5-7 seconds!) when trying to run them. The most unfortunate part was that the programs seemed to run anyway. Sure, it detected them, but if it lets them run and do some damage before it actually does something about it… what’s the point?

One final oddity… after disabling the advanced heuristics on file execution, it still continued to detect both – I would have expected it to only continue detecting the 2nd.

Symantec Endpoint Protection 12.0

I can sum Endpoint Protection up fairly quickly. It doesn’t seem to actively scan within compressed folders (not RAR’s anyway). So both downloaded without being flagged. Once extracted, it did catch the first file immediately upon extraction. I disabled the AV long enough to extract a few copies, re-enabled it, and tried running them – each time the file was removed before I could run it.

Sadly, Endpoint Protection didn’t catch the 2nd file (trojan) at all and was quite content to let me extract and run it. A downside of Endpoint seems to be the limited options available. I looked through for something equivalent to NOD32’s “advanced heuristics”, but didn’t find anything. Perhaps I just missed something? I’m not sure.

Thoughts/Verdict

In these tests, Kaspersky clearly came out ahead. It nailed both files at every opportunity. In my opinion, Kaspersky has the absolute worst, most complicated and complex interface, but when it came to the detection it was miles ahead.

NOD was odd. Quite a few things happened that just didn’t make sense. I may do a retest again in the future because things really didn’t add up. The fact that it let me run a program even as it was detecting the baddies within it really soured things for me.

Symantec Endpoint handled the baddie it found very well. I would have tied it with Kaspersky (despite not scanning within the RAR) if it didn’t miss the 2nd baddie.

As far as interfaces go, I had screenshots I took all along the way, but they got destroyed during one of the reformats. Symantec has the simplest, although when it detects something the window can get lost in the background. I’d rate NOD32’s interface as the best – a few options shown with the ability to go into further detail in a relatively clean sort of way. Kaspersky’s is bloated and complicated in too many ways – I suppose some may like it, but I find it an annoyance (and I’d never dare to try to explain to someone over the phone how to find something in the log).

A few odds and ends….

  • Kaspersky has a “Gaming Mode” that can be enabled which amongst other benefits keeps notifications from bugging you during your game (for those who’ve had that happen to you – I know I sure have).
  • Symantec also has a “Gaming Edition” in their consumer-line (worth a mention simply because I mentioned the above).
  • NOD32 installs extremely fast. Really. It’s uncanny.
  • Symantec Endpoint is huge. As in almost 500 megs for the zipped installer (compared to under 40 for NOD32 and under 60 for Kaspersky). At least it didn’t feel that bloated 😉
  • NOD32 is awesome when it comes to submitting new files you feel may be infected. You can simply right-click the file from within Windows to submit it, or if the scanner finds a file which is suspect, you can just click the notification message to submit to NOD32 to be checked out.
  • Symantec Endpoint does not have a right-click context menu option to scan a file. That means if you download something and want to scan it, you’ll have to enter the program and do a custom scan.

Before anyone comes screaming, these are all thoughts and opinions based on my own testing. Feel free to do your own testing – all the AV programs I mentioned have free trials, so do some checking and tell me which AV you prefer and why.

5 Comments
  1. Thxs dude….this was a real help for me.
    Recently installed win7 and couldn’t make the decision of which AV to use, between kaspersky and nod32.
    Used Bitdefender on my vista…still kaspersky remains my favourite!!!

  2. Rohit Prakash

    Kaspersky 2010 has some major improvements. Fast installation, sandbox run etc. Detection rates are superior. Though their options are confusing and baffle a novice user. It is recommended for highly experienced users.

    Kaspersky’s customer support sucks.

    Nod32 has best heuristics.

  3. ATG/Mumbai

    I have also noticed this “bug” with NOD32. Once you disable NOD for a particular file, NOD32 will in future disable all scans or notifications for that file – even if it’s a known trojan or potentially unsafe by its heuristics.

    The reason I’ve recommended NOD32 and Kaspersky for so many years is that these are the only two great AV engines that will (in real world use, practically) give you 100% protection against all threats.

    NOD32 seems to have the edge over Kaspersky when it comes to being out of date; not updated for a while – thanks to its advanced heuristics, giving it an edge when its virus signatures are not updated. So I recommend it to those who do not have an internet connection.

    Kaspersky seems to have an edge over NOD32 when it comes to virus signature database. For those who are online all the time, this one may be the smarter choice.

    Here is what I prefer doing. USING BOTH NOD32 AND KASPERSKY on the same PC, giving you the best of both worlds:

    1. Install Kaspersky first. Kaspersky needs that you do not have any other AV engine installed on your PC. It won’t install until you remove your existing AV program. So install your existing AV program and install Kaspersky. Then disable it completely using the MSConfig tool. Reboot the PC, so that Kaspersky is completely disabled and is not running at all.
    2. Install NOD32. NOD32 is a bit more forgiving – and will install even with Kaspersky installed. Disable NOD32 also, just like you disabled Kaspersky – via the MSConfig utility. In addition to disabling NOD32 in the MSConfig tool, also enable Kaspersky now. Reboot, so that Kaspersky is now totally enabled and NOD32 is now completely disabled.
    3. The PC boots with Kaspersky protecting your PC. Kaspersky is now running; actively protecting your PC. We call this the “Resident” antivirus. NOD32 is disabled and will not be protecting you — UNTIL you right click on a file and ask NOD32 to scan that file for you. You’ll notice that NOD32, even though disabled, will run a scan on that file. We call this “On-demand” scanning.

    Thus you have the mighty protection of Kaspersky with its massive virus signature db AS WELL AS the super smart NOD32 protection with its uncanny heuristics.

    You cannot keep NOD32 as your resident, cos Kaspersky if disabled cannot be used for On-demand scanning. So you must have Kaspersky resident and use NOD32 for your on-demand scanning. Of course, you can also use Kaspersky for on-demand scanning – and it’s preferred that you first use your resident engine’s on-demand scanner BEFORE you go with NOD32. The reason: If NOD32 intercepts a virus, Kaspersky and NOD32 might end up in a fight over control of that file, since Kaspersky is resident. If you first scan using Kaspersky, NOD32 won’t interfere since it’s sleeping – and will come ONLY if you initiate it using its on-demand scan option. Once Kaspersky has scanned a file, it will either detect or fail to detect a virus. If it detects a virus, then it will take action. If it fails to detect a virus, either your file is clean or Kaspersky thinks it’s clean and will allow that file to be used or run. Kaspersky won’t interfere then. So NOD32 can come on and clean it, if it’s found a virus within your file that Kaspersky has failed to detect. Either way, you’re safe, as the threat has been detected.

    Also, you must install Kaspersky first – and then NOD32. As NOD32 will install over another antivirus, but Kaspersky won’t.

    Cheers!
    Hope this helps.

  4. ATG / Mumbai

    Edit (Correction):

    USING BOTH NOD32 AND KASPERSKY

    1. …So UNINSTALL your existing AV program and install Kaspersky. …

    My bad. Sorry.

  5. ATG / Mumbai

    Update: Came across some malware on a friend’s PC that keeps infecting USB drives and affects the normal operation of Windows Explorer.

    NOD32 couldn’t do anything. It’s been years since I’ve seen something get past NOD32/Kaspersky. (In fact, I can’t remember if anything ever did..)

    A solution was found in Prevx ( http://www.prevx.com ).
    PrevX took it out – and also found some more malware that got past NOD32. (I don’t know if these were false positives or really malware – cos I wasn’t around when my friend was trying this out..)

    This is one of the new generation of antivirus engines. Works online, rather than installing on your local PC.
    I don’t know how good they really are. But it bust something that NOD32 was unable to handle. So it sure gets my thumbs up.

    I suggest (recommend) everyone augment their antivirus with this tool.

    Cheers!
