NOD32 - CNet / ZDNet Trash NOD32 !!!
 
 
 
 
  NOD32 trashed by CNet / ZDNet review !!!
   
  April 2002 --- Ken Feinstein trashes NOD32
 


Virus Bulletin is widely regarded as "The Bible of The Antivirus Industry", and its VB100% Award is the award every antivirus vendor strives to win, but winning it isn't easy --- Virus Bulletin's test team are full-time professionals who vigorously test antivirus software against thousands of real viruses.

NOD32 has not missed a single "in the wild" virus in a Virus Bulletin test in the past four years, and it has several "clean sweeps" of every virus in every category to its credit --- and NOD32 holds more VB100% Awards than any other antivirus program in the world.

In his CNet / ZDNet review, Ken Feinstein, a part-time amateur antivirus tester with no credentials whatsoever in the antivirus industry, used a handful of Rosenthal Utilities simulated viruses to rate NOD32 much lower in virus detection than Virus Bulletin (or any other competent antivirus software reviewer) has ever rated it !!!



Ken Feinstein makes a "big deal" of the fact that NOD32 missed all his pretend viruses!

Of course NOD32 missed them !!!  

NOD32 was designed to miss them !!!

Simulated viruses have been ridiculed by the antivirus industry for years! 

 It's either a virus or it's not --- and if it's not a virus then no decent antivirus program will detect it as a virus!

One would think CNet / ZDNet would have learned from their past mistakes, but it seems they still think their amateur reviewers know more about antivirus product testing than antivirus professionals.  

Joe Wells, Founder and Director of the WildList Organization, wrote a scathing commentary about Gregg Keizer's September 2000 CNet antivirus program review in an open letter to CNet, in which he said :

If a product does not report a simulated virus as being infected, it's right.  And if a program does report a simulated virus as being infected, it's wrong.  Thus, using simulated viruses in a product review inverts the test results.   It grossly misrepresents the truth of the matter because : 

  • It rewards the product that incorrectly reports a non-virus as infected.

  • It penalizes a product that correctly recognizes the non-virus as not infected.

Norton AntiVirus --- CNet's long-time "Editor's Choice" --- does detect Rosenthal's non-virus files as infected!

NOD32 --- rated as "Poor" in detection by CNet --- doesn't detect Rosenthal's non-virus files as viruses!

During the 18 months since Joe Wells informed CNet that their antivirus product testing methodology was fatally flawed, CNet has continued to use Rosenthal's simulated viruses in their tests and has continued to reward Norton AntiVirus with "highest detection" ratings and "Editor's Choice" awards for detecting them as infected while penalizing other antivirus programs for ( correctly! ) not detecting them as infected !!!

 ( Joe Wells' open letter was co-signed by no less than 19 antivirus professionals!   Read the full text here )



In his review, Ken Feinstein states "NOD32 offers only e-mail support."

Ken Feinstein has never called Eset for phone support !!!

If he had, he would have known better than to make such a ridiculous statement !!!



In his open letter condemning CNet's September 2000 review, Joe Wells said :

Most antivirus companies are under some form of self-imposed restrictions that prevent them from knowingly creating new viruses or virus variants. In addition, competent testing and certification bodies such as ICSA, Virus Bulletin, Secure Computing, and AV-Test.org, do not create new viruses or virus variants for testing.

Indeed, the consensus throughout the antivirus development and testing community is that creating a new virus or variant for product testing would be very bad and totally unnecessary. To do so would undoubtedly raise questions about their ethics.

Whether or not CNET knew this fact is unknown, but they did in fact create two new virus variants for their testing. Please note this fact as described in the "How We Tested" section.

We scanned for the I Love You virus in three different ways. In the first test, we left the code as is. In the second test, we changed every reference to love in the code. In the third test, we changed the size of the file by inserting a comment that did not affect the code.

Changing an existing virus results in a new virus. If a testing body does this, they brand themselves with, as it were, a scarlet "V" (as has CNET at this point). They mark themselves as a virus creating organization in the eyes of antivirus experts worldwide.

In his September 2000 review, Gregg Keizer states, "We scanned for the I Love You virus in three different ways. In the first test, we left the code as is. In the second test, we changed every reference to love in the code. In the third test, we changed the size of the file by inserting a comment that did not affect the code."

In his April 2002 review, Ken Feinstein states, "To test the I Love You virus, we copied and pasted the virus's code into Notepad and tested it three different ways. In the first test, we left the code untouched. In the second test, we changed every reference to love in the code. In the third test, we changed the size of the file by inserting a comment that does not affect the code."

In his September 2000 review, Gregg Keizer states, "CNET Labs used Rosenthal Utilities, a program that simulates viruses, to test for virus detection in main memory, in the file sector of floppy disks in A: drive, on the hard drive, and in the boot sector of floppy disks in A: drive."

In his April 2002 review, Ken Feinstein states, "We used Rosenthal Utilities, a program that simulates viruses, to test for virus detection in three places: main memory and the file and boot sectors of floppy disks in A: drive."

In his September 2000 review, Gregg Keizer states, "We also tested email protection by sending scrap files to the test computer. The scrap file (.shs) we tested will, when executed, attempt to reformat any disk in A: drive. Finally, we tested the current Outlook-specific email virus called KakWorm."

In his April 2002 review, Ken Feinstein states, "We also tested e-mail protection by sending a Scrap Object (SHS) embedded in a DOC file to the test computer. This object, when double-clicked, attempts to format whatever disk is in A: drive. Finally, we tested an Outlook-specific e-mail virus called Kakworm."

( Read "How we tested" from the September 2000 CNet review by Gregg Keizer here )

( Read "How we tested" from the April 2002 CNet review by Ken Feinstein here )

One could be forgiven for wondering :

  • Why does CNet continue to create new viruses for their detection tests ?

  • Why does CNet continue to use pretend viruses in their detection tests ?

  • Is "Ken Feinstein" also "Gregg Keizer" ?

  • Did Ken Feinstein modify the "I Love You" virus in exactly the same way as Gregg Keizer modified it, despite the fact that Joe Wells clearly told CNet "They mark themselves as a virus creating organization in the eyes of antivirus experts worldwide" back in October 2000 ?

  • Did Ken Feinstein actually test NOD32 (or any of the other antivirus programs in his review) at all --- or did he simply plagiarize Gregg Keizer's comments from his September 2000 review, modify them slightly, and include them in his own April 2002 review ?


In his review, Ken Feinstein states : "To test NOD32's disinfecting power, we infected a system with the Gibe worm. The AMON real-time monitor immediately found the virus running in system memory, deleted it, and removed Registry entries that would have launched the virus at start-up. However, NOD32 left a few virus-created files in the Windows directory and deleted them only after we ran a manual scan of the hard drive."

This highlights Mr Feinstein's complete lack of understanding of On Access Scanners!

On Access Scanners are designed to detect virus infiltrations when an infected file is accessed.

No On Access Scanner in the world would have detected Mr Feinstein's "a few virus-created files in the Windows directory" !!!

If Ken Feinstein had deliberately infected TEN THOUSAND files with Gibe for his test, AMON would have detected the virus ONLY in the file he executed, in memory, and the virus-created Registry entries.

By detecting the Gibe infection when it was triggered, AMON did exactly what it should have done !!!

NOD32's On Demand Scanner would have detected and disinfected the other 9,999 Gibe-infected files --- just like it detected and disinfected Mr Feinstein's "a few virus-created files in the Windows directory".


In his review, Ken Feinstein states that NOD32 doesn't scan ZIP files.

Obviously Mr Feinstein didn't bother looking at NOD32 very closely!

NOD32 does scan ZIP files --- and it scans RAR, ARJ, LZH, and LHA files too !!!


In the "Ability to catch wild and currently circulating viruses" section of his April 2002 CNet / ZDNet review, amateur antivirus program tester Ken Feinstein rates NOD32 as "Poor".

NOD32 was awarded ICSA Certification --- with 100% "in the wild" virus detection --- in the same month he wrote his "Virus Underdogs" review --- and ICSA tests against thousands of real viruses --- not just a few pretend viruses!

According to Virus Bulletin's professional reviewers, NOD32 is the only antivirus program in the world which has not missed a single "in the wild" virus in a Virus Bulletin VB100% test since it was first tested in May 1988 !!!

Obviously Mr Feinstein didn't bother looking up any of the many professional reviews of NOD32, or he would have wondered why his own detection figures were so ridiculously low and would have checked into it further.

It's Ken Feinstein's review --- not NOD32's ability to catch wild and currently circulating viruses --- which is "Poor" !!!


Now we start getting into Ripley's Believe It or Not territory !!!

According to Ken Feinstein, NOD32 "couldn't even detect Kakworm-infected e-mail within a mailbox file when we manually scanned the entire file."

Mr Feinstein's statement that he manually scanned a mailbox file with NOD32 is very interesting !!!

Either this test was never performed or the tester had no idea what he was doing !!! 

The NOD32 Antivirus System does scan email --- the POP3 Scanner scans incoming email on arrival, and AMON monitors incoming email attachments --- but --- NOD32 doesn't scan mailboxes AT ALL !!!

Even if we ignore all the other mistakes in the review, this alone shows that ( giving him the benefit of the doubt and assuming he tested NOD32 at all ) Ken Feinstein's testing methodology was at the very least sloppy and amateurish!

His "review" and its ridiculous "findings" cannot possibly be taken seriously !!!

( You can read Ken Feinstein's April 2002 review of NOD32 here )


Addendum - 08 May 2002

What you read on CNet's website now is not the original review!

After we complained about Ken Feinstein's review, CNet added the following text :

But NOD32's track record with the 200 or so circulating wild viruses tops the charts. In our tests, we also check how well an antivirus program handles the current viruses in the WildList as an indicator of a program's performance. And Virus Bulletin's 100% Award, handed out only to programs that spot every virus making the rounds, shows that NOD32 performs as well as Norton AntiVirus.

"as well as Norton AntiVirus" ???

Let's take a look at the real facts and figures!

NOD32 is way out in front of Norton AntiVirus in VB100% Awards !!!

  • NOD32 has won 17 out of 18 submissions!

  • Norton AntiVirus has won 16 out of 22 submissions!

According to Virus Bulletin's published tests on thousands of real viruses :

  • between February 2000 and February 2002, NOD32 missed a total of 227 viruses!

  • between February 2000 and February 2002, Norton AntiVirus missed a total of 1,597 viruses!

Virus Bulletin's figures clearly show that NOD32 performs significantly better than Norton AntiVirus --- against real viruses !!!


Addendum - 10 May 2002

CNet has added the following text to their "corrections" page :

In some of our original reviews of antivirus products, we acknowledged the test results of a British publication, Virus Bulletin, while in other reviews, we did not. We have updated all the reviews where appropriate to include links to the Virus Bulletin 100% list. The additions do not change any product ratings.

"The additions do not change any product ratings" indicates that, despite all the evidence to the contrary, CNet still thinks their review of NOD32 was fair and factual. They don't seem the least bit inclined to admit their review and its ratings were extremely unprofessional and grossly misleading --- nor do they seem inclined to apologize to us or their readers for publishing such blatant hogwash.

The fact is, apart from using a fatally flawed and unfair testing methodology ( a testing methodology which CNet has known is fatally flawed and unfair for nearly two years, but which they continue to use !!! ) to produce a ridiculously low virus detection rating for NOD32, the review contained a number of demonstrably false statements about NOD32's features and performance!

CNet's sloppy and amateurish review unfairly trashed NOD32 !!!

A couple of lines of weasel words do not repair the damage caused to NOD32's fine reputation by CNet's "review" !!!

A couple of lines of weasel words do not compensate us for the sales we undoubtedly missed thanks to CNet's "review" !!!

How about a little fair play, CNet ???


Here are just a few of the many feedback comments on the review, from CNet's website

" The Best! Period! "
You need a knowledgeable reviewer and a credible hypothesis before undertaking any type of technical review. Unfortunately, both the criteria are missing! This rating that CNet has published looks entirely bogus. Good results are made to look bad, and bad results are made to look good.

" Simply The Best "
I see by the ratio of "Thumbs Up" to "Thumbs Down" votes that there are a lot of avid NOD32 fans out there. I'm not one of them (yet) but I'm VERY impressed with the program and we will be purchasing a licence for our network soon. We were hit badly by a Klez Worm which came in E-mail last week. NAV 2002 detected hundreds of earlier Klez Worms in E-mail, but it missed this one. The Worm destroyed NAV 2002 and infected thousands of files across the network with the Elkhorn Virus. I was never happy with the bloated NAV 2002 anyway, so I took this opportunity to go looking for a replacement anti-virus program. I found a free fix on the NOD32 web site, and I cleared up the Klez Worm and the thousands of Elkhorn Virus infections in less than one hour. I installed the free trial version, and it has performed flawlessly ever since. Incidentally, the comment "NOD32 missed 47 viruses and caused my PC to crash" defies logic. Unless the complainant is a "virus collector", it's doubtful that any scanner in the world would miss 47 viruses on his PC, let alone the only scanner in the world which appears to have an unblemished detection record in Virus Bulletin tests.
Dr. Raymond Jamieson, Ph.D.

" 6/10 ?   You've got to be joking! "
Your sloppy review of NOD32 and the other 4 programs is highly misleading. You link to NAV on every page of the review. The whole thing reads like one big Norton ad. Your own help.com used to warn against using simulated viruses to test anti-virus, but that item has been removed. How convenient for Ken Feinstein! Why should I believe your ridiculous 6/10 when ICSA and VIRUS BULLETIN rate NOD32 10/10, and NOD32 holds the world record for VB-100% awards ? You people owe the NOD32 guys and the other anti-virus companies an apology for publishing such rubbish!

" The Best "
I never did trust magazine reviews of software, and CNet's review is no exception. I trust much more laboratories such as Virus Bulletin, on which NOD32 does very well. As one user states, they use real world viruses. Anytime I see Rosenthal or any such synthetic viruses that were used to form a review, the review loses all credibility. Give me a real world test with real world viruses any day. Symantec's NAV also does very well in Virus Bulletin tests, but it is a bloated resource hog whose scan is as slow as a snail. NOD32 takes up little resources and scans very quickly, the fastest in fact. A real review would consider such issues instead of how the interface looks.

" No Bloatware for me "
NOD32 not only outperforms in terms of efficiency and system performance any of the "top" anti-virus programs its heuristics are 10 years ahead of the competition. In our test of 1200 PCs NOD32 takes care of the lower end PCs. It can run on a 386DX! NOD32 is written in machine code. Other anti-virus programs are written in higher level languages, making the PC "think" more than it should. Two thumbs up from me.

" What's your agenda, Cnet ? "
Considering the opinions of respected Anti Virus testing organizations and my own experience, I must question the intentions of Cnet and this seemingly biased report. I have used NOD32 for quite some time now and it has stopped every virus and worm that has hit my inbox -- including the ONE Cnet said it failed to detect. Cnet, what do you hope to gain by this obviously incorrect report ? You certainly have lost any respect I ever had for your "opinions".

" Hey CNET, read this "
I wonder if CNET would care to comment on this quote from the ICSA Certification Lab ? "NOD32 ICSA Certification is yet another mark of quality of ESET's sophisticated product. Complete detection of all virus samples of NOD32 system was combined with impressive scanning detection rate and surprisingly low system footprint," commented Larry Bridwell, ICSA Labs Content Security Programs Manager, after completion of the tests.

( You can read a lot more feedback and add your own comments here )

( Our Snake Oil page is recommended reading. You can read it here )


The bottom line is
  Who has more credibility in the antivirus world --- CNet and Ken Feinstein, or ICSA and Virus Bulletin ?