Eset on the Radio

New Computers Need Full Protection Anti-Threat Coverage

Complete Transcript of Interview – Randy Abrams - ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
March 31 2007


Alan: If you go out and buy a brand-new computer, the odds are that it’s already going to have a Microsoft Vista Operating System installed on it. But then, are you going to be fully protected from all kinds of Internet threats? Our guest today is Randy Abrams, Director of Technical Education from ESET. And welcome back to Let’s Talk Computers, Randy.

Randy: Well, thank you Alan. It’s a pleasure being with you, again.

Alan: Usually, when we buy a brand-new computer, it already has some kind of anti-virus software package that has been bundled with it. Now, since we’re using the Vista Operating System, which is supposed to be the most secure operating system available, will this by itself be enough to protect us from all kinds of threats and viruses?

Randy: The operating system is only designed to be a platform on which programs can be run. Viruses and Trojans and other malware are just programs, and so you need software that is designed to stop specific types of programs from running. You are going to need some good security software within the operating system, and Windows Vista is no exception.

With Vista, Microsoft includes Windows Defender. Some people are under the mistaken impression that Windows Defender is an anti-virus program. Windows Defender is an anti-spyware program and, really, at bare minimum, it is not even certified by any organization such as West Coast Labs for spyware detection and removal. It’s definitely better than nothing, but it’s not a “top-end security product”. Depending upon what your computer came bundled with, you may or may not be protected at the level you need.

Alan: Well, let’s just talk about some of the testing that has been done, because when you test your software for virus protection, it’s supposed to be a “one-time shot” – pass or you fail – right?

Randy: Not necessarily. It depends upon the purpose of the test. An excellent example of this deals with Microsoft’s OneCare, which is their anti-virus offering, which includes Windows Defender. Microsoft’s been taking a fair amount of “heat” lately, because they scored pretty poorly in the AV Comparative test. AV Comparative is an independent organization out of Austria.

Now, Microsoft came back and said, “Well, we don’t think this test is so important. We go by respected tests such as ICSA Labs and Checkmark Testing.” There are different types of tests. ICSA Labs tests for “In the Wild” viruses. Most people would think that when you say In the Wild, it means that these are all the viruses that are out there – but it does not. What In the Wild means in this case is a specific set of viruses that a specific set of people have reported seeing in the wild – and it’s only viruses; it doesn’t count spyware. It doesn’t count rootkits and other Trojans, adware, anything like this, whereas the AV Comparative test was much more comprehensive in scope.

But, to address your question, should it be a “one-time thing” – not necessarily. It depends on what the purpose of the test or certification is. For example, if I want to sell you a lamp that needs to be certified by Underwriters’ Lab as being “electrically safe”, and I pay Underwriters’ Lab to test this lamp I’m building and I fail, I shouldn’t be kicked out of the business for life. I need to fix my product and make it better, and I’ll pay them and test it again.

Well, ICSA Labs and Checkmark and West Coast Labs, what they’re going after is an Underwriters’ Lab type of certification. And so, for their type of testing, “re-do’s” are acceptable. But when consumers look at tests like the Virus Bulletin 100% Award, on which OneCare has a 50% track record, or AV-Test or AV Comparative, what they’re looking for is instantaneous test results – how did the product do this day on this test set?

Alan: Now, you came from Microsoft, didn’t you?

Randy: Yes, I worked at Microsoft for about 12 years, and for over 7 years of that time my job was to make sure that Microsoft didn’t release “infected software”. And I can tell you that if I was in the lab doing that same job right now, I would use OneCare because I was required to, and because it’s really good for false positive testing, but not because I felt it was protecting Microsoft from releasing infected software at this point.

I expect, eventually, it will be a good product. They’ve got really smart people there.

And with the Virus Bulletin 100% Awards, what’s really important is the commitment to quality. None of the viruses in the tests are a surprise to anyone. All the major companies get what’s called the “wild core”. This is the set of viruses; essentially, this is what is used in the test. There may be some slight differences because of polymorphic viruses. The companies all had plenty of time to prepare. They knew what the questions were going to be on the test. And failing a Virus Bulletin 100% Award for missing a virus does not speak well to the quality control standards.

Alan: Well, that’s like giving somebody a crib sheet that says, “this is going to be the test; these are the questions and the answers that are going to be on the test; just memorize them and you will pass”. But, then if you fail, that’s not saying much, is it?

Randy: Jimmy Kuo of Microsoft’s OneCare team admitted that they needed to fix some processes to make sure that that doesn’t happen again. But OneCare is a young product, and they probably have a lot of processes left to fix, whereas you’ve got products like NOD32 that have been out for several years, and since 1998 it has not failed a single Virus Bulletin 100% Award for missing a virus. We know the ropes; we’ve been around the block – we know the neighborhood – and we know what it takes to put together a quality process to make sure that we’re providing “top-notch protection”.

Alan: But is it a true test of a virus program to test it against a “not known” virus?

Randy: That’s very important. Testing the unknown viruses is what we call “proactive detection”, and this is where anti-virus companies use something called heuristics. And that was the reason I brought NOD32 into the labs at Microsoft: because no product does a better job of detecting unknown threats than NOD32. In a recent test in a German magazine, c’t Magazine, the test was done by Andreas Marx’s group at http://www.avtest.org. They found that, for in-the-wild viruses, with three-month-old signatures we were detecting 78.5% of the new malware. Now, Microsoft OneCare was detecting about 10%.

And then with six-month-old signatures we were still detecting 73%, and OneCare was detecting about 7%. Using NOD32, you’ve got a much, much higher chance of having unknown threats detected and blocked so that you don’t get infected.

Alan: And in a March 20th article put out by InfoWorld, they’re talking about how all these virus writers are teaming up, cooperating to come out with the best malware and botnets to attack computer systems. Could this be something we should really worry about?

Randy: Yes and no. If you weren’t already worried about it before it came out, then you probably aren’t worried enough! This isn’t unexpected, but it doesn’t really change what you do. You have to have good security software. That’s a given; but you also have to have good “computer hygiene”. You have to have good practices. You can’t go around running programs because someone says, “this is a funny file, you should look at it.” Especially when you don’t even know who they are or know if they have good computing habits.

You can’t just go “willy-nilly” to any website and believe anything you read, like, “this is a free program and it doesn’t have any viruses” – come on, they are not going to say, “this is a free program, but we’re going to install adware with it.” So, you know…

Alan: But if you have a friend that you always send email back and forth to, they send you jokes, you send them jokes, and their computer gets infected, now their computer is going to be set up as something like a botnet, where they are going to start sending out viruses, and you will get one of the viruses from your friend that says, “click here to see this very important picture”, and the odds are you’re going to do it. How does NOD32 protect us?

Randy: At ESET, we use a variety of techniques. We do use traditional signatures, because a lot of these attacks are known – they’ve been out for a while. Traditional signatures that detect the stuff that we know are one approach.

But then we combine three different heuristics. Heuristics are a “rules-based approach” to solving problems. We use three different types of approaches to detect the unknown threats.

Alan: You also protect us when we are going out to the Internet, because NOD32 not only looks at email coming into us, but as we surf the Internet, it keeps us safe from going to sites that are going to do what we call “drive-by installs”.

Randy: A great example of that was the very publicized Super Bowl website, where someone had compromised the Miami Dolphins’ website. It was serving up drive-by malware. And in June of last year, with NOD32, we were heuristically detecting that threat, which we believe was well before the threat even existed.

We protect HTTP traffic, and if you FTP a file down to your computer, as soon as it hits the file system, the on-access scanner will check that. One of our competitors is telling people, “well, NOD32 doesn’t have their famous heuristics enabled by default for on-demand scanning” – which we don’t for on-demand scanning, but we have it for on-access scanning, and you don’t get a file to scan on-demand if you haven’t accessed it first.

Alan: As hard drives get larger – and they are large now, because I know Seagate has a 750-Gig hard drive – and you want to scan all of it, it has to scan very quickly, and NOD32 does that, doesn’t it?

Randy: NOD32 is an amazingly fast scanner. When I was at Microsoft, checking the products that Microsoft releases, I didn’t have the luxury of really caring about speed. I had to care about what was going to do the best job. And it was just a pleasant surprise when I found that the Product that does the best job at detecting unknown viruses was also finishing the scan the fastest. We were scanning dozens of terabytes of data every year, and they are scanning a lot more than that now.

Alan: When you look at the Virus Bulletin statistics, you will see that NOD32 has the fastest scanner, bar none.

Randy: Depending on the operating system, the speed is truly phenomenal. In Windows XP 64-bit, we were scanning more than 40,000 kilobytes per second – just head and shoulders above the rest! We’ve been fastest on XP, and we are very, very fast on Vista. Your scans finish more quickly, and being a very lightweight Product, it interferes less with user activities while it is scanning.

Alan: And this is a Product that you buy a license for, and you get free updates of the signatures, but you also get free updates of the actual Program – so you’re never running last year’s Program.

Randy: We don’t believe in giving you our second-best technology. We’re not going to sell you NOD2005 and say, “now it’s 2006, so you have to buy a new 2006, even though you bought it in December 2005.” So for the entire life of your license, if we have a newer Product, then you get upgraded to that for free. We want you to have our best technology.

Alan: Plus the fact that your Corporate Edition and your Home Edition are absolutely the same editions, so I can feel secure as a home user that I am getting the very best that my money can buy.

Randy: The only difference between the Home and Corporate Edition is that the Corporate Edition can be configured to grab updates from inside the corporation instead of over the network, but the heuristics, the signatures, the technology, the speed – all of that is exactly the same. There is no point in giving second-best to anyone.

Alan: And what are we looking at as far as the price of NOD32?

Randy: For a single-user, one-year license it’s $39, and then renewals are $27 a year.

Alan: And if somebody would like to find more information about NOD32, where would they go?

Randy: They would go to http://www.eset.com. Additionally, your listeners are welcome to email me at askeset@eset.com if they have any questions or comments, and I would be delighted to get back to them on that.

Alan: Randy, it’s been our pleasure to have you as our guest here on Let’s Talk Computers – talking about how we can keep our computers safe – and we hope to have you back on the air again real soon.

Randy: It’s a pleasure being with you again, Alan. Thank you.