Pros: Good scores from independent testing labs. New UEFI scanner finds malware in firmware. HIPS component blocks exploits. Speedy full scan. Comprehensive device control.
Cons: So-so phishing protection. Device control too complex for most users.
Bottom Line
ESET NOD32 Antivirus gets good scores in lab tests and our own tests, and its unusual new UEFI scanner can detect a malware infestation in your PC's firmware.
Some antivirus software sticks strictly to its assigned task of removing malware and preventing any further infestation. Others, like ESET NOD32 Antivirus, pack in quite a bit more. Among other bonuses, NOD32 includes device control, a Host Intrusion Protection System, and a scanner that checks for malware in your PC's firmware. In addition to the firmware scan, version 11 adds a tool to reverse malicious changes to system settings and web-based management of your antivirus licenses.
Prices and Licenses
You pay $39.99 per year to protect one computer with NOD32; additional licenses, up to a total of five, cost $10 per year. Kaspersky, Bitdefender, and quite a few others come in at or near that $39.99 price point for one license, and $20 more for three licenses. McAfee AntiVirus Plus costs $59.99 per year, but that gets you licenses for every device in your household, be it Windows, macOS, Android, or iOS.
The installer checks your system for conflicts and downloads the latest code. During installation, you must tell it whether to include detection of potentially unwanted applications. For testing purposes, I enabled this detection—you should do the same. After installation, it immediately launches a scan.
The main window includes quite a bit of whitespace, along with a large image of ESET's blue-eyed cyborg mascot. To launch a scan or an update, you can use either the left-side menu or a pair of large blue panels near the bottom of the window. If there's a problem with configuration, the green security banner changes to red. And if there's something needing your attention—the results of a completed scan, for example—you see a little number next to the corresponding menu item.
Like Symantec Norton AntiVirus Basic, NOD32 has a boatload of configuration settings. Also like Norton, if you know the name of the setting you want, you can just type it in the search box, rather than wading through pages of settings looking for it. But you may not need to search at all, since the product comes configured for optimal security right out of the box.
Very Good Lab Results
All four of the independent testing labs that I follow include NOD32 in their testing, and its scores range from good to excellent. Barely a quarter of tested products pass the banking Trojans test performed by MRG-Effitas; NOD32 is among that elite group. It also achieved Level 2 certification in that lab's broader malware protection test, meaning that although some of the samples managed to install, it wiped them out afterward. Only Kaspersky Anti-Virus managed Level 1 certification, meaning that it totally prevented installation of all the samples.
Testers at SE Labs capture real-world malicious websites and use a replay system to hit all tested products with the same web-based attacks. Products can receive certification at five levels: AAA, AA, A, B, and C. Like Bitdefender, Kaspersky, Norton, and a few others, NOD32 achieved AAA certification.
AV-Test Institute rates antivirus products on three criteria. The Protection score represents that all-important ability to prevent malware infestation. Performance refers to a low impact on system performance. For a good Usability score, the antivirus must not flag valid programs or websites as malware. With six points possible for each, NOD32 received 5.0 for Protection, 4.5 for Performance, and 6.0 for Usability, for a total of 15.5 points. Kaspersky totaled a perfect 18 points in this test, while Bitdefender Antivirus Plus and Trend Micro managed 17.5.
At AV-Comparatives, they don't assign numeric scores. Every product that passes a test receives Standard certification, while those that do more than the minimum for passing can get Advanced or Advanced+ certification. Of the four tests from this lab that I follow, NOD32 received two Advanced+ certifications and two Advanced.
My lab test score algorithm maps each test onto a scale from 1 to 10 and creates a weighted average. Kaspersky came out with a perfect 10, and Bitdefender managed 9.9. AVG AntiVirus Free scored 9.4. Those are the only products that did better than NOD32's 9.2-point aggregate score.
I timed a full scan of my standard clean test system and found that NOD32 finished in 23 minutes. That's quite good, given that the average scan time for current products is just short of an hour. During the initial scan, NOD32 optimizes the system for subsequent scans, marking known good programs that don't require scanning. A repeat scan took 4.5 minutes.
NOD32 doesn't offer the quick scan option found in many antivirus products, but you have a number of choices for custom scanning. If you want to scan specific files, you can just drop them on the scan page. It automatically offers to scan each removable drive you connect. You can also choose to scan memory, boot sectors, or any local or network drive.
New in this edition, ESET includes a UEFI scanner. UEFI (Unified Extensible Firmware Interface) is what modern computers use instead of the antique BIOS. Any malware that managed to weasel into the UEFI's trusted storage would effectively own your computer. The UEFI scanner runs in the background checking for just this kind of problem. You'll never see it unless it detects an infection in your PC's firmware.
Very Good Malware Protection
Results from the independent labs are great to have, but I also do hands-on testing of each antivirus product's malware protection abilities. To start, I download my current malware collection from cloud-based storage.
As with Microsoft Windows Defender Security Center, I found that I couldn't extract the samples from their ZIP files because the antivirus quashed the whole process. I temporarily disabled NOD32 so I could extract the files.
NOD32 only eliminated a handful of the samples on sight. Even copying the collection to another folder and back didn't trigger detection. No problem; I simply started launching the samples to see its reaction. It cleaned some virus-infected files, leaving a virus-free file. It prevented some samples from launching at all. But in most cases, it handled the sample after launch. For those it detected as a Potentially Unwanted Application (PUA) it displayed a big popup explaining the problem. I chose to delete all of these.
Overall, NOD32 detected 93 percent of the samples and earned 8.9 of 10 possible points. That's better than many, but Webroot SecureAnywhere AntiVirus and Norton both detected every sample and earned a perfect 10 points.
To check a product's protection against current, active threats, I start with a feed of malware-hosting URLs supplied by MRG-Effitas, URLs detected no more than a day ago. I launch each one and note whether the antivirus prevents the browser from accessing the dangerous site, wipes out the malware download, or sits around idly doing nothing. I keep this up until I have 100 data points.
I noted that when the web protection component caught a dangerous URL, it both replaced the page with a warning in the browser and displayed a popup notification. If a program other than the browser, perhaps a PUA, attempted to access a dangerous site, you would just see the popup.
NOD32 prevented 90 percent of the dangerous downloads, split almost evenly between blocking access to the website and wiping out the malware payload. That puts it in the top third of current products. However, Norton managed a protection rate of 98 percent, closely followed by Trend Micro Antivirus+ Security with 97 percent.
Fair Phishing Protection
Phishing websites are fraudulent sites that imitate secure sites, hoping to steal your login credentials. Banks and financial sites are popular targets, but I've seen fraudulent versions of email sites, gaming sites, even dating sites. The URL in the Address Bar can be a giveaway, but enough people fall for this trick to make it profitable for the ne'er-do-wells behind it.
Phishing tricks and techniques are constantly changing. Rather than report a hard detection rate, I report on the difference between the product under testing and long-time antiphishing wizard Norton. I also put the product up against the phishing protection built into Chrome, Firefox, and Internet Explorer. Phishing sites are ephemeral, so I always use the newest ones I can find.
NOD32's detection rate lagged 26 percentage points behind Norton's. It tied with Chrome and handily beat the other two browsers. That's better than some—a goodly number of products I've tested came in with a detection rate lower than all three browsers. Many products have done better than NOD32 in this test, however.
Norton has been my antiphishing touchstone for years, and few products outscore it. The only recent products that beat Norton at its own game are Trend Micro and Webroot.
HIPS Blocks Exploits
ESET's suite products add firewall and network protection, but, as with Norton, even the standalone antivirus has a Host Intrusion Prevention System (HIPS). To get a feel for this component, I hit the test system with 30 exploits generated by the CORE Impact penetration tool. NOD32 didn't stop any of them at the network level, but the HIPS detected and blocked many of the malware payloads that the exploits tried to drop.
None of the exploits cracked security, since the test system is fully patched. NOD32 detected almost 60 percent of the attacks, and identified about a third of those by the specific exploit number. While adaware antivirus pro also aims to block exploits, it caught just 30 percent. Norton is the current exploit-fighting champion. It blocked all the exploits at the network level, before they could even try to sneak malware onto the test system.
Elaborate Device Control
Device Control is a feature more often seen in security products aimed at businesses. Its purpose is twofold. It prevents exfiltration of company data onto unauthorized external drives. And it blocks USB-based malware attacks by completely preventing the use of unauthorized external drives. This feature is turned off by default; to enable it, you must reboot the system.
Device Protection in Avira Antivirus Pro lets you whitelist or blacklist specific devices, and you can password-protect settings so nobody can mess with the lists. However, even when password protection is active, any user can whitelist a new, unknown drive. G Data Total Security and TrustPort Total Protection offer more advanced device control, and they do properly block unknown drives. Note, though, that these are top-tier mega-suites. ESET puts device control in its basic antivirus.
The Device Control system in NOD32 is the most elaborate of any I've seen. You can create rules for a wide variety of devices, including card readers, imaging devices, and Bluetooth devices, as well as more traditional external drives. Each rule sets an action for a device type, an individual device, or a group of devices. The actions include blocking use of the device, opening it in read-only mode, and allowing full read/write privileges. You can also set it to warn the user that mounting the device will create an entry in the log, and offer an opportunity to cancel.
For example, you might start with a rule banning all external disk storage devices, but then add one or more rules permitting access for specific, authorized devices. You can define a device using any or all of its vendor name, model, and serial number. Clicking a button brings up a list of attached devices, to help you get the necessary information.
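The block-all-then-allow setup described above, modelled as an added example (not ESET's code or rule format). It assumes rules are evaluated top-down with the first match winning and that devices matching no rule get full access; all device names and serial numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Actions named in the review: block, read-only, read/write, warn.
BLOCK, READ_ONLY, READ_WRITE, WARN = "block", "read-only", "read/write", "warn"

@dataclass(frozen=True)
class Device:
    dev_type: str
    vendor: str
    model: str
    serial: str

@dataclass(frozen=True)
class Rule:
    action: str
    dev_type: str
    vendor: Optional[str] = None   # None means "match any"
    model: Optional[str] = None
    serial: Optional[str] = None

def _covers(rule, target):
    """True if each field of `rule` is a wildcard or equals the same field of `target`."""
    return rule.dev_type == target.dev_type and all(
        getattr(rule, f) in (None, getattr(target, f))
        for f in ("vendor", "model", "serial"))

def decide(rules, device, default=READ_WRITE):
    """Assumption: first matching rule in list order wins; no match gives `default`."""
    for rule in rules:
        if _covers(rule, device):
            return rule.action
    return default

def shadowed(rules):
    """Rules that can never fire because an earlier rule matches everything they match."""
    return [r for i, r in enumerate(rules) if any(_covers(e, r) for e in rules[:i])]

# Constructed sample devices and rules (hypothetical vendor, model and serial values).
AUTHORIZED = Device("disk", "ExampleCorp", "SafeStick", "SN-0001")
UNKNOWN = Device("disk", "ExampleCorp", "SafeStick", "SN-9999")   # same model, other serial
CARD_READER = Device("card-reader", "OtherCo", "CR-1", "SN-1234")

ALLOW_ONE = Rule(READ_WRITE, "disk", "ExampleCorp", "SafeStick", "SN-0001")
BLOCK_ALL_DISKS = Rule(BLOCK, "disk")

GOOD_ORDER = [ALLOW_ONE, BLOCK_ALL_DISKS]   # exception first, blanket ban second
BAD_ORDER = [BLOCK_ALL_DISKS, ALLOW_ONE]    # blanket ban shadows the exception
```

Under the first-match assumption, `shadowed(BAD_ORDER)` flags the allow rule as unreachable, which is the misconfiguration to check for before relying on a rule set. Matching on the serial number is what separates the authorized drive from an identical model.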
There's also an option to define different rules for different users of the system. However, NOD32 relies on the awkward Select Users or Groups dialog from Windows itself, rather than providing a more user-friendly selection method.
NOD32 is a consumer product—ESET has a separate product line for business. I'm sure there are some tech-happy parents who will set up Device Control to ban the kids from connecting possibly infected thumb drives. But most users should leave this feature turned off.
Useful Security Tools
On the Tools page, there are several ways to examine what NOD32 has been doing. A Protection Statistics chart shows how many files the antivirus has examined, how many infected files it found, and how many it successfully cleaned. You can view logs of malware detections, HIPS events, and more. You can also dig into the quarantine to see any viruses or other types of malware caught by the antivirus.
If a NOD32 scan detected and removed malware but you still feel like you've got malware on the system, you can click to download ESET's SysRescueLive tool. This tool runs from a bootable DVD or USB, meaning Windows-based malware is powerless to resist it.
The name System Cleaner suggests a tool to wipe junk files, or perhaps erase traces of your internet and computer usage. However, that's not what NOD32's new System Cleaner does. Rather, it restores system settings that malware may have modified, for example to disable Task Manager or the Registry Editor.
Other items on the tools page aren't for the average user. A tech support agent engaged in a remote-control troubleshooting session might well want a list of all running processes and their prevalence, as reported by ESET's cloud-based LiveGrid system. Likewise, a live graph of file system activity might provide the agent with clues.
On the other hand, every user should run ESET SysInspector, at least once. This component logs details about your PC, things like active services and drivers, critical system files, and important Registry entries. More importantly, it can compare two logs and report what changed. You should, therefore, run it when everything is hunky-dory to create a baseline. If you encounter a problem, you can focus your troubleshooting efforts on just the things that changed. A tech support agent could do the same remotely, but only if you have that baseline.
Good for Techies
In tests by independent labs, as well as in our own tests, NOD32's scores range from good to excellent. Its full system scan is faster than most, and the unusual new UEFI scanner can detect firmware-level malware. If you're tech-savvy enough to need it, the Device Control system is the most comprehensive I've seen.
NOD32 is worth a look, but most users will be better off with one of our Editors' Choice antivirus tools. Bitdefender Antivirus Plus and Kaspersky Anti-Virus consistently earn top scores from the independent testing labs. McAfee AntiVirus Plus doesn't score as high, but it protects every device in your household. Webroot SecureAnywhere AntiVirus and Symantec Norton AntiVirus Basic both aced our hands-on malware protection test.
Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips…