Does Norton AntiVirus 2009 use a Proxy Tunnel like NOD32 and some other AV Pgms?


JosephB
December 1st, 2008, 07:56 PM
I heard that the new Norton AntiVirus 2009 is supposed to be very light on resources and was wondering.....

1) Does anyone know whether the new Norton AntiVirus 2009 uses a "Proxy Tunnel" design like NOD32 and some of the other AntiVirus Pgms?

2) Does it have any type of WebGuard that scans HTTP traffic for drive-by downloads and web page scripts?

3) Also, does it have the option where you can enter folder and file exceptions for the Auto Protect/Real-Time Scanner and also for the On-Demand Scanner?

vijayind
December 1st, 2008, 11:05 PM
As far as I know:
1) No proxy tunnel. But yes, if you already have a proxy it can be configured to work alongside it.

2) Norton AV 2009 has a heuristic page scanner built into its anti-phishing toolbar, which will scan pages for malicious intent.
NIS 2009, has a beta add-on called SafeWeb similar to McAfee SiteAdvisor.

But Norton 2009 doesn't have an explicit HTTP/Web scanner. Files are scanned only after they are downloaded to disk/memory.

3) Yes, you can set drives, folders and files to be excluded from Autoprotect and also from On-Demand Scan.

shanep
December 2nd, 2008, 12:25 AM
-{ Quote: "

1) Does anyone know whether the new Norton AntiVirus 2009 uses a "Proxy Tunnel" design like NOD32 and some of the other AntiVirus Pgms? " }-

I am not quite sure what you mean by a Proxy Tunnel.

-{ Quote: "
Does it have any type of WebGuard that scans HTTP traffic for drive-by downloads and web page scripts " }-

I am an architect at Symantec and I work on the team that builds our HTTP or Web scanning engines. I just wanted to clear up some confusion about whether or not Norton products have Web scanning engines.

The short answer is "yes" we do. In fact there are 5 independent engines that scan HTTP content.

1) There is the Intrusion Prevention (IPS) engine that scans for all types of HTTP-based exploits. The engine has many hundreds of generic vulnerability signatures that don't need to change often, if at all, since they target the vulnerability condition, which doesn't change, rather than the shell-code, which does. New ones are added almost weekly. The list of signatures can be found at http://www.symantec.com/avcenter/attack_sigs/. Look under "H". Every signature prefixed with "HTTP_" is being scanned on HTTP traffic. It's also important to note that the IPS engine scans ALL traffic coming into or going out of your machine, not just HTTP.

2) Browser Protection - This engine is specifically targeted at obfuscated JScript/VBScript HTTP content that exploits vulnerabilities in ActiveX, DOM or even specific data-types like VML. Highly obfuscated attacks are difficult if not impossible to reliably detect by scanning network traffic or by scanning the files in the IE cache. Hence this uses a totally different approach to the problem. But the bottom line is that it will still block content coming over HTTP before it exploits the browser.

3) Anti-Phishing Engine - Also scans HTTP content looking for phishing page characteristics.

4) Privacy Scanning engine
5) Parental Controls.

Engines 1 and 2 are targeted at blocking malware from automatically infecting your machine when you visit an infected web page, aka drive-by downloads.

Engines 4 and 5 are only installed and active when you have installed the Add-on Pack.

-{ Quote: " 3) Also, does it have the option where you can enter folder and file exceptions for the Auto Protect/Real-Time Scanner and also for the On-Demand Scanner?" }-

Yes.

Thanks,

Shane

shanep
December 2nd, 2008, 12:35 AM
-{ Quote: "
2) Norton AV 2009 has a heuristic page scanner built into its anti-phishing toolbar, which will scan pages for malicious intent. " }-

While both NIS and NAV have a heuristic scanner built into the anti-phishing toolbar, that scanner is only meant to heuristically detect phishing attacks. It does not detect malicious attacks such as drive-by downloads. There are 2 other engines for that, as described in my previous post.

-{ Quote: " But Norton 2009 doesn't have an explicit HTTP/Web scanner. Files are scanned only after they are downloaded to disk/memory. " }-

NIS has had an HTTP scanner to detect malicious HTTP attacks since NIS 2002 Pro. NAV has had one since NAV 2005. It is important to note that these engines are designed to detect HTTP vulnerabilities that, as we know, can result in automatic download and execution of malicious exes. So it scans all kinds of files... html, jpg, wmf, gif, jscript etc. etc.; everything is scanned in the network stream before it hits the disk. The only exception is exes. Exes are only scanned when they hit the disk. We see no reason to scan exes in the network stream and incur an unnecessary performance penalty during web browsing with no apparent benefit. Exes coming over the web have to hit the disk before they get executed. That means that a file-based scanner is good enough to detect any malicious content within these exes.

Peter2150
December 2nd, 2008, 09:02 AM
-{ Quote: "I am not quite sure what you mean by a Proxy Tunnel.

Shane" }-

I think what is meant is this. I don't use an AV, so when I do something with Firefox I show Firefox connecting to the web. If I were to go through an AV such as Kaspersky, I would show KAV accessing the web, since to scan HTTP stuff it proxies all web stuff through itself.

Pete

vijayind
December 2nd, 2008, 09:19 AM
Thanks for the info, Shane :thumb:

zfactor
December 2nd, 2008, 09:59 AM
shane,

So if I, say, come in contact with an infected page, whatever type of infection.. will Norton's NIS 2009 stop the page from loading then? Or will it allow the viruses to be downloaded, then neutralized later? The one thing I miss about Kaspersky was when I hit an infected page I knew it. I got the pop-up message and it told me it stopped it or gave me the choice to do so.

I have yet to see this with Norton's, and on a test PC I did try hard to find a web page containing this type of content, but no luck with it blocking anything.

I like the program a lot. I just kinda miss that level of security I felt with the Kaspersky HTTP scanner.

shanep
December 2nd, 2008, 11:28 AM
-{ Quote: "I think what is meant is this. I don't use an AV, so when I do something with Firefox I show Firefox connecting to the web. If I were to go through an AV such as Kaspersky, I would show KAV accessing the web, since to scan HTTP stuff it proxies all web stuff through itself.

Pete" }-

Thanks for the clarification. Yes, NIS/NAV use a local proxy, but not all of the 5 engines I mentioned earlier use it. Proxies in general cause a hit on HTTP throughput, especially on gigabit networks, so we try to avoid using them unless it's absolutely necessary.

shanep
December 2nd, 2008, 10:29 PM
-{ Quote: "shane,

So if I, say, come in contact with an infected page, whatever type of infection.. will Norton's NIS 2009 stop the page from loading then? Or will it allow the viruses to be downloaded, then neutralized later? The one thing I miss about Kaspersky was when I hit an infected page I knew it. I got the pop-up message and it told me it stopped it or gave me the choice to do so.

I have yet to see this with Norton's, and on a test PC I did try hard to find a web page containing this type of content, but no luck with it blocking anything.

I like the program a lot. I just kinda miss that level of security I felt with the Kaspersky HTTP scanner." }-

Hi zfactor,

I think it's important to clarify what is meant by "an infected page". There are two kinds of infected web pages:
Type 1) One that contains content that (directly or indirectly via iframes) leads to the automatic download and execution of a malicious exe without the user's consent. This is typically referred to as a drive-by download that leverages a vulnerability in the browser. NIS will absolutely block such content from ever buffer-overflowing your browser. The html file etc. will still get downloaded, but NIS will block IE from ever executing the malicious script within it. Most importantly, the signatures that look for malicious script are generic vulnerability signatures. They look for a string of length "x" being passed as the 2nd parameter to method "Y" of ActiveX "Z". It was designed to see through any amount of obfuscation of the JScript/VBScript, mixing of JScript and VBScript (has been tried), method name mangling, ActiveX names, variant type disguise, etc.

Type 2) A web page that has a hyperlink to a malicious exe/zip etc. which, when you click on it, causes the usual IE "Do you want to run or save this file" dialog to show up. The Network scanner does not stop such exes from being downloaded onto the machine. That's why you might find that we don't block in the network stream a lot of the links on http://www.eicar.org/anti_virus_test_file.htm. However, the real-time file scanner will block them from ever being opened, provided it has a signature of course.

-{ Quote: "will Norton's NIS 2009 stop the page from loading then " }-
So in answer to the above question, NIS2009 will stop the malicious parts of the page from ever loading, right there on the spot. Shell code execution will not occur and hence an exe will not be allowed to be dropped on your machine. Depending on the engine that detects the attack, NIS2009 will also terminate the TCP connection.

-{ Quote: "I have yet to see this with Norton's, and on a test PC I did try hard to find a web page containing this type of content, but no luck with it blocking anything. " }-
If you'd like, you can PM me some of the links you've tried where you didn't see an alert. I can take a look to see if they are Type-1 or Type-2. Also, let me know which OS you are using. Here is a screenshot of an alert you should see when you visit a web page that hosts a drive-by download (Type 1).
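The "generic vulnerability signature" idea Shane describes (in the engine list earlier in the thread and in the Type 1 explanation above) can be illustrated with a small scanner. The code below is an added example, not Symantec's code, and does not show how NIS implements anything. It assumes a hypothetical ActiveX ProgID "Example.MediaCtl" with a method LoadFile whose second argument overflows beyond 256 characters (made-up names and limit), and it only resolves string literals and '+' concatenation, nowhere near the obfuscation handling a real engine needs. The point it shows: a rule keyed to the vulnerable condition (length of the string reaching that parameter) fires whether the argument is one literal or forty concatenated chunks, while a rule keyed to a specific filler pattern only matches the page it was written against.

```python
# Added example, not Symantec's code: a toy "generic vulnerability signature"
# scanner.  The rule names the vulnerable condition (over-long string reaching
# parameter N of method M on control P), not the shellcode bytes.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VulnSignature:
    progid: str       # ProgID of the ActiveX control (hypothetical)
    method: str       # method whose parameter overflows
    param_index: int  # zero-based position of the vulnerable parameter
    max_len: int      # longest string the patched control accepts safely


# Hypothetical rule: more than 256 chars in LoadFile's 2nd argument overflows.
SIGNATURES = [VulnSignature("Example.MediaCtl", "LoadFile", 1, 256)]

_STR_LITERAL = re.compile(r'"([^"]*)"|\'([^\']*)\'')
_SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
_PAYLOAD_PATTERN = re.compile(r'"A{64,}"')  # contrast: a pattern tied to one filler


def string_length(expr: str) -> Optional[int]:
    """Length of a literal or a '+' chain of literals; None if not resolvable."""
    literals = _STR_LITERAL.findall(expr)
    leftover = _STR_LITERAL.sub("", expr).replace("+", "").strip()
    if not literals or leftover:
        return None
    return sum(len(a or b) for a, b in literals)


def _balanced_end(text: str, start: int) -> int:
    """Index just past the ')' closing the '(' before `start`, honouring quotes."""
    depth, quote, i = 1, None, start
    while i < len(text) and depth:
        ch = text[i]
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        i += 1
    return i


def _split_args(arg_text: str) -> List[str]:
    """Split an argument list on top-level commas, honouring quotes and parentheses."""
    args, cur, depth, quote = [], [], 0, None
    for ch in arg_text:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    args.append("".join(cur).strip())
    return args


def scan_page(html: str, sigs=SIGNATURES) -> List[Tuple[str, str, int]]:
    """Return (progid, method, observed_length) for each vulnerable condition found."""
    hits = []
    for script in _SCRIPT.findall(html):
        for sig in sigs:
            # Which script variables hold an instance of the vulnerable control?
            binding = re.compile(r"(\w+)\s*=\s*new\s+ActiveXObject\(\s*[\"']%s[\"']\s*\)"
                                 % re.escape(sig.progid))
            for var in binding.findall(script):
                call = re.compile(r"\b%s\s*\.\s*%s\s*\(" % (re.escape(var), re.escape(sig.method)))
                for m in call.finditer(script):
                    args = _split_args(script[m.end():_balanced_end(script, m.end()) - 1])
                    if sig.param_index >= len(args):
                        continue
                    n = string_length(args[sig.param_index])
                    if n is not None and n > sig.max_len:
                        hits.append((sig.progid, sig.method, n))
    return hits


def payload_signature_hit(html: str) -> bool:
    """The contrast rule: matches only the one filler the byte pattern was written for."""
    return bool(_PAYLOAD_PATTERN.search(html))


# Constructed sample pages (not real attack code): a benign call, an over-long
# literal, and the same over-long value assembled from 100-char chunks.
BENIGN_PAGE = ('<html><script>var m = new ActiveXObject("Example.MediaCtl");'
               ' m.LoadFile(0, "intro.wmv");</script></html>')
LONG_LITERAL_PAGE = ('<html><script>var m = new ActiveXObject("Example.MediaCtl");'
                     ' m.LoadFile(0, "' + "A" * 3000 + '");</script></html>')
CHUNKED_PAGE = ('<html><script>var x = new ActiveXObject("Example.MediaCtl");'
                ' x.LoadFile(0, ' + " + ".join(['"' + "B" * 100 + '"'] * 40) + ');</script></html>')
```

Running scan_page on the three constructed pages gives no hit for the benign page and one hit each for the other two (observed lengths 3000 and 4000), while payload_signature_hit only fires on the long-literal page: the condition rule is what survives a change of filler. The "Y of Z with parameter x" triple in the signature is the same shape of rule Shane describes; a production engine would also have to deal with aliased objects, runtime-built strings and the VBScript/JScript mixing he mentions, which this toy does not attempt.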

JosephB
December 2nd, 2008, 10:35 PM
Hi shanep,


-{ Quote: "Originally Posted by shanep
I am not quite sure what you mean by a Proxy Tunnel.

Shane" }-


Actually, what I meant by the above question was: does Norton Antivirus 2009 implement a proxy pgm that redirects all traffic through it (like the way that the NOD32 pgm does)? Some PCs experience high CPU with NOD32's method of all traffic (including real-time file scanning activities) going through its one local proxy pgm (ekrn.exe), so I was wondering if Norton's Antivirus 2009 uses this same technique of all traffic going through one local proxy pgm or some other technique?

... Also, does real-time scanning of larger-sized executable files increase the CPU utilization used by NAV 2009 or not? .... What would you say is the typical CPU utilization range used by NAV 2009 pgms when real-time scanning of executable files takes place?

shanep
December 2nd, 2008, 10:52 PM
-{ Quote: "
Actually, what I meant by the above question was: does Norton Antivirus 2009 implement a proxy pgm that redirects all traffic through it (like the way that the NOD32 pgm does)? Some PCs experience high CPU with NOD32's method of all traffic (including real-time file scanning activities) going through its one local proxy pgm (ekrn.exe), so I was wondering if Norton's Antivirus 2009 uses this same technique of all traffic going through one local proxy pgm or some other technique? " }-

Hi JosephB,

I responded to this question above, but here is some more detail. If you install NAV2009, the HTTP scanning does not use a proxy. If you install NIS2009, the HTTP scanning does not use a proxy. If you install NIS 2009 WITH the Add-On Pack (optional), then a proxy is used only for the Parental Controls, Ad Blocking and Privacy Block features.

-{ Quote: "... Also, does real-time scanning of larger-sized executable files increase the CPU utilization used by NAV 2009 or not? " }-
It doesn't.

-{ Quote: " What would you say is the typical CPU utilization range used by NAV 2009 pgms when real-time scanning of executable files takes place?" }-
This is a hard one since I don't work on the file scanners. However, I would say that given that the scanning takes on the order of a few milliseconds, tens of milliseconds, maybe even less, it would be hard to measure the CPU utilization during such a small time interval.

DevilFrank
December 3rd, 2008, 04:01 AM
Hi Shanep,

I have two questions.
First: How will NIS2009 protect IE64?
I did install NIS2009 on my Ultimate64 machine and I have to say it works only as a 32-bit application. No integration in IE64, but in IE7 (32-bit) the phishing filter is activated. Further, I can't see that NIS is protecting Opera 9 as a 32-bit application that I have running too...

Second: How can the NIS2009 real-time scanner protect the memory in a Vista 64-bit environment? If a user accepts to run a malware by clicking LUA, will NIS catch the malware?

GES/POR
December 3rd, 2008, 11:22 AM
Hi Shanep,

You post highly interesting technical info in such a way that it's easy to grasp. I hope you will be posting for a long time here @ Wilders.

JosephB
December 3rd, 2008, 01:59 PM
Hi Shane,

Wow! Thanks for that detailed explanation in easy-to-comprehend language, but just to clarify for this newbie, I have two questions about what you stated below:

-{ Quote: "If you installed NAV2009 the HTTP scanning does not use a proxy" }-

1. Does this mean that the HTTP scanning works as some kind of driver-level pgm, instead of a proxy-type pgm which listens to the ports for traffic to filter?

2. Also, will the NAV2009 HTTP scanning engine pgm typically cause any known conflicts with 3rd-party firewall programs?
....... Specifically, I am using Outpost firewall; would I have any known conflict using NAV 2009 with it? ... If you know offhand, would I need to disable any feature of NAV 2009 to make it work with Outpost firewall?

zfactor
December 4th, 2008, 04:32 AM
Wow, great info Shane, thank you for answering my questions!! I have to say this 2009 version is one of the most impressive advancements I have seen any company make from their previous versions. (Not to say there are no other good apps, because for sure there are, but I have not seen any really step up their game compared to previous efforts like this.)

I bought NIS2009, and I don't buy AVs very easily, and NIS2009 has replaced Kaspersky on my own personal machines. PLEASE keep up the great work, and I hope to see you here at Wilders for a long time to come. More AV companies should have people like you to help; while some already do, MANY do not, and of the many that have forums, some of those are even useless. Thanks.

DevilFrank
December 5th, 2008, 07:36 AM
-{ Quote: "Hi Shanep,

I have two questions.
First: How will NIS2009 protect IE64?
I did install NIS2009 on my Ultimate64 machine and I have to say it works only as a 32-bit application. No integration in IE64, but in IE7 (32-bit) the phishing filter is activated. Further, I can't see that NIS is protecting Opera 9 as a 32-bit application that I have running too...

Second: How can the NIS2009 real-time scanner protect the memory in a Vista 64-bit environment? If a user accepts to run a malware by clicking LUA, will NIS catch the malware?" }-

No answers?
:blink:

GES/POR
December 5th, 2008, 08:14 AM
-{ Quote: "No answers?
:blink:" }-

No patience? ;)

shanep
December 5th, 2008, 01:13 PM
-{ Quote: "Hi Shane,
Wow! Thanks for that detailed explanation in easy to comprehend language, " }-

Glad you found the information useful.

-{ Quote: " 1. Does this mean that the HTTP scanning works as some kind of driver-level pgm, instead of a proxy-type pgm which listens to the ports for traffic to filter? " }-

I'm afraid I cannot publicly comment on internal details related to how we implemented the HTTP traffic scanning. All I can reiterate is that for reasons related to performance and incompatibility with streaming applications like audio and video, the core features don't use a proxy. We want the web browsing experience to be as fast as possible.

-{ Quote: "2. Also, will the NAV2009 HTTP scanning engine pgm typically cause any known conflicts with 3rd-party firewall programs?
....... Specifically, I am using Outpost firewall; would I have any known conflict using NAV 2009 with it? ... If you know offhand, would I need to disable any feature of NAV 2009 to make it work with Outpost firewall?" }-

I don't believe you will have problems with the base product. The Add-on Pack uses a proxy. I'm not sure how that would work with other products that might also use a proxy. For Outpost, I am not aware of any compatibility issues off the top of my head. I suggest you trial both on the same machine and see if that works for you.

DevilFrank
December 6th, 2008, 09:07 AM
-{ Quote: "No patience? ;)" }-
Oh - I'm still waiting since Vista came out...
::)

Defcon
December 8th, 2008, 04:11 PM
I'd also like to know how well Norton 2009 works with Vista 64-bit.

Shane, we wait anxiously for your answers :)

shanep
December 8th, 2008, 08:28 PM
-{ Quote: "Hi Shanep,
I have two questions.
First: How will NIS2009 protect IE64? " }-

Yep.. confirming that the Anti-Phishing toolbar does not work on IE64 on Vista-64bit. It still works on IE32 on Vista-64bit.


-{ Quote: " Further, I can't see that NIS is protecting Opera 9 as a 32-bit application that I have running too... " }-

Anti-Phishing is not supported on Opera.

-{ Quote: "Second: How can the NIS2009 real-time scanner protect the memory in a Vista 64-bit environment? If a user accepts to run a malware by clicking LUA, will NIS catch the malware?" }-

Yes it will catch the malware even before it executes.

Kerodo
December 8th, 2008, 09:21 PM
Does all or most of the above apply to Norton 360 v2 also? Or is this just Norton AV 2009 features?

shanep
December 8th, 2008, 10:34 PM
-{ Quote: "Does all or most of the above apply to Norton 360 v2 also? Or is this just Norton AV 2009 features?" }-

Norton 360 v2 as well.

Kerodo
December 8th, 2008, 11:30 PM
-{ Quote: "Norton 360 v2 as well." }-
Thanks.... :thumb:

acr1965
December 9th, 2008, 01:14 AM
Sorry if this is a dumb question (and too off topic) - but does 360 v2 have the same scanning engine as NIS 2009? Also, does NIS2009 have the SONAR behavior blocker incorporated? Finally, in 360 v1 I noticed that the toolbar for IE was not able to be disabled without the red X in the task icon coming on. Is this still the same? I had to disable the toolbar in 360 v1 because of a noticeable surfing slow down.

Thanks

shanep
December 11th, 2008, 11:28 AM
-{ Quote: "Sorry if this is a dumb question (and too off topic) - but does 360 v2 have the same scanning engine as NIS 2009?" }-

Hi acr1965,

N360v2 is older than NIS/NAV 2009 and hence it doesn't have all the performance enhancements we put in for the 2009 product. While they share the same scanning engines, there are a lot of enhancements in NIS/NAV2009 outside of the scanning engine that improve performance in scanning.. I don't know if that made sense. Of course all those improvements will be in N360v3 (whenever that's out).

-{ Quote: " Also, does NIS2009 have the SONAR behavior blocker incorporated? " }-

Yes.

-{ Quote: "Finally, in 360 v1 I noticed that the toolbar for IE was not able to be disabled without the red X in the task icon coming on. Is this still the same? " }-
Sorry.. no idea.

-{ Quote: "I had to disable the toolbar in 360 v1 because of a noticeable surfing slow down. " }-
We spent a lot of time optimizing the webpage processing in NIS/NAV 2009. Hopefully you won't see those issues any more. If there are specific pages where you notice a slowdown, let us know and we can have the performance team specifically test with those.

acr1965
December 11th, 2008, 05:53 PM
thanks for the info

zfactor
December 12th, 2008, 02:12 AM
Shane, what about all the update issues we are seeing now with failed updates? I am having this problem on almost every PC it's installed on. Sometimes it's the web part that fails and other times it's the virus defs that fail. I did use the patch or "reset" tool from the Norton forum and it helped, but only the FIRST time I ran it. After I ran it, updates worked fine. Now I get failed again about 5-7 times, then it MAY work, then fails again. Pulse updates "seem" to be okay, or it says they are, but if I run the manual update or the regular updates they fail most of the time. This has been happening for the last 4-5 days for me. Thanks for any help.

shanep
December 12th, 2008, 12:21 PM
-{ Quote: "Shane, what about all the update issues we are seeing now with failed updates? I am having this problem on almost every PC it's installed on. Sometimes it's the web part that fails and other times it's the virus defs that fail. I did use the patch or "reset" tool from the Norton forum and it helped, but only the FIRST time I ran it. After I ran it, updates worked fine. Now I get failed again about 5-7 times, then it MAY work, then fails again. Pulse updates "seem" to be okay, or it says they are, but if I run the manual update or the regular updates they fail most of the time. This has been happening for the last 4-5 days for me. Thanks for any help." }-

Hi ZFactor,

Can you post a link to the Norton Forums thread so I have something for reference?

Thanks,

Shane.

zfactor
December 13th, 2008, 07:13 PM
Will do when I get back to that computer.

Also, I am liking the new Chrome as well as the newest version of FF3.1; both are much faster than FF3 or IE. But it seems neither one can use the Norton toolbar. Will this hinder the HTTP scanning of NIS2009? So I mean, if I use Google's Chrome without the toolbar installed, will I essentially lose the HTTP scanning? I for sure think you guys should expand on that to work in Opera and the new Chrome as well, as both are already very popular..

thanks

shanep
December 13th, 2008, 11:41 PM
-{ Quote: "Will do when I get back to that computer.

Also, I am liking the new Chrome as well as the newest version of FF3.1; both are much faster than FF3 or IE. But it seems neither one can use the Norton toolbar. Will this hinder the HTTP scanning of NIS2009? So I mean, if I use Google's Chrome without the toolbar installed, will I essentially lose the HTTP scanning? I for sure think you guys should expand on that to work in Opera and the new Chrome as well, as both are already very popular..

thanks" }-

The HTTP Network Scanning for vulnerabilities and other baddies will still work. It will work irrespective of the application. Only the Anti-Phishing feature is IE- and Firefox-specific.

zfactor
December 14th, 2008, 12:50 AM
Anti-phishing doesn't seem to work in Firefox 3.1 though. Works fine in 3.0.

icr
December 14th, 2008, 06:06 AM
Hi shanep, just one question: my Norton Safe Web isn't working. Is it only compatible with the 16.0.125 version?

TechOutsider
December 30th, 2008, 10:03 AM
You have NAV or NIS?

xXDarkStalkerxX
December 30th, 2008, 11:08 AM
-{ Quote: "You have NAV or NIS?" }-

He has NIS look in his signature ;)

Bunkhouse Buck
December 30th, 2008, 12:31 PM
-{ Quote: "Shane, what about all the update issues we are seeing now with failed updates? I am having this problem on almost every PC it's installed on. Sometimes it's the web part that fails and other times it's the virus defs that fail. I did use the patch or "reset" tool from the Norton forum and it helped, but only the FIRST time I ran it. After I ran it, updates worked fine. Now I get failed again about 5-7 times, then it MAY work, then fails again. Pulse updates "seem" to be okay, or it says they are, but if I run the manual update or the regular updates they fail most of the time. This has been happening for the last 4-5 days for me. Thanks for any help." }-

I have posted on this here many times and at Symantec, and the issue is still unresolved. Updates do not occur if the computer has been off; you have to manually update, and then it works until the next day after shut-off. I like the program, and as a beta tester last summer I was one of the first in this forum to give NIS 2009 a big :thumb: The problem is that now, even with the latest build, updates are not automatic. I cannot (will not) use a program that cannot update itself.

I never had an update problem like this with any other AV.

xpsunny
January 2nd, 2009, 07:45 AM
@shanep

Are all those "5 engines" fully compatible with Firefox 3?

Edit: Please let us know a valid reason for the removal of Banner Blocker from the add-on pack.

TechOutsider
January 2nd, 2009, 11:44 PM
All the Norton products route internet traffic through a proxy if you have the parental control add-on installed.

shanep
January 4th, 2009, 10:57 PM
-{ Quote: "All the Norton products route internet traffic through a proxy if you have the parental control add-on installed." }-

Actually, even with the Add-on pack installed, only HTTP traffic is routed through the proxy. All other traffic, e.g. gaming traffic if it's not on 80, 8080 etc., will not go through the proxy.

Thanks,

Shane.

De Hollander
January 5th, 2009, 08:38 AM
Regarding Norton Safe Web:

- Norton Safe Web requires Norton Internet Security 2009 English and has been optimized for U.S. users. If you have installed a non-English version of Norton Internet Security 2009, Norton Safe Web functionality will not be available.

- The Norton Safe Web plug-in works with Internet Explorer 6, Internet Explorer 7, Firefox 2, and Firefox 3.

http://safeweb.norton.com/beta/download

david banner
January 5th, 2009, 12:42 PM
Great explanations shanep. Will NAV 2009 work with Comodo firewall? Sorry, OT.

TechOutsider
January 5th, 2009, 05:39 PM
Yes. Experiment a little; you may have to disable "Intrusion Prevention".

Yes because no one complained about NAV and Comodo at the Norton forums, ever since NAV09's launch.

You may have to Disable Intrusion Prevention because it functions similar to a firewall.

david banner
January 5th, 2009, 07:51 PM
Good to see NAV getting some positive notice. I always liked it and could not understand all the trouble people had with it, though I do accept they had

shanep
January 5th, 2009, 10:06 PM
-{ Quote: "Yes. Experiment a little; you may have to disable "Intrusion Prevention".

Yes because no one complained about NAV and Comodo at the Norton forums, ever since NAV09's launch.

You may have to Disable Intrusion Prevention because it functions similar to a firewall." }-

The Intrusion Prevention in NAV 2009 doesn't have any functionality related to a firewall. It did contain FW functionality in older versions of NAV, but in 2009 all the firewall functionality was stripped out to facilitate better compatibility with other firewalls. Now you can use NAV 2009 and your favorite firewall if you so choose. Unfortunately I don't know if NAV2009 works with Comodo per se.

The IPS, as I described earlier, is meant to protect your machine against buffer-overflows and vulnerabilities in general. There are thousands of IPS vulnerability signatures: http://www.symantec.com/business/security_response/attacksignatures/index.jsp. If you disable this feature you are losing out on a large chunk of protection. I wouldn't recommend it.