
NORMAN


dzigibau
May 5th, 2004, 02:33 AM
Is anybody familiar with NEW Norman antivirus software? There is some new SandBox technology for detection of unknown viruses.

Did anyone try that new version?


(It's too expensive btw, US$78 lol)

AMRX
May 5th, 2004, 04:21 AM
Yeah, I did. It's the same old CPU emulation trick. Norman has a very good record everywhere, including the VB. The software is scattered as small files, so if used wisely it'll use less resources. Overall a good program worth buying, though for less money you can have the same level of security.

solarpowered candle
May 5th, 2004, 06:52 AM
3 yr licence for $50 @ http://www.tryus.dk/normanbuy.asp
I guess it's the same one you are referring to.
A couple of threads on norman http://www.wilderssecurity.com/showthread.php?t=21404
http://www.wilderssecurity.com/showthread.php?t=7485
http://www.wilderssecurity.com/showthread.php?t=12647

se7engreen
May 5th, 2004, 09:41 AM
I tried a recent version for a couple of days. It seemed pretty light on resources with a fairly quick scan. I buried the EICAR tester 3 deep in *.rar archives and scanned it, but NVC missed it. That's about all the testing I did. The sandbox does sound promising; according to their website it emulates all of your PC's hardware as a test environment to run the suspect file in. I should've tested that more while I had it, but its unpackers disappointed me so I moved on.

Tweakie
May 5th, 2004, 10:02 AM
Norman's Sandbox technology seems extremely similar to the one used by NOD32 Advanced Heuristics. Let's have a look at what they say about their heuristics:

- Anton Zajac, Eset CEO, said in an interview (http://informationweek.securitypipeline.com/infrastructure/18900335):

"The second is even more sophisticated. It's based on virtual PC technology. We throw a file into a confined section of the memory where the entire computer is simulated with all its devices, memory, drivers, etc. Then we let the file--which arrives through e-mail--run in this confined, virtual PC environment. In this confined environment, our system can make a very good, educated guess regarding the malicious nature of a file. "

- On Norman's website (http://www.norman.com/Virus/13927/en):

"Norman Sandbox is a fully simulated computer. No code is executed on the real CPU except for the Norman Virus Control emulator engine; even the hardware in the simulated PC is emulated[...]."

(http://www.norman.com/News/Press_releases/11429/en)

"The simulated virtual machine (Norman Sandbox) now incorporates services found in most networks, like SMTP, News, IRC, DNS, etc. This deludes the malware into believing it is in a live network allowing the SandBox to evaluate its behaviour and potential threats to the network environment."

It would be interesting to have a comparison of the effectiveness of these heuristics.

gpdev
May 11th, 2004, 04:45 PM
I use Norman NVC 5.7 as my On-Access scanner.
It is (relatively) light on resources but its detection rate is not as good as NOD32 or KAV.

What I really like about NVC is the Sandbox output.
Whenever it detects an unknown malware it outputs a Sandbox log which describes exactly what the malware tried to do, like:
created files, created/modified registry keys and network activity (ports opened, etc.)
All this info comes from executing the malware inside the Sandbox (virtual computer).
This is a really neat feature.

Here's the Sandbox report I got from scanning a variant of the hackarmy trojan:

====================================================
* Attemps to open C:\WINDOWS\SYSTEM\win32server.exe qwerC:\SAMPLE.EXE.
* File length: 15872 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\win32server.exe.
* Deletes file C:\SAMPLE.EXE.

[ Changes to registry ]
* Creates value "Winsock32driver"="win32server.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Checks wheter computer is connected to Internet.
* Attempts to resolve name "aobuluz.hackarmy.tk".
* Connect port 6667 [IP], IP 193.75.75.100.
* Attempts to resolve name "0.0.0.0".
* Connects to IRC Server.

[ Process/window information ]
* Creates a mutex botsmfdutpex.

====================================================
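As an added example (not from the thread, and not Norman's own code), a small Python parser that reads a report in the format quoted above and turns the Run-key write, the dropped file and the IRC connection into triage findings. The sample input is constructed from gpdev's report; the section names and line prefixes are taken from it as shown.

```python
import re
# Constructed input in the report format quoted above (not a real Norman log file).
SAMPLE_REPORT = r"""
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\win32server.exe.

[ Changes to registry ]
* Creates value "Winsock32driver"="win32server.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Attempts to resolve name "aobuluz.hackarmy.tk".
* Connect port 6667 [IP], IP 193.75.75.100.
* Connects to IRC Server.
====================================================
"""

HEADER_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
RUN_KEY_RE = re.compile(r'in key "HK[A-Z]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"', re.I)
PORT_RE = re.compile(r"Connect port (\d+)")

def parse_sandbox_report(text):
    """Group each '* ...' line under its preceding '[ section ]' header; '====' rules are skipped."""
    sections, current = {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.startswith("* "):
            sections.setdefault(current, []).append(line[2:].rstrip("."))
    return sections

def triage(sections):
    """Turn parsed sections into analyst-facing findings: persistence, dropped files, C2."""
    findings = []
    dropped = [e.split(" ", 2)[2] for e in sections.get("Changes to filesystem", [])
               if e.startswith("Creates file ")]
    for entry in sections.get("Changes to registry", []):
        if RUN_KEY_RE.search(entry):
            # Stronger evidence when the Run value names a file the sample itself dropped.
            linked = any(path.rsplit("\\", 1)[-1] in entry for path in dropped)
            findings.append("persistence: Run key" + (" pointing at dropped file" if linked else ""))
    net = sections.get("Network services", [])
    ports = [int(m.group(1)) for e in net if (m := PORT_RE.search(e))]
    if any(e.startswith("Attempts to resolve name") for e in net) and ports:
        findings.append(f"c2: resolves a hostname and connects to port {ports[0]}")
    if any("IRC" in e for e in net):
        findings.append("c2: IRC protocol")
    return findings
```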