Is Norton 2010 up to the challenge?

Pretty simple... this is a request thread. First take a look at the article found here: http://community.norton.com/t5/Nort...et-Security-2010-Download-Insight/ba-p/113827

That's only one component using their cloud-tech., but a important one as most malware comes through the internet, as we all know - this what the component keeps track off.

Now, being only one component, we've almost the whole suite working with the cloud created by Symantec, as the software is working more and more with its individual components as a full-fledged team, but the important thing in this case is that the article should give you an idea how it works.

So what's this about? Well, I know there are a bunch of people here that like to test different security software against malware to see how they do, so here's my suggestion... as this seems to be "flawless" - all the new files are prompted on and recommended to be stopped till further analyzis or data has been added to the cloud - what about testing if it really is through a VM?


You can choose from their IS or AV on the following link: http://www.symantec.com/norton/beta/



I personally don't do malware sample sets and such - believe me, otherwise I would put this baby to the test on a VM myself - but since that's the case, that's the reason I put this request-topic up. I really wanna see if this approach works in the real-world, simple as that.


Basically, you need to RUN the malware, as it works just like Prevx - it analyzes and checks what's run, downloaded, etc., in real-time - the strengths are in there. Sure, you can find some things with signatures and the heuristics, but the real strength of this new product-line lies in its real-time protection.


So, happy testing guys. I hope I'll see lots of people who would actually like to test and do this, cause I personally think it would be REALLY interesting.

 

Give me a day or two and I'll post the results

 

Waiting for your test .

 

I'll record the test etc etc. But I want to go through the methodology with you all, and see if you agree.

Ok so I was thinking;

• Scan 5,000 samples...1-2 weeks old.
• Run 200 of those samples, mainly rogues, trojans and hijackers.
• Run 50 malicious trojans and downloaders and see how Download Insight fairs against it.
• I was thinking of also trying a few keyloggers...

Anyone want to see anything else tested?

 

Sounds great! Thank you. If on the scan of the many samples it misses a number, you could always test run some of those to see if it catches it through the cloud.

 

Yes, how about pass stealers bound to otherwise legitimate .exe's that snatch all Explorer/Firefox passwords and send them to a remote FTP?

I got hit with one of these using NIS09, and it went right through.

 

For some reason the NIS2010 installer hates my VM I'll try to install it again tomorrow, but I'm going out today.

 

The point of this test is kinda the opposite; see if their cloud-tech. is as flawless as it seems, as this is the big thing in the 2010-release. NOT to upload some samples that it's not aware of. That we can do anyday for any security company we would like to contribute to.

 

An alternative would be to make a small partition as it would be a faster process too when it comes to the install process, having all the resources of your system available, but ofc it's more convenient to make a fast test on a VM that you just create in under a minute - maybe you even tried to test it on a predefined restore point?

See if there's more information on installing on a VM at their official forums here: http://community.norton.com/norton/board?board.id=nis2010_pb - I recall seeing something about that over there...


Have fun today!

 

My mistake, i thought the cloud's purpose was to measure the reputation of an executable using an algorithm and various factors like what company the file belongs to. That's why i thought modifying a known executable to include something the original doesn't do (harvest browser passwords and connect to a remote FTP) would of been a good test.

If the cloud can't differentiate between an genuine and a tampered with exe that performs malicious actions, then i will have to read more about what it really does.

I'm going to roll back to NIS09 until it's better tested i think.

 

Oh sorry, I'd just woke up when I read your message. I thought what you were saying was something in the lines of "sending new malware samples to Symantec for analyzis" - MY mistake to be honest.

 

That's ok maybe i didn't explain it good first time around. Yes i'm talking about getting an exe that's "Highly Trusted" in the cloud, and see what the cloud thinks if the exe has been modified by an unauthorized third party.

Basically seeing if the cloud and reputation can be tricked. It could be something simple like bumping up the file size 20kb with "junk" bytes, or more suspicious actions like reading Firefox passwords then writing them to a .txt file in C:\ and maybe connecting to a remote FTP and sending that file before the real installation routine runs.

Does the cloud still class the exe as "Trusted" with an altered filesize? Reading browser passwords and writing them to a file? How about sending this info out?

The reason i'm interested in this is it happened to me with NIS09 and i got all my passwords sent out, but if the new cloud system detects what i mentioned above it will be a massive step towards preventing this kind of attack.

 

Yes, I get what you mean. Have I understood correctly that you want to see if it'll cause FPs AND if it detects dangerous tactics when it comes to your privacy?