NIS 2013 x64 Users - A Must Read!

Discussion in 'other anti-virus software' started by itman, Feb 13, 2013.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Below is the help screen for NIS 2013 firewall Advanced Events Monitoring feature. Please note everything I have highlighted in bold.

    Appears NIS 2013 x64 is missing one heck of a lot of HIPS protection plus no keylogging protection.

    This was an eye opener for me. Nowhere in any Norton ads have I observed x64 restrictions for NIS 2013. However, I am getting old and I might have missed them?

    Advanced Events Monitoring

    When you are connected to the Internet, there are various ways by which intruders can gain unauthorized access to your computer.

    Intruders can gain access to your computer in the following ways without causing firewall alerts to appear:

    - Launching and manipulating safe programs without your knowledge
    - Attaching to a safe program without getting detected
    - Launching trusted applications in hidden mode through command-line parameters
    - Injecting code into other applications' processes
    - Modifying the URL of an Internet browser through Windows messages
    - Bypassing firewall inspections by penetrating the Windows TCP/IP layer to send and receive data
    - Using the documented interfaces that Windows Active Desktop provides to transmit data outside the network
    - Using keylogger programs to monitor the keystrokes of a computer user, thereby gaining access to a user's personal information
    - Instantiating controlled COM objects to manipulate an application's behavior

    The Advanced Events Monitoring settings consist of the following categories that provide your computer with advanced protection:

    Program Component
    Monitors the malicious programs that launch Internet-enabled programs.

    Program Launch
    Monitors the malicious programs that attach to safe programs without being detected.

    Command Line Execution
    Monitors the Trojan horses or malicious programs that launch trusted applications in hidden mode through command-line parameters.

    Code Injection
    Monitors the Trojan horses or malicious programs that inject code into an application's process without triggering firewall alerts.

    This category is not available if you use 64-bit version of Windows.

    Window Messages
    Monitors the Trojan horses and other malicious programs that manipulate an application's behavior to connect to the Internet without triggering firewall alerts.

    This category is not available if you use 64-bit version of Windows.

    Direct Network Access
    Monitors the Trojan horses and other malicious programs that bypass network traffic.

    These programs penetrate the Windows TCP/IP layer to send and receive data without triggering firewall alerts.

    Active Desktop Change
    Monitors the malicious programs that use the documented interfaces that the trusted applications provide to transmit data outside the network without triggering firewall alerts.

    This category is not available if you use 64-bit version of Windows.

    Key Logger Monitor
    Monitors the malicious keylogger programs that access personal information of a user on a particular computer by monitoring their keystroke activities.

    This category is not available if you use 64-bit version of Windows.

    COM Control
    Monitors the malicious programs that manipulate an application's behavior by instantiating controlled COM objects.

    This category is not available if you use 64-bit version of Windows.
     
  2. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Wow long way to go with the X64 version.:argh:
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    It's the same with PC Tools - "Enhanced Security Verifications", which is a similar HIPS based protection, did not work with 64-bit systems. Since version 9.0, the option isn't there anymore.

    In Norton, "automatic program control" does a similar thing, but perhaps on a different level. This should still be available on 64-bit.
     
    Last edited: Feb 13, 2013
  4. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Wow still not 64 bit product. Aren't we in 2013?
     
  5. truoc

    truoc Registered Member

    Joined:
    Dec 31, 2012
    Posts:
    35
    Location:
    United States
    Does this apply to Norton 360 as well? I'm assuming it does since they use similar if not exact technologies, but wanted to clarify.
     
  6. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    How important are these - how much protection are you missing?

    I have NAV now that expires in less than 30 days. I was planning to get NIS to gain the firewall but since I use Windows 7 X64, maybe it is not worth it? Would I still gain much over NAV with the NIS firewall?
     
  7. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    While researching this, I found this old message thread on this same board: https://www.wilderssecurity.com/archive/index.php/t-222506.html

    It is short but it seems people are arguing at that time (late 2008) that many antivirus programs had less features on X64 systems because Microsoft added kernel security enforcement to X64 systems that X32 do not have and the features do not work and/or are not needed because of what Microsoft added in X64 systems.

    For example, a poster in the 2008 quoted thread, wrote, "No product is going to have the same feature set on 64-bit as they do on 32-bit. By locking down the kernel using PatchGuard, Microsoft has seen to that. Kaspersky too has a lot of HIPS-related features that are missing on 64-bit."

    And this recent wiki entry indicates that some antivirus programs have advanced features that do not work with Windows X64: http://en.wikipedia.org/wiki/Kernel_Patch_Protection

    Wiki highlight on subject:

    ""Some computer security software, such as McAfee's McAfee VirusScan and Symantec's Norton AntiVirus, works by patching the kernel[citation needed]. Additionally, anti-virus software authored by Kaspersky Lab has been known to make extensive use of kernel code patching on x86 editions of Windows.[15] This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.[16] Because of this, McAfee called for Microsoft to either remove KPP from Windows entirely or make exceptions for software made by trusted companies such as themselves.[3]

    Interestingly, Symantec's corporate antivirus software[17] and Norton 2010 range and beyond [18] does work on x64 editions of Windows despite KPP's restrictions. Antivirus software made by competitors ESET,[19] Trend Micro,[20] Grisoft AVG,[21] avast!, Avira Anti-Vir and Sophos do not patch the kernel in default configurations, but may patch the kernel when features such as "advanced process protection" or "prevent unauthorized termination of processes" are enabled. Sophos publicly stated that it does not feel KPP limits the effectiveness of its software.[22][23]""


    So it seems other antivirus providers are missing advanced features on X64 systems too and it is not just Norton. Anyone know which programs and which features?
     
    Last edited: Feb 13, 2013
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I just checked the NIS 2013 user manual. No mention of those Advanced Events Monitoring features being unavailable for x64 OSes. Have we caught Symantec in a do-do here?

    BTW - if you open up AEM, you will not find any of those unsupported x64 features listed.
     
  9. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    But it seems other antivirus providers* lose advanced features because of Microsoft's Patchguard kernel protection in x64 systems and the ones that do have the features in X32 systems should not be using kernel modifications for these features anyway (Microsoft does not allow it) but they do so because Microsoft does not enforce it in x32 O/Ss (see my post above yours.)


    * From wiki "Kaspersky Lab has been known to make extensive use of kernel code patching on x86 editions of Windows"
     
    Last edited: Feb 13, 2013
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Using Malware Research Group's last banking protection software test, appears some have found a way around it. As far as AVs go, Avast IS, Comodo Pro, Emsisoft Antimalware, and Kaspersky IS all passed their tests. Plus a few speciality anti-keyloggers such as Zemana, Trusteer, etc.
     
  11. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    With the promising tests of Avast 8, I might switch to it.

    Do you have link for above so I could study the report?
     
  12. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    I thought it was bad enough that Norton didn't support 64 bit Office or any 64 bit browsers. If this is also true, back to Kaspersky I go. :mad:
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I'm not aware of any security software vendor that openly explains which features of their products are not supported or only partially supported in X64 Windows. You have to dig for that information.

    Well documented reviews will state when the tested OS is Windows x64 so at least you can see how effective the product is on the 64 bit platform. In any case it is rare now that machines come preloaded with x86 (32 bit) so the focus going forward is effectiveness on x64. These days x86 Windows means mostly XP and even though the kernel can be patched you have to ask if it can be made as secure as x64 Vista/7/8.
     
  15. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    As long as Norton has top tier effectiveness and performance, which all recognized tests seem to suggest, these differences (thanks to Microsoft for no alternative to patchguard) don't matter to me.

    And I agree, Kudos to Symantec for even publicly acknowledging this. Many others don't.
     
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    Maybe, but most of these tests are done on Windows XP. Now I understand why. I haven't run XP for 6 years, so as far as I am concerned, none of these tests are valid.
     
  17. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Well said, if security suites scramble hard to work with the x64 kernel, so does malware.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I can't recall one review and/or "independent" test where this AEM x64 restriction issue was acknowledged. Speaks volumes for the quality of the stuff floating around the Internet these days.

    Worse if you read postings on the NIS forum, the "expert" trolls there will emphatically state that NIS has antilogging protection.

    As far as public announcement of x64 restrictions, some vendors are forthcoming on the issue and others are deceptive. Symantec being a major international corporation however is expected to be held to a higher standard I would believe. I find it hypocritical that organizations that are trying to sell you "trust" related products are many times untrustworthy in their sales execution methods.
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    It does, and I am glad you brought this to my attention.

    Yeah, you don't dare say "64 bit" there. I along with other users have requested support for 64 bit IE and 64 bit Office for some time, only to be told that we shouldn't be using those things. Now it looks like they don't even reasonably support 64 bit Windows.

    They should be held to a higher standard, and it appears they have the worst 64 bit support of any vendor I have encountered. I'm done with them until they pick up the ball they dropped 6 years ago when 64 bit Vista was released.
     
  20. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    You have no idea what you are talking about. AV-Test has switched to Windows 7 64-bit a while ago.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    More generally the Symantec/Norton forums are run more like marketing vehicles than support venues in my experience. If you point out a genuine weakness that can't be corrected by changing a setting, etc, they keep smiling and blow smoke. You only have to look at how they responded to NIS being unable to stop the zeroaccess rootkit to see this behavior in action. To date I don't know if the Norton products can stop or remove it. The products are worthless if you can't trust the vendor IMHO.
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Have you heard about MoneyPak and problems with NIS with respect to getting it removed? :)

    It appears to me NIS doesn't have a strong enough unpack engine to deal with variants of such malware. Norton certainly has some issues, and IMO, they have been focusing too much on performance rather than protection in recent years, though they remain decent at protection too. I personally prefer SEPS, which seems to be a much higher quality, no-nonsense product than Norton :)
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    Yes, because there are no other testing sites.
    From this thread:
    https://www.wilderssecurity.com/showthread.php?t=341306
    From the PDF linked in the article:
    "We test with Windows XP SP3 and Internet Explorer 7 due to the high prevalence of internet threats that work with this combination."
     
    Last edited: Feb 14, 2013
  24. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA

    AV-Test uses Windows 7 (SP1, 64 bit) for its Windows 7 results. It consistently shows Kaspersky and Norton equal just a hair (statistically no difference) behind Bitdefender in detection. http://www.av-test.org/en/tests/test-reports/
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    AV-Test has for some time rotated on quarterly basis by OS their testing. I believe they were the first to do this. AV-Test is also my favorite test lab.
     