NIS 2013 x64 Users - A Must Read!

Discussion in 'other anti-virus software' started by itman, Feb 13, 2013.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here's another NIS 2013 goodie I just discovered.

    I set Zemana Antilogger.exe to a delayed startup in NIS's startup manager. I restarted and found, lo and behold, Zemana Antilogger started right up. Went back into NIS startup manager and Zemana Antilogger.exe's delayed startup option was turned off! I know that feature works since I set Adobe ARM to delayed startup and it stuck.

    Implication: Zemana AntiLogger has the ability to turn off NIS features at will.
     
  2. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    That is interesting. I wonder why?
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Much more probable implication: Zemana has self-defense, so NIS can't set it to delayed start-up, and the start-up manager doesn't properly check if changing the setting actually worked. After reboot, when you open the start-up manager again, it checks the start-up settings of all programs and sees that Zemana is normal (not delayed), so it shows it as such.
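    The check described in this post (write the setting, then read it back and report whether it stuck) as an added PowerShell example; this is not code from the thread, from NIS or from Zemana. It assumes the entry lives in the per-user Run key and uses a hypothetical entry name, 'ExampleApp'; how NIS itself stores a "delayed" entry is not shown on this page.

```powershell
# Added example (not from the thread or from any vendor's code): write a startup
# setting, then read it back to confirm the change actually stuck, which is the
# check a startup manager should do before reporting success. Only the per-user
# Run key is used; the key path and the entry name are assumptions for illustration.
function Set-RunEntryVerified {
    param(
        [Parameter(Mandatory)] [string] $Name,     # registry value name, e.g. 'ExampleApp'
        [Parameter(Mandatory)] [string] $Command,  # desired command line, or '' to remove
        [string] $Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        [int] $SettleMs = 500                      # give a self-protecting process time to revert
    )

    $before = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$Name

    if ($Command -eq '') {
        Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $Key -Name $Name -Value $Command
    }

    Start-Sleep -Milliseconds $SettleMs
    $after = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$Name

    # Compare what we wanted with what is really there now; $null -eq $null is $true,
    # so a removal that stuck reports Applied = $true as well.
    $wanted = if ($Command -eq '') { $null } else { $Command }
    [pscustomobject]@{
        Name    = $Name
        Before  = $before
        Wanted  = $wanted
        After   = $after
        Applied = ($after -eq $wanted)
    }
}

# Usage: change a hypothetical entry and check the result instead of assuming it worked.
$r = Set-RunEntryVerified -Name 'ExampleApp' -Command '"C:\Program Files\ExampleApp\app.exe" /delayed'
if (-not $r.Applied) {
    Write-Warning "Change to '$($r.Name)' did not stick (now: '$($r.After)'); something reverted or blocked it."
}
```

    A manager that skips the read-back will show the value it wrote rather than the value on disk, which is exactly the mismatch the first post ran into.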
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Yes, hopefully this is correct. You would expect a security program to not allow its auto-start setting to be changed.
     
  5. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    I just checked those footnotes and they go to Symantec product "advertising" pages (so no testing by a third party.) So it does not seem to carry much weight.
     
  6. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    When I check my Norton Antivirus' log, it is filled with entries where Norton blocked Windows services and other programs that tried to interact with Norton programs. I guess it is not foolproof, but it seems to protect its processes.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I saw enough suspicious activities with Zemana AK of late that it is off my PC permanently this time. The fact that antilogger.exe was injected with NIS SONAR engine, this interference with NIS startup manager, the fact it dumped adware on my latest install of the paid ver. which I have a license for, etc. etc. was enough for me.

    Zemana AK also did not play well with EMET 3 at boot time on my WIN 7 SP1 x64 installation. I can go on but you get my drift.
     
  8. chimpsgotagun

    chimpsgotagun Registered Member

    Joined:
    Dec 1, 2012
    Posts:
    55
    Link to those please? (Not questioning your opinion, just wanting to evaluate which one would suit my needs best)

    Haven't tested yet, but I think this doesn't work yet with Win8.

    That's what I'm starting to be afraid of also, now, as a poker player. Comodo for FW then? (That was my original choice in my new setup, but after reading a few PC Mag articles, decided to order Norton 360)

    Bitdefender or F-Secure for AV? (Should use the same engine, and test results have been pretty similar. Compatibility issues with other vendors' firewalls perhaps?)
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In "static" zero day tests by the major AV test labs, NIS 2013 performed great. AV-Test WIN 7 Nov.-Dec. 2012 results showed NIS 2013 at 100% for Nov. and 98% for Dec. By "static" I mean the tests are performed with malware in the wild at the time the test was performed. Test labs that perform "dynamic" continuous testing of in-the-wild malware over a long period of time, such as AV-Comparatives and Malware Research Group, show a different result for NIS 2013. Below is a link to the Malware Research Group results for 2012. Although NIS 2013 results were respectable, they were below the other major AV vendors. Most interesting is that after a 6 hour interval, only half of the previously missed malware was addressed by NIS 2013 via detection signatures.

    http://www.mrg-effitas.com/current-tests/flash-test-results/

    I believe using NIS 2013 is a good antimalware solution as long as you realize its limitations. It does not have HIPS protection that would protect critical system areas if a zero day exploit were to slip through. One way to address that with minimal user interaction would be to purchase banking/anti-keylogger software. G-Data's Bank Guard and SpyShelter's Anti-keylogger are two possible solutions. Trusteer offers a free product but I have never had any success with it running on my WIN 7 x64 SP1 installation.
     
  10. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    (Of course, there are other protections that might prevent you being infected by ZeroAccess such as the IPS or Download Insight modules.) Which ones have confirmed it?

    In 2012, Norton blocked 11/11 ZeroAccess samples in the MRG Flash Tests.
     
    Last edited: Apr 21, 2013
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
  12. chimpsgotagun

    chimpsgotagun Registered Member

    Joined:
    Dec 1, 2012
    Posts:
    55
    Ok. My main concern is keyloggers etc. that could steal passwords from poker accounts. For web wallets, banking, mail etc. I can always use Linux, but for poker clients (and also poker utilities like databases) I have to use Windows, and I'm using both Win7 and Win8 for them, not older Windows versions.

    So, my environment would be 64-bit, meaning that Norton is a less than ideal choice. That means I'd probably go for separate firewall and AV programs, and perhaps an added anti-keylogger utility like SpyShelter or Zemana AntiLogger.

    I'm open to recommendations for combo of
    a) Firewall - Comodo, ZA, OA, other?
    b) AV - F-secure, Bitdefender, Avast, BullGuard, other?
    c) Anti-Keyloggers - Zemana, SpyShelter, other?
    d) Other software, like perhaps that G-Data Bank Guard, that would make using poker clients (with a couple of good-reputation poker utilities) safer

    Bitdefender and F-Secure have done well in AV-Test tests, but Avast was better in that Flash test by MRG Effitas. (F-Secure wasn't there, but I'd expect similar results to Bitdefender.)

    I don't know if I trust much to that MatouSec test, but Comodo is doing well in it, and OA used to when they still participated. Not really many firewall tests around.

    Minimal user interaction is nice, but not the ichiban priority here, because I will be using only a limited amount of different Windows software. It might reduce the possibility of making errors when answering popups, though.

    http://www.mrg-effitas.com/wp-conte...anking-and-Endpoint-Security-Report-20121.pdf
    There Zemana AntiLogger did well, but SpyShelter didn't participate.
    In this test Avast IS $ version did well, and also Emsisoft Anti-Malware, Comodo IS Pro and Kaspersky.

    There's also "Antivirus lab tests chart' you can click open to other window from
    http://www.pcmag.com/article2/0,2817,2372364,00.asp
    but I don't know how relevant all those test results are for my needs.

    So keeping in mind my special needs just for poker, what combo of software would you use? (Asking any reader's opinion here.) Let's say money is not a big issue here.

    Edit: Let's add to the list of choices some AV/FW combos, like G Data IS/TS, Emsisoft etc., whose firewalls' qualities I have no idea about, and G Data AV (without firewall, but which includes the above-mentioned Bank Guard, as do G Data IS/TS).
     
    Last edited: Apr 21, 2013
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Not according to the MRG link I posted above. In that chart, they list Symantec instead of Norton. Since that chart references retail solutions, I assume they are referring to NIS and not Symantec Endpoint product.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  15. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    This link http://www.mrg-effitas.com/current-tests/flash-test-results/? The fails were other samples, not ZeroAccess.

    Edit: I just realised that the MRG Flash Tests have been run on Windows 7 32-bit.
     
    Last edited: Apr 21, 2013
  16. chimpsgotagun

    chimpsgotagun Registered Member

    Joined:
    Dec 1, 2012
    Posts:
    55
    (Quoting myself here)

    How about

    a) Comodo IS 6 + Emsisoft Anti-Malware
    b) Comodo FW 6 + Avast + Emsisoft Anti-Malware

    Those combos should work together?
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I have been doing some experimenting with NIS 2013 with Automatic Program Control set off in the firewall settings.

    Appears NIS 2013 does have HIPS protection at least as far as your browser goes. It will detect any .dll injection from non-MS .dlls whether they are signed or not and give you an alert. The glitch is there is no way to block the .dll. All you get is a popup saying your browser is the issue. If you select block you keep getting the same popup. You have to open the log and see what it is actually blocking to decide if you want to allow it or not.
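    The manual step this post ends on (open the log to see which DLL the browser alert is really about) as an added PowerShell example; this is not code from the thread or from Symantec. It enumerates the modules loaded in running browser processes and flags any that are not validly signed by a trusted publisher. The browser process names and the default trusted-signer pattern (Microsoft only, matching what the post says NIS alerts on) are assumptions; extend the list with your browser vendor so its own DLLs drop out of the report.

```powershell
# Added example, not code from the thread or from Symantec: list the DLLs loaded
# in running browser processes and report those not validly signed by a trusted
# publisher, which is what you end up checking by hand in the NIS log when the
# alert only names the browser. Process names and trusted signers are assumptions.
function Get-ForeignBrowserModules {
    param(
        [string[]] $BrowserNames    = @('firefox', 'chrome', 'iexplore'),
        [string[]] $TrustedSigners  = @('O=Microsoft Corporation')   # regexes matched against the signer subject
    )

    $sigCache = @{}   # path -> signature info, so each DLL on disk is verified once

    foreach ($proc in Get-Process -Name $BrowserNames -ErrorAction SilentlyContinue) {
        try {
            $modules = $proc.Modules   # throws for a process of the other bitness, or without rights
        } catch {
            Write-Warning "Cannot enumerate modules of $($proc.Name) (PID $($proc.Id)): $_"
            continue
        }

        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $sigCache.ContainsKey($path)) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                $sigCache[$path] = [pscustomobject]@{ Status = $sig.Status; Signer = $signer }
            }
            $info = $sigCache[$path]

            # Trusted means: signature chain is valid AND the signer matches one of the patterns.
            $trusted = $false
            if ($info.Status -eq 'Valid') {
                foreach ($pattern in $TrustedSigners) {
                    if ($info.Signer -match $pattern) { $trusted = $true; break }
                }
            }
            if (-not $trusted) {
                [pscustomobject]@{
                    Process = $proc.Name
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $path
                    Status  = $info.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
                    Signer  = $info.Signer
                }
            }
        }
    }
}

# Usage: review the list before deciding whether to allow what the NIS alert is about.
# Run the PowerShell of the same bitness as the browser so .Modules can be read.
Get-ForeignBrowserModules -TrustedSigners @('O=Microsoft Corporation', 'O=Mozilla Corporation') |
    Sort-Object -Property Path -Unique | Format-Table -AutoSize
```

    An unsigned or HashMismatch entry living outside the browser's own install directory is the kind of module worth looking at first; a validly signed DLL from a known vendor is usually a plugin or a security product's own hook, which is consistent with the post's observation that the alert fires for signed and unsigned DLLs alike.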
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I have seen a few "surprises" in connection attempts running with automatic program control off. Definitely a good experience so far.

    Also my boot times have definitely decreased. One interesting thing I noticed in the NIS log is lsass.exe and services.exe are now being blocked inbound, whereas with automatic program control on, NIS was allowing it. Also NIS removed its previously generated allow rules for the above. I thought those connections were suspect anyway.
     
    Last edited: Apr 26, 2013
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    Can't say I have ever tried turning it off. Sounds like it might be worth a test run.
     
  20. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    http://community.norton.com/t5/Nort...-Zeroaccess-I-think-it-s-gone-but/td-p/948227
     
  21. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    570
    There is bug fix release for Norton products. The new version is 20.3.1.22.

    Changelog:

    # Changes and fixes
    - Resolved issue where Norton Autofix appears after patch installation, showing that one item has been fixed
    - Fixed a few UI issues for the uninstall pages
    - Corrected an issue with Online Vault where customers who logged into Norton Account during install had their passwords automatically autofilled before they explicitly indicated via the Norton Toolbar that they wished to use the linked Online Vault
    - Fixed issues where ccsvchst.exe does not properly shutdown
    - Resolved a blue screen error that occurred when both Norton and Nero products were installed
    - Corrected an issue where customers saw programs being uninstalled when installing their Norton product
    - Fixed an issue where AutoProtect, Sonar, & AntiSpyware getting turned off, and Fix Now was unable to resolve it
    - Resolved a subscription issue where ‘License Expired’ is shown, despite having remaining subscription time
    - Corrected problems where 2 AntiSpam listings appeared in Task Manager, and AntiSpam consumes almost 100% CPU
    - Fixed issues logging into Norton Account to access Online Storage.
    - Fixed issues AP, Sonar, & AntiSpyware getting turned off and Fix Now unable to resolve it.
    - Corrected Norton Safe Web spelling mistake "Satistics".
    - Fixed an issue where header rows in lists (eg. Security History, Program Control) would move when scrolling through list.
    - Corrected some instances where ccSvcHst.exe may crash or hang under Windows XP.
    - Re-added missing Calendar in the Custom Scan and Backup Scheduling User Interfaces.
    - Corrected an issue where you would have to sign-in to your Norton Account multiple times to configure Online Backup.
    - Corrected display issue with Security Status Tile on Mail User Interface.
    - Fixed an instance where multiple Download Insight notifications would display constantly.
    - Installation now displays proper Incompatibility Alert when attempting to install on Windows Vista SP0 (Service Pack 1 and above required).
    - Corrected a compatibility issue with CCleaner's Registry Scan.
    - Corrected an issue that caused a delay in loading the Norton Tray Icon.
    - General enhancements around Windows 8 compatibility.
    - Overall Product Performance Improvements.
    - Performance enhancements for Norton Identity Safe.
    - Enhanced Rebootless Patching feature (Rebootless Patching not supported on Windows XP or Vista)

    Source: filehippo.com

    Those of you who had issues with earlier 2013 versions may try this build :)
     
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I have turned the NIS 2013 firewall back on to Aggressive mode after completing my testing.

    I do believe there is a problem with how the firewall handles wininit.exe, lsass.exe, and services.exe. With Automatic Program Control set to off, the firewall will block services.exe and lsass.exe. It will also not allow you to manually set up rules for these. With Automatic Program Control set on, it will create rules for wininit.exe, lsass.exe, and services.exe. However, the rules it creates allow all inbound and outbound from anywhere. These processes should be allowed only on the local subnet and I have modified these rules accordingly. As a result, they also appear in TCPView as they should.

    These rules have to be monitored occasionally. Another glitch I have found with the firewall running on Automatic Program Control is if something tries to dial out and it's a "trusted" process, the firewall will override whatever firewall rule you created and create its own firewall rules.
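    The policy shape this post and post 18 describe (wininit.exe, lsass.exe and services.exe reachable only from the local subnet, then a TCPView-style check of which ports those processes actually own) as an added PowerShell example; this is not code from the thread or from Symantec, and it does not edit NIS's own rule set, which has no command line shown on this page. It writes equivalent rules into the built-in Windows Firewall through netsh, which works on both Windows 7 and 8, and the rule names are assumptions. NIS normally takes over from Windows Firewall, so treat this as the reference policy to compare your NIS rules against, not as a replacement for editing them.

```powershell
# Added example, not from the thread or from Symantec: the restriction the post
# describes (system processes reachable only from the local subnet) written as
# Windows Firewall rules via netsh, followed by a netstat-based check of which
# ports those processes really own. Rule names are assumptions; NIS keeps its own
# rule set, so this shows the policy shape rather than editing NIS rules.
$SystemBinaries = @(
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\System32\lsass.exe",
    "$env:SystemRoot\System32\services.exe"
)

function Set-LocalSubnetOnlyRules {
    param([string[]] $Programs = $SystemBinaries)

    foreach ($exe in $Programs) {
        $base = [IO.Path]::GetFileNameWithoutExtension($exe)
        foreach ($dir in 'in', 'out') {
            $name = "LocalSubnetOnly-$base-$dir"
            # Drop any earlier copy so re-running the script does not stack duplicates.
            netsh advfirewall firewall delete rule "name=$name" | Out-Null
            # Allow only to/from the local subnet. With the default inbound policy
            # (block), anything from outside the subnet to this program is dropped.
            netsh advfirewall firewall add rule "name=$name" "dir=$dir" action=allow `
                "program=$exe" remoteip=localsubnet enable=yes | Out-Null
        }
    }
}

function Get-PortsOwnedBy {
    param([string[]] $ProcessNames = @('wininit', 'lsass', 'services'))

    # Map PID -> process name once, then parse 'netstat -ano' (the TCPView equivalent).
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_.Name }

    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        # TCP lines: Proto Local Foreign State PID ; UDP lines: Proto Local Foreign PID
        if     ($f[0] -eq 'TCP' -and $f.Count -ge 5) { $owner = [int]$f[4]; $state = $f[3] }
        elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) { $owner = [int]$f[3]; $state = '' }
        else   { return }   # header, blank and "Active Connections" lines
        $name = $byPid[$owner]
        if ($ProcessNames -contains $name) {
            [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state; PID = $owner; Process = $name }
        }
    }
}

# Usage (elevated prompt): apply the rules, then see what is actually listening and for whom.
Set-LocalSubnetOnlyRules
Get-PortsOwnedBy | Format-Table -AutoSize
```

    The second function is the part worth running on its own from time to time: if a Remote column ever shows an address outside your subnet for lsass.exe or services.exe, the allow-from-anywhere rule the post complains about has crept back in.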
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Currently up to 9 web pages on the NIS forum and going strong.

    Crap is all Java related. Since I don't have Java installed on my WIN 7 build and never intend to, I don't have to worry about crap like this.

    Appears that NIS only removes the base infection but leaves the source, appears to be toolbar related, on the user's PC.

    And I bet not one of the infected PCs have EMET installed:rolleyes:
     
  25. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    Probably not. I noticed that almost everyone in that thread has 1 post. No java here either. Probably not ever again.
     