NORMAN

Is anybody familiar with NEW Norman antivirus software? There is some new SandBox technology for detection of unknown viruses.

Did anyone tried that new version?


(Its to expensive btw 78$US lol)

 

yeah i did. its the same old CPU emulation trick. Norman has a very good record everywhere including the VB. but the software is scattered as small files so if used wisely it'll use less resources. in overall a good program worth buying though in lesser money you can have same level of security.

 

3 yr licence for $50 @ http://www.tryus.dk/normanbuy.asp
I guess its the same that you are referring too.
A couple of threads on norman https://www.wilderssecurity.com/showthread.php?t=21404
https://www.wilderssecurity.com/showthread.php?t=7485
https://www.wilderssecurity.com/showthread.php?t=12647

 

I tried a recent version for a couple days. It seemed pretty light on resources with a fairly quick scan. I buried the EICAR tester 3 deep in *.rar archives and scanned it, but NVC missed it. That's about all the testing I did. The sandbox does sound promising, according to their website it emulates all of your pc's hardware as a test environment to run the suspect file in. I should've tested that more while I had it but it's unpackers disappointed me so I moved on.

 

Norman's Sandbox technology seems extremely similar to the one used by NOD32 Advanced Heuristics. Let's have a look to what they say about their heuristics :

- Anton Zajac, Eset CEO, said in an interview (http://informationweek.securitypipeline.com/infrastructure/18900335) :

"The second is even more sophisticated. It's based on virtual PC technology. We throw a file into a confined section of the memory where the entire computer is simulated with all its devices, memory, drivers, etc. Then we let the file--which arrives through e-mail--run in this confined, virtual PC environment. In this confined environment, our system can make a very good, educated guess regarding the malicious nature of a file. "

- On Norman's website ( http://www.norman.com/Virus/13927/en ) :

"Norman Sandbox is a fully simulated computer. No code is executed on the real CPU except for the Norman Virus Control emulator engine; even the hardware in the simulated PC is emulated[...]."

(http://www.norman.com/News/Press_releases/11429/en)

"The simulated virtual machine (Norman Sandbox) now incorporates services found in most networks, like SMTP, News, IRC, DNS, etc. This deludes the malware into believing it is in a live network allowing the SandBox to evaluate its behaviour and potential threats to the network environment."

It would be interesting to have a comparison of the effectiveness of these heuristics.

 

I use Norman NVC 5.7 as my On-Access scanner.
It is (relatively) light on resources but its detection rate is not as good as NOD32 or KAV.

What I really like about NVC is the Sandbox output.
Whenever it detects an unknown malware it outputs a Sandbox log which describes exactly what the malware tried to do, like:
Created files, created/modied registry keys and network activity (ports opened, etc.)
All this info comes from executing the malware inside the Sandbox (virtual computer).
This is a really neat feature.

Here's the Sandbox report I got from scanning a variant of the hackarmy trojan:

====================================================
* Attemps to open C:\WINDOWS\SYSTEM\win32server.exe qwerC:\SAMPLE.EXE.
* File length: 15872 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\win32server.exe.
* Deletes file C:\SAMPLE.EXE.

[ Changes to registry ]
* Creates value "Winsock32driver"="win32server.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Checks wheter computer is connected to Internet.
* Attempts to resolve name "aobuluz.hackarmy.tk".
* Connect port 6667 [IP], IP 193.75.75.100.
* Attempts to resolve name "0.0.0.0".
* Connects to IRC Server.

[ Process/window information ]
* Creates a mutex botsmfdutpex.

====================================================