Norton Internet Security, Antivirus and 360 Being Retired?

Discussion in 'other anti-virus software' started by Raza0007, Sep 19, 2014.

  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Agreed, although frankly the versions of Symantec Endpoint Protection (or whatever they call the Windows client software) I've seen in the past have always seemed quite primitive. But perhaps, as you say, all of the smarts are in the "back end"? And by the way are there any Unified Threat Management firewall/router solutions for consumers that you would recommend at this point? (I know that's off topic - maybe PM me).
     
    Last edited: Oct 8, 2014
  2. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    http://www.netgear.com/business/products/security/utm-firewalls.aspx

    Added source of quoted material.
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    The key with UTM routers is throughput. Home networks are quite speedy, and with all of the UTM features on, your connection can be throttled. The above mentioned Netgear solutions are expensive, and the throughput is bad (sub 20mbps on some models).

    Right now the choices for consumer grade stuff are limited. ASUS RT-AC87 is powerful, and the Trend DS scanning in it is very effective (80-85% of known malware links/sites/vectors). But it isn't a malware scanner in the real sense of it, just a very effective inspection layer. Sitecom makes a great consumer UTM router with 3 engine cloud scanning but you will have to order it from an overseas vendor. ZyXEL makes affordable UTM appliances, the USG60 has amazing protection and has high throughput (90-190mbps) while being under $450. Within 5 years the market will be full of consumer UTM appliances because it's what makes sense.

    Sitecom
    https://www.sitecom.com/en/routers?subgroups[]=10

    ASUS
    http://www.asus.com/us/Networking/RTAC87U/

    ZyXEL
    http://www.zyxel.com/us/en/products_services/usg60w_60_40w_40.shtml?t=p
     
  4. 142395

    142395 Guest

    Well, maybe I had better shorten my post.
    @zfactor
    The problem might be that you first scanned in aggressive, then standard.
    Norton dynamically adjusts its heuristic sensitivity. (same goes for Trend)
    If it finds malware, the sensitivity automatically goes aggressive - I believe more aggressive than by slidebar setting - regardless of user setting (boot protection goes aggressive too).
    There are other situations where such adjustments occur, e.g.
    - In download, it's more aggressive than on-demand scan
    - In safemode, more aggressive than normal mode
    - If it can't connect to cloud, much less aggressive to reduce FP
    As NS has now integrated Power Eraser capability, it's well possible that more granular adjustments are adopted.

    Also, Norton remembers how many times infected files are found on each PC and this affects the reputation of all files on that computer.
    i.e. an unknown file found in a PC which is recently/often infected is more likely to be malware.

    So the best way to test is simultaneously scanning same files on different PCs with different settings.
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    This is interesting, and some companies appear to be moving towards more intelligent responses. For example Trend auto-adjusting based on outbreak metrics. If a machine is seemingly seeing more unsigned, unseen, or risky files, then it pushes the protection level up automatically, a sort of automated paranoid mode. Also there is some backend work being done to implement things like Region, and Activity based changes to detections. So if you are suddenly browsing a bunch of high risk Anime sites in China, protection might be ramped up during such times. If you are on porn sites, it might ramp up. But if you are on Microsoft.com or Wilders, it might relax a little. I think these intelligent scaling solutions will start to become more commonplace, and products under 'normal' use will feel much lighter as a result.

    One thing I noticed about Norton on my test machine is that after a couple of infections were found Norton did seem a bit more paranoid. I noticed it kept 'removing' threats when the machine was idle, or I was doing other things on it. Like it remembered where it saw the unclassified files, and was waiting for classification, or perhaps waiting to see if the machine appeared infected. It seemed quite intelligent in this respect. Trend should score very high in upcoming tests because Trend will detect infected test machines, and ramp up its own detection levels, and in theory - Norton should start scoring in the top tier as well if their system works as well as Trend's appears to be working.
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Is this auto-adjusting logic documented? I was told on the Norton Forum (with regard to an older version of NIS) that the reason boot time protection now defaults to off is because it is turned on automatically if a threat is detected on the system that requires a reboot, but I have not seen this documented anywhere.
     
  7. 142395

    142395 Guest

    @Mayahana
    Thanks for variable info!
    Personally, I feel Trend is too harsh to porn sites.
    Some of them are dangerous, but others are just annoying - they might have tricks to make affiliate income but not a virus or fraud - Trend's web rep blocks nearly all of them.

    Yeah, one advantage Trend has is their cloud back-end system's comprehensiveness.
    They effectively use geographical distribution info among other factors, but I think no other company - even Symantec - has such an integrated back-end system which correlates web-rep, mail-rep, file-rep, network-rep, mobile-rep, and... woops, I forgot the rest. lol
    And if a file downloaded another file and later it starts to behave suspiciously, then it not only affects the rep of the file's origin site, but Trend also retroactively adjusts the rep of the parent file's origin.

    BTW, I already mentioned exactly same thing with you in my first post.
    But really sorry for such a loooooong post!:oops:
     
  8. 142395

    142395 Guest

    One question, I heard Trend has several definition sets such as for international, for Japan, and for China.
    Is this true?
    If true, this is only for local def? (I know Trend puts most of def in cloud.)
     
  9. 142395

    142395 Guest

    @Victek
    Some of them are documented, but sorry as to boot-time adjustment, I also found it in Norton Community.
    Heuristic adjustment when cloud is not available is documented in several places such as:
    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/reputation_based_security.pdf
    http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/183000/TECH183109/en_US/Insight FAQ version 2.pdf
    More aggressive in download was documented somewhere (separately from download insight), but sorry I don't remember.
    More aggressive when threats found is documented in old AV-Comparatives reports, but I think also documented in somewhere else - but if not, you can easily confirm it by simple test.
    More aggressive in safemode is again, from Community question in my country.

    Also this might be interesting.
    http://www.symantec.com/page.jsp?id=star
     
    Last edited by a moderator: Oct 9, 2014
  10. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Thanks for the links, especially to the STAR Malware Protection Technologies info. This is in line with what other vendors are doing, however a problem I have with the Norton products for PCs is that their functionality is not documented in detail and the people in the support forums don't know the real answers either.
     
  11. 142395

    142395 Guest

    Yes, sometimes I had to search for SEP to know Norton's function because they share some technology (not all are the same though).
    I think at least some of the staff in the community (like Tony) are giving real answers, but they don't always come in.
    Kaspersky OTOH goes into quite some detail, but the problem is that it is spread among white papers, securelist, and even Eugene's blog.
    ESET has a centralized info page, though still somewhat limited in its degree of depth.
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Yes, this is problematic for those of us who want to understand the consumer products in-depth. Perhaps most people don't care and so resources are not allocated by the vendors? It's unfortunate because it can result in products not being optimally configured/effective.
     
  13. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    http://us.norton.com/ns-beta
    Testing in a virtual machine, I have seen Norton Internet Security/Norton AntiVirus/Norton 360 (I do not remember which) change the setting to Aggressive after a malware detection. I am not sure it changes the setting back. It had not after, at least, two reboots.
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Thanks that's good to know, however why provide the setting in the UI and why turn it off by default? Does it slow the boot time a little? If so that seems a poor reason for disabling it. I would want it on unless it interferes with some other boot process. On the other hand if Symantec feels the manual setting is no longer necessary because the automatic feature provides full protection why don't they remove it from the UI? I asked but couldn't get an answer in the Norton forum.
     
  15. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    NS is aimed at the mass consumer market. They may be more concerned with the typical buyer complaining about slow boot up times than with whatever security threat having boot time protection disabled presents, particularly if another layer of security in the program could catch any active threat injected during boot time.

    Also, respecting the beta statement we may be talking about Symantec's semantics - they may not consider "watching for changes in boot-time configuration" the same thing as protecting boot up from having any such changes made. In any event it appears from that statement that whether or not "boot time protection" is turned on or off makes little difference - your PC will be watched and then protected during boot time, if necessary.
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    You may be correct, but the problem is you don't know any of that for a fact and that's my point. I prefer to use a product where all features are documented and where the people providing support understand and can answer questions about those features. That has not been and apparently still isn't the case with the Norton products.
     
    Last edited: Oct 9, 2014
  18. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    The 52 pages he provided isn't enough? You need to understand that if you become overly open about your techniques you open yourself to more targeted threats, right? The details you seek may actually compromise the product, and a lot of these technologies are proprietary, industry secrets. The vast majority (99.999%?) of users don't care to know the details, they just want a usable, quality product.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    52 pages? I must have missed something. I only see an explanation of the settings for Boot Time Protection and that demonstrates the problem.

    https://support.norton.com/sp/en/us...110/solutions/v36662094_NIS_Retail_2015_en_us

    It states "Turning off the Boot Time Protection option reduces the level of protection of your computer". It was last updated on 7/29/2014. However Boot Time Protection is Off by default in the 2014 product and now in the 2015 product. Why can't the company document this feature properly? I tried to get answers about this in the Norton forum last year, but none of the designated support staff would answer.
     
    Last edited: Oct 10, 2014
  21. 142395

    142395 Guest

    You reminded me of a past experience.
    When I tried the very first alpha version of Driver Radar Pro, it successfully blocked Norton's driver and Norton showed a big red warning, which couldn't be fixed unless I whitelisted the driver in DRP.
    But it didn't always occur, just sometimes.
    I always use boot time protection Aggressive.
     
  22. javagreen

    javagreen Registered Member

    Joined:
    May 2, 2005
    Posts:
    96
    The slider being grayed out means that there's some remediation pending and a system restart lets it do just that. After the remediation (restart) the slider would be available for toggling to on/off.

    Also, if you explicitly disable boot time scan, it auto enables it (to aggressive) if it suspects something fishy is happening during bootup and that slider would be greyed out too, until the next restart where it does its scan, and after that the slider would again be available for toggling.
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Greyed out slider seems to also mean an update, possibly an engine update is pending.

    If you install 2015 right now, and push live update, the update is huge. If you reboot, push it again, it updates major engine components, and requires a reboot. If you push it again, it updates a final time. All of this of course would take place automatically over a day of it being installed. But a tester throwing it in a VM and not taking at least these steps IS going to cause some detection issues, and potential failures. Also, any issues with connection will cause failures. I haven't been able to infect a test machine with Norton 2015 on it, but I have a 56mbps pipe on an AC2400 router. Norton validates/invalidates threats in a second or two at most.

    The delay in PC Security's test to me indicates issues with his connection. I want to see him run a speed+network strength test before testing these products. PC Security has a known bias against cloud solutions, he talks about hating them in every video. Maybe he's on dialup or something? I mean who disconnects their internet these days? He talks about people constantly disconnecting their internet, and ruining cloud based solutions, but who really does that? Let's see a speed test and ping -t running the entire time he is testing Norton, then I will believe anything he says.

    I'd love to post logs of my 3 day honeypot test of Norton 2015 here. It's ridiculous how effective Norton 2015 is.. Color me impressed, and I've always hated Norton. ;-)
     
  24. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    He said he has a 2meg connection, which is barely considered broadband these days. Still, should be enough for AV testing.
     
  25. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    2mbps connection is barely capable of web browsing these days. So that's the problem right there. Let's assume he has other devices/machines connected to that connection, and probably background activity, then he tested Norton on what amounts to a dial-up line. That helps explain why his test essentially failed. Who the heck has a 2Mbps connection these days? I know people in small villages in China that have 10Mbps, and I thought that was slow. Also 2mbps both ways? Doubt it. Most 2Mbps connections are 2mbps down, 256-512 up.

    So let's toss 200 pieces of malware to a cloud solution, with a connection from the 1990s? This is so much fail I hate to even acknowledge it.
     