Symantec's new approach in detecting malware

Thought this was an interesting blog entry from the Symantec website.
https://forums.symantec.com/syment/blog/article?blog.id=emerging&thread.id=112

Read also about an earlier blog posted by the same author.
https://forums.symantec.com/syment/blog/article?message.uid=306507

 

Great reads, Miyagi. Thanks!

 

Threatfire related i guess.

 

for someone at the cutting edge of an industry who time has shown to have made some really poor products how can this clown still have a job??

I like their latest product but everything leading up to it has been really second rate.

 

1) Is NAV2009 so Truly improved that
avast!, Kaspersky, and Avira (my order is accidental) are now behind Symantec?

2) Why do I get the feeling that someone is trying to put Symantec on the Top
-Before- the official AV/Testing sites do it?

Is it marketing? Is it brainwashing? Is it fishy?

 

Well, 2 of the most prominent AV testing sites (av-comparatives and av-test.org) have already placed Norton at the top, or at least amongst the very top.

 

i wonder why carey nachenberg is saying malware production outpaces legit software production when a) malware producers are themselves less numerous than legit software producers (ie. how does a smaller group make more stuff than a larger group?), and b) bit9 found that microsoft alone produced as many binaries in a single day as malware had been created in all of history (as of last year)...

 

I'm aware of these reports:

http://av-comparatives.org/seiten/ergebnisse/report19.pdf

http://www.virusbtn.com/news/2008/09_02

All I am saying is lets wait to see more AV tests.
I believe it is -still- too -early- for making NAV2009 the king of AVs.

Detection of Malware is one issue.
Have you ever wonder
-How AVs react when you Turn off their Real-Time/Proactive protection,
infect the PC (even with some common spyware),
Turn on their Real-Time/Proactive protection,
and let them to fight against the infection?
(by starting a Full scale scanning session).

You wouldn't believe in your eyes
how Poor the performance of some 'Big' names is!

 

real-time av isn't meant to deal with an existing infection... real-time av is primarily a preventative control... if you have a system where prevention has already failed (or been bypassed artificially) and you want to use av then you need to be using the non-real-time components, preferably while the malware (and the affected system itself) is not active...

it doesn't surprise me in the least that you'd see bad results when you use the wrong tool for the job... you can't drive screws with a hammer...

 

It really needs it to cover that thing that they call 'detection'

 

Norton/Symantec has always, for as long as I've been following testing, been at or near the top.

My wife has Norton 360 on her desktop and has recently renewed the subscription. Reason, it does a better job at protecting than any other she's used on her other computers.

I use Sandboxie or Shadow Defender and haven't had an AV on my desktop in nearly a year. I recently added Norton 360 (after discovering it can be used on 2 computers). My desktop has only 512RAM. It's running beautifully. As expected with Sandboxie, no malware was found.

For years, I avoided Norton based on what I read, sort of like I avoided Win Vista based on others comments. I love Vista and Norton is turning out to be a nice addition.

 

Here is the latest:

http://https://forums.symantec.com/syment/blog/article?message.uid=354592

Silver

 

Let me explain it better to you, because you got it all wrong,
and I didn't wrote what I implied (by starting a Full-scale scanning session)
(I added it to my 1st post to clarify things more).
"Turn on the Real-Time protection and let the AV fighting the infection means":
Giving the AV its FULL potentially Back;
avoiding nasty pop-up alerts about enabling Real-Time/Proactive Detection etc.
and start Scanning the Infected system.
I didn't say that Real-Protection -by itself-
will fight infection in an already infected system!
No way!
You have to start a Full-Scale scanning session.

Some Testers/Evaluators want to know more about AVs strength.
They simply don't stop/stay to detection ability.
If under the situation I described,
you could see your Favorite AV to be frozen/crushed or getting crazy and
trying to disinfect healthy Windows files and not the -really- infected ones
while -Other- AVs remained -Stable- and -Effective- against infection,
wouldn't you care?

There are many who care about
the performance of security software beyond the Detection Tests.

They care about how far an AV can go, before we
abandon it and start using Malware Cleaners etc.
Besides, there are AVs that perform better than some
"specialized" Malware Cleaners even when a computer is already infected!

Needless to say more...

 

doesn't matter... with the real-time av active you're talking about running the system normally... this is by far a sub-optimal way to do detection/correction because you're leaving the malware active... it's not the proper way to use the tools... either boot the machine from a PE disk or slave the drive in a clean computer and scan that way - do not run code off of the suspect system itself...

 

IMO commercial anti malware solutions are not and should not be designed to clean system from malware but they should be designed to prevent malware getting into the system or prevent malware damaging the 'real' system.

Once the system is damaged or infested because signature based detection failed or because pro active detection did not stop the thread than it is already too late... and depending of extent and size of the infection the only remedy is often to perform an in-depth forensic and/or a full reset of the machine.

Fax

 

No one said to you that this is the Optimal/Best way to fight Malware!
Forget the Real-Time/Defense enabled since you focused on it.
We have taken our tests even further:
Boot in a Safe Mode and Turn your System Restore off
before initiating a Full-Scale Scan of the infected PC.

We haven't noticed such a -Radical- Result improvement, but we did it, too.
The ones that performed well while scanning with Real-Time Defense on
were also the top ones while scanning in Safe Mode/System Restore Off!

Still don't care about how AVs treat an -Already- infected system, ah?
No problem...

 

I dont know, personally I trust in anyone who is Greek.


Kalimera lol

 

if you're going to try to determine the capabilities of a product then you must use the product in an optimal manner or your results will be meaningless...

i'm not focused on it, i'm just using it as an indicator of how you're suggesting to operate the computer during incident response...

still not good enough - you're still running code off of the suspect system... when i say you shouldn't run any code off of the suspect system that includes the operating system on the suspect system... safe mode isn't actually all that safe...

 

Avira and Kaspersky will never be behind Symantec, i am pretty sure on that.
It's Symantec that will be behind other two AV's ,

 

not necessarily

 

So, to reach a point (if we ever manage to...)
-What is the proper/optimal way -You- propose/suggest when Evaluating the performance of an AV?
-Is it Having a Malware Sample (e.g. a Folder of Infected files)
in a -Clean- computer (i.e. -Always- No Infection present) and then, Scanning to see how many were Detected?

 

your way off topic here, there is no perfect way IMHO, of course you could unhook the computer from te internet & not install anything on the computer except what was on it originally but than what fun would that be?

 

That's exactly my point, Larry.
There is no specific/proper way.
Anyway...
Sorry for getting you out off topic,
but it takes two (2) to tango...

 

it's a computer & I looked around for mine but no rule book came with it so I can't give you the HP method of proper method to remove malware I guess you have to use an AV & just run it.

 

as i understand it you want to do more than just a sample detection test, so just scanning samples in a directory won't be enough... you want to see how well the scanners can detect the malware after it's been run, that's fine, run the malware and let it get it's hooks into the system...

but after you do that you need to either boot the system from a PE disk (like the windows version of a livecd if you're unfamiliar with the term) or something similar (you could also try testing out the recovery cds that various vendors make available) or take the hard disk of the compromised computer out of that computer and stick it into another (clean) computer as a slave drive (in other words, not the primary/master drive that that 2nd computer boots from) and scan it that way...

i have nothing against testing scanners to see how well they perform in the context of incident response, but you need to have the fundamentals of incident response itself down first, and one of the first fundamentals of incident response is to not run code off of the suspect drive/system...