Does Norton AntiVirus 2009 use a Proxy Tunnel like NOD32 and some other AV Pgms?

Discussion in 'other anti-virus software' started by JosephB, Dec 1, 2008.

Thread Status:
Not open for further replies.
  1. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    I heard that the new Norton AntiVirus 2009 is supposed to be very light on resources and was wondering...

    1) Does anyone know whether the new Norton AntiVirus 2009 uses a "Proxy Tunnel" design like NOD32 and some of the other AntiVirus Pgms?

    2) Does it have any type of WebGuard that scans Http traffic for drive by downloads and web page scripts ?

    3) Also, does it have the option where you can enter folder and file exceptions for the Auto Protect/Real-Time Scanner and also for the On-Demand Scanner ?
     
    Last edited: Dec 1, 2008
  2. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    As far as I know:
    1) No proxy tunnel. But yes, if you already have a proxy it can be configured to work alongside it.

    2) Norton AV 2009 has a heuristic page scanner built into its anti-phishing toolbar, which will scan the page for malicious intent.
    NIS 2009, has a beta add-on called SafeWeb similar to McAfee SiteAdvisor.

    But Norton 2009 doesn't have an explicit HTTP/Web scanner. Files are scanned only after they are downloaded to disk/memory.

    3) Yes, you can exclude drives, folders and files from Autoprotect and also from On-Demand Scan.
     
  3. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    I am not quite sure what you mean by a Proxy Tunnel.

    I am an architect at Symantec and I work on the team that builds our HTTP or Web scanning engines. I just wanted to clear up some confusion about whether or not Norton products have Web scanning engines.

    The short answer is "yes" we do. In fact there are 5 independent engines that scan HTTP content.

    1) There is the Intrusion Prevention (IPS) engine that scans for all types of HTTP-based exploits. The engine has many hundreds of generic vulnerability signatures that don't need to change often, if at all, since they target the vulnerability condition, which doesn't change, rather than the shell-code, which does. New ones are added almost weekly. The list of signatures can be found at http://www.symantec.com/avcenter/attack_sigs/. Look under "H". Every signature prefixed with "HTTP_" is being scanned on HTTP traffic. It's also important to note that the IPS engine scans ALL traffic coming into or going out of your machine, not just HTTP.

    2) Browser Protection - This engine is specifically targeted at obfuscated JScript/VBScript HTTP content that exploits vulnerabilities in ActiveX, DOM or even specific data-types like VML. Highly obfuscated attacks are difficult if not impossible to reliably detect by scanning network traffic or by scanning the files in the IE cache. Hence this uses a totally different approach to the problem. But the bottom line is that it will still block content coming over HTTP before it exploits the browser.

    3) Anti-Phishing Engine - Also scans HTTP content looking for phishing page characteristics.

    4) Privacy Scanning engine
    5) Parental Controls.

    Engines 1 and 2 are targeted at blocking malware from automatically infecting your machine when you visit an infected web page, aka drive-by downloads.

    Engines 4 and 5 are only installed and active when you have installed the Add-on Pack.

    Yes.

    Thanks,

    Shane
     
  4. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    While both NIS and NAV have a heuristic scanner built into the anti-phishing toolbar, that scanner is only meant to heuristically detect phishing attacks. It does not detect malicious attacks such as drive-by downloads. There are 2 other engines for that, as described in my previous post.

    NIS has had an HTTP scanner to detect malicious HTTP attacks since NIS 2002 Pro. NAV has had one since NAV 2005. It is important to note that these engines are designed to detect HTTP vulnerabilities that, as we know, can result in automatic download and execution of malicious exes. So it scans all kinds of files... html, jpg, wmf, gif, jscript etc. etc.; everything is scanned in the network stream before it hits the disk. The only exception is exes. Exes are only scanned when they hit the disk. We see no reason to scan exes in the network stream and incur an unnecessary performance penalty during web browsing with no apparent benefit. Exes coming over the web have to hit the disk before they get executed. That means that a file-based scanner is good enough to detect any malicious content within these exes.
     
    Last edited: Dec 2, 2008
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I think what is meant is this. I don't use an AV, so when I do something with Firefox I show Firefox connecting to the web. If I were to go through an AV such as Kaspersky, I would show KAV accessing the web, as to scan HTTP stuff it proxies all web stuff through itself.

    Pete
     
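Pete's observation above (the browser shows up connecting to the AV process instead of to the web) is something you can check from a connection listing. The script below is an added example, not from any poster and not Symantec code: it parses the text of a Windows `netstat -ano` listing together with a PID-to-process map (standing in for `tasklist` output) and reports whether the browser's established sessions end at a loopback listener, and which process owns that listener. The samples, PIDs, addresses and process names such as avproxy.exe are all constructed.

```python
"""Check whether a browser's web connections go through a local proxy process.

Added example, not from the thread. It parses the text of a Windows
`netstat -ano` listing and a PID-to-process map (constructed here, standing in
for `tasklist` output). Process names such as avproxy.exe are hypothetical.
"""

import ipaddress
import re
from typing import Dict, List

# One row of `netstat -ano`: proto, local address, foreign address, state, pid
ROW_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample: the browser (PID 1234) talks only to 127.0.0.1:8080,
# and PID 5678 both listens on that port and holds the real remote session.
PROXIED_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       5678
  TCP    127.0.0.1:49201        127.0.0.1:8080         ESTABLISHED     1234
  TCP    192.168.1.10:49202     93.184.216.34:443      ESTABLISHED     5678
"""

# Constructed sample: the same browser connecting to the web directly.
DIRECT_SAMPLE = """
  TCP    192.168.1.10:49310     93.184.216.34:443      ESTABLISHED     1234
"""

PROCESS_BY_PID: Dict[int, str] = {876: "svchost.exe", 1234: "firefox.exe", 5678: "avproxy.exe"}


def split_addr(addr: str):
    """'192.168.1.10:443' or '[::1]:8080' -> (host, port)."""
    host, port = addr.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header lines, UDP rows, blank lines
        lhost, lport = split_addr(m.group(1))
        fhost, fport = split_addr(m.group(2))
        rows.append({"lhost": lhost, "lport": lport, "fhost": fhost,
                     "fport": fport, "state": m.group(3), "pid": int(m.group(4))})
    return rows


def analyse_browser_path(text: str, process_by_pid: Dict[int, str], browser: str) -> dict:
    rows = parse_netstat(text)
    # port -> [(listening host, pid)] so a loopback peer can be tied to its owner
    listeners: Dict[int, list] = {}
    for r in rows:
        if r["state"] == "LISTENING":
            listeners.setdefault(r["lport"], []).append((r["lhost"], r["pid"]))

    proxied, direct = [], []
    for r in rows:
        if r["state"] != "ESTABLISHED" or process_by_pid.get(r["pid"]) != browser:
            continue
        peer = f"{r['fhost']}:{r['fport']}"
        if ipaddress.ip_address(r["fhost"]).is_loopback:
            owner = "unknown listener"
            for lhost, pid in listeners.get(r["fport"], []):
                if lhost in (r["fhost"], "0.0.0.0", "::"):
                    owner = process_by_pid.get(pid, f"pid {pid}")
                    break
            proxied.append((peer, owner))
        else:
            direct.append(peer)

    if proxied:
        verdict = "local proxy"
    elif direct:
        verdict = "direct"
    else:
        verdict = "no browser connections"
    return {"verdict": verdict, "proxied": proxied, "direct": direct,
            "proxy_processes": sorted({owner for _, owner in proxied})}


if __name__ == "__main__":
    for name, sample in (("proxied", PROXIED_SAMPLE), ("direct", DIRECT_SAMPLE)):
        print(name, analyse_browser_path(sample, PROCESS_BY_PID, "firefox.exe"))
```

On a real machine you would feed it the actual output of `netstat -ano` and a map built from `tasklist`; a loopback peer whose listener belongs to the AV process is the "proxy tunnel" pattern the question is about, while a browser with only non-loopback peers is being scanned some other way (or not at all at the network layer).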
  6. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Thanks for the info, Shane :thumb:
     
  7. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    shane,

    So if I, say, come in contact with an infected page, whatever type of infection... will Norton's NIS 2009 stop the page from loading then? Or will it allow the viruses to be downloaded, then neutralized later? The one thing I miss about Kaspersky was when I hit an infected page I knew it. I got the pop-up message and it told me it stopped it or gave me the choice to do so.

    I have yet to see this with Norton's, and on a test PC I did try hard to find a web page containing this type of content, but no luck with it blocking anything.

    I like the program a lot. I just kinda miss that level of security I felt with the Kaspersky HTTP scanner.
     
  8. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Thanks for the clarification. Yes, NIS/NAV use a local proxy, but not all of the 5 engines I mentioned earlier use it. Proxies in general cause a hit on HTTP throughput, especially on a gigabit network, so we try to avoid using them unless it's absolutely necessary.
     
  9. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Hi zfactor,

    I think it's important to clarify what is meant by "an infected page". There are two kinds of infected web pages:
    Type 1) One that contains content that (directly or indirectly via iframes) leads to the automatic download and execution of a malicious exe without the user's consent. This is typically referred to as a drive-by download that leverages a vulnerability in the browser. NIS will absolutely block such content from ever buffer-overflowing your browser. The html file etc. will still get downloaded, but NIS will block IE from ever executing the malicious script within it. Most importantly, the signatures that look for malicious script are generic vulnerability signatures. They look for a string of length "x" being passed as the 2nd parameter to method "Y" of ActiveX "Z". It was designed to see through any amount of obfuscation of the JScript/VBScript, mixing of JScript and VBScript (has been tried), method name mangling, ActiveX names, variant type disguise, etc.

    Type 2) A web page that has a hyperlink to a malicious exe/zip etc. which, when you click on it, causes the usual IE "Do you want to run or save this file" dialog to show up. The Network scanner does not stop such exes from being downloaded onto the machine. That's why you might find that we don't block in the network stream a lot of the links on http://www.eicar.org/anti_virus_test_file.htm. However, the real-time file scanner will block them from ever being opened, provided it has a signature of course.

    So in answer to the above question, NIS2009 will stop the malicious parts of the page from ever loading right there on the spot. Shell code execution will not occur and hence an exe will not be allowed to be dropped on your machine. Depending on the engine that detects the attack, NIS2009 will also terminate the TCP connection.

    If you'd like, you can PM me some of the links you've tried where you didn't see an alert. I can take a look to see if they are Type-1 or Type-2. Also, let me know which OS you are using. Here is a screenshot of an alert you should see when you visit a web page that hosts a drive-by download (Type 1).
     

    Attached file: Dump.JPG (110.8 KB, 28 views)
    Last edited: Dec 2, 2008
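To make shanep's point about generic vulnerability signatures concrete: the check is on the condition the bug needs (an over-long argument reaching a particular method of a particular control), not on how the script spells its payload. The Python below is an added illustration, not Symantec's engine or signature format; the ProgID Example.Viewer, the method SetTitle, the signature id and all call records are constructed, and the oversized argument is plain filler. It contrasts that condition check, applied to what a script hook sees at call time, with a text-pattern match over the script source, so the same call written three ways gets the same verdict from the condition check while the text pattern only catches the plainly written one.

```python
"""Generic vulnerability signature vs. payload pattern: a toy illustration.

Added example, not Symantec code. It models what a script hook sees at the
moment of an ActiveX method call (ProgID, method, resolved arguments) and
checks the vulnerability condition ("argument N longer than the buffer") rather
than the payload text. The ProgID Example.Viewer, the method SetTitle, the
signature id and all call records are constructed; the argument is filler.
"""

from dataclasses import dataclass
from typing import Any, List


@dataclass
class ActiveXCall:
    progid: str        # object the script instantiated, as resolved at call time
    method: str        # method name as dispatched (case-insensitive in COM)
    args: List[Any]    # arguments after the script engine evaluated them
    script_text: str   # the source text a text-pattern scanner would see


@dataclass
class VulnSignature:
    """The condition that triggers the bug, independent of how the script was written."""
    sig_id: str
    progid: str
    method: str
    arg_index: int
    max_len: int       # longest value the (hypothetical) native buffer can hold


def effective_length(value: Any) -> int:
    """Length the native method would end up copying (simplified model):
    strings by length, arrays by their joined length, numbers by their text."""
    if isinstance(value, (str, bytes)):
        return len(value)
    if isinstance(value, (list, tuple)):
        return sum(effective_length(v) for v in value)
    return len(str(value))


def matches_condition(sig: VulnSignature, call: ActiveXCall) -> bool:
    if call.progid.lower() != sig.progid.lower():
        return False
    if call.method.lower() != sig.method.lower():
        return False
    if sig.arg_index >= len(call.args):
        return False
    return effective_length(call.args[sig.arg_index]) > sig.max_len


# A text-pattern signature keyed on how one known exploit spelled its payload.
PAYLOAD_PATTERNS = ["%u9090%u9090", "unescape("]


def matches_payload_pattern(call: ActiveXCall) -> bool:
    return any(p in call.script_text for p in PAYLOAD_PATTERNS)


SIGNATURES = [VulnSignature("HTTP_EXAMPLE_VIEWER_SETTITLE_BO", "Example.Viewer", "SetTitle", 1, 256)]


def scan(call: ActiveXCall) -> dict:
    hits = [s.sig_id for s in SIGNATURES if matches_condition(s, call)]
    return {"vuln_hits": hits, "payload_hit": matches_payload_pattern(call),
            "verdict": "block" if hits else "allow"}


FILLER = "A" * 4096  # constructed oversized argument, no real payload

# Plain variant: both the condition check and the text pattern fire.
PLAIN = ActiveXCall("Example.Viewer", "SetTitle", [0, FILLER],
    'var o=new ActiveXObject("Example.Viewer");o.SetTitle(0,unescape("%u9090%u9090")+s);')

# Same call, written differently (split string, built-up names, mixed case):
# the text pattern misses, the condition check does not.
OBFUSCATED = ActiveXCall("example.viewer", "settitle", [0, [FILLER[:2048], FILLER[2048:]]],
    'var m="set"+"Title",o=new ActiveXObject("Exa"+"mple.Viewer");o[m](0,[s,t]);')

# Normal use of the same method: nothing fires.
BENIGN = ActiveXCall("Example.Viewer", "SetTitle", [0, "Quarterly report"],
    'o.SetTitle(0,"Quarterly report");')

if __name__ == "__main__":
    for name, call in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(name, scan(call))
```

The design point is the one shanep makes: because the condition signature keys on what reaches the control rather than on the script text, it needs no update when the payload is re-encoded, whereas the text pattern has to chase every spelling. The `effective_length` model is deliberately simple and is an assumption of the example, not a description of any real engine.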
  10. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    Hi shanep,

    Actually, what I meant by the above question was: does Norton Antivirus 2009 implement a proxy pgm that redirects all traffic through it (like the way that the NOD32 pgm does)? Some PCs experience high CPU with NOD32's method of all traffic (including real-time file scanning activities) going through its one local proxy pgm (ekrn.exe), so I was wondering if Norton Antivirus 2009 uses this same technique of all traffic going through one local proxy pgm, or some other technique?

    ... Also, does real-time scanning of larger-sized executable files increase the CPU utilization used by NAV 2009? .... What would you say is the typical CPU utilization range used by NAV 2009 pgms when real-time scanning of executable files takes place?
     
  11. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Hi JosephB,

    I responded to this question above, but here is some more detail. If you installed NAV2009, the HTTP scanning does not use a proxy. If you install NIS2009, the HTTP scanning does not use a proxy. If you install NIS 2009 WITH the Add-On Pack (optional), then a proxy is used only for the Parental Controls, Ad Blocking and Privacy Block features.

    It doesn't.

    This is a hard one since I don't work on the file scanners. However, I would say that given that the scanning takes on the order of a few milliseconds, 10s of milliseconds, maybe even less, it would be hard to measure the CPU utilization during such a small time interval.
     
  12. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    Hi Shanep,

    I have two questions.
    First: How will NIS2009 protect IE64?
    I did install NIS2009 on my Ultimate64 machine and I have to say it works only as a 32-bit application. No integration in IE64, but in IE7 (32-bit) the phishing filter is activated. Further, I can't see that NIS is protecting Opera 9, a 32-bit application that I have running too...

    Second: How can the NIS2009 Realtime-Scanner protect the memory in a Vista 64-bit environment? If a user accepts to run a malware by clicking LUA, will NIS catch the malware?
     
  13. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Hi Shanep,

    You post highly interesting technical info in such a way that it's easy to grasp. I hope you will be posting for a long time here @ Wilders.
     
  14. JosephB

    JosephB Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    310
    Hi Shane,

    Wow! Thanks for that detailed explanation in easy-to-comprehend language, but just to clarify for this newbie, I have two questions about what you stated below:

    1. Does this mean that the HTTP scanning works as some kind of driver level type of a pgm, instead of a proxy type pgm which listens to the ports for traffic to filter ?

    2. Also, will the NAV2009 HTTP scanning engine pgm typically cause any known conflicts with 3rd party firewall programs?
    ....... Specifically, I am using Outpost firewall; would I have any known conflict using NAV 2009 with it? ... If you know offhand, would I need to disable any feature of NAV 2009 to make it work with Outpost firewall?
     
  15. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    Wow, great info Shane, thank you for answering my questions!! I have to say this 2009 version is one of the most impressive advancements I have seen any company make from their previous versions. (Not to say there are no other good apps, because for sure there are, but I have not seen any really step up their game compared to previous efforts like this.)

    I bought NIS2009, and I don't buy AVs very easily, and NIS2009 has replaced Kaspersky on my own personal machines. PLEASE keep up the great work and I hope to see you here at Wilders for a long time to come. More AV companies should have people like you to help; while some already do, MANY do not, and of those that have forums, some are even useless. Thanks
     
  16. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    No answers?
    :blink:
     
  17. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    No patience? ;)
     
  18. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Glad you found the information useful.

    I'm afraid I cannot publicly comment on internal details related to how we implemented the HTTP traffic scanning. All I can reiterate is that for reasons related to performance and incompatibility with streaming applications like audio and video, the core features don't use a proxy. We want the web browsing experience to be as fast as possible.

    I don't believe you will have problems with the base product. The Add-on Pack uses a proxy. I'm not sure how that would work with other products that might also use a proxy. For Outpost, I am not aware of any compatibility issues off the top of my head. I suggest you trial both on the same machine and see if that works for you.
     
  19. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    Oh - I'm still waiting since Vista came out...
    :rolleyes:
     
  20. Defcon

    Defcon Registered Member

    Joined:
    Jul 5, 2006
    Posts:
    332
    I'd also like to know how well Norton 2009 works with Vista 64-bit.

    Shane, we wait anxiously for your answers :)
     
  21. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Yep.. confirming that the Anti-Phishing toolbar does not work on IE64 on Vista 64-bit. It still works on IE32 on Vista 64-bit.

    Anti-Phishing is not supported on Opera.

    Yes it will catch the malware even before it executes.
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    Does all or most of the above apply to Norton 360 v2 also? Or is this just Norton AV 2009 features?
     
  23. shanep

    shanep AV Expert

    Joined:
    Sep 10, 2008
    Posts:
    54
    Norton 360 v2 as well.
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,785
    Thanks.... :thumb:
     
  25. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Sorry if this is a dumb question (and too off topic) - but does 360 v2 have the same scanning engine as NIS 2009? Also, does NIS2009 have the SONAR behavior blocker incorporated? Finally, in 360 v1 I noticed that the toolbar for IE was not able to be disabled without the red X in the task icon coming on. Is this still the same? I had to disable the toolbar in 360 v1 because of a noticeable surfing slow down.

    Thanks
     