NIS 2013 x64 Users - A Must Read!

Discussion in 'other anti-virus software' started by itman, Feb 13, 2013.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Below is the help screen for NIS 2013 firewall Advanced Events Monitoring feature. Please note everything I have highlighted in bold.

    Appears NIS 2013 x64 is missing one heck of a lot of HIPS protection plus no keylogging protection.

    This was an eye opener for me. No where in any Norton ads have I observed x64 restrictions for NIS 2013. However, I am getting old and I might have missed them?

    Advanced Events Monitoring

    When you are connected to the Internet, there are various ways by which intruders can gain unauthorized access to your computer.

    Intruders can gain access to your computer in the following ways without causing firewall alerts to appear:

    - Launching and manipulating safe programs without your knowledge
    - Attaching to a safe program without getting detected
    - Launching trusted applications in hidden mode through command-line parameters
    - Injecting code into other applications' processes
    - Modifying the URL of an Internet browser through Windows messages
    - Bypassing firewall inspections by penetrating the Windows TCP/IP layer to send and receive data
    - Using the documented interfaces that Windows Active Desktop provides to transmit data outside the network
    - Using keylogger programs to monitor the keystrokes of a computer user, thereby gaining access to a user's personal information
    - Instantiating controlled COM objects to manipulate an application's behavior

    The Advanced Events Monitoring settings consist of the following categories that provide your computer with advanced protection:

    Program Component
    Monitors the malicious programs that launch Internet-enabled programs.

    Program Launch
    Monitors the malicious programs that attach to safe programs without being detected.

    Command Line Execution
    Monitors the Trojan horses or malicious programs that launch trusted applications in hidden mode through command-line parameters.

    Code Injection
    Monitors the Trojan horses or malicious programs that inject code into an application's process without triggering firewall alerts.

    This category is not available if you use 64-bit version of Windows.

    Window Messages
    Monitors the Trojan horses and other malicious programs that manipulate an application's behavior to connect to the Internet without triggering firewall alerts.

    This category is not available if you use 64-bit version of Windows.

    Direct Network Access
    Monitors the Trojan horses and other malicious programs that bypass network traffic.

    These programs penetrate the Windows TCP/IP layer to send and receive data without triggering firewall alerts.

    Active Desktop Change
    Monitors the malicious programs that use the documented interfaces that the trusted applications provide to transmit data outside the network without triggering firewall alerts.

    This category is not available if you use 64-bit version of Windows.

    Key Logger Monitor
    Monitors the malicious keylogger programs that access personal information of a user on a particular computer by monitoring their keystroke activities.

    This category is not available if you use 64-bit version of Windows.

    COM Control
    Monitors the malicious programs that manipulate an application's behavior by instantiating controlled COM objects.

    This category is not available if you use 64-bit version of Windows.
     
  2. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    Wow long way to go with the X64 version.:argh:
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    It's the same with PC Tools - "Enhanced Security Verifications", which is a similar HIPS based protection, did not work with 64-bit systems. Since version 9.0, the option isn't there anymore.

    In Norton, "automatic program control" does a similar thing, but perhaps on a different level. This should still be available on 64-bit.
     
    Last edited: Feb 13, 2013
  4. jo3blac1

    jo3blac1 Registered Member

    Joined:
    Sep 15, 2012
    Posts:
    739
    Location:
    U.S.
    Wow still not 64 bit product. Aren't we in 2013?
     
  5. truoc

    truoc Registered Member

    Joined:
    Dec 31, 2012
    Posts:
    34
    Location:
    United States
    Does this apply to Norton 360 as well? I'm assuming it does since they use similar if not exact technologies, but wanted to clarify.
     
  6. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
    How important are these - how much protection are you missing?

    I have NAV now that expires in less than 30 days. I was planning to get NIS to gain the firewall but since I use Windwos 7 X64, maybe it is not worth it? Would I still gain much over NAV with the NIS firewall?
     
  7. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
    Will researching this, I found this old message thread on this same board: https://www.wilderssecurity.com/archive/index.php/t-222506.html

    It is short but it seems people are arguing at that time (late 200:cool: that many antivirus programs had less features on X64 systems because Microsoft added kernel security enforcement to X64 systems that X32 do not have and the features do not work and/or are not needed because of what Microsoft added in X64 systems.

    For example, a poster in the 2008 quoted thread, wrote, "No product is going to have the same feature set on 64-bit has they do on 32-bit. By locking down the kernel using PatchGuard, Microsoft has seen to that. Kaspersky too has a lot of HIPS-related features that are missing on 64-bit."

    And this recent wiki entry indicates that some antivirus programs have advanced features that do not work with Windows X64: http://en.wikipedia.org/wiki/Kernel_Patch_Protection

    Wiki highlight on subject:

    ""Some computer security software, such as McAfee's McAfee VirusScan and Symantec's Norton AntiVirus, works by patching the kernel[citation needed]. Additionally, anti-virus software authored by Kaspersky Lab has been known to make extensive use of kernel code patching on x86 editions of Windows.[15] This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.[16] Because of this, McAfee called for Microsoft to either remove KPP from Windows entirely or make exceptions for software made by trusted companies such as themselves.[3]

    Interestingly, Symantec's corporate antivirus software[17] and Norton 2010 range and beyond [18] does work on x64 editions of Windows despite KPP's restrictions. Antivirus software made by competitors ESET,[19] Trend Micro,[20] Grisoft AVG,[21] avast!, Avira Anti-Vir and Sophos do not patch the kernel in default configurations, but may patch the kernel when features such as "advanced process protection" or "prevent unauthorized termination of processes" are enabled. Sophos publicly stated that it does not feel KPP limits the effectiveness of its software.[22][23]""


    So it seems other antivirus providers are missing advanced features on X64 systems too and it is not just Norton. Anyone know which programs and which features?
     
    Last edited: Feb 13, 2013
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I just checked the NIS 2013 user manual. No mention of those Advanced Events Monitoring features being unavailable for x64 OSes. Have we caught Symantec in a do-do here?

    BTW - if you open up AEM, you will not find any of those unsupported x64 features listed.
     
  9. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
    But it seems other antivirus providers* lose advanced features because of Microsoft's Patchguard kernel protection in x64 systems and the ones that do have the features in X32 systems should not be using kernel modifications for these features anyway (Microsoft does not allow it) but they do so because Microsoft does not enforce it in x32 O/Ss (see my post above yours.)


    * From wiki "Kaspersky Lab has been known to make extensive use of kernel code patching on x86 editions of Windows"
     
    Last edited: Feb 13, 2013
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Using Malware Research Group's last banking protection software test, appears some have found a way around it. As far as AVs go, Avast IS, Comodo Pro, Emsisoft Antimalware, and Kapersky IS all passed their tests. Plus a few speciality anti-keyloggers such as Zemana, Trusteer, etc.
     
  11. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
    With the promising tests of Avast 8, I might switch to it.

    Do you have link for above so I could study the report?
     
  12. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,045
    Location:
    USA
    I thought it was bad enough that Norton didn't support 64 bit Office or any 64 bit browsers. If this is also true, back to Kaspersky I go. :mad:
     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    I'm not aware of any security software vendor that openly explains which features of their products are not supported or only partially supported in X64 Windows. You have to dig for that information.

    Well documented reviews will state when the tested OS is Windows x64 so at least you can see how effective the product is on the 64 bit platform. In any case it is rare now that machines come preloaded with x86 (32 bit) so the focus going forward is effectiveness on x64. These days x86 Windows means mostly XP and even though the kernel can be patched you have to ask if it can be made as secure as x64 Vista/7/8.
     
  15. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    As long as Norton has top tier effectiveness and performance, which all recognized tests seem to suggest, these differences (thanks to Microsoft for no alternative to patchguard) don't matter to me.

    And I agree, Kudos to Symantec for even publicly acknowledging this. Many others don't
     
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,045
    Location:
    USA
    Maybe, but most of these tests are done on Windows XP. Now I understand why. I haven't run XP for 6 years, so as far as I am concerned, none of these tests are valid.
     
  17. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Well said, if security suite scramble hard to work with x64 kernel, so do malware
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I can't recall one review and/or "independent" test where this AEM x64 restriction issue was acknowledged. Speaks volumes for the quality of the stuff floating around the Internet these days.

    Worse if you read postings on the NIS forum, the "expert" trolls there will emphatically state that NIS has antilogging protection.

    As far as public announcement of x64 restrictions, some vendors are forthcoming on the issue and others are deceptive. Symanatec being a major internation corporation however is expected to be held to a higher standard I would believe. I find it hypocritical that orgranizations that are trying to sell you "trust" related products are many times untrustworthy in their sales execution methods.
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,045
    Location:
    USA
    It does, and I am glad you brought this to my attention.

    Yeah, you don't dare say "64 bit" there. I along with other users have requested support for 64 bit IE and 64 bit Office for some time, only to be told that we shouldn't be using those things. Now it looks like they don't even reasonably support 64 bit Windows.

    They should be held to a higher standard, and it appears they have worst 64 bit support of any vendor I have encountered. I'm done with them until they pick up the ball they dropped 6 years ago when 64 bit Vista was released.
     
  20. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    You have no idea what you are talking about. AV-Test has switched to Windows 7 64-bit a while ago.
     
  21. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    More generally the Symantec/Norton forums are run more like marketing vehicles than support venues in my experience. If you point out a genuine weakness that can't be corrected by changing a setting, etc, they keep smiling and blow smoke. You only have to look at how they responded to NIS being unable to stop the zeroaccess rootkit to see this behavior in action. To date I don't know if the Norton products can stop or remove it. The products are worthless if you can't trust the vendor IMHO.
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Have you heard about MoneyPak and problems with NIS with respect to getting it removed? :)

    It appears to me NIS doesn't have a strong enough unpack engine to deal with variants of such malware. Norton certainly has some issues, and IMO, they have been focusing too much on performance rather than protection in recent years, though they remain decent at protection too. I personally prefer SEPS, which seems to be a much higher quality, no-nonsense product than Norton :)
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,045
    Location:
    USA
    Yes, because there are no other testing sites.
    From this thread:
    https://www.wilderssecurity.com/showthread.php?t=341306
    From the PDF linked in the article:
    "We test with Windows XP SP3 and Internet
    Explorer 7 due to the high prevalence of internet
    threats that work with this combination."
     
    Last edited: Feb 14, 2013
  24. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA

    Av-Tests uses Windows 7 (SP1, 64 bit) for its Windows 7 results. It consistently shows Kaspersky and Norton equal just a hair (statistically no difference) behind Bitdefender in detection. http://www.av-test.org/en/tests/test-reports/
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    AV-Test has for some time rotated on quarterly basis by OS their testing. I believe they were the first to do this. AV-Test is also my favorite test lab.
     
Loading...
Thread Status:
Not open for further replies.