Norton Internet Security 2013 vs AdAware

Discussion in 'other anti-virus software' started by mattdocs12345, May 23, 2013.

Thread Status:
Not open for further replies.
  1. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    I was looking for a WiFi hot spot. Binging resulted in me going to this site:
    http://virtualrouterplus.com/
    I downloaded the virtual router pro and NIS did not inform me that the installer contains AdAware. The installer was signed in Chinese. The installation resulted in a bunch of toolbars and other FF modifications that could not be uninstalled.
    A quick scan with MBAM Pro resulted in 1x AdAware found which was subsequently removed.

    After further search I found out that the official site is actually here:
    http://virtualwifihotspot.codeplex.com/releases/view/101858
    This one doesn't contain any adware and is a standalone installation. Interestingly, this file is unsigned.

    Throughout the entire process, NIS 2013 gave me 0 notifications. The installer from http://virtualrouterplus.com/ was found to be reliable according to Norton Insight. While this was not a virus, I was disappointed by NIS 2013's performance. An all-in-one security suite should protect from viruses, malware and adware.
     
    Last edited: May 23, 2013
  2. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    Seems you posted the same link above? I fail to see the difference.

    Let's see what Norton fans have to say about its "premium" protection ;)
     
  3. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Sorry. I have updated the links. The official site for Virtual Router Plus is here:
    http://virtualwifihotspot.codeplex.com/

    The other one is some kind of a hoax to get you to install adware.
    I redownloaded the file from the hoax site http://virtualrouterplus.com/
    Interestingly, an on-demand scan with neither MBAM Pro nor NIS reveals any adware.
    Norton File Insight gives it a GOOD rating!!!?
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    Matt- an interesting piece of software. But note that all of the toolbar installations could have been skipped by the user, as long as the user took the time to read what he/she was agreeing to.

    However it did throw off a file into the temp folder that is detected by quality scanners, Norton sadly not being among those (I believe VT scans are banned here, so I'll say no more).
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Well Norton Insight is primarily reputation based but is supposed to also check file hashes and if the file has a cert. Doubt it actually checks the cert.
    Norton Insight to my knowledge does not actually scan the file for malware at that point but leaves that to its realtime scanning when the file is accessed or scanned manually or through one of its scheduled scans.

    I think its Quick scan does check the download folder at least. If you stored the download somewhere else, it might have missed it at that time.

    How effective NIS/NAV is against adware is debatable. I would say poor to average at best.

    BTW - I always make it a point to manually scan anything I download from an "iffy" source regardless of what Insight says.
     
  6. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Actually I did click skip and despite that, the toolbars were installed and my search settings were completely altered in FF.
    However, even if there is a way to skip installation of "offers," there is no way to completely remove them. The search engine and other configuration settings in FF remained changed/altered. Inability to uninstall an offer qualifies it as malware.
     
  7. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    828
    Location:
    Ireland
    How many engines at VirusTotal detect that file?

    Currently, 8/47 detect the installer.
     
  8. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    UPDATE:
    Other scanners from xyz sources confirmed it's adware/riskware/etc...
    Disappointed at on-demand scanners for both Symantec and MBAM Pro. At least MBAM Pro cleaned out the system from the infection. Symantec reported no infections...
     
  9. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    547
    Location:
    USA Southwest
    Why is that?
     
  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,948
    Location:
    U.S.A.
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Tell that to Google!
     
  12. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    547
    Location:
    USA Southwest
  13. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    This is the sort of scenario where Sandboxie proves its effectiveness.
     
  14. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,948
    Location:
    U.S.A.
    aztony, you're welcome! Take care.
     
  15. mhl6493

    mhl6493 Registered Member

    Joined:
    Apr 20, 2010
    Posts:
    230
    Location:
    Tennessee
    :thumb:
     
  16. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    265
    Location:
    USA
    Can you scan a file before you download it? I always manually scan after one is downloaded, but is there a way before?
     
  17. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hello,

    You can use the Virus Total Uploader (available on their site), enter in the download link, and it will open a web page with the results.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    WOT gave the "hoax" web site link a 76 with 96,000 downloads. Not the highest safe rating but not in the "at risk" category.

    Also, an 8/47 rating at VT doesn't set off danger bells either.

    As said previously, maybe adopting a "run in the sandbox" approach to any unsigned software initially would be the best remedial approach.
     
  19. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    As I was curious about this package, I did a little further analysis and found some interesting tidbits. Although I didn't have access to the Norton product I had to use SEP 12.1.

    1). I installed the software making sure that I ran it as Custom Installer- this allowed me to either "Skip" or "Cancel" all of the toolbars. After installation and reboot no browser settings were changed, no toolbars were installed, and the single file in Users/Name/App Data/Temp was all that remained. Malwarebytes tagged it as malicious (adware) but Symantec and HMP did not concur (pricepeep_130001_0101.exe, VT 19/46).

    2). I then installed the program (clean machine, of course) using the Typical Installation setting. The installer (connecting to a server in Germany) threw off a number of daughter adware/toolbar installers: bundlesweetimsetup.exe, dp.exe, FastFreeConverter_Somoto2.exe, pricepeep_130001_0101.exe.
    Symantec only tagged dp.exe as a baddie, and only 1 AM product caught all of them- TrendMicro HouseCall (why does an image of a blind squirrel come to mind?).

    So toolbars were installed, default browser homepage and search provider were changed. Using the Windows uninstall routine (which had to be done for like 5 or 6 packages) did not, as OP has mentioned, get rid of the toolbar. At this point I decided to test something. I wiped the machine and prior to installing the program again I installed Comodo Program Manager (just was curious). I then installed the full adware package with the same results. But this time I attempted to remove via CPM. All I had to do was to uninstall the main Virtual Router App and something termed "Bundled App" or some such. All toolbars and assorted adware were removed. I did have to manually reset my homepage, and IE alerted me to a change in search providers which I reset.

    All in all an interesting experience and my thanks to Mattdocs for starting this thread!
     
  20. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    786
    Location:
    255.255.255.255
    I have seen a lot of programs not effective against adware. Actually, it's debatable whether programs which install toolbars are adware. You can skip them if you want.
    But in your case, I guess that was a bit of an extreme case of toolbar install which could not be cleaned easily. It should have been caught. I see very few AV have detected it as adware.
     
  21. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    976
    Location:
    Paris
    This particular installer package really shows the importance of having an outbound alerting firewall in place. Each adware package had its own install routine, so I received outbound alerts for each one. Pretty easy to deny at that point, just leaving some temp files around and about.
     
  22. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    NIS 2013 has an outbound FW which did not alert me of anything.
    I mean this is an "Internet Security" and so it is supposed to be an all-around protection.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here's the scoop on the NIS firewall running in automated mode which is the default.

    If the process is rated as "trusted" by Insight, the firewall will generate a rule to allow all inbound/outbound traffic. If the process is rated "good", the firewall will generate a rule allowing all outbound UDP/TCP traffic. I believe anything else outbound will be blocked.

    I have also seen the firewall block "unusual" outbound traffic from a trusted process such as an FTP dialout.

    You can turn off the firewall's automatic control and you will receive alerts on everything. Problem is some of the alerts are for local subnet traffic, broadcast traffic, and the like, so you really have to know what your OS is doing to effectively respond to the alerts.

    Bottom line - if you're looking for a firewall with intelligent granular control, the NIS firewall is not it.
     
  24. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    McAfee detects.
     
  25. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    I attempted to download from the first link and Avira blocked it straightaway.
     