I found some of the methodology of the Youtube test dubious. For instance at one point the tester disconnects from the Internet and turns off Auto Protect so he can copy a folder full of malware files to the desktop. That's not something most users would do. Then he scans the files while still offline, his reasoning being that it's valid because people can be infected by malware from USB flashdrives while offline. Again that's an unrealistic scenario, and I would have preferred that he actually have the malware on a USB flashdrive if that's the attack vector he intends to test. Although the various modules of a security suite function with a degree of independence the effectiveness of a product can only be accurately determined when the product is fully functional. No one part of the product is designed to stand alone. The reason why security products in general are using more "cloud analysis" is because signatures cannot be generated fast enough to keep up with new malware. The model of having 100% detection capability available offline via signatures no longer works and testers need to stop testing products that way and criticizing them when they fail. The one thing I would agree with is the slow response of Sonar. Note that although he did set it to aggressive he did not change the setting from "high certainty" to "low certainty" (or whatever the more sensitive setting is called). That may have improved the result. Question: Does Norton Security still have a Boot Protection option? I ask because that option has been off by default in previous versions. It should have been on by default IMHO and if it still exists it should be turned on and set Aggressive.