Question re NIS 'High Risk' file handling

Discussion in 'other anti-virus software' started by Longboard, Sep 14, 2009.

Thread Status:
Not open for further replies.
  1. Longboard

    Longboard Registered Member

    Joined: Oct 2, 2004
    Posts: 3,187
    Location: Sydney, Australia
    So NIS 2010 is out and getting good raps.
    Q for any current 2010 users:
    In v2009, any file judged high risk by Symantec was ripped off the drive, not Quarantined; no removal options: just removed with no option for recovery.
    See here for example:
    http://community.norton.com/norton/...back&message.id=70028&query.id=1281147#M70028
    No real answer there :cautious:

    Does the new version have different options and better suspicious file handling??

    I can't really risk an install for arbitrary removal of any files I might want to keep.

    The, imho, critical issue was no warnings or other options before auto-removal.
    We have had issues with the "Symantec knows best" policy and no OWNER consent before.
    regards
     
  2. zfactor

    zfactor Registered Member

    Joined: Mar 10, 2005
    Posts: 6,012
    Location: on my zx10-r
    AGREED, that was the one thing that truly bothered me about the 2009 version.. I have not played with each setting enough yet. I did notice though that Norton deleted a test file and when I checked quarantine it was there and I was able to choose what to do with that file. If I removed it from the log Norton said the file would not be able to be uploaded or recovered, so I am guessing there is a way to un-quarantine it but I have not tried yet. I'll play with it later tonight to see.

    Here are screens of the 2010 version and all available settings: NOTE ALL SETTINGS SHOWN ARE DEFAULT EXCEPT THE TRACKING COOKIE WHICH IS SET TO AUTO.
     


  3. 1boss1

    1boss1 Registered Member

    Joined: Jun 26, 2009
    Posts: 401
    Location: Australia
    When you are on the quarantine page with the list of quarantined files, over on the right there's a small plain blue text link that says "Options"; it's not real obvious. When you click that you can Restore the file, Clear Log or Submit it to Symantec.

    So from the main dashboard, it's 3 clicks to restore a quarantined file then one more to confirm which is pretty good.
     
  4. Longboard

    Longboard Registered Member

    Joined: Oct 2, 2004
    Posts: 3,187
    Location: Sydney, Australia
    Thanks for posting the screenies. :)

    I can see the "Low Risk > Ask Me" setting and the sig and file exclusions.
    No change there.
    I can't see the/any 'Auto-Removal' settings options for High Risk files.

    As I noted @ Symantec forums, the user interface is getting complex to say the least !!

    I guess if I want to keep going with NIS, I'll have to dl and install into a snapshot and see ...is there a Symantec page with option details anywhere?

    ( boy the Symantec home pages are getting a little top heavy too !! )

    Thanks again zfactor.

    EDIT: @1boss1: ya, aware of how NIS handles some files, but the issue was autodeletion of high risk files: 'no ask me first' or 'quarantine before removal' options available for high risk files and no recovery options :ouch:
     
    Last edited: Sep 14, 2009
  5. zfactor

    zfactor Registered Member

    Joined: Mar 10, 2005
    Posts: 6,012
    Location: on my zx10-r
  6. Longboard

    Longboard Registered Member

    Joined: Oct 2, 2004
    Posts: 3,187
    Location: Sydney, Australia
    I'm afraid to say, unless someone can correct me: I am very very disappointed.
    AFAICS, the handling of "high Risk" items has not changed. :mad:
    This has the potential to be a pita if NIS is just going to rip out without specific permission.
    Lots of > disable Auto-protect > install or download > rar or zip > add exceptions > turn Autoprotect back on > see what happens: blech. :gack:
    Turn Autoprotect off to actually run some files to prevent inappropriate removals.
    Ridiculous: and in the face of other highly competent security apps offering more control with fewer mouse clicks, shell extensions etc.
    The only thing in favour of this approach is Symantec's good record of low FPs.
    What makes me gag at the forums while reading is the blind acceptance of this setting and the somewhat stupid !!! and moot advice re submitting a deleted file to Symantec: wot ?? :blink:

    User forums peppered with improper file deletions.

    The 'options' box in the autoprotect configs for High Risk files is set to 'Delete' and cannot be changed ( which as noted have included older Sandboxieinstall.exe and IceSword :blink: )

    There is little doubt that these options can be changed: surely Symantec is not averse to the idea of A BIG RED BOX for warning and descriptions. Most peeps would respond appropriately methinks; or, at the least an "advanced settings" option available only to those who ask or look for it.

    Have to say, also, on the basis of those GUI screenies and the descriptions of the newer functionality: my brain hurts trying to figure out what does what first how and where.. and how to set the current options. :D
    Looks the goods but how will "average joes" navigate all those lists..?? :doubt:

    Symantec's home page links and kb are riddled with dead ends !!

    The configs GUI has now apparently become so complex..

    This may become a watershed for me after more than a decade with Symantec.

    Seems to be a trend for some security tools: the, to my mind, dumbing down of settings, less and less granular control for end users, lower and lower LCD.
    Handing over of control to Symantec: while I'm happy to have a partner/seatbelt in the box/car, they don't actually start the engine or do the steering for want of a better description.

    I know the "average joe" settings are important, but more interested users get left out. :p
    Will watch and wait a bit.
    Don't want to get too excited and burn all bridges, really: had only 1-2 actual episodes of this auto-delete over a long time, but the history log has been full of false low risk detections in the past..

    From 2008:
    http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=15769
    Page 17 from LanaK, Symantec employee:
    Wonder what happened ??

    I really hope I have missed some secret settings....o_O
     
    Last edited: Sep 15, 2009
  7. 1boss1

    1boss1 Registered Member

    Joined: Jun 26, 2009
    Posts: 401
    Location: Australia
    Indeed, I can't find a way to prompt me what to do for High Risk items, it just auto-zaps them. I downloaded a mixed bag of malware to test it properly; on the positive side auto-deleted high risk items can be restored and aren't just tossed into an unrecoverable void:

    malware.png

    However indeed, yes it's disappointing they didn't hand enough control to the advanced user to make their own choices about what happens to the files on our own systems on a case by case basis.. Without shutting down and crippling system wide protection to get around the restriction.

    I think they spent a little too much time on things like defragger/optimizer, CPU/Memory graphs and things like that to make it "cool" to the average user.

    I was also a little upset at them jamming the web safe toolbar in Explorer, Firefox and Antispam in Outlook despite me disabling these options before launching my browsers or email after installing NIS.

    Despite these annoyances I'm fairly happy with it for my needs, its detection seems quite good, it runs very light on my system and after initial tweaking and setup I could go days/weeks without ever needing to open it. I just hope they push out an update that enables an "Ask Me" switch for high risk like they have for low risk.

    Yep, no argument here. The other day I was trying to find the NIS10 download link, and I ran into a page offering to "upgrade" me to 2007. o_O
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined: Mar 28, 2006
    Posts: 2,642
    Location: Cymru
    I installed NIS to have a look for myself.

    Mmm got a weird BSOD as soon as I clicked agree and install.

    So I tried again and okay. I tried out a scan and it reminded me why I don't use this sort of software - files that were not infected were tossed away because of association - all deleted plus a few other annoyances. Don't get me wrong, this 2010 product is well slick, fast...and a lot more going for it besides, good show to them.
     
  9. acr1965

    acr1965 Registered Member

    Joined: Oct 12, 2006
    Posts: 4,954
    Does NAV give the path to where the potentially infected piece of malware is located? I could not find it in NAV 2009.
     
  10. ASpace

    ASpace Guest

    You've got to click on the "Details" option and have an in-depth look at the History (details). Norton is not like most other AVs - it is extremely automated - most of the time it just says "I have work to do and I am doing it", "You have no work to do, you are secure" :D
     
  11. Longboard

    Longboard Registered Member

    Joined: Oct 2, 2004
    Posts: 3,187
    Location: Sydney, Australia
    @1boss1: re file handling of high risk deleted items: that is more encouraging wrt file handling, isn't it? :)
    Symantec have pulled some rabbits out of the hat re running at low mem use but have obviously decided to leverage that into a bucketful of options and extras.
    The default toolbar install is a nuisance always was and always will be :(

    The increased "automation" as a default is an issue.
    That's a nice summary in three lines.

    Hhmm: Been good to me for a while, but now, is Symantec worth the nuisance value because of the defaults and what appears to be an increasing FP rate along with the limited control options, extraneous features, amazingly complicated config options and complicated exclusion protocols.

    I really don't appreciate the approach that "'we never get it wrong' so we'll pull these files and you fix it afterwards" as a default.
    Really really needs shell extensions or other options for "exclude and send to Symantec". Lots of other security apps have got that well sorted. :mad:

    Will be interesting re FP rate in formal testing: roll on AVC.

    :) ya again, the well put "it works for me" position. :thumb:

    I have 50 days subs left: Needs some thought.
    LOL, been a long time since I experimented with other AV and their own foibles: and now really good HIPS/HIDS options.
     
    Last edited: Sep 16, 2009