Why not Norton AV?

Discussion in 'other anti-virus software' started by Jack_W, Jan 12, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Ianb, your screenshot shows Symantec 8.0 failing to detect a spyware sample. Are you aware that this is NAV 2002, which does not detect Expanded Threats? Had they tested with the current version Symantec 11.0 {NAV 2005}, or even 10.0 {NAV 2004}, that sample would most likely have been detected. Detection of Expanded Threats only began with NAV 2004. Attached is a screenshot of the current version number for NAV 2005 which I am running.

    Here is Symantec's page explaining Expanded Threats:
    http://securityresponse.symantec.com/avcenter/expanded_threats/

    QUOTE: "Symantec AntiVirus products allow users to protect themselves from a variety of potential software and Internet threats. These include malicious code such as viruses and Trojans, as well as Expanded Threats, which include Spyware, Adware, and Dialers."

    {Bolding is mine} .. but I have no doubt that had they tested with a more current Engine {version 10 or higher}, that sample would have been detected. I mean no offense folks but it helps if you fully understand the Product you are criticizing. Testing with an obsolete Engine is misleading and unfair. Perhaps this is done in innocence, I don't mean to flame anyone here.

    There have been several instances where I have seen people posting that NAV missed such-and-such, but when I PMed the person and got them to send me the sample, I tested on my PC and found that indeed NAV was detecting the sample. I mean no offense but, I have seen so many instances of this, that I take these posts about isolated {lone} samples with a grain of salt.

    Until someone sends me the sample(s) where I can test and verify on my own PC, with an up-to-date Engine and Database for NAV, that the sample is missed -- I tend to be highly skeptical of these posted claims -- no offense.

    Take Care Everybody and Please Let's not Flame Each Other. I try to be fair to ALL AV's, not just my own preference {NAV}. There are several good AV products on the market, that is what free market is all about, and it is healthy and wise that we have the free choice and diversity of product choices. Each person's system and needs are different.

    Warmly, and in Peace, Ran
     


  2. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    480
    Location:
    Dallas, TX
    The truth is in the middle, Norton isn't as bad as many of the "experts" on security forums say it is; but, then again, it isn't as good as most of "laymen" in the wider world think it is. I am quoting the terms "experts" and "laymen" not to offend or insult anyone, but rather to reflect a generalization that in my view has some validity.

    The point is this... I know countless people that buy PCs so that they can play games, check their email, and occasionally use something like MS Office or Intuit Quicken. For whatever reason -- lack of knowledge or overreliance upon heavy marketing and promotion -- most of these people think that they are perfectly safe once they have installed Norton Anti-Virus. In the minds of many of these people NAV is a panacea. The problem is that this is, of course, just not true. Anyone with an actual interest in personal computers and information security can quickly attest to that reality. So the PC aficionados quickly become tired of trying to dispel the NAV panacea myth that many of the PC laymen hold, especially when many of these same aficionados believe that NAV is a mid-grade anti-virus product at best. It is easy to see why NAV quickly becomes a source of antipathy among these people.

    No AV product is perfect, and for each such product I could almost invariably produce some malware that is not detected by it, that is detected by the alternative products. That is almost a given in the marketplace. Yes it's true... I have definitely seen up-to-date NAV installs totally miss multiple viruses and malware infestations that other products subsequently caught. However, I suspect that the reverse would largely be equally true. I believe that one has to approach the anti-virus field not from a viewpoint espousing perfection but rather from a perspective acknowledging the benefits of continual education, a modicum of vigilance, and the concept of a layered defense.
     
  3. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Very Well Said. I have tested roughly a Gig's worth of samples, and I am sure I could produce some lone samples that NAV was detecting but your AV {whatever it is: NOD, PCC, AVG, etc.} was missing. It is easy to do. Not only that, but any skilled hacker who knows his stuff can "doctor" any one of the thousands of malwares out there, so as to be undetected by a given Scanner -- by careful hexediting, or exotic runtime packing and encryption techniques.

    I have even seen threads discussing instances where someone had rebased the entire KAV Database! My point is, you must be careful to not base conclusions on a lone isolated sample or two. And you have to know all the details. For example, is the sample packed with some form of runtime-packer? Well if it is, it might go undetected by older Engines of NAV or PCC which did not at that time include unpackers. Or if the packing is more exotic, it might only be detected by KAV {which has over a thousand unpacker-decrypter formats in its bases} or McAfee {which also has good unpackers albeit not as good as KAV}. There are many things you have to take into consideration when making comparative product evaluations ..

    Again, that is well stated and a good, non-inflammatory post, Alec. I thoroughly agree, in fact, I would add that IMHO this applies to most AV products: they are neither as bad as their "haters" try to paint them, nor as good as their "lovers" try to paint them.

    I don't know why comparative AV discussions are so volatile; the closest thing I can liken it to is racial bigotry and hatred .. and I mean no offense by that metaphor or likeness. What I mean is, IMHO some folks harbor such hatred toward one Vendor-X {X = Symantec, TrendMicro, Kaspersky, ESET, take your pick, depending on the poster} -- animosity characterized by the kind of negative passion that reminds me of race-hatred, although it isn't nearly so serious as that.

    Maybe we need to invent a new Online Crime, call it "Vendor Hate Crime", hehe .. just a thought. :D :D :D

    But thank you for you nice post. ;)
     
  4. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    Well.....Don't these Norton threads turn into very hot topics!

    Randy,
    I'd love to hear your advice on my current AV situation. I'm still on NAV2003 and due for renewal about October. Now I never upgraded to 2004 because of a fair bit of negative stuff that I had read. I know I will probably have big strife uninstalling 2003, but I may end up doing it on a clean XP reinstall. I have been fairly happy with 2003, and I'm using it in conjunction with Adaware, SWB, Spybot, Ewido (free) and FF Browser. My system has been very clean for a year or two now. My question is basically...Is 2003 getting a bit antiquated? How would it stack up against...say the latest free AVG? If I stick with Norton, should I go to 2005? Any advice would be appreciated. I'd like to get my 'homework' done well ahead of October!
    Thanks,
    Buck.
     
  5. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Yes indeed they do, not just here at Wilders, but at every other forum I've been to! It seems there is little or no "in-between", folks either seem to really like NAV or they loathe NAV. Strange thing is, with all the negativity, NAV keeps polling about the same numbers amongst users, roughly between 40 to 50 percent of users in polls I see on various forums, with McAfee a distant second. Symantec must be doing something right, even if it is in the area of marketing, and there is nothing wrong with marketing your product. Anyway .. hehe ..

    I can't tell you what to do but, really by the time October rolls around you will be able to get NAV 2005 for zero dollars after rebate; so there is little incentive to spend more dollars renewing a subscription for an old engine, IMHO. NAV 2005 has some substantial improvements under the hood, were I you I would "go for it" assuming your system specs are adequate, and if you are running NAV 2003 with ease on your box, there should be no problem. ;)

    Regarding AVG, I have heard that AVG 7.0 is greatly improved, and it does seem their frequency of updates has increased {I've been active in updates at DSLR and now here at Wilders so I notice these things}. NAV has the better testing record but I don't know how much of that is "in the past", i.e. tests based on earlier versions of AVG that don't stack up to the newest.

    It's your call of course, only you know your system so intimately, and your needs.

    Take Care,
    Warmly, Ran
     
  6. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    Thanks for that Randy.
    Cheers,
    Brad.
     
  7. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    Ran, you are correct. I had to reinstall NAV2005 to test it myself and it detected both of those samples. I have had Trojans before that it didn't detect, that's why I dumped it ........... maybe they ARE making an effort after all.

    As far as I'm concerned it has been a good debate so far, I will keep testing NAV for Trojans and other Malware (not at that site though) and report what I find.

    Bigbuck, I had a major problem uninstalling 2003 with the script blocking; if you get the same, drop a note on here, as I have the answer in an email somewhere.
     
  8. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Glad to see you're such a "good sport" and not offended by my comments. One other thing, in my testing I find that sometimes a very new sample {trojan, worm} may be undetected by the dailies {the NAV IU} but if you download the latest rapidrelease defs it will often be detected:

    ftp://ftp.symantec.com/public/engli...virus/rapidrelease/symrapidreleasedefsi32.exe

    for an FTP download, or:

    http://definitions.symantec.com/defs/rapidrelease/symrapidreleasedefsi32.exe

    for an HTTP download. Rapidrelease Defs are discussed at the WebSite here:

    http://securityresponse.symantec.com/avcenter/beta.download.html

    The LiveUpdate definitions, as currently designed, are mainly to protect against established in-the-wild {ITW} threats, and not to detect the more exotic and newest latebreaking stuff {the newest malware samples}.

    Finally if you discover some that NAV is absolutely missing, and I get sent those often { :D :D }; just submit to avsubmit@symantec.com; or, so long as you have a working installed copy of NAV, the best way is to Add the sample to Quarantine and click on "Submit Item", which launches the Scan-and-Deliver wizard to walk you through submission to SARC.

    I mention that because I've submitted a lot of samples myself, and encourage others to submit to your Vendor-of-Choice; as, in that way we all benefit when our Vendors receive new malware samples so they can add protection {new signatures} for us.

    Thanks Again,
    Warmly, Ran
     
  9. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Now why couldn't all threads about Norton end up like this one has ended (if it has ended)? :cool:

    Acadia
     
  10. Not yet...One more question...LOL

    What is the truth, or importance, to the claim made here at other posts at Wilders that NAV and PcCillin don't remove registry entries left behind by malware? Is that true? Importance?
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Randy, your last post is the main reason why I don't recommend NAV and why so many people have problems with it.

    OK if you are an "expert", but in the real world most NAV users can just about manage to press "update now" on an antivirus program, and it is totally beyond them doing FTP downloads and installs.

    When NAV makes it easy to get updates, and not only the automatic weekly ones, then we might see a decrease in the number of NAV users infected by fast spreading worms or viruses.

    Why can't NAV use a NOD or KAV system where auto updates are hourly or every X hours and there is a nice clear button that says "update now" and that will download and install the very latest up to the minute updates, without all the faffing around with FTP & installing into folders etc.
     
  12. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    I hope they will eventually convert to an "all-liveupdate" {LU} system of updating such as you suggest. Note that McAfee, another big Vendor, has a similar system, their "Weeklies" occur on Wednesdays {just like NAV} and their dailies are essentially "beta" manual downloads similar to what I have described for NAV:

    McAfee Weekly: http://www.nai.com/us/downloads/updates/dat.asp?id=1
    McAfee Daily {beta}: http://vil.nai.com/vil/virus-4d.asp

    The daily update for NAV is a manual "intelligent updater" {IU} published at the WebSite:
    http://securityresponse.symantec.com/avcenter/download.html

    Although it is a manual download, I would not say it is that obtuse. We post the daily NAV IU here in your Wilders Updates forum. {I myself have posted most of them lately :D }. So I wouldn't characterize it as so difficult as to be beyond the grasp of an average user.

    With the IU, there is no "extraction into folders", it is an executable program; you simply download it and run it, and it automatically extracts into your virusdefs folder and when done, there is no need to reboot, your defs are updated then. The same applies to the "rapidrelease" defs, it is a file like the daily IU which you download and run as an executable. {They, the IU and the rapidrelease, are just self-extracting (SFX) zip archives with a little built-in program which tells them where to extract the defs}.

    NAV and McAfee are not the only ones, I understand Computer Associates eTrust EZ downloads are rather large; so is the {beta} Controlled Pattern Release by TrendMicro:

    http://www.trendmicro.com/download/pattern-cpr.asp

    and also the daily update used by Panda:

    http://www.pandasoftware.com/download/updates/

    Not all the AVs use the small "differential" or "incremental" updating system that you are speaking of.

    But you are right, the usual KAV update is small {again, I post many of the KAV updates here in the updates forum myself}. I'm not familiar with NOD32's updating system, so will trust your expertise on that.

    KAV and Dr. Web update very often, you are correct about that. I don't have an easy explanation as to why the different AV vendors have such differing update systems.

    Finally, one exception is when KAV comes out with a new Cumulative, which is a large download, but that only happens every few months. ;)

    Take Care my friend,
    Warmly, Ran
     
    Last edited: Jan 22, 2005
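    The post above contrasts a small "differential" or "incremental" update with a large full download such as a KAV Cumulative. As an added example, not code from the thread or from any AV vendor, here is a toy signature database in Python with both package types side by side. Everything in it is constructed for the demonstration: the signature names, the byte patterns, and the package format (a JSON object carrying a digest of the database the client should end up with, and, for a delta, a digest of the base it was computed against).

```python
import hashlib
import json

# Added example, not code from the thread or from any AV vendor: a toy signature
# database with a full ("cumulative") package beside an incremental one.
# Signature names, byte patterns and the package format are all constructed.


def sig_db_digest(signatures):
    """Digest of the whole signature set, so a client can check the database it ends up with."""
    h = hashlib.sha256()
    for name, pattern in sorted(signatures.items()):
        h.update(name.encode() + b"\0" + pattern + b"\0")
    return h.hexdigest()


def build_cumulative(signatures):
    """Full package: every signature, plus the digest the client must arrive at."""
    return {
        "type": "cumulative",
        "signatures": {n: p.hex() for n, p in signatures.items()},
        "digest": sig_db_digest(signatures),
    }


def build_incremental(old, new):
    """Delta package: only what changed between two database versions.
    base_digest pins the delta to the exact database it was computed from."""
    return {
        "type": "incremental",
        "base_digest": sig_db_digest(old),
        "added": {n: p.hex() for n, p in new.items() if old.get(n) != p},
        "removed": [n for n in old if n not in new],
        "digest": sig_db_digest(new),
    }


def apply_update(client_db, package):
    """Apply either package type and return the new database.
    Refuses a delta whose base does not match, and any result whose digest is wrong."""
    if package["type"] == "cumulative":
        result = {n: bytes.fromhex(p) for n, p in package["signatures"].items()}
    else:
        if sig_db_digest(client_db) != package["base_digest"]:
            raise ValueError("delta was built against a different base; fetch a cumulative package")
        result = dict(client_db)
        for n in package["removed"]:
            result.pop(n, None)
        for n, p in package["added"].items():
            result[n] = bytes.fromhex(p)
    if sig_db_digest(result) != package["digest"]:
        raise ValueError("database digest mismatch after update")
    return result


def package_size(package):
    """Bytes on the wire if the package were shipped as JSON."""
    return len(json.dumps(package, sort_keys=True).encode())


def make_sample_databases(n=500):
    """Constructed 'old' database of n signatures and a 'new' one with a few changes."""
    old = {f"Constructed.Sample.{i}": hashlib.sha256(f"sig{i}".encode()).digest()[:16]
           for i in range(n)}
    new = dict(old)
    for i in range(n, n + 3):                        # three new detections
        new[f"Constructed.Sample.{i}"] = hashlib.sha256(f"sig{i}".encode()).digest()[:16]
    new["Constructed.Sample.7"] = b"\x00" * 16       # one signature revised
    del new["Constructed.Sample.3"]                   # one false positive retired
    return old, new


if __name__ == "__main__":
    old, new = make_sample_databases()
    inc, cum = build_incremental(old, new), build_cumulative(new)
    print("incremental:", package_size(inc), "bytes; cumulative:", package_size(cum), "bytes")
    assert apply_update(old, inc) == new
    assert apply_update({}, cum) == new
```

    The two digests are the point of the design: a delta is only meaningful against the exact database it was computed from, so a client whose database has drifted (a missed update, a corrupted file) gets a clear refusal and falls back to the cumulative package, which is exactly the role the occasional large KAV Cumulative plays in the post. The digest after applying lets the client confirm that what it has on disk is what the vendor intended, whether the package came down as a small delta or as a full download.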
  13. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    I've wondered about that myself, that is, how "automated" can one make the malware removal process? With NAV, when it detects something, there is an active link to the virus in the GUI {the graphical interface} itself, which if you click on it will take you to Symantec's writeup on the virus. From there, you can click on "removal instructions" and get rid of the bugger yourself. I am unsure how automated one can make the removal process; if that were possible there would not be as great a need for detailed writeups at Vendor Sites. Not only that, I suspect that different "variants" of the same thing may have slightly different reg-entries and infecting filenames which would thwart an auto-removal process that did not take into account every possible variant. There might even be cases {and I recall reading of some} where random filenames and varying regvalues are used to infect, in which cases I wonder how the heck anyone could automate removal of those ?? Seems to me there *has* to be some human intervention and intelligence involved; I am skeptical of any claims to fully "automate" the malware removal process. I do know that Symantec provides some of the best writeups, and maintains one of the best Virus Encyclopedias, on the Net. So I really don't think this is that great an issue. Just my two cents .. ;)
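    The removal question above, as an added example that is not part of the original post and not any vendor's tool: a Python simulation with a constructed fake filesystem and fake Run-key entries (plain dictionaries, no real registry access), contrasting a writeup-style removal keyed on the value names one variant happened to use with a removal keyed on the hash of the file each entry launches. The file names, value names and file bodies are all made up.

```python
import hashlib
import re

# Constructed sample data, not real malware: a fake filesystem and fake
# "Run" key values. Two entries launch the same body under random names,
# a third launches a repacked body, and one is a legitimate program.
FAKE_FILES = {
    r"C:\Users\alice\AppData\Local\Temp\qzx81kd.exe": b"constructed-variant-body-A",
    r"C:\Users\alice\AppData\Local\Temp\m4vt02p.exe": b"constructed-variant-body-A",  # same body, new name
    r"C:\Users\alice\AppData\Local\Temp\p0a9ssd.exe": b"constructed-variant-body-B",  # repacked body
    r"C:\Program Files\Vendor\updater.exe": b"constructed-legit-updater",
}
FAKE_RUN_KEY = {
    "svchostupd": r'"C:\Users\alice\AppData\Local\Temp\qzx81kd.exe" /silent',
    "WinSysHelper": r"C:\Users\alice\AppData\Local\Temp\m4vt02p.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" -check',
    "DriverSync": r"C:\Users\alice\AppData\Local\Temp\p0a9ssd.exe",
}
# What a vendor signature would carry: a digest of the known-bad body, not its file name.
KNOWN_BAD = {hashlib.sha256(b"constructed-variant-body-A").hexdigest()}


def executable_from_command(command):
    """Pull the program path out of a Run value: quoted path, or first token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    if not m:
        return None
    return m.group(1) or m.group(2)


def remove_by_name(run_key, writeup_names):
    """Writeup-style removal: delete exactly the value names one variant used.
    A variant that picked different names is left untouched."""
    removed = [n for n in writeup_names if n in run_key]
    for n in removed:
        run_key.pop(n)
    return removed


def remove_by_content(run_key, files, bad_hashes):
    """Content-based removal: delete any Run value whose target file hashes to a
    known-bad digest, whatever name the value or the file was given."""
    removed = []
    for name, cmd in list(run_key.items()):
        body = files.get(executable_from_command(cmd))
        if body is not None and hashlib.sha256(body).hexdigest() in bad_hashes:
            run_key.pop(name)
            removed.append(name)
    return removed


if __name__ == "__main__":
    by_name = dict(FAKE_RUN_KEY)
    print("writeup removal:", remove_by_name(by_name, ["svchostupd"]), "left:", sorted(by_name))
    by_content = dict(FAKE_RUN_KEY)
    print("content removal:", remove_by_content(by_content, FAKE_FILES, KNOWN_BAD), "left:", sorted(by_content))
```

    Keying on the launched file's content removes both copies of the same body regardless of the random names, which answers the "random filenames and varying regvalues" case in the post for that class of variant. It also shows the limit the post is getting at: the repacked body hashes to something else, so a hash-only rule leaves `DriverSync` in place and the human or a broader detection still has to step in.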
     
  14. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Since Jim mentioned both NAV and PCC have been criticised as having these issues with not cleaning regentries, let me add something I forgot to say: that is, TrendMicro also has an excellent Virus Encyclopedia: http://www.trendmicro.com/vinfo/

    I can't imagine that the average PCC user, if he/she is able to *read*, would have many problems in going to the Trend WriteUp and following the instructions for himself!

    Hehehe .. OK I made my point! :D :D
     