• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Kudos0

What's driving Norton Power Eraser?

Symantec Maximum Repair (SMR) is a brand new security engine that drives our new Norton Power Eraser recovery tool. It combines aggressive heuristics and advanced removal capabilities to combat the newest and toughest threats. I thought I would share with you some of the background on why we developed this new engine.

 

Why the need?

The threat landscape has radically changed over the last few years and that has driven the need for new approaches to protection. Most notable are the following trends:

  • A new micro distribution model for malicious threats. A couple of years ago, the norm was to see relatively few threat variants distributed to millions of users.  Today, hackers have moved to a micro-distribution model where millions of variants are created and distributed far and wide to very small numbers of victims. In fact it is not unusual today for most victims to get an infection that is unique to their machine.  Last year alone, Symantec identified 240 million new threat variants but less than 200 actual new threat families.  Hackers are generating these variants in high volume by taking pre-existing threats and packing or encrypting them by using packer kits and custom encryptors, sometimes as often as on a per-download basis.  Fake AVs are also being rapidly rebranded with minor cosmetic changes in order to avoid recognition.
  • Advanced Rootkits. Another major change in the threat space is the increased use of advanced rootkit techniques.  With profit as an incentive, more and more hackers are willing to push the difficult boundaries of rootkit development and deployment.  This can be seen most recently in the spread and evolution of Backdoor.Tidserv and W32.Stuxnet.

  • Fake Antivirus. The last few years have seen a proliferation of Fake Antivirus scams.  Stealthily installing a Fake AV on an unsuspecting user’s machine has become a highly lucrative “business”, and hackers are using every tool at their disposal to avoid detection in order to maximize profits.  Successful distributors can make an average of $130 a day so it’s no wonder that the threat space has moved to infections involving the installation of Fake AVs.  These infections are often multi-layered and difficult to remove as a whole.  They often consist of Fake AV components, Trojans that download the Fake AVs, and rootkits that keep the Trojans hidden.  While some components are easy to spot and remove, such as the Fake AV GUI, leaving any infection components behind leaves the system vulnerable to be re-infected. 

This new and evolving landscape has created a window of opportunity where extremely aggressive threats can infect customers before antivirus suites can provide full protection.

Meeting the challenge

We designed the new heuristic based SMR engine to close this window and stay abreast of the ever-changing threat space.  Key design elements of SMR include:

  • A nimble and easily updatable engine. Since the threat space is always changing in order to evade security suites like our own Norton products, we wanted to provide a tool that can be easily updated as well.  We started by gathering attributes and data points from thousands of threat families in order to build and tune a broad detection net.  This is net is constantly tuned using data gathered from the field so that when the threatspace moves away from Fake AVs, SMR will evolve and be in position to protect against the next scam.  Changing trends in the threat space such as rebranding Fake AVs are easily handled with a definitions update, and having a rapid development cycle means we can react to major changes in infection and rootkit vectors like the .lnk exploit used by the Stuxnet family. 
  • Able to target infections in their entirety. From the downloaders to the payloads and the rootkits that hide them, today’s infections are complex, utilizing multiple components to orchestrate a profitable outcome for the hackers.  SMR is tuned to detect and remove these risks by looking for behavioral patterns such as displaying scareware messaging.  More importantly, SMR is tuned to detect the Trojan that got the Fake AV on your system in the first place, as well as the rootkit that’s hiding it.  We do this by looking at the evasion techniques modern malware use, such as distributing threats in small numbers, utilizing packers and encryptors, and hiding files and registry keys by using rootkits.
  • Aggressive detection techniques: One of the challenges that security companies face as threats evolve is the risk of false positive detections. For this reason, sometimes the most aggressive detection techniques cannot always be used. Because SMR is used in a standalone tool reserved for those situations where a machine is very infected it allows us to be more aggressive in our detection and repair actions. SMR utilizes multiple new heuristic engines and data analysis points in order to detect a broad range of threats.  These include packer heuristics, load point analysis, rootkit heuristics, behavioral analysis, distribution analysis, and system configurations monitors.  Data-driven algorithms use this information to detect zero-day threats and once found, the SMR engine removes the threats early in reboot so they don’t have a chance to protect or repopulate themselves.   

So, if you are infected with a threat, Fake AV or otherwise, give Norton Power Eraser (which is powered by the SMR engine) a shot and let us know what you think.  Your feedback is welcome and will help make this free tool more effective against today’s toughest malware.

Comments

Kudos0

So now this link makes five machines crippled by the Norton Power Eraser.  Apparently support is now using it and can't tell the symptoms of a possible rootkit, never mind what files should be left alone.  Just click fix.  Giving this to support is irresponsible, and ill-considered if even your support people don't know what to do with it.

http://community.norton.com/t5/Norton-360/Serious-problem-Norton-analyst-remote-linked-now-desktop-blank/td-p/301206

Under certain circumstances profanity provides relief denied even to prayer.Mark Twain
Kudos0

"Advanced Rootkits. Another major change in the threat space is the increased use of advanced rootkit techniques.  With profit as an incentive, more and more hackers are willing to push the difficult boundaries of rootkit development and deployment.  This can be seen most recently in the spread and evolution of Backdoor.Tidserv and W32.Stuxnet."

Do Not use NPE (Norton Power Eraser) if it is suspected the likes of TDL3 / TDL4 (Tidserv) rootkits are involved, or like  Ramnit, Virut, Hacktool.Rootkits are involved.

These are infections that patch, modify, inject or overwrite files that are required by Windows to run.

NPE, can or does detect the change in files, then is without the user realizing, is able to delete the critical file(s) causing BSOD's etc.

Quads 

Kudos0

Norton Power Eraser is very aggressive and needs to be used with care. If people would read before they act, they would know NPE itself says to use only as a last resort. Norton Antivirus should be the tool of choice, but it is not perfect and sometimes fails to fix problems. NPE runs more like a regestry checker or systym analysis than it does an anti virus. NPE also allows the user to determine if they want to delete a suspicious file by giving a means to see the location, judge the importance, and view the date of creation. If the suspicious file is in programs, root, or is a DLL file, don't check the box. If the creation date is older than the problem, don't check the box. NPE also takes a snapshot of your system (unless you say no) that allows the user to go to system restore and undo harmful actions. When handled properly Norton Power Eraser is a great tool. 

Kudos0

I downloaded the NPE tool file from the link above but I'm bothered by the lack of information at that point about the NPE.

If I run the downloaded file will it immediately run or is it an installer that then allows me to decide whether or when to run it? There is a popup at the Download button but says nothing about that -- just the usual stuff on Save etc.

Can it be run from a thumbdrive?

Could we please be provided with some information about the tool?

If the answer is that it is all lthere then all I can say is that it was not at the end of the link given and nowhere on that page was there a link to more information .....

Hugh
Kudos0

"This tool contains the latest detection and removal techniques for newer variants of Tidserv"

No it doesn't  LOL,  although the good thing is The Tool (as I posted a screenshot on the forums), at least does not  delete the File detected even though it cannot repair the file as it's to new.

But that is why even TDSSkiller continually get updated so that it can now repair the X64 variants which is now at 03.

But also at least now Symantec is doing a lot better compared it even back when TDL2 was rampant and I had to push and push, then I had to push and push (and test on my machine in real world when Norton was Detecting TDL3 and restarting causing a BSOD (same with zeloaces.inf).  I had to do some talking.   It was in the end an error in the definitions. 

Yay Symantec is getting there.

Quads

Kudos0

Also if you suspect you have a Tidserv/TDSS infection, we've developed a new tool, FixTDSS, that can be found here.  This tool contains the latest detection and removal techniques for newer variants of Tidserv and this technology is currently being implemented into the next version of SMR.

Kudos0

<< Regarding installation and deployment, NPE is a standalone executable that requires no installation.  It runs on demand and can be executed from a thumbdrive. >>

Thanks WIlson.

This needs to be said on the download site!

This needs to be said on the download site!  <g>

Hugh
Kudos0

Thanks for the feedback.  The fight against rootkits is ongoing and we are currently integrating new technology into SMR that will detect and repair newer versions of Tidserv.  In its current iteration, SMR will not detect these variants, but it should not remove system critical files if run.  While there were a few reported incidents of SMR removing critical files, these have been reviewed and addressed with the latest definitions update.   Please also note that NPE displays all files it finds as suspicious for review by the user before removal and provides a undo feature in case the user wants to rollback the remediation.    

We’ve noted the suggestion for integrating the undo feature with NBRT for the rollback of unstable systems.  This is a good suggestion and is currently under consideration.

I agree that more information regarding when and how to use this scanner would be helpful.  While we do have the following disclaimer on the NPE download page, “Because the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.” including a video demo and introduction would also help.

Regarding installation and deployment, NPE is a standalone executable that requires no installation.  It runs on demand and can be executed from a thumbdrive.

Thanks again for the feedback and please keep it coming.  All suggestions and concerns will be reviewed and will help us make this tool better and more effective against the latest infections.

Kudos0

Plain & simple I have heard alot of good thing's about it.....Could you format it to recover bad hard drive sector's?...That would  be special!...

Kudos0

Hmm.  Feed back on Norton Power Eraser can be found in these links.  This tool is being made available to people that have no way of really knowing what they are doing.  Symantec should know.

Here it took services.exe

http://community.norton.com/t5/Norton-Internet-Security-Norton/Can-t-remove-Infostealer/m-p/269009/h...

Here it killed winlogon.exe

http://community.norton.com/t5/Other-Norton-Products/Norton-Power-Eraser/m-p/287902/highlight/true#M...

Here it killed the Intel Processor Manager.

http://community.norton.com/t5/Tech-Outpost/TDSSkiller-TDL4/m-p/243067/highlight/true#M1214

Here it killed another critical driver causing a BSOD.

http://community.norton.com/t5/Norton-Internet-Security-Norton/Infected-w-search-engine-hijack-virus...

Hmm, took out the LAN here.

http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-Antivirus-Email-Error/m-p/2633...

Under certain circumstances profanity provides relief denied even to prayer.Mark Twain
Kudos0

Hi, Norton Community. I have a couple of questions regarding Norton Power Eraser:

1. Is NPE compatible with x64 OS? 2. Is NPE can detect and eliminate Backdoor.Tidserv(aka TDSS) x64 variants(I meant TDL4/TDL5 versions of this rootkit)?3. Can NPE detect other x64 malware? 4. Is NPE detects anomalous system changes? (e.g. non standard UserInit key, many IP addresses which are bound on loopback in hosts file, task manager and / or registry editor blocking via policies, etc).5. Does NPE removes all traces of file, which has been deleted, from registry? (I meant if some file create a couple of  CLSIDs, WinLogon notify, etc...  does NPE delete these things when it has been removing this file?)Thank you for your answers. 

UPD

6. How stable is NPE when malware controls TCP/IP stack of network protocols(i.e. when network connection is not flat and may be terminated by malware).

Kudos0

I made a suggestion in one of those topics, I hope someone from Symantec saw it.

You really need to have some way for a person to "undo" any changes made by Norton Power Eraser.

For a non-booting system, you should make a way for the Norton Bootable Recovery Tool to be able to make the "undo".  And since NPE is available to anyone, the NBRT should be able to undo any changes without needing to input a valid serial number.

The NPE is a great tool but there needs to be a "way out" for situations where it doesn't work or the user makes a bad choice.  Leaving somone with a non-working system is not a good thing.

Just my opinion,

Dave