<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: To Symantec experts... in Norton Internet Security / Norton AntiVirus</title>
    <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77764#M40747</link>
    <description>I use a programming system that has many processes in it: I'll call one of them xY2000.exe.  This file during compiling modifies many intermediate files used by other parts of the programming system (basically, xY2000.exe reads many sources and modifies some header files more than once so that other compile processes are more efficient).  When I run this system under NIS2009, SONAR flags this process (xY2000.exe) and quarantines the file.  If I run this system under N360, SONAR does not flag this process.  I have asked what the difference is between the two products but have never gotten a complete answer.  Not complaining about the SONAR in NIS2009 but would like to know why one triggers and the other does not.  Same hardware; same compiling system; same source files compiled.  Duh....</description>
    <pubDate>Tue, 17 Mar 2009 19:59:19 GMT</pubDate>
    <dc:creator>dbrisendine</dc:creator>
    <dc:date>2009-03-17T19:59:19Z</dc:date>
    <item>
      <title>To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77389#M40544</link>
      <description>Hi all. I wonder why Symantec does not focus its research on unraveling how the rogues change their code. Polymorphic malware is a huge problem because the detection signature is not a reliable system. Malware code changes frequently and has a different signature which is not recognized as a threat... In one week I have sent more than eight samples of malware that NIS09 did not detect, and if they are running on the system then they are very difficult to completely disinfect.&lt;br&gt;&lt;br&gt;I think Symantec should initiate new ways of establishing their safety directives; the detection signature is outdated and easy to circumvent. I think we should make a lot of improvements based on the application behavior.&lt;br&gt; A good idea would be to create an equivalent function to a virtual machine to assess how each new program behaves, and the actions it carries out in the system, before allowing its integration into the computer.&lt;br&gt;&lt;br&gt;Greetings</description>
      <pubDate>Mon, 16 Mar 2009 17:32:16 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77389#M40544</guid>
      <dc:creator>Serekantum</dc:creator>
      <dc:date>2009-03-16T17:32:16Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77397#M40550</link>
      <description>It will make Norton slower</description>
      <pubDate>Mon, 16 Mar 2009 18:14:08 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77397#M40550</guid>
      <dc:creator>Rohit1gupta</dc:creator>
      <dc:date>2009-03-16T18:14:08Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77399#M40551</link>
      <description>&lt;p&gt;01. That is why Pulse Updates were Created.&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;02. I don't think Signature-based Detection is useless - far from it - that is why Pulse Updates were Created.  ;)&lt;/p&gt;&lt;p&gt; &lt;/p&gt;</description>
      <pubDate>Mon, 16 Mar 2009 18:15:47 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77399#M40551</guid>
      <dc:creator>Floating_Red</dc:creator>
      <dc:date>2009-03-16T18:15:47Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77418#M40562</link>
      <description>&lt;p&gt;Floating_Red, I never said that the detection signatures were useless; what I say is that they cause a period of time when the malware is not detected and during which it can damage the equipment. This would not happen if we implemented a smart detection system based on behavior. And given the level of current hardware, I do not think this kind of technology will cause a lot of slowdown in a modern computer with a multi-core processor and over 3 GB of RAM.&lt;/p&gt;&lt;p&gt;Greetings&lt;/p&gt;</description>
      <pubDate>Mon, 16 Mar 2009 19:25:04 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77418#M40562</guid>
      <dc:creator>Serekantum</dc:creator>
      <dc:date>2009-03-16T19:25:04Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77427#M40569</link>
      <description>Yeah, it's a shame the SONAR behavior blocker isn't capable of detecting new variants of the rogues... It &lt;em&gt;can &lt;/em&gt;be effective against some other totally new viruses, but then you don't know how long the malware infection has come, and it's definitely not against all. Just tested running the first crack with malware in it seen on a torrent site for NIS09 in the purpose of testing something for a Wilders discussion. SONAR wouldn't do a thing. The FIRST result returned on the torrent site for the search term. Yes, it was a new infection, but that's what SONAR is for... I thought generic signatures were already implemented (and probably have been for quite some time?), considering all the topics about Generic.200 infections? Are the rogues not detectable through generic signatures? They still seem to be the same rogue programs (well, except for the new being released, but that's not all the time - often it's changes of the same rogues).&lt;div class="message-edit-history"&gt;&lt;span class="edit-author"&gt;Message Edited by RavenMacDaddy on &lt;/span&gt;&lt;span class="local-date"&gt;03-16-2009&lt;/span&gt;&lt;span class="local-time"&gt; 08:50 PM&lt;/span&gt;&lt;/div&gt;</description>
      <pubDate>Mon, 16 Mar 2009 19:50:44 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77427#M40569</guid>
      <dc:creator>RavenMacDaddy</dc:creator>
      <dc:date>2009-03-16T19:50:44Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77708#M40719</link>
      <description>&lt;p&gt;Hi Serekantum&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;We have a number of methods we can adopt to provide detection against malware. You explicitly call out behaviour-based detections which is something we adopted a number of years back using our SONAR engine. While behavioural detections have their advantages in proactively detecting new threats, we are still not in a place where we can solely rely on behavioural methodologies. Signature-based detections offer some advantages over behavioural detections as they are more specific and as a result are less prone to false positives as well as offering better performance. Signature-based detections these days are also not simply one-to-one detections, in fact we will always choose the signature which offers the broadest potential coverage. &lt;br /&gt;&lt;br /&gt;We also develop a number of heuristic signatures which are designed to detect particular characteristics associated with malware. You mention Packed.Generic.200 which has been very successful in proactively detecting malware associated with downloading misleading antivirus products. Regarding polymorphic threats, we have a specific engine which allows us to emulate the behaviour of such complex threats and allow us to effectively detect and repair them. A recent example of a complex polymorphic threat is W32.Virut.CF - we currently have full detection and repair in place for this threat's many iterations.&lt;br /&gt;&lt;br /&gt;In general, with the volume and complexity of today's threats, an effective antivirus product needs to offer a combination of detection possibilities. We continue to investigate improvements to our behavioural engines, in addition to regularly creating heuristics and generic signature detections. 
If you look at the list &lt;a href="http://www.symantec.com/business/security_response/threatexplorer/threats.jsp" target=_blank&gt;here&lt;/a&gt; you'll see 6-7 new generic/heuristic detections released in the past month. &lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;Regards&lt;/p&gt;&lt;p&gt;Orla &lt;/p&gt;&lt;p&gt;Symantec Security Response &lt;/p&gt;&lt;p&gt; &lt;/p&gt;</description>
      <pubDate>Tue, 17 Mar 2009 16:44:22 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77708#M40719</guid>
      <dc:creator>orla_cox</dc:creator>
      <dc:date>2009-03-17T16:44:22Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77711#M40720</link>
      <description>&lt;p&gt;Unfortunately, I still don't feel safe to *test* what I know to be malware which would at the time of that testing still be undetected by Norton products.&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;The last 2-3 times I did that the *test* resulted in a malicious process active and running on my system, creating hidden entries in the Run section of the registry, and so on and so on... &lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;Never in my 5 years of almost incidentally using Norton have I seen a SONAR (behavioral) alert and detection. I and my family rarely come across an infection accidentally, so Norton seemed sufficient to me thus far.&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;Would you be so kind as to explain to us where this SONAR analysis takes place? On our system or on some Symantec's test machine? And what is the timeframe for that?&lt;/p&gt;</description>
      <pubDate>Tue, 17 Mar 2009 16:59:26 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77711#M40720</guid>
      <dc:creator>TomiRed</dc:creator>
      <dc:date>2009-03-17T16:59:26Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77713#M40722</link>
      <description>&lt;p&gt;Also an anecdote about repair..&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;A couple of times I came across an obvious USB flash disk (autorun) spreading malware, still undetected by Norton (09) version, when scanned manually.&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;I would take it out, leave it on one of my disks as an inactive file. My system would never be infected in the first place.&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;A couple of days (or a week) after, the file is detected by NIS 09 as SillyFDC!&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;And NIS would then promptly ''clean'' my Registry of entries that did not even exist (because malware never got the chance to be active on my system). Funny. :D&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt; &lt;/p&gt;</description>
      <pubDate>Tue, 17 Mar 2009 17:07:58 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77713#M40722</guid>
      <dc:creator>TomiRed</dc:creator>
      <dc:date>2009-03-17T17:07:58Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77714#M40723</link>
      <description>I can confirm that SONAR detection takes place on your machine inside Norton products.  I have gotten several SONAR popups over the last year and have always done analysis on the suspected files.  Some are normal files that are used in compiling software (I program many different types of control systems) but some have been dubious at best and my system does not miss them.  I would say that out of the two products that I know have SONAR routines that NIS2009 is 'tighter' in its control than N360.</description>
      <pubDate>Tue, 17 Mar 2009 17:08:15 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77714#M40723</guid>
      <dc:creator>dbrisendine</dc:creator>
      <dc:date>2009-03-17T17:08:15Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77720#M40725</link>
      <description>&lt;p&gt;We don't really know, you see, even the generic and heuristic detections rely on some kind of downloaded signature, it seems to me.&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;Either it is a packer (a compression utility) that only malware authors use (those are these Packed.Generic detections), or it looks very much like a trojan in its code inside (Generic.Trojan)&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;What I haven't seen from Norton is a kind of alert that would stop a process from downloading, dropping and executing files, creating a hidden file in a system directory, a hidden entry in the Run section and the like...even if it is not described in any of those by-the-looks-of-the-file based detections..&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;Except maybe if Suspicious.MH960 is a precursor for such detections... &lt;/p&gt;</description>
      <pubDate>Tue, 17 Mar 2009 17:24:32 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77720#M40725</guid>
      <dc:creator>TomiRed</dc:creator>
      <dc:date>2009-03-17T17:24:32Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77721#M40726</link>
      <description>&lt;blockquote&gt;&lt;hr&gt;dbrisendine wrote:&lt;br&gt;I can confirm that SONAR detection takes place on your machine inside Norton products.  I have gotten several SONAR popups over the last year and have always done analysis on the suspected files.  Some are normal files that are used in compiling software (I program many different types of control systems) but some have been dubious at best and my system does not miss them.  I would say that out of the two products that I know have SONAR routines that NIS2009 is 'tighter' in its control than N360.&lt;hr&gt;&lt;/blockquote&gt;&lt;p&gt;I thought N360 was still using the same system entirely when it comes to security now in v3 as 2009-edition does. (?) Could you try to clarify how specifically SONAR is being tighter in its monitoring or such in NIS2009 for example compared to N360v3? I'm simply curious about the details. :) The difference between 2009 products and v3 I thought was that N360 is supposed to be even less in your face (while I can't really get how - my NIS09 is working completely automatic and even more effective against malware* by only changing low-risks and tracking cookies to automatic removal :P), but maintain the same level of protection. (?)&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;* = Being even more effective was proven when testing to run HotBar, which is considered a low-risk with the default setting for this threat-rating, which is &amp;quot;Ask me&amp;quot;. NIS09 would have about 4 detections and growing of the low-risk (HotBar) and from what I recall didn't even stop it at first from executing, so it had seemingly made it into my system already to some degree because of the prompts. Instead setting this category to 'automatic removal', it would block HotBar from even starting its setup executable. It wasn't able to do or start a thing. Therefore the protection from Norton is seemingly much better when setting these two categories for automatic removal. 
How good isn't that? ; more comfortability (the software is in most cases COMPLETELY automatic now, except for cases like deleting whole archives because of infection, where the user should be able to make a decision) and better protection at the same time! :D&lt;/p&gt;</description>
      <pubDate>Tue, 17 Mar 2009 17:53:47 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77721#M40726</guid>
      <dc:creator>RavenMacDaddy</dc:creator>
      <dc:date>2009-03-17T17:53:47Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77764#M40747</link>
      <description>I use a programming system that has many processes in it: I'll call one of them xY2000.exe.  This file during compiling modifies many intermediate files used by other parts of the programming system (basically, xY2000.exe reads many sources and modifies some header files more than once so that other compile processes are more efficient).  When I run this system under NIS2009, SONAR flags this process (xY2000.exe) and quarantines the file.  If I run this system under N360, SONAR does not flag this process.  I have asked what the difference is between the two products but have never gotten a complete answer.  Not complaining about the SONAR in NIS2009 but would like to know why one triggers and the other does not.  Same hardware; same compiling system; same source files compiled.  Duh....</description>
      <pubDate>Tue, 17 Mar 2009 19:59:19 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77764#M40747</guid>
      <dc:creator>dbrisendine</dc:creator>
      <dc:date>2009-03-17T19:59:19Z</dc:date>
    </item>
    <item>
      <title>Re: To Symantec experts...</title>
      <link>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77815#M40774</link>
      <description>&lt;blockquote&gt;&lt;hr&gt;&lt;p&gt;dbrisendine wrote:&lt;br&gt;[ ... ]&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;I have asked what the difference is between the two products but have never gotten a complete answer.  Not complaining about the SONAR in NIS2009 but would like to know why one triggers and the other does not.  Same hardware; same compiling system; same source files compiled.  Duh....&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;div&gt;&lt;span&gt;Vista HomePrem SP1&lt;br&gt;NIS2009 16.2.0.7 (still waiting for 16.5.0.134 update) &lt;/span&gt;&lt;/div&gt;&lt;hr&gt;&lt;/blockquote&gt;&lt;p&gt;You will find a partial answer in this very recent post on the wider distribution of the long awaited 16.5.0.134!&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;&lt;strong&gt;  &lt;/strong&gt;&lt;a target="_blank" href="http://community.norton.com/norton/board/message?board.id=nis_feedback&amp;amp;message.id=40753"&gt;&lt;font color="#984f05"&gt;&lt;strong&gt;Re: To Tim Lopez re 16,5 update &lt;img alt="[URL]" border="0" width="22" height="9" title="This message contains a hyperlink" src="http://community.norton.com/i/skins/default/subject_has_url.gif"&gt; &lt;/strong&gt;&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;p&gt;by &lt;strong&gt;&lt;font color="#ff0000"&gt;jensm&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;font color="#ff0000"&gt; &lt;/font&gt;&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;&lt;font color="#000000"&gt;First class news including:&lt;/font&gt;&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;&amp;lt;&amp;lt; We will publish a detailed 16.5 changelist on the forum later today. The 16.5 code is basically the underlying code of the N360 Version 3 infrastructure. It includes all bug fixes since we shipped 16.0 that are also in N360. This is really a quality release and addresses our top Support issues, including feedback from this forum.  
&amp;gt;&amp;gt;&lt;/p&gt;&lt;p&gt; &lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt; &lt;/p&gt;</description>
      <pubDate>Tue, 17 Mar 2009 22:12:19 GMT</pubDate>
      <guid>http://community.norton.com/t5/Norton-Internet-Security-Norton/To-Symantec-experts/m-p/77815#M40774</guid>
      <dc:creator>huwyngr</dc:creator>
      <dc:date>2009-03-17T22:12:19Z</dc:date>
    </item>
  </channel>
</rss>

