dickevans
Posts: 9,525
Registered: ‎04-08-2008

Re: Concerned about NIS 2012 efficiency


v0id wrote:

Next time in 2013 version more work in protecting Norton disabling by viruses not just give us new skin and say tada this is new NIS 2012.

 



That didn't happen this time, last time or the time before. It won't happen next time either. If that's what you think happened then you haven't really exercised the product and its features.

Enjoy

Dick
Win7x64 SP1 current NIS V20
Regular Contributor
eric3312
Posts: 98
Registered: ‎09-04-2011

Re: Concerned about NIS 2012 efficiency

This is a little concerning though. It does make me question whether or not switching from Kaspersky to Norton was the right move... I really hope they look into this.

I hope we could get a Symantec employee to look into this further.


Windows 7 Professional 64-bit (SP1) - Mozilla Firefox 7.x - Norton Internet Security 2012
Norton Anti-Theft 1.0 - Norton Utilities 15 - Norton Online Backup (100 gb)
michaell
Posts: 284
Topics: 4
Kudos: 205
Solutions: 14
Registered: ‎07-15-2008

Re: Concerned about NIS 2012 efficiency

Hello Everyone,

 

I am going to forward this to Symantec Response team so they can take a look at it. Really it all depends if the person who made the video provides the sample set of malware he used in his test. But I would like to make a couple of notes about this test:

 

  1. Usually most users will not have a zip file of malware on their PC; the user will either have to download the threat or get it via email. The website where the threat is hosted may already be blocked by Norton Safe Web. Of course we won't know for sure until we get the sample threats.
  2. I am not sure if he had User Account Access in Windows 7 enabled or not.
  3. If anyone is worried about this, you can password protect Norton settings. I think one scenario that could have happened is that the threat elevated itself to admin access, then at that point it can turn off Norton Tamper Protection through the settings and then kill ccSvcHst and then do other damage to NIS. This is just speculation, but once malware elevates itself, and is not detected by security software, at that point it can do whatever it wants. So having User Account Control enabled, keeping your Operating System and security software up-to-date, and being careful when installing third-party software of unknown origin is your best protection against something like this.
Super Spam Squasher
Bombastus
Posts: 1,686
Registered: ‎11-16-2009

Re: Concerned about NIS 2012 efficiency

Hello michaell,

 

While I agree 100% with the importance of 1 and 2 in your posts, shouldn't Norton protect users who come across malware from other sources than the Internet, in unzipped format (1) and who have for some reason disabled UAC (2)?

 

 

michaell
Posts: 284
Topics: 4
Kudos: 205
Solutions: 14
Registered: ‎07-15-2008

Re: Concerned about NIS 2012 efficiency

One other thing I forgot to mention: we also have Norton Power Eraser for such cases. The scanner on that is much more aggressive than the one in NIS and should help in such circumstances.

michaell
Posts: 284
Topics: 4
Kudos: 205
Solutions: 14
Registered: ‎07-15-2008

Re: Concerned about NIS 2012 efficiency


Bombastus wrote:

Hello michaell,

 

While I agree 100% with the importance of 1 and 2 in your posts, shouldn't Norton protect users who come across malware from other sources than the Internet, in unzipped format (1) and who have for some reason disabled UAC (2)?

 

 


That is where Sonar and virus defs would come into play. In this case they did not detect the threats. That is because no anti-virus software can detect threats 100%. If we were to do so then we would end up having a lot of false positives and disabling software that is not a virus. So it is a balancing act. I am going to forward this on though to see if there is something we can improve or fix if there is a bug. But like I said, once a threat slips past security software and is given admin level access to the operating system, there is nothing that can be done.

Super Keylogger Crusher
SlamDunkley
Posts: 174
Registered: ‎02-18-2010

Re: Concerned about NIS 2012 efficiency

It was me that wrote that. When it's password protected, permission is needed to turn off the Norton Product Tamper Protection. If the rootkit doesn't know the password, it can't tamper with it. But it's a test based on default settings so what I said was totally irrelevant.

Regular Contributor
ace11
Posts: 38
Registered: ‎10-02-2008

Re: Concerned about NIS 2012 efficiency

michaell wrote:

Hello Everyone,

 

I am going to forward this to Symantec Response team so they can take a look at it. Really it all depends if the person who made the video provides the sample set of malware he used in his test. But I would like to make a couple of notes about this test:

 

  1. Usually most users will not have a zip file of malware on their PC; the user will either have to download the threat or get it via email. The website where the threat is hosted may already be blocked by Norton Safe Web. Of course we won't know for sure until we get the sample threats.

--------------------------------------------------------

 

A USB flash stick is a common source. Think of his zip as malware residing on a USB flash stick.

The user plugs in the stick, executes the malware and BOOM. System fail!

 

 

michaell
Posts: 284
Topics: 4
Kudos: 205
Solutions: 14
Registered: ‎07-15-2008

Re: Concerned about NIS 2012 efficiency

ace11 wrote:

michaell wrote:

Hello Everyone,

 

I am going to forward this to Symantec Response team so they can take a look at it. Really it all depends if the person who made the video provides the sample set of malware he used in his test. But I would like to make a couple of notes about this test:

 

  1. Usually most users will not have a zip file of malware on their PC; the user will either have to download the threat or get it via email. The website where the threat is hosted may already be blocked by Norton Safe Web. Of course we won't know for sure until we get the sample threats.

--------------------------------------------------------

 

A USB flash stick is a common source. Think of his zip as malware residing on a USB flash stick.

The user plugs in the stick, executes the malware and BOOM. System fail!

 

 


While it is true that you can get infected from an infected USB stick, the vast majority of infections are through drive-by downloads, infected websites, or email. That is why we spend so much time protecting users from such infection vectors. In the future USB sticks will become less and less used. I hardly use them any more. That said, I am going to forward this to the response team for review to see if there is something we can do to prevent this from happening in the future.

Regular Contributor
Niko233
Posts: 765
Registered: ‎06-25-2010

Re: Concerned about NIS 2012 efficiency

Hi, everyone!

 

2 suggestions:

 

1) Why not execute norton power defence (like part of NIS or NAV) in aggressive mode after problems with the main NIS/NAV product are detected? It will increase autofix abilities without user actions. At least it can autoexecute NPE (with a warning note that the main product has failed to work) to help users get protected much faster.

 

2) USB sticks: why not show a Norton window asking whether to continue execution of a suspicious file (like SONAR does, but before any action - just at the start of execution or detect its abilities through unpatched vulnerabilities and autorun.ini file)? Just tell the user via a (warning?) window that the file wants to execute.

 

Michaell, can you forward this to the response team for review? Maybe with your additional comment.