It will make norton slower

01. That is why Pulse Updates were Created.

 

02. I don't think Signature-based Detection is useless - far from it - that is why Pulse Updates were Created.  ;)

 

Floating_Red I never said that the detection signatures were useless, what I say is causing a time when the malware is not detected and for which can damage the equipment. This would not happen if we implement a smart detection system based on behavior. And given the level of current hardware, I do not think this kind of technology will cause a lot of slowdown in a modern computer with multiple cores processor and over 3 GB of RAM

Greetings

Yeah, it's a shame the SONAR behavior blocker isn't capable of detecting new variants of the rogues... It can be effective against some other totally new viruses, but then you don't know how long the malware infection has come, and it's definitely not against all. Just tested running the first crack with malware in it seen on a torrent site for NIS09 in the purpose of testing something for a Wilders discussion. SONAR wouldn't do a thing. The FIRST result returned on the torrent site for the search term. Yes, it was a new infection, but that's what SONAR is for... I thought generic signatures were already implemented (and probably have been for quite some time?), considering all the topics about Generic.200 infections? Are the rogues not detectable through generic signatures? They still seem to be the same rogue programs (well, except for the new being released, but that's not all the time - often it's changes of the same rogues).

Hi Serekantum

 

We have a number of methods we can adopt to provide detection against malware. You explicitly call out behaviour-based detections which is something we adopted a number of years back using our SONAR engine. While behavioural detections have their advantages in proactively detecting new threats, we are still not in a place where we can solely rely on behavioural methodologies. Signature-based detections offer some advantages over behavoural detections as they are more specific and as a result are less prone to false positives aswell as offering better performance. Signature-based detections these days are also not simply one-to-one detections, in fact we will always choose the signature which offers the broadest potential coverage.

We also develop a number of heuristic signatures which are designed to detect particular charateristics associated with malware. You mention Packed.Generic.200 which has been very successful in proactively detecting malware associated with downloading misleading antivirus products. Regarding polymorphic threats, we have a specific engine which allows us to emulate the behaviour of such complex threats and allow us to effectively detect and repair them. A recent example of a complex polymorphic threat is W32.Virut.CF - we currently have full detection and repair in place for this threat's many iterations.

In general, with the volume and complexity of today's threats, an effective antivirus product needs to offer a combination of detection possibilities. We continue to investigate improvements to our behavioural engines, in addition to regularly creating heuristics and generic signature detections. If you look at the list here you'll see 6-7 new generic/heuristic detections released in the past month.

 

Regards

Orla 

Symantec Security Response

 

Unfortunately, I still don't feel safe to *test* what I know to be malware which would at the time of that testing still be undetected by Norton products.

 

The last 2-3 of times I did that the *test* resulted in a malicious process active and running on my system, creating hidden entries in the Run section of the registry, and so on and so on... 

 

Never in my 5 years of almost incidentally using Norton have I seen a SONAR (behavioral) alert and detection. I and my family rarely come across an infection accidentaly, so Norton seemed sufficient to me thus far.

 

Would you be so kind to explain to us where this SONAR analysis takes place? On our system or on some Symantec's test machine? And what is the timeframe for that?

Also an anecdote about repair..

 

A couple of times I came across an obvious USB flash disk (autorun) spreading malware, still undetected by Norton (09) version, when scanned manually.

 

I would take it out, leave it on one of my disk as an inactive file. My system would never be infected in the firts place.

 

A couple of days (or a week) after, the file is detected by NIS 09 as SillyFDC!

 

And NIS would then promptly ''clean'' my Registry of entries that did not even exist (because malware never got the chance to be active on my system). Funny. :D

 

 

We don't really know, you see, even the generic and heuristic detections rely on some kind of downloaded signature, it seems to me.

 

Either it is a packer (a compression utility) that only malware authors use (those are these Packed.Generic detections), or it looks very much like a trojan in its code inside (Generic.Trojan)

 

What I haven't seen from Norton is a kind of alert that would stop a process from downloading, dropping and executing files, creating a hidden file in a system directory, a hidden entry in the Run section and the like...even if it is not described in any of those by-the-looks-of-the-file based detections..

 

Except maybe if Suspicious.MH960 is a precursor for such detections...