Computer held hostage? Try Norton Power Eraser

by ‎09-08-2010 12:18 AM - edited ‎09-16-2010 04:55 PM

Bridging the Gap

Norton Power Eraser is the latest Norton Recovery tool. It is being released at the same time as Norton Internet Security and Norton Antivirus 2011. The tool is aimed at detection and clean-up of “0-day” threats (0-day threats are those that take advantage of a newly discovered hole in a program or operating system before the developers have made a fix available – or before they are even aware that a hole exists.)

 

There is special focus on ”Fake AV” (aka ”Rogueware” or ”Crimeware”). Fake AV is a rogue piece of software that pretends to be security software and tempts the user to pay for worthless software; even worse it can install additional malware on the system and claim the system is clean.

 

Many users still do not use antivirus software, or they use software that is not updated or effective. As a result, their systems can become infected with malware that is extremely difficult to remove. Worse, malware authors routinely attempt to evade or disable security programs. Many will prevent these programs from even installing. For all these reasons, users who end up with an infected computer often need more aggressive techniques to handle detection and remediation.

 

It was with this vision that Norton Power Eraser (NPE) was created. So far we have been very successful in delivering on that vision. In the first three months of limited release of the tool, the tool has been 80% effective against never-seen-before Fake AV programs, and in our internal tests, the tool has been working about 53% better than the nearest competitor.

 

Norton Power Eraser downloads and runs quickly and is free for anyone to use.

 

Running a Scan

Norton Power Eraser is a single executable that can be downloaded from the Symantec Web site and is extremely simple to use – just accept the End User License Agreement and you are ready to scan.

 

1.jpg

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Norton Power Eraser uses aggressive engine heuristics and Symantec’s Reputation technology to discover risks and identify potentially dangerous items. In the Scan Complete screen, the results of this scan appear in the Local Scan column. Files that are found to be threats are flagged as Bad and files that are a potential problem are flagged as Suspicious. Norton always recommends that you remove files that are flagged as Bad if you know that you are infected.

 

To further assist you in identifying if a suspicious file is a threat, an option called Remote Scan is available for files flagged by the Local Scan. This is an advanced feature that performs a full scan on a file by sending it to the Symantec servers. Remote Scan provides Norton Power Eraser with access to our traditional Signature-based detection engines to increase effectiveness.

 

Both Local Scan and Remote Scan can identify malicious files. Note that both the scans run independently and if either scan flags a file as Bad, then the file should probably be removed.

 

2.jpg

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Feeling the Power

Given its aggressive nature, Norton Power Eraser ultimately requires you to make the final decision on whether or not to remove an item. Norton Power Eraser does provide recommendations on whether or not to fix items identified on the Scan Complete screen. The results appear under two sections, Detected and Suspected.

 

The Detected section shows items that Norton Power Eraser considers risks, recommending that they be removed (“Fix” checkbox checked). The Suspected section shows items that require further review. A Remote Scan on items marked Suspicious can help determine if they are malicious. If the Remote Scan deems the file to be Bad, the item will be moved to the Detected section with the “Fix” checkbox automatically checked.

 

In addition to Remote Scan, to retrieve additional information on a file simply click the file name under the Detected or Suspected sections to open the File Insight screen for that file. File Insight provides valuable information like the Prevalence, Age, and Norton Trust rating for that file – very valuable information to help you make a decision.

 

3.jpg

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

The recommended action of Norton Power Eraser can be tabulated as follows:

Local Scan

Remote Scan

Recommendation

Bad

Bad

Fix

Bad

Not a Known Threat

Fix

Suspicious

Bad

Fix

Suspicious

Not a Known Threat

Further Analysis needed

 

Should you remove a file in error, the tool comes with safeguards, such as creating System Restore Points and enabling review and undo of previous actions.

 

Summary

Norton Power Eraser is a last-resort, extremely powerful tool to assist in the detection and clean-up of 0-day risks with special focus on Fake AV. If a program has hijacked your computer and is holding you hostage, try Norton Power Eraser. Once again, Symantec widens the gap with the competition by delivering a unique cutting-edge tool.

 

Key Terms

 

Local Scan

Displays results of the aggressive heuristic engine supported by Symantec’s Reputation technology.

4.jpg

 

 

Remote Scan

Sends the file to the Symantec servers for a signature-based scan.

5.jpg

 

 

Detected

Items for which Symantec recommends removal.

6.jpg

 

 

Suspected

Items for which Symantec recommends further review and a Remote Scan.

7.jpg

 

Back to Top

 

Comments
by Norton Fighter on ‎09-08-2010 01:16 AM

Nice to see a good, concise and well laid out explanation of the tool and its use.

by Hamburgler on ‎09-15-2010 10:22 AM

I tried to use this tool. Unfortunately it does not run without being connected to the internet. I entered safe mode on my laptop with network support because the security issue I am having is propagating when connected. Is there an offline version I can run?

by ‎09-15-2010 06:05 PM - edited ‎09-15-2010 06:05 PM

Hello Hamburgler,

 

NPE should run correctly in Safe Mode with Networking. Would you want to try that out?

 

Another offline option I would recommend is running NBRT as a recovery mechanism  (it does require a valid Norton Key). http://security.symantec.com/nbrt/nbrt.asp?lcid=1033&serviceid=2&pname=nis&pversion=na&origin=stmnu&...

 

Due the type of threats that NPE attacks & the technology used, there is no offline version available. A lot of the Fake AV products would actually want you to stay online so that they can make money etc.

 

by on ‎09-15-2010 10:04 PM

1.  The problem I see is that in the case of an infected system file, it is clearly recognized as infected, It is going to be noted as "Bad,  Bad,  Fix."  Since "Fix" means delete, the machine becomes unbootable.  Here it killed services.exe

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Can-t-remove-Infostealer/m-p/269009/h...

 

Here it killed winlogon.exe

 

http://community.norton.com/t5/Other-Norton-Products/Norton-Power-Eraser/m-p/287902/highlight/true#M...

 

Here it killed the Intel Processor Manager.

 

http://community.norton.com/t5/Tech-Outpost/TDSSkiller-TDL4/m-p/243067/highlight/true#M1214

 

Here it killed another critical driver causing a BSOD.

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Infected-w-search-engine-hijack-virus...

 

Hmm, took out the LAN here.

 

http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-Antivirus-Email-Error/m-p/2633...

 

At least, don't call it "Fix."  Call it what it is, "Delete."  Calling it anything else and marketing it as the latest great repair tool is irresponsible.

by Shell1021 on ‎12-23-2010 05:35 AM

I cannot uninstall or delete Mighty Magoo from my computer.  Will Norton Power Eraser resolve this problem for me?

by on ‎12-23-2010 04:28 PM

Norton Power Eraser is a very powerful tool.  For this reason, it should be considered as one of the last things you try, rather than one of the first.  There is a danger of false positives, or identification of system files that should not be removed.

 

There is an uninstaller provided by Mighty Magoo.  The website tests as safe by Norton Safe Web, and as well there is a place to phone if you are having difficulty.  That is always the first line of attack.

 

http://mightymagoo.com/deactivate.html

 

 

by Moderator on ‎11-23-2012 07:50 PM