
Norton Products' Scanning

I have never really understood how these work because I have heard different stories of how these work (below).

01. Real-Time Protection: Does Norton Auto-Protect continually Scan, or does it only come in to Action when you Open, for example, a Document?  If it continually Scans, what does it Scan?

02. Checking for Threats in a Manual Scan: If Norton Products Scan for all Threats, then why does it "Check for:" certain Threats during the "Scanning Commonly-Infected Areas and Start-Up Files..."?  Is it just "Checking for:" Threats in the "Commonly-Infected Areas" of the computer, or is it Checking the whole Computer?  And how does the Norton Product decide what Threats to Check for?  And why does the Norton Product "Check for" more Threats during a Norton Full System Scan than a Norton Quick Scan?

Message Edited by Floating_Red on 06-02-2009 10:06 PM
Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]

Replies


Re: Norton Products' Scanning

01. Real-Time Protection: Does Norton Auto-Protect continually Scan, or does it only come in to Action when you Open, for example, a Document?  If it continually Scans, what does it Scan?

 Auto-Protect will not continually scan. Auto-Protect loads into memory when the operating system loads and protects the computer at all times. Auto-Protect uses the kernel-mode driver SymEvent to hook the Windows file operation stack to the Norton AntiVirus driver. SymEvent can scan any files as the operating system accesses them. Auto-Protect scans the following media and files:

 Removable media such as floppy disks, Zip disks, USB drives, or compact disks

 Files that are accessed or downloaded from the Internet, including cached Web files

 New files as they are created

 Email attachments (upon their launch) that are received through POP email clients

 

02. Checking for Threats in a Manual Scan: If Norton Products Scan for all Threats, then why does it "Check for:" certain Threats during the "Scanning Commonly-Infected Areas and Start-Up Files..."?  Is it just "Checking for:" Threats in the "Commonly-Infected Areas" of the computer, or is it Checking the whole Computer?  And how does the Norton Product decide what Threats to Check for?

 

 Norton products use a Whitelist, which has the details of a set of threats. So the full system scan begins with checking the presence of those threats. Then it checks for the commonly infected areas and startup files and then the whole computer (by scanning each and every file). 

  And why does the Norton Product "Check for" more Threats during a Norton Full System Scan than a Norton Quick Scan?

  A full system scan checks the whole computer for threats. Whereas a Quick scan scans the following areas:

  

 Files that are associated with processes currently running in memory

 Files with start-up folder entries

 Files with system start INI file entries

 Files with system start batch file entries

 Files that are referenced to system startup registry keys

Vineeth--


Re: Norton Products' Scanning

Vineeth,

If I may, I'd like some more clarification on the second point.  I believe Floating_Red was referring to the fact that a Quick scan scans what you listed above and so does a Full scan.  Both start at the same point; but I just ran a Quick scan and it scanned 7100 files.  I then started a Full scan and it scanned 9500 files before starting to scan the hard drive.  Even taking into account the display is not what is actually happening why is there 2000 more files or objects scanned in memory / start up areas scanned one way but not the other?

Win10 x64; Proud graduate of GeeksToGo

Re: Norton Products' Scanning

Sure dbrisendine ,

 

   Both start at the same point; but I just ran a Quick scan and it scanned 7100 files.  I then started a Full scan and it scanned 9500 files before starting to scan the hard drive.

 

When you perform a Quick scan, it scanned 7100 files. Here is the difference. This 7100 is not the number of files scanned, but it is the number of areas scanned (that includes the commonly infected areas, whatever loaded in the memory, processes running etc).

 

When you run a full system scan, the result that you view is the actual number of files, not the areas. So here 9500 is the number of files scanned.

 

Let me tell this in a different way, Quick scan scans mostly through your physical memory, where full system scan scans through the hard drive.

 

I am not sure whether I am able to express my idea here or whether it is clear to you. But this is how it works. I am really sorry if it is not clear and I am ready to make it more clear if you need


Re: Norton Products' Scanning

Vineeth,

I guess the problem is that they both say they are scanning the same places on the screen. 

Using what you said Quick Scan processes this (7100)

the commonly infected areas, whatever loaded in the memory, processes running etc  

 Full System Scan starts with (it says) the same processes (and gets 9500)

the commonly infected areas, whatever loaded in the memory, processes running etc 

So if I look at where the Full scan stops scanning the same processes / places as a Quick scan, why does it have 2000 more items that are not included in the Quick scan when they both have scanned the same things.

 

Win10 x64; Proud graduate of GeeksToGo

Re: Norton Products' Scanning

Vineeth's message said:  SymEvent can scan any files as the operating system accesses them. 

As I indicated in another message,  I downloaded Combofix but never installed it or ran it. Several days later,  right after a definition update,  Auto-Protect identified it as a Trojan and quarantined it.  Combofix  was just sitting there,  it was not being accessed by the operating system,  security history did not indicate that an idle time scan was running.  SymEvent should not have been triggered.

It looks like Auto-Protect was either continually scanning, or a definition update caused it to start scanning. 

Are definition updates supposed to trigger Auto-Protect to start scanning?   Just curious about the many mysteries of NIS. 

NS - Vista 32bit - Win8 64bit - IE9 - Safari5

Re: Norton Products' Scanning

An Update will trigger a scan of 'questionable' or uncertain files that have been submitted to Symantec through CWatch / SONAR etc. to see if the new updates apply to any of the submitted files.  It will also scan the Quarantined files, of course.
Win10 x64; Proud graduate of GeeksToGo

Re: Norton Products' Scanning

dbrisendine,

Thanks. Makes sense; the file may have moved from "gray" list (questionable) to blacklisted by the update. 

NS - Vista 32bit - Win8 64bit - IE9 - Safari5

Re: Norton Products' Scanning


Vineeth wrote:

When you perform a Quick scan, it scanned 7100 files. Here is the difference. This 7100 is not the number of files scanned, but it is the number of areas scanned (that includes the commonly infected areas, whatever loaded in the memory, processes running etc).


Eh?  I don't agree with that unless two or three other Users or Symantec Employees comment on this.

____________________________________________________

The reason why 7,100 Files were Scanned compared to 9,500 is because in the Full System Scan, it Checks for more Threats.  And that was my question: why does the Full System Scan "Check for" more Threats during a F.S.S. and not the same amount when you Run a Quick Scan? 

And, Vineeth, telling me something that I already know, that Norton has a "Whitelist", i.e. Definitions, is not answering my question.  How does the Norton Product decide what Threats to Scan for?  It keeps Scanning for the same Threats, e.g. W32.Downadup.B, and sometimes Modifies what Threats to Scan for.  Obviously, the Norton Products would not have been Scanning for W32.Downadup.B before around October 2008.  And, when it lists the Threats it is "Checking for:" under the "Scanning commonly infected areas and start-up files...", are the Threats listed just being Checked for under the Commonly-Infected Areas' area of the computer?  And why does the Norton Product Check for these Single Threats one-at-a-time when the Norton Products have got Virus Definitions of all Known Threats out there and these Threats it Checks-only for, would be included in if the Norton Product was Scanning a File on your Computer, if you indeed had the Threat on your computer.

And it the Norton Products' Manual Scan goes: Scans for Infected Files > Checks for Threats > Starts to Scan the Whole Computer. 

___________________________________________________

And what is the reason behind Auto-Protect not Scanning all the time?


Re: Norton Products' Scanning


dbrisendine wrote:
An Update will trigger a scan of 'questionable' or uncertain files that have been submitted to Symantec through CWatch / SONAR etc. to see if the new updates apply to any of the submitted files. 

What happens if the User has Community Watch Turned Off?  And what other areas does the Auto-Protect Scan when you get a Virus' Definition Update?


Re: Norton Products' Scanning

For a novice like me, the question is does NAV2008 (in my case) provide real time protection? That is if I go to a website that is infected and tries to inject malicious code on my machine, does NAV2008 stop it right away? Or just picks up on it after a scan is done ( and thus the machine is infected)?

I thought I had heard that the answer to this ( my question above) is YES Norton NAV2008 ( and then I would assume the newer products too)  Protect at the point of contact

Message Edited by NY1986 on 06-03-2009 06:53 AM

Re: Norton Products' Scanning

Floating_Red -

"What happens if the User has Community Watch Turned Off?"

From the information I have seen and read, the Updates will cause a scan of the questionable files on the user's system whether they were submitted to Symantec or not.  This would always include Quarantine files.

Win10 x64; Proud graduate of GeeksToGo

Re: Norton Products' Scanning

Perhaps a simplified explanation of Auto-Protect is that Norton will monitor and provide protection for what you and your computer are currently doing.

As Vineeth mentioned:

 Removable media such as floppy disks, Zip disks, USB drives, or compact disks

 Files that are accessed or downloaded from the Internet, including cached Web files

 New files as they are created

 Email attachments (upon their launch) that are received through POP email clients

Since most computers have a huge number of files contained within, it would be a waste of resources for Auto-Protect to constantly scan everything that has been previously scanned and is just in "storage".

Instead, Norton will scan the resources that you currently have in use.  You may have a word document that was created months ago and is sitting in your My Documents folder. It will not be involved with Auto-Protect until you open that file. At that point, Auto-Protect will monitor your activity with that file and the associated processes to make sure they are free of threats.

The same would apply for surfing the web. Any files that need to be accessed for viewing web pages will be monitored by Auto-Protect.

[edit: grammar]

Message Edited by Phil_D on 06-03-2009 10:34 AM
"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow

Re: Norton Products' Scanning

NY1986,

Here's a very non-technical response that is based on 7 months of experience with NIS on MY computer. Sometimes NIS PREVENTS infections and sometimes NIS merely DETECTS infections.   I keep my operating system and NIS fully updated and scan with zero exclusions. 

I've had about 4 or 5 instances where NIS has popped-up saying that it has prevented a virus from infecting my PC.

Unfortunately, I've had 2 serious Virus/Trojan infections that managed to get right past NIS ... scans said I was infected.  

There is no program available that is 100% foolproof. Malicious hackers are getting more sophisticated each month.  It used to be considered safe if you surfed only the large "reputable" websites. Today, with drive-by attacks, you can get zapped almost anywhere. 

Keep your system and NIS updated. Periodically run on-demand scans with other detection programs. Stay away from known crackz/warez sites.  Eat a healthy breakfast.

NS - Vista 32bit - Win8 64bit - IE9 - Safari5

Re: Norton Products' Scanning

Hi Marty -

Actually, I think that NIS or any other security suite, should be tested in all the areas which you say to stay away from!

Obviously, with NIS 2009 or any other Vendor, there are going to be lots of "hits and misses" with the defense.

That's why a multi-layer approach is the best - i.e. NIS 2009, Malwarebytes, SuperAntiSpyware, etc. - IMHO.

We are all very fortunate that MBAM and SAS are provided and updated to us for *FREE!*

I strongly feel that Symantec (I wrote a thread on this long ago) should purchase the IP (Intellectual Property) of these companies and integrate the native "core logic" into their products. The User Interface stuff from these vendors are really just *eye candy.* It's the guts that makes their respective products so useful. Those two products are just a start. There are others out there, too.

Case in point, Oracle corporation, *smart* company - buys Sun Microsystems to have the crown jewel of Java. They also bought several other companies that had great technologies and integrate them into their products.

To me, this is a smart strategy.

CompumindNIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Norton Products' Scanning

Compumind,

I fully agree that NIS should be tested in the "nasty" sites ... but NIS should do the testing ... not NIS customers!   I've been an unknowing (and unwilling) tester twice! 

I've sworn off going to the "dark side" ... not worth the risk and subsequent hassle.

NS - Vista 32bit - Win8 64bit - IE9 - Safari5

Re: Norton Products' Scanning


Compumind wrote:

I strongly feel that Symantec (I wrote a thread on this long ago) should purchase the IP (Intellectual Property) of these companies and integrate the native "core logic" into their products. The User Interface stuff from these vendors are really just *eye candy.* It's the guts that makes their respective products so useful. Those two products are just a start. There are others out there, too.


It's one thing to judge those products which are used after the fact.

I don't know of any verifiable data that they are more effective in prevention. So we really don't know that their "core logic" would integrate into the Norton Product line and improve the detection rate.

You mentioned: "there are going to be lots of "hits and misses" with the defense." I believe the folks at Norton are working toward a point where that would no longer be the case. Just a review of the innovations introduced over the past few Norton  versions indicates that type of foresight and goal.

"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow

Re: Norton Products' Scanning


Marty wrote:

Vineeth's message said:  SymEvent can scan any files as the operating system accesses them. 

As I indicated in another message,  I downloaded Combofix but never installed it or ran it. Several days later,  right after a definition update,  Auto-Protect identified it as a Trojan and quarantined it.  Combofix  was just sitting there,  it was not being accessed by the operating system,  security history did not indicate that an idle time scan was running.  SymEvent should not have been triggered.

It looks like Auto-Protect was either continually scanning, or a definition update caused it to start scanning. 

Are definition updates supposed to trigger Auto-Protect to start scanning?   Just curious about the many mysteries of NIS. 


Marty

firstly, where was combofix "sitting?" because if it was, say, on your desktop - in other words, if you could actually "see" combofix - then it actually was accessed by the operating system.

secondly, if it was a trojan, then it would have been active on your pc, and if you had just received definitions of that trojan, which would be active, Auto-Protect would have seen the activity and put a stop to it.

 I'm not so sure about the whole suspicious file thing though. Doesn't make sense to me?

Matt

"The fact that man knows right from wrong proves his intellectual superiority to other creatures; but the fact that he can do wrong proves his moral inferiority to any creature that cannot."- Mark Twain

Re: Norton Products' Scanning

Hi Phil_D -

You said:


"I believe the folks at Norton are working toward a point where that would no longer be the case. Just a review of the innovations introduced over the past few Norton versions indicates that type of foresight and goal."


I totally agree!

However, it is much easier to write Viruses, Malware, etc., than it is for many software companies to keep up with everything. By teaming together in a strategic effort, IMHO, similar to a "world war," the possibility of realizing this dream will become reality.

CompumindNIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Norton Products' Scanning

In the real world, however, the value in different programs is actually the difference.  Because they use different engines, and different definitions, they are useful as tools.  As soon as you integrate products, they have to become more similar in order to function.  There would be a great deal of loss in this scenario and very little to gain.

We would just have to go find something different all over again.

Under certain circumstances profanity provides relief denied even to prayer.Mark Twain

Re: Norton Products' Scanning

Hi delphinium -

It really depends on the internals of the program and the technical resources available.

It would be great if there was a common API available which to build on! Resources could then be shared.

Message Edited by Compumind on 06-03-2009 01:29 PM
CompumindNIS 2009, XP-SP3, Vista-SP2, IE 8

Re: Norton Products' Scanning

mattsegers -

The answer on the ComboFix "issue"  is that Norton first saw this as 'interesting file' and sent the information off to Symantec to examine the application / file.  When definitions are updated (believe this case it has to be a Full update not Streaming), all the 'interesting files' that have been submitted to Symantec (if Community Watch is enabled; if not All 'interesting files' are scanned) are scanned to determine if the new definitions now apply to the 'interesting files'.

So, to answer some one else's question, Yes, an Update will cause a scan to take place but not Auto-Protect just a 'clean up' of the files of 'interest' that Norton is watching to determine what to do with.

If you have not done so, since I'm probably missing something or left out a point, you can find more information on this Blog by a Symantec employee .

Win10 x64; Proud graduate of GeeksToGo

Re: Norton Products' Scanning

Hi Matt,

I had Combofix here:  C:\Users\Owner\Documents;  not on the desktop. 

I did some Googling after Combofix was quarantined, and there was discussion about some AntiVirus/AntiMalware products identifying Combofix as a Trojan.  Likewise, there was similar discussion about false positives and some products reversed earlier calls and deemed Combofix clean.  No 100% agreement out there.

I only scan in Full Scan mode, but as you know, some programs are "whitelisted" and are skipped during a standard trust or high trust scan.  Also, some programs are "blacklisted" and are immediately zapped by NIS.  Similarly, Norton categorizes malware definitions as Certified or Rapid Release.  After further testing, the Rapid Release definitions may or may not be "upgraded"  to Certified. So, the concept of a "graylist" of "suspicious" or "to be determined"  files sounds like something Norton might utilize.

Edit : I didn't read "Blog by Symantec Employee"  until after I left this message.  Very interesting.  Wish I would have read it first.

Message Edited by Marty on 06-03-2009 01:18 PM
NS - Vista 32bit - Win8 64bit - IE9 - Safari5

Re: Norton Products' Scanning


Compumind wrote:

......

It would be great if there was a common API available which to build on! Resources could then be shared.

....

Only problem with that is a common API gives the programs a common way to be defeated all at once.  Big problem there.

Win10 x64; Proud graduate of GeeksToGo

Re: Norton Products' Scanning

With regard to Auto-Protect: There seems to be two messages here: It does not Scan all the time - yet it does Scan/Monitor Files, as pointed out by Phil_D.  This is what I mean about being given two different answers.  Maybe I've missed something, but, why is it so hard to get one answer and not a yes-and-no answer?


Re: Norton Products' Scanning


Floating_Red wrote:

With regard to Auto-Protect: There seems to be two messages here: It does not Scan all the time - yet it does Scan/Monitor Files, as pointed out by Phil_D.  This is what I mean about being given two different answers.  Maybe I've missed something, but, why is it so hard to get one answer and not a yes-and-no answer?


Read this Knowledge Base Article about Auto-Protect and its working. This is an old document, still the working is same (technology might have changed). Phil_D is absolutely correct in this.

 

Vineeth--


Re: Norton Products' Scanning

Hi Floating_Red,

Vineeth provided a great link to information on Auto-Protect with detailed information on how it works.

I'll do my best to give you answers based upon your original questions.

01. Real-Time Protection: Does Norton Auto-Protect continually Scan, or does it only come in to Action when you Open, for example, a Document?  If it continually Scans, what does it Scan?

"Auto-Protect checks for viruses and other security risks every time that you run programs on your computer. It also checks for viruses when you insert any removable media, access the Internet, or use the document files that you receive or create. It also monitors your computer for any unusual symptoms that might indicate an active threat."

In other words, Auto protect scans the items that you are currently working with, such as opening a file and monitors for unusual activity. It does not scan your entire computer.


02. Checking for Threats in a Manual Scan: If Norton Products Scan for all Threats, then why does it "Check for:" certain Threats during the "Scanning Commonly-Infected Areas and Start-Up Files..."?  Is it just "Checking for:" Threats in the "Commonly-Infected Areas" of the computer, or is it Checking the whole Computer?  And how does the Norton Product decide what Threats to Check for?  And why does the Norton Product "Check for" more Threats during a Norton Full System Scan than a Norton Quick Scan?

"Quick Scan checks the areas of your computer that are often targeted by viruses."

The Quick scan checks those areas of your computer that are "prime targets" for infections.

"A Full System Scan examines your computer thoroughly."

The Full System Scan starts by checking the commonly infected areas and start up files and then goes on to scan the entire contents of your computer (with the exception of files that have been trusted by Norton Insight or those that have been excluded.)


I hope that I was able to clarify the issue a bit more.

[edit: grammar]

Message Edited by Phil_D on 06-04-2009 08:06 PM
"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow

Re: Norton Products' Scanning

Hi!  A lot of good information here in this thread.  I just wanted to help clarify some points on the second question: The seeming difference between a Quick Scan and a Full System Scan (at least, the differences in the common scanned areas) . 

A Quick Scan will scan the Start Up Area (Memory, processes loaded in memory, Registry item related to OS Start up, etc) BUT it only reports the number of processes scanned.

A Full System Scan starts by scanning the same Start Up Area and memory as the Quick Scan BUT it reports the number of files / items scanned.

So the difference is that a process may have many files active in that process; Quick Scan scans all of them but only adds a one to the total processes scanned and reported.  The Full System Scan scans the exact same processes as the Quick Scan but it reports, and adds to the total, every single file / item scanned.

Hope this helps with some of the confusion or less clear points on the second question.

Win10 x64; Proud graduate of GeeksToGo

Re: Norton Products' Scanning

OK, looks like there is a question on Auto-Protect and scanning the system in real time.

The Auto-Protect part of Norton's 2009 products latches / inserts itself in to the File I/O area of your OS.  Between your hard drives, USB sticks and other sources of stored data and the CPU of your computer, the Operating System has what is called File I/O (File Input / Output).  Hard data to or from storage devices (even your RAM) moves in and out of your CPU via the File I/O.  By inserting itself there, Auto-Protect scans every bit of file traffic in the File I/O stream.  If there is no traffic in the File I/O stream then Auto-Protect stands by to intercept and inspect the next piece of File traffic.

So, in technical terms, Auto-Protect does not constantly scan your file system.  There are times it is idle; these are times your system has no File activity.  Auto-Protect does scan every piece of File I/O traffic as it happens.  On a busy system, this would seem to the outside observer to be constant scanning.  To the modern CPU, there are huge idle times while it waits for the data to come to it. 

This scanning of File I/O traffic is also why files in compressed (zipped or RAR) files are considered non-threatening by Norton.  Inside the compressed state, the files are not active; to become active they must pass through the File I/O path where Auto-Protect immediately scans them before they are written on the hard drive.

Win10 x64; Proud graduate of GeeksToGo
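
A toy model of the behaviour discussed in this thread (files are scanned when they pass through file I/O, idle files are not rescanned, and a definition update triggers a rescan of still-undecided files), added here as an illustration; it is not part of any post and not Norton's code. The class, the paths and the hash-based "definitions" are all assumptions made for the example.

```python
"""Toy on-access scanner with a definition-update rescan (constructed example)."""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ToyScanner:
    # Hypothetical names throughout; this does not reflect any real product's API.
    files: dict                                     # path -> bytes, stands in for the disk
    blacklist: set = field(default_factory=set)     # hashes that have a definition
    trusted: set = field(default_factory=set)       # hashes known to be good
    graylist: set = field(default_factory=set)      # paths seen but still undecided
    quarantine: dict = field(default_factory=dict)  # path -> bytes removed from "disk"
    scans: list = field(default_factory=list)       # audit trail of (trigger, path)

    def _scan(self, path, trigger):
        data = self.files.get(path)
        if data is None:
            return "missing"
        self.scans.append((trigger, path))
        digest = sha256(data)
        if digest in self.blacklist:
            self.quarantine[path] = self.files.pop(path)
            self.graylist.discard(path)
            return "quarantined"
        if digest in self.trusted:
            self.graylist.discard(path)
            return "clean"
        self.graylist.add(path)          # no verdict yet: remember it for later
        return "unknown"

    def write(self, path, data):
        """File creation or download: the write passes the I/O hook and is scanned."""
        self.files[path] = data
        return self._scan(path, "on-access")

    def open(self, path):
        """File open: scanned before the caller receives the contents."""
        verdict = self._scan(path, "on-access")
        if verdict in ("quarantined", "missing"):
            raise PermissionError(f"{path}: {verdict}")
        return self.files[path]

    def update_definitions(self, new_hashes):
        """New definitions arrive: only undecided (gray) files are rescanned."""
        self.blacklist |= set(new_hashes)
        return {p: self._scan(p, "definition-update") for p in sorted(self.graylist)}


def demo():
    # Constructed sample data; paths and contents are placeholders.
    tool = b"constructed sample: downloaded tool"
    doc = b"constructed sample: old document"
    s = ToyScanner(files={r"C:\Docs\old.doc": doc}, trusted={sha256(doc)})
    first = s.write(r"C:\Docs\tool.exe", tool)     # scanned once, on download
    idle = len(s.scans)                            # no file I/O since, so no new scans
    rescan = s.update_definitions({sha256(tool)})  # update decides the gray file
    return first, idle, rescan, s


if __name__ == "__main__":
    first, idle, rescan, scanner = demo()
    print(first, idle, rescan, scanner.scans)
```

In this model the old document sitting in storage is never touched until something opens it, while the downloaded tool is quarantined by the update without ever being opened.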

Re: Norton Products' Scanning

Okay, let's now deal with the Threats the Manual Full System Scan Scans for.  I want to know how the Norton Product chooses what Threats to Scan for in the Scanning commonly infected areas and start-up files....


Re: Norton Products' Scanning


dbrisendine wrote:

OK, looks like there is a question on Auto-Protect and scanning the system in real time.

The Auto-Protect part of Norton's 2009 products latches / inserts itself in to the File I/O area of your OS.  Between your hard drives, USB sticks and other sources of stored data and the CPU of your computer, the Operating System has what is called File I/O (File Input / Output).  Hard data to or from storage devices (even your RAM) moves in and out of your CPU via the File I/O.  By inserting itself there, Auto-Protect scans every bit of file traffic in the File I/O stream.  If there is no traffic in the File I/O stream then Auto-Protect stands by to intercept and inspect the next piece of File traffic.

So, in technical terms, Auto-Protect does not constantly scan your file system.  There are times it is idle; these are times your system has no File activity.  Auto-Protect does scan every piece of File I/O traffic as it happens.  On a busy system, this would seem to the outside observer to be constant scanning.  To the modern CPU, there are huge idle times while it waits for the data to come to it. 

This scanning of File I/O traffic is also why files in compressed (zipped or RAR) files are considered non-threatening by Norton.  Inside the compressed state, the files are not active; to become active they must pass through the File I/O path where Auto-Protect immediately scans them before they are written on the hard drive.


Let's say I am using I.E. and am Browsing.  Will Auto-Protect Scan I.E. while I am using it or just when Files are getting Downloaded?


Re: Norton Products' Scanning

The reason why more Files are Scanned in a Full System Scan is because it Scans for more Threats than a Quick Scan.

Kudos0

Re: Norton Products' Scanning


Floating_Red wrote:

Okay, let's now deal with the Threats the Manual Full System Scan Scans for.  I want to know how the Norton Product chooses what Threats to Scan for in the Scanning commonly infected areas and start-up files....


The Full System scan and the Quick scans all start with scanning the same files. This is a copy of the second post in this thread -

A full system scan checks the whole computer for threats. Whereas a Quick scan scans the following areas:  

 Files that are associated with processes currently running in memory

 Files with start-up folder entries

 Files with system start INI file entries

 Files with system start batch file entries

 Files that are referenced to system startup registry keys

 

The reference here to the full system scan is in regards to what a total scan in Full System versus Quick will scan.  They both start out the same.  It is the reporting in history that is different.  Quick scan reports the PROCESSES totals that are scanned via the files listed above.  A Full System scan reports the FILES total that are scanned via the files listed above.  A running PROCESS may have more than one file in use; a Quick scan will report a total of one when scanning that process, a Full System scan will report the number of files scanned in that PROCESS.

Win10 x64; Proud graduate of GeeksToGo
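
An added example, not part of the original post and not Norton's code: a read-only PowerShell inventory of three of the areas listed above (files behind running processes, start-up folder entries, start-up registry keys), which shows how one process count maps to a much larger file count. The two Run key paths and PowerShell 5 or later are assumptions; the INI and batch file areas are left out because the post does not name the files involved.

```powershell
# Added example: read-only inventory of Quick Scan style areas (not Norton's code).
$files = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)

# 1. Files associated with processes currently running in memory.
$processCount = 0
foreach ($proc in Get-Process) {
    $modules = $null
    try { $modules = $proc.Modules } catch { }   # protected processes deny access
    if (-not $modules) { continue }
    $processCount++
    foreach ($m in $modules) {
        if ($m.FileName) { [void]$files.Add($m.FileName) }
    }
}
$processFileCount = $files.Count   # distinct files loaded by those processes

# 2. Files with start-up folder entries (current user and all users).
$startupDirs = @('Startup', 'CommonStartup') |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$startupFiles = @(foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue
})

# 3. Commands referenced by start-up registry keys (assumed: the two Run keys).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runEntries = @(foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
})

# One process usually accounts for many files, hence the two different totals.
[pscustomobject]@{
    ProcessesInspected = $processCount
    FilesBehindThem    = $processFileCount
    StartupFolderFiles = $startupFiles.Count
    RunKeyEntries      = $runEntries.Count
} | Format-List | Out-String

$runEntries | Format-Table -AutoSize -Wrap | Out-String
```

Run without elevation, the process section skips processes whose module list cannot be read, so both totals are lower bounds.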
Kudos0

Re: Norton Products' Scanning


Floating_Red wrote:

Let's say I am using I.E. and am Browsing.  Will Auto-Protect Scan I.E. while I am using it or just when Files are getting Downloaded?


Auto Protect will scan the files that IE uses to browse;  what you see on your screen is the rendering of the temporary files that IE downloads to your system and then assembles into the visually displayed page.  Thus the temporary files are scanned by Auto Protect that way and consequently so is IE's browsing session, from a file scanned stand point.

Win10 x64; Proud graduate of GeeksToGo
Kudos0

Re: Norton Products' Scanning


Floating_Red wrote:

The reason why more Files are Scanned in a Full System Scan is because it Scans for more Threats than a Quick Scan.


From everything Symantec has told us, the Full System Scan and the Quick Scan scan for the exact same Threats in the Memory / Start Up area.  The difference is the reported items; Process count vs. File count.  Obviously, the Full System scan will continue to scan after the Memory / Start Up area and have a much higher total when finished but in following your questions from before I believed that this is what you are interested in.
Win10 x64; Proud graduate of GeeksToGo
Kudos0

Re: Norton Products' Scanning


dbrisendine wrote:

Floating_Red wrote:

The reason why more Files are Scanned in a Full System Scan is because it Scans for more Threats than a Quick Scan.


From everything Symantec has told us, the Full System Scan and the Quick Scan scan for the exact same Threats in the Memory / Start Up area.  The difference is the reported items; Process count vs. File count.  Obviously, the Full System scan will continue to scan after the Memory / Start Up area and have a much higher total when finished but in following your questions from before I believed that this is what you are interested in.

This whole thing with Processes' Count, I don't believe.  I think it is total rubbish.  I stand by what I said in my Quote you Quoted.  Unless someone from Symantec [Employee] jumps in here and says it is true, along with something to say that it does do this, then I stand by what I wrote/said.
Kudos2 Stats

Re: Norton Products' Scanning

A number of folks have taken the time to respond to your question and their answers have expanded upon the basic information that is available in the Help Section of the Norton Product.

Just because you choose not to believe it, I don't think it fair that you label that information as rubbish, when clearly it is not.

"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow
Kudos2 Stats

Re: Norton Products' Scanning

Floating_Red,

The quote is from the second post in this thread of yours.  The person who stated this IS a Symantec employee.  In fact several of the posts in this thread have been done by Volunteers.  Someone who has been here on the Forum as long as you have, I thought would know that Volunteers are Symantec employees who have donated their off time to help here.  They are still bound by the same rules and regulations as an on the clock employee.

Choose what you want to believe; that is our way of freedom here.  However, that does not change the facts.

Win10 x64; Proud graduate of GeeksToGo
Kudos0

Re: Norton Products' Scanning


dbrisendine wrote:

Someone who has been here on the Forum as long as you have, I thought would know that Volunteers are Symantec employees who have donated their off time to help here.


They are Support Agents Off-Duty, which I think is the Support Agents you get when you go to "Support".

_______________________________________________

And I am just saying that I don't believe all the Processes stuff being said in this Thread; that doesn't mean I don't appreciate everyone Replying to my Thread.

Kudos0

Re: Norton Products' Scanning

I understand what you are saying but the ones I deal with, after 4 years of doing Symantec support, I tend to believe.  At least, I have seen them solve problems with inside knowledge of the products that people outside of Symantec and their 'contracted' support agents would not know.  Let's see if there has been enough of a discussion here to get a response.
Win10 x64; Proud graduate of GeeksToGo
Kudos0

Re: Norton Products' Scanning


dbrisendine wrote:

Floating_Red wrote:

Okay, let's now deal with the Threats the Manual Full System Scan Scans for.  I want to know how the Norton Product chooses what Threats to Scan for in the Scanning commonly infected areas and start-up files....


The Full System scan and the Quick scans all start with scanning the same files. This is a copy of the second post in this thread -

A full system scan checks the whole computer for threats. Whereas a Quick scan scans the following areas:  

 Files that are associated with processes currently running in memory

 Files with start-up folder entries

 Files with system start INI file entries

 Files with system start batch file entries

 Files that are referenced to system startup registry keys

 

The reference here to the full system scan is in regards to what a total scan in Full System versus Quick will scan.  They both start out the same.  It is the reporting in history that is different.  Quick scan reports the PROCESSES totals that are scanned via the files listed above.  A Full System scan reports the FILES total that are scanned via the files listed above.  A running PROCESS may have more than one file in use; a Quick scan will report a total of one when scanning that process, a Full System scan will report the number of files scanned in that PROCESS.


This does not answer my question.  Maybe people are misunderstanding my question, but I don't know how much clearer I can make it than this:

How does the Norton Product, in a Manual Quick Scan and Full System Scan, decide what Threats to Scan for?  For example, in a Quick Scan, it always Scans for the same Three Threats; in a Full System Scan, it Scans for the same Threats (50%) and Scans for a few Threats not Scanned before in the Previous Full System Scan?  Does this make sense?

Kudos0

Re: Norton Products' Scanning

Floating_Red -

Wow.  That is a different question than what I thought you were asking.  But let me ask you this; are you saying that on your system in a Manual Quick Scan when it starts checking for HackTool.A or one of the other names that come up, you only see three?

Win10 x64; Proud graduate of GeeksToGo
Kudos0

Re: Norton Products' Scanning

Yes, I am pretty sure that Hacktool.Unreal.A is one of the Threats; the other two are SecurityRisk.ProxyDNS and SecurityRisk.ProxyURL (I think it is Proxy in the second Threat).  Norton Quick Scan always Scans for these Threats every time a Norton Quick Scan is Run.  And two Threats I have noticed that the Manual Full System Scan Scans for are VirusBlast and W32.Downadup.B whenever a Full System Scan is Run.  I can understand why Downadup.B is Scanned for, but why is none of the other Downadup Family Scanned for?  Why is it just W32.Downadup.B?

Kudos0

Re: Norton Products' Scanning

Glad you brought that up because I have had different things show as scanning in the Quick Scan since I first installed NIS2009.  I see a different item scanned than SecurityRisk.ProxyURL; I get a SafeStrip whatever that is.

Could be that NIS is scanning for the same things but due to CPU / Graphics cycles not everybody will see the same 'flashed / currently scanning' titles?

Win10 x64; Proud graduate of GeeksToGo
Kudos0

Re: Norton Products' Scanning


dbrisendine wrote:

Could be that NIS is scanning for the same things but due to CPU / Graphics cycles not everybody will see the same 'flashed / currently scanning' titles?


It could be.  I'd like to find out how the Norton Product knows what Threats to Scan for.


dbrisendine wrote:

I get a SafeStrip whatever that is.


If someone knows what this is, please shed light on it.

Thanks!

Kudos2 Stats

Re: Norton Products' Scanning

Scanning for SafeStrip refers to scanning for this Misleading Application.
"Anyone who isn't confused really doesn't understand the situation."   Edward R. Murrow
Kudos0

Re: Norton Products' Scanning

Just for interest's sake, my Quickscan items are Proxy DNS, safestrip, cookies, Hacktool.unrealA (not in order of appearance on the scan)

Thanks Phil for pointing out what "safestrip" is.

Cheers Mo Windows 7 64 bit, NIS2013
