
SONAR and "cloud scanning"

In another thread about Norton Security's idle background activity, a Symantec employee said this:   "Also, NS adds cloud scanning of files, hence your observation of network traffic."

I am not familiar with how Norton Security implements "cloud scanning" and what data is being transferred to/from the end user's computer .... so I searched for the term and found this thread from the NS beta test:

https<colon><slash><slash>community<dot>norton<dot>com<slash>forums<slash>sonar-7

Could someone from Symantec please explain Norton Security's "cloud scanning" and also address the issues that were brought up in the above-mentioned thread regarding the effectiveness/safety of Norton Security if the end user does not have an active internet connection?

Some quotes from the referenced thread (I am not saying these quotes are true; but now that the beta is over and NS has been released, I am just asking for someone from Symantec to address testers' concerns from the thread that were brought up during the NS beta):

"Norton Security’s SONAR feature fails to protect users big-time if an internet connection is not present at the time when the user runs the program in question."

The Norton Security products cannot be deployed while this issue remains unresolved. If SONAR needs an internet connection in order to work effectively, then SONAR needs to check for an active internet connection upon file execution. If an active internet connection can’t be found, then SONAR needs to follow Norton Download Insight’s lead above and prompt the user with a recommendation to “not use this file unless you know that it is safe”

I hope Symantec will seriously consider restoring local SONAR scanning before the official launch of  Norton Security v. 22.x., or at the very least make it more difficult for the user to execute a file with an unknown reputation when SONAR is not available.

Now Symantec has decided to move SONAR's real-time heuristic scanning off the local hard drive and into the cloud in v. 22.x, compromising system security if the user is not connected to the Internet (or presumably, if connections to the backend Symantec servers are temporarily unavailable).  Having SONAR residing in the cloud might simplify updates to the behaviour-based protection, but at what cost to the user?

Download Insight gives unknown files a Good trust rating (one step below Norton Trusted) and most users would assume that a Good trust rating means the file is safe to use.  PRIOR demonstrated how easy it is to run these files in his videos.  Up to now, Norton's premise has always been that SONAR's real-time heuristic detection will intervene and remove the unknown file if it behaves maliciously during execution.  Now that SONAR has moved to the cloud in v. 22.x we have lost that secondary check for malicious behaviour if the user is disconnected from the Internet.

AVG, AntiVir, ESET, Panda and several other popular free and subscription-based antivirus programs flagged this installer as suspicious/malicious (it was bundled with PUPs and trojans) while Norton's Download Insight gave this unknown file a Good trust rating.

Replies

Kudos0

Re: SONAR and "cloud scanning"

@it was bundled with PUPs@

As it was said here, Symantec does not consider PUP toolbars/adware to be something bad... Well, users have to use 3rd-party software to remove those PUPs.

Kudos0

Re: SONAR and "cloud scanning"

Just a quick note to add that Norton scans for some adware (probably the most dangerous).

If you run a Quick or Full System Scan you can see some Trackware & Adware displayed.

Regards,

Kudos2 Stats

Re: SONAR and "cloud scanning"

Krassius wrote: @it was bundled with PUPs@

As it was said here, Symantec does not consider PUP toolbars/adware to be something bad... Well, users have to use 3rd-party software to remove those PUPs.

Hi Krassius:

You make a valid point, but please note that comments in the OP's post here are cobbled together from different replies and from different users in the thread titled SONAR in the Norton Security beta forum. The series of demo videos that elsewhere and PRIOR posted here in the beta forum shows how malware (I believe it was a remote access tool) is detected by Norton Security SONAR's heuristic (behaviour-based) cloud detection if the user executes the downloaded installer while connected to the Internet, and how that same malware can be executed and allowed to compromise the user's system if the user is disconnected from the Internet and SONAR is unavailable.  The malware used in these demos is high-risk malware that would normally be detected and blocked by Norton Security when the user has an active connection to the Symantec cloud servers.

The point I was trying to make here in that same SONAR thread was that Download Insight will give any installer a Good trust rating if it cannot find a matching MD5 or SHA256 hash (signature) for that executable file in Norton's virus definition database and cannot determine the reputation of that file in the wider Norton community, regardless of whether it is a low-risk PUP or high-risk malware.  If Download Insight rates an installer as Norton Trusted the user can have some confidence that Symantec has evidence that the installer is safe.  However, if Download Insight rates an installer with an unproven reputation as Good and a Norton Security user executes this unknown installer while disconnected from the Internet they have no way of stopping the execution of the file if it behaves maliciously because SONAR's heuristic detection has been moved off the local drive and into the cloud in Norton Security.

As elsewhere and others noted, a few simple tweaks to the Download Insight trust ratings and pop-up warnings displayed before file execution could give users adequate warning that they were about to execute one of these "unknown" installers while they are disconnected from the Internet and SONAR is unavailable.  No one was suggesting that SONAR had to be moved out of the cloud and back onto the local machine before Norton Security was officially released.
-------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 32.0.3 * IE 9.0 * NIS 2013 v. 20.5.0.28
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS
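
The gap described in the post above, modelled as an added example (not part of the original thread and not Norton code). The policy functions, the "Unproven" and "Blocked" labels and the state enumeration are hypothetical; "Good", "Norton Trusted" and the warning text are the ones quoted in this thread.

```python
"""Added illustration: fail-open vs. fail-closed handling of an unknown file
when the cloud behavioural layer is unreachable. All names are hypothetical;
this models the logic discussed in the thread, not any vendor's code."""
from dataclasses import dataclass
from enum import Enum
from itertools import product


class Evidence(Enum):
    KNOWN_BAD = "hash matches a local definition"
    TRUSTED = "positive reputation on record"
    NONE = "no signature match and no reputation"


class Action(Enum):
    BLOCK = "block"
    WARN = "warn before execution"
    ALLOW = "allow silently"


@dataclass(frozen=True)
class Verdict:
    label: str             # trust rating shown to the user
    action: Action
    behaviour_layer: bool  # is run-time behavioural detection active?
    message: str = ""


WARNING = "not use this file unless you know that it is safe"


def fail_open(evidence: Evidence, cloud_reachable: bool) -> Verdict:
    """Behaviour described in the thread: absence of evidence is displayed as
    'Good' and the file runs, whether or not the cloud layer is reachable."""
    if evidence is Evidence.KNOWN_BAD:
        return Verdict("Blocked", Action.BLOCK, cloud_reachable)
    if evidence is Evidence.TRUSTED:
        return Verdict("Norton Trusted", Action.ALLOW, cloud_reachable)
    return Verdict("Good", Action.ALLOW, cloud_reachable)


def fail_closed(evidence: Evidence, cloud_reachable: bool) -> Verdict:
    """Tweak proposed in the thread: check connectivity at execution time and
    warn when an unproven file would run without the behavioural layer."""
    if evidence is Evidence.KNOWN_BAD:
        return Verdict("Blocked", Action.BLOCK, cloud_reachable)
    if evidence is Evidence.TRUSTED:
        return Verdict("Norton Trusted", Action.ALLOW, cloud_reachable)
    if cloud_reachable:
        # No evidence either way, but the second layer is still watching.
        return Verdict("Unproven", Action.ALLOW, True)
    return Verdict("Unproven", Action.WARN, False, WARNING)


def exposed_states(policy):
    """Enumerate every (evidence, connectivity) state and return those in which
    an unvetted file executes silently with no behavioural layer behind it."""
    gaps = []
    for evidence, online in product(Evidence, (True, False)):
        verdict = policy(evidence, online)
        unvetted = evidence is Evidence.NONE
        if unvetted and verdict.action is Action.ALLOW and not verdict.behaviour_layer:
            gaps.append((evidence, online, verdict.label))
    return gaps


if __name__ == "__main__":
    for policy in (fail_open, fail_closed):
        print(policy.__name__, exposed_states(policy))
```
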

Kudos2 Stats

Re: SONAR and "cloud scanning"

Imacri,

Your post in this thread was well said.

Originally, I was going to include links to the source of the comments I cobbled together in my original post, but lately I have observed a very long delay in the time it takes posts containing links to be displayed (even if those links are just to other pages in these forums) ... so I did not include links in my OP.

My concern (and the reason for my OP) was that (at least during the beta) Norton Security has a potential exposure that allowed customers' computers to be compromised (in some cases) when/if the user's computer was disconnected from the internet. High-risk malware "that would normally be detected and blocked by Norton Security when the user has an active connection to the Symantec cloud servers" was being allowed to run if the user did not have an active internet connection!

The following scenario was brought up (and demonstrated) during the beta:

If Download Insight cannot find a matching signature for an installer, cannot find that installer's reputation, gives that installer a "good trust rating", and this installer gets run when the user's computer is disconnected from the internet (and thus SONAR's cloud based detection is not available), then it appears the user's computer could be compromised (if the installer contains malware).

Has this potential exposure (identified during the beta) been addressed ... or does it still exist?

Yes, some tweaks to Download Insight might give users warnings that they were about to execute an "unknown" installer, but I wonder if the Symantec users who are not computer savvy would actually read and understand the warnings.

For the sake of argument, I wonder why users cannot be given the choice between having their SONAR detection local or in the cloud. Don't the older products (NIS, N360) still have their SONAR locally ... and hasn't Symantec stated that those old products still provide full/complete protection and that we will be able to use those products for the "foreseeable future"? If local SONAR exists (and is good enough) for the old products, why not (optionally) provide local SONAR in the new products?

If Norton Security had the option of local SONAR, would that address the exposure described above?   

Kudos2 Stats

Re: SONAR and "cloud scanning"

geek47:

Has this potential exposure (identified during the beta) been addressed ... or does it still exist?...

If Norton Security had the option of local SONAR, would that address the exposure described above?   

Hi geek47:

To the best of my knowledge, the potential exposure that elsewhere and PRIOR identified during beta testing still exists, although it's difficult to be sure since Symantec removed all beta tester threads in the Norton Security beta forum dating back to 24-Jul-2014 just prior to the official launch of NS v. 22.x.  Note that users will now get an Access Denied message if they try to view the beta forum when they are logged out of the Norton forum.

If Norton Security had the option of local SONAR, then yes, users should be protected in the scenario described above because if the user chose to run the "unknown" file assigned a Good trust rating and it behaved maliciously, local SONAR would offer a second layer of protection and immediately halt the execution of the malicious file even if they were disconnected from the Internet.

The main advantage of having SONAR reside in the cloud is that updates to the Behavior and Security Heuristics can be updated centrally on the Symantec cloud servers and no longer have to be pushed via LiveUpdate to the local machine.  According to the Virus Definitions and Security Updates page, the last behavior-based security updates were delivered to NAV/NIS/N360 on 15-Sep-2014 and if you check the security history at History | Show | LiveUpdate in these products and check the details of each LiveUpdate around this date you should see something like this:

Having SONAR in the cloud and quickly updated when new malware variants are identified in the wild isn't necessarily a bad thing.  It's just that there are serious problems with the current implementation that makes it far too easy for NS users to execute malicious files when they're disconnected from the Symantec cloud servers and SONAR is unavailable.

EDIT:

I made some suggestions for possible tweaks to Download Insight in the NS beta forum topic Question RE: v. 22.x Protection While Disconnected From Internet that build on comments by elsewhere and PRIOR and might address some of these problems.
-------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 32.0.3 * IE 9.0 * NIS 2013 v. 20.5.0.28
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Kudos2 Stats

Re: SONAR and "cloud scanning"

Imacri,

I can see how it would be advantageous to have SONAR use the cloud ... where the very latest behavior and security heuristics could quickly be made available to customers ... without needing that data to first be pushed to the end user's computer. So it appears that Symantec's argument for cloud based SONAR is that it provides more timely Behavior-Based Protections.

But consider that:

1. Symantec says this regarding their old products (underlining is mine): "We recommend that you continue using your current product until the functionality to convert your subscription is available. Norton AntiVirus, Norton Internet Security, and Norton 360 products will continue to receive the best protection Norton has to offer."

2. As you mentioned, the last update to the Behavior-Based Protection for NIS (later than 2012) was September 15, 2014 (14 days ago). So, it appears that having the "best protection Norton has to offer" means having Behavior-Based Protection updates that are 14 days old.

Seems confusing. If 14-day-old protections is "best protection Norton has to offer", then what really is the advantage of cloud-based SONAR?

Symantec (if they ever choose to respond to this thread) may counter with something like ... "we will update the cloud-based Behavior-Based Protections much more frequently than we update local-based Protections".  However, that would make me wonder how they can also say that the old products (with 14-day-old Behavior-Based Protections) have the "best protection Norton has to offer".

Is the best that Symantec can offer (to customers of the old products) protections that are 14-days-old?? Are those 14-day-old protections sufficient? And if 14-day-old protections are sufficient for the old products, then why not give users of the new products some options: local based SONAR with 14-day old protections that are good enough for the old products and do not have an exposure when/if the computer does not have an active internet connection, or cloud based SONAR with more timely protections, but ONLY if the computer has an active internet connection.  

Is the movement of SONAR's protections from local to cloud the only significant change between the old products and the new products? If that is the case, and especially if there is no response from Symantec on how they plan on addressing the exposure identified when the SONAR's protections are in the cloud and end user does not have an active internet connection, then I will be moving to one of Symantec's competitor's products when my NIS subscription expires.

Kudos0

Re: SONAR and "cloud scanning"

@it was bundled with PUPs@

As it was said here, Symantec does not consider PUP toolbars/adware to be something bad... Well, users have to use 3rd-party software to remove those PUPs.

 If I may quote Quads....
"Norton does detect PUPs but as PUAs or as its name like webcake or yontoo, the program in question just has to cross the line first.   Quads"

Kudos3 Stats

Re: SONAR and "cloud scanning"

Imacri,

Thanks for the info.

>perhaps Symantec is starting to take steps to improve their popup warnings when users are disconnected from the network and SONAR is unavailable.

That would be nice. I wonder if the experiments performed by elsewhere and PRIOR can now be repeated using the released version of NS to see what improvements have been made?

>Unlike a virus definition set that has to be updated every time a new malware variant with its own unique MD5 or SHA256 hash (signature) is identified in the wild, heuristic detection is based on the general behavior of malware (e.g., edit of the Windows hosts file, rapid addition of entries to the Windows registry, opening of communications on high ports) and in general, changes in these types of malicious behaviors do not change over time as rapidly as the signatures of newly released malware variants.

Understood. But doesn't the fact that heuristic detection behaviors do not rapidly change over time ...  sort of conflict with the claim that having SONAR in the cloud gives the user more timely access to the very latest updates to behavioral protections? If updating the behavioral protections (that do not change frequently) on a frequency of say twice a month is sufficient (as seen in the way the old products with the "best protection Norton has to offer" work) .... then why not offer users of the new products two options: local and cloud based SONAR?

I am of the opinion that changing the pop-up warnings is needed, but I also think that too many users will just ignore the pop-ups (and if they do not have an active internet connection, they could be risking exposure). If Symantec offered options, then customers who know they often use their computers in places where there is no active internet connection could choose local SONAR, and users who know their computers will always be connected (until of course their router hangs, etc) can choose cloud based SONAR. A win-win.

Of course, I know I have a better chance of winning the lottery than convincing Symantec to go back to local SONAR (as an option). I wonder if the independent comparison sites will soon have one phase of their tests with computers connected, and another phase with computers disconnected ... to see how all security products compare in how well they protect users in each case.

Kudos4 Stats

Re: SONAR and "cloud scanning"

geek47 wrote:

Seems confusing. If 14-day-old protections is "best protection Norton has to offer", then what really is the advantage of cloud-based SONAR?...

Is the movement of SONAR's protections from local to cloud the only significant change between the old products and the new products? If that is the case, and especially if there is no response from Symantec on how they plan on addressing the exposure identified when the SONAR's protections are in the cloud and end user does not have an active internet connection, then I will be moving to one of Symantec's competitor's products when my NIS subscription expires.

Hi geek47:

I was just reading the product update announcement for the latest NS v. 22.0.1.14 here and the fixes in this version are:
     - Updated text for a popup window when scanning without a network connection
     - Fixed a problem with the popup not appearing in certain scanning situations

Those descriptions are a bit vague but perhaps Symantec is starting to take steps to improve their popup warnings when users are disconnected from the network and SONAR is unavailable.

Regarding the number of days since the last update for the Behavior and Security Heuristics, Symantec has more information on how their heuristics detection of malware works here on the Behavior tab of the STAR (Security Technology and Response) site.  Unlike a virus definition set that has to be updated every time a new malware variant with its own unique MD5 or SHA256 hash (signature) is identified in the wild, heuristic detection is based on the general behavior of malware (e.g., edit of the Windows hosts file, rapid addition of entries to the Windows registry, opening of communications on high ports, etc.) and changes in these types of malicious behaviors do not change over time as rapidly as the signatures of newly released malware variants.

And just FYI, I also don't understand Symantec's decision to move SONAR into the cloud.  On balance, I think there are more negatives than positives in having SONAR functionality completely dependent on a connection to the Symantec cloud servers.
-------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 32.0.3 * IE 9.0 * NIS 2013 v. 20.5.0.28
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS
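
The behaviour-based approach described in the post above, sketched as an added example (not part of the original thread and not SONAR's actual logic). The rule names, weights, thresholds, the port cut-off and the event trace are all constructed assumptions; only the three behaviours themselves come from the post.

```python
"""Added illustration of behaviour-based scoring. The verdict depends on what
a process does, not on its file hash, so a repacked variant with a new hash
scores the same. All rules and numbers below are assumptions."""
from collections import defaultdict, deque

HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"
WEIGHTS = {"hosts_file_edit": 40, "registry_burst": 30, "high_port_comm": 20}
REG_BURST_COUNT = 20     # assumed: this many registry writes ...
REG_BURST_WINDOW = 2.0   # ... within this many seconds counts as "rapid"
HIGH_PORT = 49152        # assumed cut-off for "high ports"
THRESHOLD = 50           # assumed score at which a process is flagged


def score_processes(events):
    """events: iterable of (timestamp_s, pid, kind, detail).
    Returns {pid: (score, [rules fired in order], flagged)}."""
    scores = defaultdict(int)
    fired = defaultdict(list)
    reg_times = defaultdict(deque)

    def fire(pid, rule):
        # Each rule contributes once per process, however often it matches.
        if rule not in fired[pid]:
            fired[pid].append(rule)
            scores[pid] += WEIGHTS[rule]

    for ts, pid, kind, detail in sorted(events, key=lambda e: e[0]):
        scores[pid] += 0  # make sure quiet processes appear in the result
        if kind == "file_write" and detail.lower() == HOSTS_PATH:
            fire(pid, "hosts_file_edit")
        elif kind == "reg_write":
            window = reg_times[pid]
            window.append(ts)
            # Sliding window: drop writes older than the burst window.
            while ts - window[0] > REG_BURST_WINDOW:
                window.popleft()
            if len(window) >= REG_BURST_COUNT:
                fire(pid, "registry_burst")
        elif kind == "net_connect" and detail >= HIGH_PORT:
            fire(pid, "high_port_comm")

    return {pid: (scores[pid], fired[pid], scores[pid] >= THRESHOLD)
            for pid in scores}


def sample_trace():
    """Constructed trace: pid 100 behaves like an ordinary installer,
    pid 200 shows all three behaviours named in the post."""
    events = [(float(i), 100, "reg_write", r"HKCU\Software\Example\k%d" % i)
              for i in range(5)]
    events.append((5.0, 100, "net_connect", 443))
    events.append((5.5, 100, "file_write", r"C:\Users\demo\app.log"))
    events.append((0.1, 200, "file_write",
                   r"C:\Windows\System32\drivers\etc\hosts"))
    events += [(0.2 + 0.04 * i, 200, "reg_write",
                r"HKLM\Software\Example\v%d" % i) for i in range(25)]
    events.append((1.5, 200, "net_connect", 50000))
    return events


if __name__ == "__main__":
    for pid, result in sorted(score_processes(sample_trace()).items()):
        print(pid, result)
```
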

Kudos0

Re: SONAR and "cloud scanning"

Hello Imacri
If I keep reading your excellent detailed explanatory posts along with this, you just may have me convinced to change horses.

@geek47   Thanks for starting this Thread

Kudos2 Stats

Re: SONAR and "cloud scanning"

I am still waiting for someone from Symantec to describe what they have done (or plan on doing) to address the exposure (discovered during the Norton Security beta test) associated with not having an active internet connection when using Norton Security's cloud-based behavioral protections.

If this issue is neglected, then it's only a matter of time before some customer takes advantage of Symantec's offer to refund the cost of Norton Security if the product fails to remove a virus.

Kudos0

Re: SONAR and "cloud scanning"

bjm_ Imacri is awesome. Her attention to detail is legendary around here!

Windows 10 Home X 64 Norton Security Premium Current
Kudos0

Re: SONAR and "cloud scanning"

geek47, if you're concerned about this perceived flaw in NS, you could always try MalwareBytes Pro, which operates in real time.

Normally, we wouldn't suggest that option, but MBytes assure us it will work harmoniously with AV programs, and some users here are using this combo with no problems.

The choice is always the user's, however.

Windows 10 Home X 64 Norton Security Premium Current
Kudos2 Stats

Re: SONAR and "cloud scanning"

 if you're concerned about this perceived flaw in NS, you could always try MalwareBytes Pro, which operates in real time.

F4E,

Thanks for your suggestion.

I could not find a product named MalwareBytes Pro. I did find MalwareBytes Anti-Malware (free) and MalwareBytes Anti-Malware Premium ($24.95 for 1year/3 PCs).

I do not think the exposure in Norton Security that I am concerned about is merely "perceived". This exposure is associated with not having an active internet connection when using Norton Security's cloud-based behavioral protections, and is fully documented (and demonstrated via videos) in this thread:

https<colon><slash><slash>community<dot>norton<dot>com<slash>forums<slash>sonar-7


It is my understanding that the old Symantec products (NIS, N360) do not have this exposure, because they use local-based behavioral protections. This exposure has come about because the new Norton Security uses cloud-based behavioral protections (which are of no use if the customer's PC does not have an active internet connection at the time that a file must be checked prior to execution).

If running a third party application (MalwareBytes) is the only way to avoid this exposure in the new Norton Security, then that brings up a concern. I have the highest respect for the MalwareBytes product ... but I feel that I should not be required to run it (or any third party product) to resolve an exposure in the new Norton Security.

Symantec needs to address this exposure and inform us customers on what they will do to resolve it. Or, as you said, the choice is the user's .... and (if the exposure is not resolved) this user will choose to move to one of the other security products on the market that are highly rated by independent comparisons.

Kudos1 Stats

Re: SONAR and "cloud scanning"

geek47 wrote:

If running a third party application (MalwareBytes) is the only way to avoid this exposure in the new Norton Security, then that brings up a concern. I have the highest respect for the MalwareBytes product ... but I feel that I should not be required to run it (or any third party product) to resolve an exposure in the new Norton Security.

Symantec needs to address this exposure and inform us customers on what they will do to resolve it. Or, as you said, the choice is the user's .... and (if the exposure is not resolved) this user will choose to move to one of the other security products on the market that are highly rated by independent comparisons.

Hi geek47:

Also note that Malwarebytes (MBAM) is not a traditional antivirus like Norton, McAfee, AVG, etc.  The MBAM support article Does Malwarebytes Anti-Malware replace antivirus software? states:

"Malwarebytes Anti-Malware is not meant to be a replacement for antivirus software. Malwarebytes Anti-Malware is a complementary but essential program which detects and removes zero-day malware and "Malware in the Wild"."

I use MBAM Premium to protect my system against lower-risk PUPs (potentially unwanted programs) and PUMs (potentially unwanted modifications) like adware and browser re-directors, but I still rely on my Norton AV as my first line of defense to handle higher-risk malware like viruses, worms, etc.  I was also fortunate enough to purchase a PRO/Premium license for MBAM back in the day when a lifetime license cost under $30 US.
-------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 32.0.3 * IE 9.0 * NIS 2013 v. 20.5.0.28 * MBAM Premium v. 2.0.2.1012
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Kudos1 Stats

Re: SONAR and "cloud scanning"

Thanks Imacri.

I used MalwareBytes a few years ago to help clean up my daughter's computer ... but she later removed it. I have not installed it on my computer ... perhaps I'll give it a try.

However well MalwareBytes does its job ... I still have a problem if we Symantec's customers need to install a third party app to fill in a protection gap in Norton Security. As I understand it, the protection gap that I am referring to has come about because Symantec moved Norton Security's behavioral protections to the cloud (i.e., the Symantec servers), and if the user does not have an active internet connection, then the cloud-based protections cannot do their job and malware (PUPs, PUMs, etc) could be allowed to run. The older products used local-based behavioral protections and thus did not have this issue.  

Yes, I could install MBAM to mitigate Norton's gap in protection. But other Symantec users who perhaps do not have enough "horse power" in their computer to run several security apps simultaneously, or perhaps are not computer savvy enough to figure out that they need MBAM, etc ... would still be exposed.

One solution would be for Norton Security to display a pop-up (when the user's computer does not have an active internet connection) warning the user whenever a potentially unsafe executable is about to be run. But too many users just ignore pop-ups like that.

If Symantec refuses to update Norton Security with an option for local-based behavioral protections, then they need to at least tell us what they will do to address this potential protection gap.    

Kudos1 Stats

Re: SONAR and "cloud scanning"

geek47 wrote:

However well MalwareBytes does its job ... I still have a problem if we Symantec's customers need to install a third party app to fill in a protection gap in Norton Security. As I understand it, the protection gap that I am referring to has come about because Symantec moved Norton Security's behavioral protections to the cloud (i.e., the Symantec servers), and if the user does not have an active internet connection, then the cloud-based protections cannot do their job and malware (PUPs, PUMs, etc) could be allowed to run. The older products used local-based behavioral protections and thus did not have this issue.

If Symantec refuses to update Norton Security with an option for local-based behavioral protections, then they need to at least tell us what they will do to address this potential protection gap.    

Hi geek47:

NAV/NIS/N360 do not provide protection against most lower-risk PUPs and PUMs like adware and browser hijackers, even with local SONAR protection, but you'll also find that most other AV programs like McAfee, AVG, etc. have the same gap in their protection.  See the Lifehacker article The Difference Between Antivirus and Antimalware (and Which to Use) for a good summary on the subject.

Many users in this forum use the free version of Malwarebytes Anti-Malware (my personal preference) and/or SUPERAntiSpyware as a second opinion scanner and run a manual on-demand scan every week or so (or whenever they suspect they could have some malware on their system) just to check for any lower-risk PUPs and PUMs that might have been missed by their Norton AV.

And I agree with you 100% - I won't be upgrading to Norton Security until I'm sure that Symantec has addressed this lack of heuristic behaviour-based malware detection when the user is disconnected from the network now that SONAR has been moved to the cloud.
-------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 32.0.3 * IE 9.0 * NIS 2013 v. 20.5.0.28
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Kudos0

Re: SONAR and "cloud scanning"

Thanks Imacri ... I'll give MalwareBytes a try.

Meanwhile, we wait for someone from Symantec to tell their customers how they will address the potential exposure in Norton Security that can occur when the user's computer does not have an active internet connection.

Why is it that I think we will be waiting for a long time <sigh>.

Kudos1 Stats

Re: SONAR and "cloud scanning"

Hi, geek47. AV-TEST ran a series of situations as to how well programs repaired an infected system. MalwareBytes Free, which is what I also use, performed extremely well.

http://www.av-test.org/en/news/news-single-view/17-software-packages-in-a-repair-performance-test-after-malware-attacks/

Windows 10 Home X 64 Norton Security Premium Current
Kudos0

Re: SONAR and "cloud scanning"

Thanks F4E for the link to the comparisons by AV-TEST. MalwareBytes certainly was highly ranked.

I am looking forward to seeing independent comparisons that include Norton Security. Hopefully the test sites will test and rank various products in environments that include both an active internet connection and a disconnected/inactive internet connection. I would especially like to see how Norton Security compares to other products when the computer (being protected) does not have an internet connection.

In the meantime, I'll check out MalwareBytes. 

Kudos0

Re: SONAR and "cloud scanning"

I've downloaded, installed, and run MBAM .... no threats found.

The product is easy to setup and use, and the full scan only took about 5 minutes ... I will definitely keep MBAM around and use it as needed. Thanks to all those who recommended the product.

However, I would still like to hear from Symantec about the potential exposure that exists in Norton Security if one does not have an active internet connection.

Kudos0

Re: SONAR and "cloud scanning"

Here's a very new test of Norton Security on Youtube:

https://www.youtube.com/watch?v=Pyqq2xURHJk

Kudos0

Re: SONAR and "cloud scanning"

Test of NS on Youtube started out promising, but then it gets bad. Video by "The PC Security Channel". They tested the beta a while ago and it was excellent, but today's test is not so good. It is good up until around 10 mins into the video.

On Youtube, search for:

norton security 2015 v22 review

Kudos3 Stats

Re: SONAR and "cloud scanning"

Test of NS on Youtube started out promising, but then it gets bad. Video by "The PC Security Channel". They tested the beta a while ago and it was excellent, but today's test is not so good. It is good up until around 10 mins into the video.

On Youtube, search for:

norton security 2015 v22 review

Have you been reading this thread at Wilder's and from this post on?

A little bit of knowledge is... well a little bit of knowledge.
Kudos0

Re: SONAR and "cloud scanning"

That was poor and questionable testing at best. Not even a realistic test. It cannot be taken seriously. The first mistake was not setting both Sonar and Heuristic to Aggressive at the start.
Kudos1 Stats

Re: SONAR and "cloud scanning"

For anyone interested, I believe this is the youtube link  -  http://www.youtube.com/watch?v=Pyqq2xURHJk

A little bit of knowledge is... well a little bit of knowledge.
Kudos0

Re: SONAR and "cloud scanning"

Hello,

I would like to ask whether Symantec will somehow take a stand on, or comment on, this video from The PC Security Channel on YouTube. After all, is it not doing considerable damage to the Norton product? It could threaten an outflow of customers and general confidence in Norton products. It is very clearly seen at some moments in the video that the executed test is very misleading and thus unreliable. In some comments under the video you can see how people are influenced in their trust in the Norton Security product. It is a great pity. I think Norton products were and are among the best.

Kudos2 Stats

Re: SONAR and "cloud scanning"

FattiesGoneWild wrote: That was poor and questionable testing at best. Not even a realistic test. It cannot be taken seriously. The first mistake was not setting both Sonar and Heuristic to Aggressive at the start.

I would suggest that users instead watch the series of three YouTube videos created by community member PRIOR.  Links are posted in the NS 2015 Public Beta Forum in the thread titled SONAR at https://community.norton.com/comment/5382983#comment-5382983

This series of videos demonstrates how high-risk malware bundled inside a .rar file (I believe it was a remote access tool) on the user's hard drive is correctly detected and blocked by Norton Security SONAR's heuristic behaviour-based cloud detection if the user attempts to run the executable while connected to the Internet, and how that same malware can be executed and allowed to compromise the user's system if the user is disconnected from the Internet and SONAR is unavailable.  In particular, the third video in that series shows how easily a system can be infected on a Win 7 machine in the absence of an Internet connection, as opposed to the second video using a Win 8 machine where the Win 8 SmartScreen feature will warn the user they are disconnected from the Internet.

I think these videos by PRIOR and the accompanying comments by elsewhere explaining how the tests were run are a fair assessment of how a system can be compromised in the absence of SONAR.  As elsewhere noted in that SONAR post, much of the danger could be mitigated by warning NS users that they are about to execute a file with an unknown reputation without SONAR protection, especially if they are running NS on a XP, Vista or Win 7 machine:

"The Norton Security products cannot be deployed while this issue remains unresolved. If SONAR needs an internet connection in order to work effectively, then SONAR needs to check for an active internet connection upon file execution. If an active internet connection can’t be found, then SONAR needs to follow Norton Download Insight’s lead above and prompt the user with a recommendation to “not use this file unless you know that it is safe”. The Windows 8 SmartScreen feature handles the 'no internet connection' scenario effectively."
-------------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 32.0.3 * IE 9.0 * NIS 2013 v. 20.5.0.28
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

Kudos2 Stats

Re: SONAR and "cloud scanning"

It may not be nearly as effective but SONAR is there without an internet connection.

This is SONAR working without an internet connection.

Kudos0

Re: SONAR and "cloud scanning"

malexous: thanks. Unfortunately, I cannot see the image you posted ... it is still in moderation (long moderation times are one of the many bugs in these new forums). Can you, or anyone, please explain what protection Norton Security's SONAR can provide when the user's computer does not have an active internet connection? If an executable starts to run and exhibits suspicious behavior, what can Norton Security do (to protect the user) if there is no active internet connection ... and thus no way to access cloud-based behavioral protections? In this case, how would Norton Security prevent the executable from running or installing malware?
Kudos0

Re: SONAR and "cloud scanning"

Hi geek47,

I do not know if this can be of any help, but NS still downloads & installs SONAR defs via LU.

My guess is that a local db, maybe smaller compared to NIS, maybe not, is still present.

Cheers,

Kudos0

Re: SONAR and "cloud scanning"

Thanks for the most interesting post malexous.  I find that quite encouraging.  

You appear to be giving us much more useful and helpful information than anyone at Symantec/Norton.  

Mike
Kudos1 Stats

Re: SONAR and "cloud scanning"

Thank you Apostolos. It would be nice if Symantec had the courtesy of providing their customers with an official explanation of what protections Norton Security provides when the user's computer does not have an active internet connection. Other user posts in this thread imply that an exposure exists. Perhaps the independent test labs will test and report on this case (i.e., compare the level of protection provided by all products when there is no active internet connection).
Kudos0

Re: SONAR and "cloud scanning"

Thanks for the most interesting post malexous.  I find that quite encouraging.  

You appear to be giving us much more useful and helpful information than anyone at Symantec/Norton.  

Hi Andmike,

Like my friends from France would say:  " C'est un bordel total !!"

Cheers,

Kudos1 Stats

Re: SONAR and "cloud scanning"

Here is some gobbledygook from Norton.

"Symantec recommends that your computer remains connected to Internet to get the real-time protection against threats and proactively detects unknown security risks on your computer." About SONAR Protection

Kudos1 Stats

Re: SONAR and "cloud scanning"

Some Symantec customers actually choose to use their computers offline, and sometimes one's Internet connection fails. Symantec needs to consider those cases and fully disclose what exposures customers have when running Norton Security without an internet connection.
Kudos4 Stats

Re: SONAR and "cloud scanning"

I was advised by a senior Symantec staffer that he would get someone from the *team* to best answer our questions as to the extent that Sonar protects us when offline. That was on 7th October. Still waiting.

Windows 10 Home X 64 Norton Security Premium Current
Kudos0

Re: SONAR and "cloud scanning"

I was advised by a senior Symantec staffer that he would get someone from the *team* to best answer our questions as to the extent that Sonar protects us when offline. That was on 7th October. Still waiting.

 Lol!!  But kudos for the "smiley" face...

Cheers F4E,

Kudos1 Stats

Re: SONAR and "cloud scanning"

I was advised by a senior Symantec staffer that he would get someone from the *team* to best answer our questions as to the extent that Sonar protects us when offline. That was on 7th October. Still waiting.

Thanks F4E. 

When they finally get around to answering our questions .... it would be nice if it was a dialog (two-way communication between customers and Symantec) and not a monologue consisting of something like this:  Symantec recommends that your computer remains connected to Internet to get the real-time protection against threats and proactively detects unknown security risks on your computer.

Symantec needs to address the issues raised here in this thread, and also the issues, examples (including videos) from the thread titled SONAR.

Kudos0

Re: SONAR and "cloud scanning"

What's the use if almost all functionality of security software is migrated to cloud? . . . . . . . A few years later these companies will ask us to channel all the network traffic through their vpn gateway such that you have TOTAL protection. What is the difference between a paid antivirus in cloud, when compared to similar alternatives like virustotal and herdprotect? Both will be just a mirror image of each other, latter without a firewall but with multiple antivirus engines of different makes! We all know Symantec employees will get to address issues like this a LOT late.
regards, CV | There is no ONE TOUCH KEY to security . Be alert and vigilant. . | Always have a Backup Plan!
Kudos1 Stats

Re: SONAR and "cloud scanning"

F4E:

I was advised by a senior Symantec staffer that he would get someone from the *team* to best answer our questions as to the extent that Sonar protects us when offline. That was on 7th October. Still waiting.

Symantec: it has been almost THREE WEEKS since you told user F4E that someone would address the Norton Security exposure issues (described in this, and other, threads) that could occur when a user's computer does not have an active internet connection and an executable is run that behaves suspiciously (and possibly installs malware).

It appears that Norton Security cannot provide any behavioral protection when the user's computer does not have an internet connection.

We (your customers) are STILL WAITING for an explanation of how Symantec will address this exposure in the new Norton Security .....

Kudos1 Stats

Re: SONAR and "cloud scanning"

Symantec:

It has now been 4 weeks since we were told that someone (from Symantec) would address the Norton Security exposure issues described in this thread (i.e., the potential lack of behavioral protection when a customer's computer does not have an active internet connection).

In particular, please provide recommendations of what customers should (or should not) do if they are using a computer (protected by Norton Security) that does not have an active internet connection.

If you are not going to address this potential exposure, please at least have the courtesy of telling us not to expect any information on this issue.

Kudos0

Re: SONAR and "cloud scanning"

Hi, geek47. I'll try another reminder. 

Windows 10 Home X 64 Norton Security Premium Current
Kudos0

Re: SONAR and "cloud scanning"

I have the same problem. could help.
Kudos0

Re: SONAR and "cloud scanning"

Maybe I'm missing something, but if you're not on line, how are you going to pick up a virus, malware, etc? You had to be on line to download the file (program) and it should have been scanned by Norton at that time. If you're concerned about a virus when you run the program, run it for the first time on line. If you're worried the malware, virus, Trojan, etc would appear after the third or fourth time you run the program, all I can ask is where and what the heck did you download? If you're loading a program from a disk or USB, then again, just be on line when you do that for the first time and you should be protected. I may be naïve but I just don't see a problem here. Looks to me like Norton is providing the most up to date protection you can get by using the cloud.

Kudos4 Stats

Re: SONAR and "cloud scanning"

Hi PhxFlyer.

I think the concern relates to things like SD cards, USB drives etc which may be connected to the device.  The internet is not the only source of data or malware.

Mike
Kudos1 Stats

Re: SONAR and "cloud scanning"

I see many instances of where a laptop is used for a video presentation in locations where there is no internet connection. The presenter(s) bring their material on a USB stick.

Would be nice if Norton could explain the potential danger in these cases.

Kudos3 Stats

Re: SONAR and "cloud scanning"

PhxFlyer:

Maybe I'm missing something, but if you're not on line, how are you going to pick up a virus, malware, etc? You had to be on line to download the file (program) and it should have been scanned by Norton at that time.

Yes, Norton Security will scan a downloaded file for viruses ... independent of whether or not the computer has an active internet connection.

But Norton Security's SONAR (whose database is located on Symantec's servers and thus ONLY accessible if the computer has an active internet connection) does not check for the presence of viruses ... it checks for suspicious behavior when an executable is running. More details about SONAR's behavioral protection can be found here.

One could have previously downloaded an executable that (when later run) installs malware onto a computer. Norton's anti-virus could scan that executable and declare that it is free of any known viruses. Then, later (when the computer does not have an active internet connection) the user could run that executable. If the computer does not have an active internet connection at that moment, then the SONAR behavioral protection database is not accessible, and thus if that downloaded executable starts to exhibit suspicious behavior ... SONAR cannot deal with the possible malware that the suspicious executable might try to install.

One solution might be to just not run any executables when one's computer does not have an active internet connection. But that is not practical. As has been pointed out by others in this thread ... sometimes laptops are intentionally used when there is no internet connection available ... and sometimes one's ISP connection is down, but the user still needs to use their computer while it is offline.

Another solution would be to give users the option of having the SONAR database stored locally on their hard drive. I believe that is the way Symantec's older products worked. Why not give users who are running the new Norton Security, and who have large hard drives and fast internet connections (to download and save the SONAR database locally), the option of keeping a SONAR database on their hard drive? In that case, SONAR's behavioral protections would always be available.

Since Norton Security's SONAR behavioral protection is (currently) ONLY available when an active internet connection is present, then Norton Security has a potential exposure. Symantec needs to acknowledge and address this issue, and (at the very least) provide definitive recommendations to us customers as to what we should (or should not) do when we need to use a computer (protected by Norton Security) that does not have an active internet connection. In that case (no active internet connection), how do we avoid getting malware from an executable? To date, Symantec seems to be just ignoring this issue.

Kudos1 Stats

Re: SONAR and "cloud scanning"

The enormous success of Norton's recent security programs is largely due to their excellent and well deserved reputation for blocking malware from entering your PC. I can recall only one test where another product was able to do a tiny bit better, but both scores were in the stratosphere. While you would need to be extremely unlucky for it to happen, there is some chance of something slipping through, in addition to the points made by others about off-line sources of entry. Malware infections are a percentage/chance "game." What are your chances of visiting a particular site or downloading a program on a day when NS was not capable of blocking a particular malware that is part of an extremely low percentage set? Probably close to zero. I mean you really have to have severely angered the malware gods in some way for that to happen.

Norton's emphasis has always been on blocking, not on detecting. Its on-demand detection scores, while good, are not outstanding, which makes behavior blocking very important in Norton's over-all approach to security.

After reading this thread for the umpteenth time last night and giving it a lot of thought I believe the critics are correct. While NS remains one of the top products that provide excellent overall protection, the Norton approach to behavior blocking could well be considered by many as not being the solution they would prefer. It has obvious advantages such as speed and up to the second data, but it does present an issue when a device is not online. Perhaps the solution lies with the consumer. If they know that they on occasion use their device while not connected to the net, that should be a factor in their buying decision. Respecting users such as myself who are always online, while rare, on occasion my internet service will go down for periods of a few minutes to a couple of hours. In addition, over the past several years there have been occasions where a local connection required a visit by a technician to repair, typically the next day.

I currently own a 664 day subscription to NS but uninstalled it early this morning. The critics are correct that Norton should provide a more complete explanation of what behavior-blocking abilities, if any, NS retains when the protected device is not connected to the net. At the very least NS should provide for users such as myself who intend to always be online, a large warning pop-up that my internet connection has been interrupted or terminated. I don't always keep an eye on my network icon.

While I still believe that even with this Sonar issue, over-all NS provides excellent protection, at the moment this factor has caused a certain degree of discomfort.

I'm certain at some point my reaction, which is more emotionally than rationally based, will subside and I will reinstall NS, but ATM I cannot rely on it.

I have not been a particularly lucky person over the past decade, in fact I have had some instances of terrible luck. For example, there are probably hundreds of thousands of stocks on the numerous exchanges that one can buy. Typically, every year the Securities and Exchange Commission will suspend trading in 10-15 stocks because it has reason to suspect fraud. The suspension lasts only 10 days but the damage is usually permanent. Well, I actually invested in one of these stocks and lost it all. There is something like a .000004% chance of a potential investor "investing" in one of these stocks. Perhaps such a person as myself with that kind of luck should not use NS. I think that's close to the percent chance of a diligent PC user having his/her device damaged by an infection while using NS offline.
