Hello everyone, I came to this section to leave my suggestion for the Norton team to evaluate and implement.
I used the AVAST product, and what I liked was the manual product update, something that doesn’t happen with NORTON.
I want to update the Norton version manually, as is done in AVAST. Could you make this possible in the next version?
Because I think it’s awful that the Norton product is updated to a new version without the consent of the customers. Do it like AVAST does, since you are now part of the same GEN DIGITAL group.
AI Mode
Avast allows you to set independent update preferences for virus definitions (protection updates) and the application (product updates). This means you can have one set to automatic and the other to manual.
While the publication date on the public support pages may be listed as 2022, the information regarding update settings is still valid and reflects the current options available in Avast Antivirus and Avast One as of late 2024 and 2025 releases. The core functionality for independent updates has not changed.
What I want is for the Norton team to do the same thing that Avast does with their products.
Because it’s better for us Norton users to have control over when we need to update.
It’s good that you think the same as me, but there must be users who think the same.
Because on the Avast forum there are people who don’t update the product because it has several flaws, so they wait for the new version and don’t update in the meantime.
But here in Norton, if there’s an update, there’s no way to block the program update, which screws over a lot of people. That’s why I’m telling the Norton team to see what we’re requesting so they can do the same thing that’s done in Avast.
They’re giving us paying users the option to download or not.
Hello, I have a question. I updated my Norton threat database on December 24, 2025, and it showed the value in the image below, indicating that the number of definitions was 18,215,299 at the time.
Today I decided to update the virus definitions as of today, December 31, 2025, and the value is now lower than before, at 15,892,541, as shown in the image below.
My question is why did it get smaller? Since the trend is to increase, not decrease, and if it decreased, why? Where did the rest of the definitions go?
I can’t say why the size of the downloaded definitions declined. But for every day computing, Norton 360 uses an online database for virus detection. The downloaded files are used for when you do not have an internet connection.
AI Mode
The number of virus definitions in Norton 360 may appear to decrease because Norton periodically streamlines its definition sets. Old, obsolete definitions are removed and often consolidated into newer, more comprehensive signatures to improve performance and efficiency.
Here is a breakdown of why this fluctuation occurs:
Consolidation and Generalization: Older, specific signatures for very rare or obsolete malware are regularly superseded by a single, generic signature that can detect a broader range of threats. This reduces the overall count while maintaining or even improving detection capabilities.
Performance Optimization: Removing outdated and unused definitions helps keep the software efficient, reducing the burden on your computer’s CPU and disk resources during scans.
Threat Relevance: If a specific type of malware is no longer in distribution or has become irrelevant due to operating system security patches, its corresponding definition may be retired.
Streaming Updates: Norton relies heavily on real-time, cloud-based protection and “streaming updates”. When these temporary streaming updates are officially incorporated into the main, permanent definition set (often with a new version number), the number of individual components might be logged differently, potentially showing a temporary decrease in a specific log view until the next full update cycle is complete.
Troubleshooting/Glitches: In some rare cases, a sudden significant drop might indicate a temporary update error, a corrupted definition file, or a conflict with other software. Running Norton LiveUpdate manually a few times and then restarting your computer typically resolves such glitches.
In most instances, a decrease in the number of definitions is a normal part of the software’s maintenance process and does not indicate reduced protection. Your system remains secure through real-time cloud-based analysis and updated behavioral protection mechanisms.
===================
A decrease in the virus definition count is generally not a cause for concern. It is a normal part of the software’s operational maintenance designed to keep your Norton 360 program efficient and up-to-date.
Here’s why you shouldn’t worry:
Improved Efficiency: Norton routinely removes obsolete definitions for malware that no longer poses a relevant threat or that has been neutralized by operating system updates. This streamlining improves scan speeds and reduces the memory and processing power used by the software.
Consolidation: Instead of maintaining thousands of individual definitions for slight variations of the same virus family, newer definitions are often consolidated to cover broader threat categories more effectively. You have fewer total files, but broader protection.
Cloud-Based Protection: Your primary protection does not rely solely on the locally stored definitions count. Norton 360 uses real-time, cloud-based analysis and behavioral protection heuristics to detect new and emerging threats instantly, often before a traditional definition is even created.
When to Be Concerned
A drop in definition count only becomes a potential cause for concern if it is accompanied by other warning signs, such as:
Error Messages: Norton 360 displays a “Fix Now” prompt, a red status indicator, or an explicit error message stating that updates have failed.
Inability to Update: Manually running the LiveUpdate feature multiple times fails to restore the count to the expected range.
System Instability: You notice unusual system behavior, significant slowdowns, or you have strong reasons to believe your system is compromised.
If you are worried, simply run LiveUpdate manually within the Norton application. If it completes successfully and the software reports that your system is “Secure,” your protection is working as intended.
Norton’s security approach combines two complementary methods: signature-based detection and AI-driven threat detection (also referred to as behavioral analysis or Advanced Threat Protection).
Here is how they differ:
Signature-Based Detection (The Reactive Approach)
Signature-based detection is the traditional method of antivirus protection, working much like how police use fingerprints.
How it works: Norton maintains a vast database of “signatures,” which are unique digital fingerprints, file hashes, or specific lines of malicious code from known viruses and malware. When you scan a file, the software checks if its unique signature matches anything in this predefined list.
Strengths: It is highly effective at instantly identifying and blocking known, widespread threats with very low false positives.
Weaknesses: It is fundamentally reactive. It can only catch threats that have already been discovered, analyzed by security experts, and added to the database. It is blind to brand-new, or “zero-day,” malware and polymorphic viruses (which constantly change their code).
AI-Driven Threat Detection / Behavioral Analysis (The Proactive Approach)
Norton’s AI-driven protection (part of features like Proactive Exploitation Prevention and Behavioral Protection) uses machine learning to identify threats based on their actions, not just their identity.
How it works: Instead of asking, “Does this file match a known virus?”, it asks, “Is this file acting maliciously?”. The AI engine establishes a baseline of normal system, network, and application behavior. It monitors activities in real-time for suspicious actions, such as:
A normal program (like a word processor) suddenly attempting to access or encrypt many system files (a typical ransomware behavior).
An application trying to make unusual connections to external IP addresses.
Unusual memory manipulation or privilege escalation attempts.
Strengths: It is proactive and excels at detecting new, previously unknown threats (zero-day attacks) and fileless malware that operates without leaving a traditional signature.
Weaknesses: In its early stages, behavioral analysis can sometimes produce more false positives (flagging a legitimate but unusual program as a threat) until it learns the normal baseline of your specific system.
By combining both methods, Norton provides a comprehensive, multi-layered defense: signature-based detection quickly stops the “known” threats, while the AI-driven system actively watches for anything “unknown” or unusual.
=======================
Norton’s use of a hybrid detection approach—combining traditional signature-based detection with AI-driven behavioral analysis—is highly significant because it provides a multi-layered defense strategy that addresses a wider spectrum of cyber threats than either method could alone.
The significance lies in:
Comprehensive Protection Against Diverse Threats
The hybrid approach ensures coverage for virtually all types of malware:
Signature-based detection handles the volume: It efficiently catches the millions of known, common, and established viruses and malware strains with high accuracy and minimal false positives. This removes the bulk of the threat landscape immediately.
AI/Behavioral analysis handles the novelty: It actively monitors for new, previously unseen threats (zero-day attacks), fileless malware, and sophisticated ransomware that changes its code (polymorphic viruses), which would otherwise bypass a signature-only scanner.
Proactive Defense Against Evolving Threats
The cybersecurity landscape changes constantly. The hybrid model allows Norton to adapt immediately:
Speed of Response: The behavioral engine can stop a brand-new threat the instant it attempts a malicious action on your system.
Reduced Reliance on Updates: While signature systems require constant updates to stay relevant, the AI system can detect malicious intent without needing to know a specific virus signature in advance. This ensures protection is continuous, even just after a new threat emerges.
Efficiency and Performance Balance
The hybrid model optimizes how system resources are used:
Optimized Scans: Signature scans are fast when checking for known items.
Smart Monitoring: Behavioral analysis runs continuously in the background but only takes action when behavior deviates significantly from the norm, minimizing the performance impact on your everyday computer use.
In essence, the hybrid approach provides a “belt and suspenders” security model: the signatures act as a strong foundational layer against known threats, while the AI/behavioral analysis acts as an essential, dynamic second layer of real-time vigilance against the unknown.
=================
A new threat is incorporated into Norton’s protection mechanisms through a rapid, automated, multi-stage process that leverages their vast Global Threat Network and specialized threat labs.
The Discovery Phase
The process begins with the identification of a potential threat from several sources:
User Submissions: Users can submit suspicious files or URLs to Norton’s threat labs for analysis if they suspect a false negative (something missed by the scanner).
Honeypots: Gen Digital operates “honeypots”—decoy systems designed to attract malware and automatically capture new samples in a controlled environment.
Global Threat Network (Telemetry): The most significant source is real-time data collection from millions of Norton, Avast, AVG, and Avira users worldwide. When the behavioral engine on a user’s machine flags an anomaly (something acting suspiciously but not yet identified), metadata about that activity is sent anonymously to the cloud for further analysis.
Analysis and Classification (AI & Human Labs)
Once a sample is obtained, it enters the analysis phase:
AI Pre-analysis: Machine learning algorithms rapidly assess the data. They categorize the file’s attributes, code behavior, and potential maliciousness. AI can cluster rare variants together, allowing analysts to focus on potential new malware families.
Human Threat Labs: Suspected zero-day threats or complex samples are escalated to human security analysts in Gen Digital’s threat labs. These experts reverse-engineer the malware to understand its full functionality, its payload, and how it evades detection.
Incorporation into Databases
The outcome of the analysis determines how the threat is handled and incorporated into the systems:
For Signature Databases (The Reactive Layer):
If analysts determine a file is definitively malicious, they extract unique “fingerprints” or snippets of code—the signatures.
These signatures are immediately added to the master virus definition database.
The updated definitions are distributed to all user devices via the LiveUpdate feature. This process is highly automated and can happen within minutes or hours of a major outbreak, moving a threat from “unknown” to “known” status globally.
For AI Detection Engines (The Proactive Layer):
The data from the new threat (behaviors, attributes, command-and-control communication) is used to retrain and refine the AI models.
The AI models learn the new malicious patterns, improving their ability to spot similar, future variations of the malware generically (e.g., using a “-gen” flag for detection) based on behavior rather than a static signature.
This improves the AI’s ability to detect deviations from a “normal” baseline, enhancing its proactive capability against future novel threats.
This simultaneous updating of both signatures and AI models is what allows Norton’s hybrid system to stop the bulk of existing threats instantly while remaining agile enough to block new attacks as they emerge.
I have another question about LiveUpdate. I want to know how to block it through the Norton firewall so that the Norton program doesn’t update to the new version?
I’m asking this because Avast has separate malware updates and antivirus program updates, but Norton doesn’t do the same.
I don’t want to update Norton to the new version until I’m sure I won’t have problems on the machines I have.
Hello @New_Style_xd
Sorry, I’m not aware how to block/stop Norton product updates.
-------------------------------------------
Norton 360 does not allow separate, granular controls for definition updates and product (application) updates in the same way Avast does.
In Norton 360, the primary update mechanism is called LiveUpdate, which is designed to download both virus definitions and routine program patches together.
Combined Updates: The “Automatic LiveUpdate” setting controls both types of updates simultaneously. It is highly recommended to leave this on for optimal protection.
Critical Product Updates Bypass Settings: Even if you disable “Automatic LiveUpdate,” critical product updates and essential security patches for the Norton application itself are often handled separately and will still download and install automatically to ensure the software remains secure and functional. These essential updates are the typical cause of the restart prompts you may be trying to avoid.
Manual Control: The only control available in the settings allows you to choose whether to apply updates immediately or only after a system reboot, but not to choose which type of update is downloaded.
In contrast, Avast is known for providing distinct settings here to manage virus definitions and application updates independently.
