Can you materialize a difference between the aggressive and default heuristic? I mean, for instance, something like this: enabling the aggressive level means that out of 1000 files, 10 more files are flagged as malicious. And how many of them are false positives? Does Symantec have such statistics available? Just curious because I am pondering switching to the aggressive level. What do you suggest?
We have seen some difficulties with the aggressive mode triggering action against some of the recovery partition files in some laptops. If this could be a problem that applies to your machine, I would not recommend using aggressive mode.
Good catch on that bjm. It is certainly a possibility. I didn't read that thread as I was not familiar with the file in question or I might have twigged.
There is no particular reason on my side for using the aggressive mode. I have never been hit by malware as I have quite safe surfing habits. I was just curious what the difference between them is. If I had known the negative impact is minimal (FPs etc.) I would give it a try. Therefore I was hoping to have a standpoint and/or figures from Symantec folks coming directly from their laboratories. Moreover, I recall, though I don't know where I caught it, that the aggressive mode increases the efficiency of the heuristic by about 25% (in default mode it is 70%), which means to nearly 95%.
BTW, I wasn't talking about elevating SONAR. I know that it would be very dangerous as detected threats mean the files are deleted instantly. I rather meant the heuristic setting only (under Computer settings).
to delphinium:
It would be a real pain. Having a plagued recovery partition is not the sort of result I am looking for, indeed :-)
All in all, your comments lead me to leave the heuristic at default. I have tweaked my NIS2010 a bit already. I have enabled the verification of MS files, removing cookies automatically and early loading. Do you think any other tweaking might be useful?
Nevertheless I would be very grateful for Symantec laboratory figures as I have asked in my topic post.
I run with aggressive switched on and have safe surfing habits, as I don't stray off my usual one or two sites that I go to and I don't hear boo from it!
You can always try it and see what happens and turn it off if you don't like it... I don't see any harm in learning about the different aspects of NIS2010...some things I will play with some things like the firewall I won't touch!!
You can always try it and see what happens and turn it off if you don't like it... I don't see any harm in learning about the different aspects of NIS2010
Yes, that's right until your learning and hanky-panky ends in a fatal error, as a damaged recovery partition definitely is ;-) Anyway I may give it a try.
I re-read the help file and it states that while the aggressive mode is enabled it scans ALL files on the computer for heuristics. Does it mean that all scans (quick and full) will last fundamentally longer? If the aggressive mode triggers verification of ALL files, what files are checked for the default setting only? Quite unsure about that.
I toggled to Aggressive with 2009 and continued with 2010. I do not consider myself an advanced user...just wanted to see what it would do. My experience to date is similar to mo . My habits are very simple by comparison to perhaps other users...so, that may be why Aggressive has not posed an issue.
It is likely to be an issue with certain software in a limited number of machines. Lenovo and IBM had issues and some of the files were reported as Bloodhound.MBR.
It doesn't appear to be widespread, just something to be aware of.
From my own experience (that being having had Aggressive set for both Heuristics (and Sonar when it became available) since the day I installed Norton), I have not had any problems with it. I would consider myself as someone who does come into contact with plenty of potentially virus-ridden programs (LANs....). I would imagine that every so often I have had an FP, but I have not had any damage done to my PCs because of it. In the case of non-obvious FPs, I count it as a virus, or program that could have... shady functions.
I enabled the aggressive heuristics and will see. However I keep my hands off SONAR as I know that in its aggressive mode it deletes detected suspicious files immediately even if they may be false positives. Will let you know how it goes with the aggressive heuristics on my VAIO.
Well, while some of my questions were already answered, some of them faded away through this thread. Therefore I summarize them below and I would very much appreciate it if Symantec employees and/or forum masters could comment upon each query.
1. Can you materialize a difference between the aggressive and default heuristic? (more to see post #1 and 6)
2. I re-read the help file and it states that while the aggressive mode is enabled it scans ALL files on the computer for heuristics.
a) Does it mean that all scans (quick and full) will last fundamentally longer?
b) If the aggressive mode triggers verification of ALL files what files are checked for the default setting only?
and a new one ...
3. What action is triggered by heuristics? A prompt requiring the user's decision about the detected file or instant deletion of the detected file? I would like to know what to expect.
Hi Pegas, below are my answers with respect to how I understand Norton to work. I'm sure other forum members will be able to give you more specific and detailed information, but here is something for the meantime :-)
pegas wrote:
Well, while some of my questions were already answered, some of them faded away through this thread. Therefore I summarize them below and I would very much appreciate it if Symantec employees and/or forum masters could comment upon each query.
1. Can you materialize a difference between the aggressive and default heuristic? (more to see post #1 and 6)
Unfortunately I am unsure of this one. Firstly, if the help file says that it enables scanning of ALL files, then that is exactly what it does. However, I have always understood it to make the heuristics more sensitive as well - but I am not sure.
2. I re-read the help file and it states that while the aggressive mode is enabled it scans ALL files on the computer for heuristics.
a) Does it mean that all scans (quick and full) will last fundamentally longer?
Yes. However, the difference, as I understand, should not really be noticeable unless you literally have 1000's of GB of data.
b) If the aggressive mode triggers verification of ALL files what files are checked for the default setting only?
Runnable (executable) files would most likely be those scanned by default.
and a new one ...
3. What action is triggered by heuristics? A prompt requiring the user's decision about the detected file or instant deletion of the detected file? I would like to know what to expect.
This depends. Norton prefers to go for the clean/delete and quarantine then notify approach. I understand Heuristics to be sort of "generic" detections in a sense, and as far as I know, Norton's instructions on what to do with the virus are contained within its definitions - so in this case, "generic" definitions - and so there are multiple things it may do. I do not think that it will ask your permission though, unless it is a low-risk item and you have specified in the settings that you would like to have your permission asked when deleting low-risk items. One way or another, you will always be notified - not necessarily asked.
Thx in advance and regards,
pegas
Many thanks for your thorough comments, which made items 1 and 2 clear to me. However, as regards item 3, I would really appreciate an official statement from Symantec because it is most important to know how the aggressive heuristics is going to behave.
So moderators and/or forum masters, I kindly encourage you to clarify item 3 above.