Can I delete quarantined files/objects?

I've noticed that not a single threat that NIS has quarantined on my computer has the option to be deleted.  Why is this?  It appears that Norton has decided that since the threat is resolved, I would want to keep the file in question.  This is absurd.  How many people would be receiving a file they really want that just happens to be infected with malware?  Hogwash.  If I get malware, it was probably sent automatically from an infected machine; and I have no interest in the file.  In fact, I don't want it creating an ever-growing quarantine folder just wasting space on my computer.

 

I can conceive of a way to destroy someone's computer simply by using NIS or NAV as the agent.  Send the largest possible infected files your ISP will follow to the person's computer you wish to destroy.  Keep sending them over and over again, preferably while the person is away.  Each file will be cleaned and stored in the quarantine folder.  Overnight you should be able to pump a fair number of gigabytes into that poor soul's quarantine folder.  And here's the kicker.  He's stuck with them!  So you can do it again the following night, launching your email from a different computer just in case he has the original sender on a black-list.

 

Below is a screen-clipping of the kind of actions Norton allows me for EVERY ONE of the security risks it has quarantined.

 

Example.jpg

Hi! Mijcar,

 

I have a pop quiz; have you already opened NIS>Quarantine>Selected an item>Clicked options (below the recommended action box) then Selected Submit to Symantec? If you have, then select the remove item from history; this should delete the file. One thing to note, most ISPs will block a file that is continuously transmitted no matter where it comes from.

I really do not think that anyone should post methods to destroy people’s computers in this forum.


Tech83 wrote:

Hi! Mijcar,

 

I have a pop quiz; have you already opened NIS>Quarantine>Selected an item>Clicked options (below the recommended action box) then Selected Submit to Symantec? If you have, then select the remove item from history; this should delete the file. One thing to note, most ISPs will block a file that is continuously transmitted no matter where it comes from.


 

I'm sorry, but that is blatant nonsense.  I'm not referring to your words, but to the process itself.

 

How many regular users out there, people who never visit these boards -- how many of them would have the slightest clue about doing that?  I read the Help section and I was shown the following:

 

mijcar.jpg

 

That's it.  None of what you say appears to the regular user.  This is bad.

 

Moreover, consider:  Why should anyone send a file to Symantec that has already been identified as containing malware, or which has had it removed?  Symantec already knows about the malware; they don't need a submission.  And if the malware has been removed, why send them a clean file?  Both of these actions are absolutely pointless, a waste of the user's time, and an ever greater waste of Symantec's precious time that they should be spending analyzing new submissions.

 

Just give me a simple option to remove a file I have no interest in looking at or releasing back onto my computer.

 

What is worse is that the malware-makers are always one step ahead of the malware-catchers.  They create something new and there is always that interval between creation and detection.  What happens if the supposedly clean file really contains a second infection for which Symantec does not yet have a signature?  No, I don't want to play with the blasted file.  I don't need the blasted thing!  I just want it deleted and gone.

 

Message Edited by JerryM on 11-04-2009 10:44 AM

cgoldman wrote:
I really do not think that anyone should post methods to destroy people's computers in this forum.

 

It's called "white-hatting" (by me, anyway); and you can be sure that this simple method is well known.  I was merely making the point that a bloated quarantine folder (which has already been discussed in these forums) is damaging to the computer (which has also already been discussed in these forums).

 

Believe me, I know of at least a few other strategies to do real damage, not this simple thing; and I would never consider posting them anywhere.


Tech83 wrote:

Hi! Mijcar,

 

I have a pop quiz; have you already opened NIS>Quarantine>Selected an item>Clicked options (below the recommended action box) then Selected Submit to Symantec? If you have, then select the remove item from history; this should delete the file. One thing to note, most ISPs will block a file that is continuously transmitted no matter where it comes from.


 

Sorry, Tech, I forgot to mention that ttbomk removing an item from history is quite different from deleting it.  Removing it from history means that you don't want to read about it any more.  :smileytongue:  Deleting it means ... well, you know what that means.  Anyway, if Symantec really means for "delete from history" to also mean "delete from the computer", that can create a problem for the user.  What if the user knows the file is now safe since the malware has been excised and wants to keep the file but doesn't want to have the info cluttering up his or her computer (that is the user's choice, you know).  So the user clicks on "remove from history" and suddenly the file he or she wants is gone forever!

 

Nothing is more important in the interface between product and user than the correct and clear usage of words!

“Remove from History” (if there is no ‘Remove this file’) does delete the file from Quarantine and your system.  The option to ‘Remove the file’ is for something that is not a certain risk; for anything other than Lowest or Low risk items, Norton will remove the file automatically and place the only copy of the file in Quarantine.  ‘Remove from History’ deletes the encrypted compressed file from the Quarantine folder / files.


dbrisendine wrote:
"Remove from History" (if there is no 'Remove this file') does delete the file from Quarantine and your system.  The option to 'Remove the file' is for something that is not a certain risk; for anything other than Lowest or Low risk items, Norton will remove the file automatically and place the only copy of the file in Quarantine.  'Remove from History' deletes the encrypted compressed file from the Quarantine folder / files.

I'm sorry, D, but based on the English language, I cannot allow myself to believe a word of what you just said.  (Even if it's true.)

 

According to Norton Help itself, which is official (whereas you only offer hearsay):

Example 3.jpg

Until you can provide an actual quote (and I would prefer a screenshot) from anywhere whatsoever in the NIS or NAV Help files that says what you "claim is true" is actually true, then I (and countless thousands of others) would have no reason to think that.

 

Please understand, D, I don't mean this offensively, nor is it directed against you.  This is about clarity of communication in a very important security product.  I'm sure you can understand where I am coming from.

Message Edited by mijcar on 11-03-2009 10:35 AM

I agree. Norton's help files are useless for a user who is trying to determine what actions Norton has taken when malware is discovered. For those of us that have learned not to depend on Norton alone, who use a layered approach to security, we need not only correctly worded help files but the ability to customize certain actions so that Norton does not conflict with our layered approach.

 

For example, I browse using Sandboxie which I trust more than Norton to keep my computer malware free while surfing the net. I also use a non-signature based HIPS to alert me if newly introduced files attempt to make modifications to important files, folders, or keys in addition to a tightly configured inbound/outbound firewall and router.

 

I assume, but do not know, that the action Norton takes with respect to any malware might vary. For example, if Norton spots an executable which it knows to be malware it probably stops it from running through quarantine. However, a threat it does not initially recognize might start performing actions which allow Norton to identify the executable as malware. Does Norton behave any differently? When a threat is removed, what does this mean exactly? Are all files introduced or modified by the malware quarantined by Norton so that no changes were made to the system? Or, do some modifications remain despite the threat being removed?

 

If Norton advises me during a browsing session that it has detected malware, what should be my response during a Sandboxed browsing session? Since Norton has never detected malware on my system I am clueless regarding Norton's actions. Norton's help file lacks the specificity necessary for me to make an informed decision regarding its interaction with my other security measures.   

My apologies for my previous post.  :frowning:

Michaeldayla

 

Norton is not designed to be operated in a layer with other AV products, indeed there is specific advice against doing so. I do not see why Norton should deal with or make proposals in respect of other security measures. Nevertheless, I accept that there is always room for improvement in help files.


Tech83 wrote:
My apologies for my previous post.  :(

 

Good heavens, T, there's nothing to apologize for.  I enjoy your posts, even when leavened with a dollop of sarcasm.  And you were offering information you thought useful.

 

Keep it up, T.


mijcar wrote:

dbrisendine wrote:
"Remove from History" (if there is no 'Remove this file') does delete the file from Quarantine and your system.  The option to 'Remove the file' is for something that is not a certain risk; for anything other than Lowest or Low risk items, Norton will remove the file automatically and place the only copy of the file in Quarantine.  'Remove from History' deletes the encrypted compressed file from the Quarantine folder / files.

I'm sorry, D, but based on the English language, I cannot allow myself to believe a word of what you just said.  (Even if it's true.)

 

According to Norton Help itself, which is official (whereas you only offer hearsay):

Example 3.jpg


If you want a test of this, go to www.eicar.org and try to download a test file.   NIS2010 will examine the file during the download phase and Quarantine the download.

 

1) Examine the Resolved Security Risks in History or go to Quarantine and view it there directly:

 

Download Insight Quarantine 110409.png 

 

2) Click on More Details or Options

 

Download Insight Quarantine Options Remove 110409.png

 

(Note : File system shows this right now [see below])

 

Download Insight Quarantine Files 110409.png

 

 

3)  Click on the "Remove this file From History" and confirm you want this done.

 

Download Insight Quarantine Options Remove Confirm 110409.png

 

4)  Check your file system and you will see that the CONFIRMED HIGH RISK ITEM has been removed from your system.

 

Download Insight Quarantine Files Post Removal 110409.png

 

 

A user does not have any other options from the Options pop up on any confirmed Malware.  Norton will not let you restore the malware onto your system; this is to protect users from making mistakes and accidentally infecting their systems. 

 

Do not literally take the Norton Help file or Users Manual as they were trying to write something to cover ALL levels of user expertise and "English". 

 

Does this help you mijcar?

 

Message Edited by shannons on 11-04-2009 08:10 AM

D, a couple of clarifications.

 

First, my post was mostly about the UNhelpfulness of Norton's Help menus.

 

Second, one of the options actually is "delete the file"; you just don't usually get it.

 

Third, it does appear that what is being offered the user is the chance to restore a cleaned-up previously-infected file.  So there would be good reason to remove it from history WITHOUT actually deleting the file -- assuming the user actually wanted to use it.  I will add that this situation has occurred to me.  Very seldom, yes, but it has occurred:  a time I needed the information so badly that I risked opening the file once it was supposedly cleaned.  So, not only is there a different grammatical implication between "delete the file" and "delete the log entry"; there is also a different situation to which each applies.

 

Fourth, are you certain the file is actually off your computer?  And if that one is, what about files that have been cleaned up?  Why would Norton delete them unless specifically told to?

 

Do you see the problem?

 

What I want -- and what I think users deserve -- is what NIS used to offer:  A clear quarantine manager that gives me a display of quarantined items and allows me to point and choose an action, one of which would be to delete.

 

Second best would be a pop-up that when I point at an action tells me all the consequences of that action.  For example, if you're right about deleting a log entry also deleting the file, then when I point at "delete log entry" there should be a pop-up that says "deleting this log entry will also result in deleting the file."

I feel I want to add to this.  There seems some confusion here about my intentions for starting this thread.  Only in a small way am I attempting to solve a problem of my own.

 

I am trying to draw attention to a much larger problem affecting software that I really like.

 

From the very beginning, back in the beta days of NIS 2009, I and other users kept finding out that while the product was a good one, the interface sucked.

 

Instructions, definitions, clarity of directions, help menus -- these were counter-intuitive if they existed at all.  They suggested doing the wrong thing or that something different would happen than the user intended.  The pop-ups we get after background scans are intrusive and uninformative and poorly visualized.

 

Here we are in NIS2010, long past beta days, and the same design problems are still there.  I am not talking about engineering bugs; those affect everyone and Symantec jumps right to it when someone points one out.  I am talking about ease-of-use and user-friendliness -- these elements are terrible and unimproved.  Just look at the number of how-do-I queries we get on these boards from competent, computer-savvy posters!  It's one thing for a complete novice to be confused by technical instructions; it's quite something else for a sophisticated computer user of many years to not be able to decipher help screens, set-up menus, and settings options.  And, as I said, those horrible pop-ups!!!

 

After two years of mostly successful development, it's time for Symantec to get some human-design engineers on board that know what they're doing, preferably people with a background both in English and design psychology.

Norton is not designed to be operated in a layer with other AV products, indeed there is specific advice against doing so. I do not see why Norton should deal with or make proposals in respect of other security measures. Nevertheless, I accept that there is always room for improvement in help files.

 

 

I don't think I asked Norton to make proposals with respect to other security measures. I simply agreed that in many respects Norton's help files are misleading and expressed the further opinion that they fail to adequately explain the actions Norton takes in response to a security threat.

 

I did not state that I use any other real-time AV product while running Norton. I do not. While Norton may be among the best AV products, it alone is not the answer to the malware epidemic. I run Norton AV, not NIS. I must use, therefore, a firewall product from another vendor and other software to enhance security. Why shouldn't Norton, and this forum, provide guidance in the use of Norton with other products which must be used?

 

A layered approach to security is recommended by most malware vendors. For me, that layered approach starts with keeping Windows and all other software patched, including all browser addons and plugins. It means browsing with Sandboxie or VM software to prevent malware from doing permanent damage to files and systems. It means disabling services I do not use and adding services which enhance security. It means password protecting all accounts. It means running regular security checks to verify system integrity and that of firewall and router configurations. It means multiple layers of email filtering so 100% of email which reaches my inbox is legit. It means other simple security measures anyone would take if they were aware. Many users are unaware, which is why botnets grow.         

 

I refuse to rely solely on Norton, or any other AV product, to protect my system. In my view, an AV product is really the last line of defense, not the first. It is the last, best hope to avoid damage when security has been compromised. Better to avoid compromise than hope for containment. This forum is full of posts from users who have become infected while relying on Norton.

 

If you wish to rely solely on Norton that is a choice you're free to make. I will continue to complement a good AV product with other security measures.

I certainly agree with mijcar about the help files.  In some ways they are clear and helpful, but in many instances they are contradictory or highly incomplete.

 

On a very basic level, note that the help file instructions often directly contradict the program defaults (and can hugely contradict advice from support or experts).  A simple example:  The default setting in NIS 2010 for Microsoft Office Automatic Scan is OFF, yet the guidance that pops up if you click the question mark near that option says, "Always keep this feature turned on..."

 

I really like NIS 2010, but I was disappointed that these kinds of discrepancies were not addressed.  People should be able to depend on a security product to give them good, consistent advice.   Admittedly I just upgraded to 2010 and haven't looked at help extensively, but -- other than for new features and a cleaner look -- what I have seen thus far looks unimproved.  And it sure didn't take much searching to come up with a sample help-vs.-product-default discrepancy (the one cited above). 

Message Edited by Ardmore on 11-05-2009 03:00 PM

Ardmore

 

Your point may be valid but not in my view for the reasons you express. Your quote is out of context.

What the help file says in respect of your example is "By default, the Microsoft Office Automatic Scan option is turned off."

What the advice says is "Always keep this feature turned on to allow Norton Internet Security to scan all Microsoft Office documents that you receive through email messages or through Internet download."

 

There is no conflict whatsoever. The default is that the scan option is off. The advice is saying in effect that if you wish to allow NIS to scan Microsoft office documents that you should keep this feature turned on. Had the wording said "Always keep this feature turned on." then I would agree that there is a potential conflict.

 

What I think would be useful, because you have identified many instances, is if you were now to fully document those instances and why they are contradictory or incomplete.

 

 

cgoldman -

 

I don’t have time to do a thorough review.  But I did dig up some May 2009 help files, and I see that substantial clarity has indeed been added throughout in 2010.  E.g., in the older version I found one page headed “Security Alert” that says, “When a security risk is detected, Norton Internet Security notifies you with an alert message,” and outlines the possible responses the user can make.  But in 2010 Help, where Security Alerts are mentioned, context is given -- that is, it is noted that this only applies when Automatic Program Control is off.

So there are clearly a lot fewer discrepancies or head-scratchers in 2010’s Help, but some do remain.  For example, there is a page headed, “Ensuring that protection settings are turned on.”  It goes on to say, “Norton Internet Security is configured to provide your computer with complete protection against viruses. In addition, Norton Internet Security protects your computer against spyware, adware, and other security risks.   The default settings provide complete protection for your computer. However, you should ensure that your protection features are turned on for maximum protection.”  But this is then followed by a list that includes features which are in reality disabled by default, including Early Load, Microsoft Office Automatic scan, and Remove Infected Compressed Files.

As for the fact that the page you refer to points out that Microsoft Office Automatic scan is off by default, even that begs the question of “why?” when there is an adjacent explanation which seems to recommend having it enabled.  Wording like “By automatically scanning all Microsoft Office files, Norton Internet Security maintains a higher level of security”  clearly looks like a keep-it-activated recommendation to me, despite your take on it.

And as for what started this thread -- removal of an item from quarantine -- the wording “remove this file from history” is not really a clear explanation of the action that will take place.  At the very least it leaves a bit of doubt, which you don’t want when we’re talking about system safety.  All that would be needed is to add the three words “and your computer.”

 

Finally, there is the less-clear-cut, but still relevant, issue of routine recommendations from support (and some experts here) that seem to be strongly contradicted in Help, e.g., the advisability of disabling of compressed-file scanning.

Message Edited by Ardmore on 11-05-2009 08:28 PM

I am absolutely delighted that this thread has stirred up such a hornet's nest of responses.  That's absolutely what is necessary.  But reading through all the responses and supposed explanations shows that in reality there is still a dearth of understanding.  And that shows the problem that exists in terms of simple users trying to understand a complex application with unclear help entries.

 

To show what I mean, I am going to follow my own advice on another thread and reduce my broad query to a narrow one and one meta-question to go along with it.

 

Here it tis:

 

I have just received an email from a friend.  He is sending me a copy of a tax file I urgently need.  The file is large.  He has compressed it and attached it to email.  The attachment is called Jeff.zip.  Unbeknownst (excuse my flowery language, but Shakespeare was my subminor in graduate school, really irritating my math teachers by the way, but that's another story, and no explanation for my really long Miltonian sentences) to my friend, his computer was rife with malware, one of which sneakily snuck in a virus into the zip file (this can easily be done by ... well, never mind).

 

So here comes my email with the deadly attachment.  Norton leaps to the rescue. "Stand back, son," it says, despite my advanced years, "let me deal with this one."

 

It grabs that attachment and wrings the very virus straight out of it.

 

Then (as far as I can tell) it sends the cleaned up zip file to jail.  So there it is, the now exorcised (my metaphors are shifting it seems) Jeff.zip, pure as the driven snow (in the days preceding large smoke and pollution yielding plants).  I would like that file.  Truly.  I need it because my Uncle Sam wants the information on it.

 

So I open the Norton Console and click on Quarantine and there the now nice Jeff is mentioned on the arrest lists.

 

And here's the question:  If I click on "Remove from history", will I lose the file?

 

Meta-question:  Why do I have to ask that question here instead of being able to readily find a clear answer in the Help documents?

 

P.S.  If I misunderstood anything in my presentation, my apologies, but that, too, is the result of my inability to get clear descriptions of processes and what to expect.