joen wrote:
soj:
> How can a Pulse Update every 5 to 15 minutes be considered "poor?"
When content is more important than frequency.
> CR is a non-technical publication, and it seems more likely to me that when they rate Updating,
> it has to do with how quickly a local signature database is refreshed,
> rather than the specific signatures that each update contains.
There's an assumption in there.
> The way they define "Updating," though, is somewhat ambiguous
> as to whether they are using a measure of quantity or quality.
No kidding.
I more or less agree with you though. Cars are pretty technical, and CR does a pretty good job of evaluating them. I would say though that that's one of the few areas that they do a good job of.
Specifically with regard to this issue, unless CR knows the _content_ of the NIS updates their opinion isn't worth much on that aspect of their study.
There's an old saying: even a blind pig finds an acorn sometime. Meaning I don't disagree with their overall conclusion.
It seems to me that Symantec's products are not of the same quality that they previously were. Their reluctance not to participate in the AV Comparisons study, and issue a lame excuse instead, was one indicator of a possible concern about being evaluated.
A look at the threads in this forum, going back always, shows that Symantec's ability to fix problems, which was never speedy, has deteriorated further.
The previously disclosed loss of NAV source code, and the claim on Friday of NIS source code also, if true, may be diverting effort. It's tough to believe anything you hear about this.
Hi, joen. Comments as follows:
Update frequency: Considering that pulse updates come down as often as every few minutes - I don't think Symantec can be faulted for update frequency. Thus, I infer that CR is commenting on update rapidity when it comes to zero-day exploits.
Now, one of the things known about NIS is its effectiveness at using heuristic scanning to capture new variants of malware - where all that has changed between the old variant and the new variant is its signature. The heuristic scanning in NIS is quite effective at "unmasking" an existing piece of malware that has simply changed its "coat" (and thus no longer matches its signature in the scanning database).
However, one of the inevitable design compromises that occur when using an effective heuristic scanner is an increased prevalence of false-positives. This is unavoidable. Thus, in order to prevent false-positives from items that should no longer be "trapped" by heuristic scanning - any new-signature-database-updates must also interact with the heuristic scanner - in order to inform the heuristic scanner that "yes, we know about this the other way - you don't need to pitch-a-fit over this one because we are catching it by its signature".
Therefore, the "update" for a newly-templated piece of malware for NIS is not just its updated signature-set. It is also the changes necessary to inform the heuristic scanner to look for the new malware's infection-pathway - so the subsequent releases of that malware in a new "coat" will be properly trapped by the heuristic scanner.
Note: Malware writers know the above. Thus, for a new piece of malware to be truly effective for even two days - the malware writers must re-engineer their malware such that not only does it have a new signature (so it is not detected by signature-based scanning) but they must also re-engineer the infection pathway in such a manner that the heuristic detector does not go "aha - I know what you are" and squash the infection dead using that mechanism instead.
Keeping the "smarts" in a good heuristic-scanner up-to-date without creating a storm of false-positives is no easy task. However, it is the only methodology that makes the malware writers work hard to produce any malware version that has a viable attack vector for more than 24-48 hours.
Having a good heuristic scanner makes run-of-the-mill "script kiddy" attacks non-viable - since the "script kiddies" are not capable of re-engineering the malware at a level where its infection-pathway is changed such that the heuristic scanner is fooled. This ensures NIS is effective against the vast majority of "dingbat" malware - as well as the pool of "typical" malware-in-the-wild that are spread by botnet-infected machines, spam, and/or poorly-protected websites with mediocre or incompetent webmasters.
So, the "fight" devolves to a cat-and-mouse game between the most-sophisticated malware writers - and the top-tier Anti-Malware companies - such as Symantec. IMO, everybody else who does not have an effective heuristic scanner falls by the wayside into the also-ran category.
From the above - it also becomes obvious that having a "trapping" mechanism that quickly detects the newest release variants is an important part of keeping an Anti-Malware product effective. And then, once "trapped" - it is just as important to have the ability to "template" the malware. This "templating" includes devising signature detection that does not false-positive on files supplied with Consumer Software as well as investigation of the infection-pathway along with devising methods to detect the infection process which do not false-positive on actions taken by legitimate software.
If you are wondering whether "devising methods to detect the infection process which do not false-positive on actions taken by legitimate software" is technically demanding... Well, duh... Yeah, dude, it is! 
So, Symantec are on the horns of a dilemma. Do they release a signature update - pronto like? Yeah, that's a good idea. Do they follow that up with an update which adds the proper "smarts" to the heuristic detection engine? Yeah, that's a good idea as well.
Does devising an update to the heuristic engine take a little while longer both for development and testing for false-positive elimination? Yes, Sherlock - it does.
Please let us know if you are able to devise a method of overcoming the limitations of Computer Science such that Symantec can snap their fingers and come up with instant updates that are reliable, effective and do not create false positives. If so, I'm sure Symantec will be at your door shortly - prostrating themselves at your feet and pleading for you to take their money and show them how. 
Now, explain the above in words-of-one-syllable to CR - such that CR understands the problem. And then, get CR to explain that to the masses of the great unwashed - in such a manner as they understand the difference between "engineering that works" and "engineering that looks good".
As usual, should any of your Impossible Missions Group be captured or killed, the Secretary will disavow any knowledge of your actions. Good Luck Mr. Phelps. You're going to need it. 
Hope this helps your understanding.
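A toy model of the two detection layers described in the post above, added here as an illustration; it is not part of the thread and not any vendor's code. The trait names, weights, threshold and samples are constructed assumptions. It shows a "re-coated" sample caught by heuristics after its signature stops matching, and a heuristic update being held back until it clears a known-clean corpus.

```python
import hashlib

# Toy two-layer scanner. Trait names, weights and samples are constructed
# for illustration and do not describe any real product's rules.
THRESHOLD = 6

def digest(body):
    return hashlib.sha256(body).hexdigest()

class Scanner:
    def __init__(self, weights):
        self.signatures = {}          # sha256 -> family name
        self.weights = dict(weights)  # behaviour trait -> suspicion score

    def scan(self, body, traits):
        family = self.signatures.get(digest(body))
        if family:
            return "signature:" + family
        score = sum(self.weights.get(t, 0) for t in traits)
        return "heuristic" if score >= THRESHOLD else "clean"

    def try_heuristic_update(self, new_weights, clean_corpus):
        """Accept new weights only if no known-clean sample gets flagged."""
        candidate = Scanner({**self.weights, **new_weights})
        candidate.signatures = self.signatures
        if any(candidate.scan(b, t) != "clean" for b, t in clean_corpus):
            return False              # would cause false positives: rejected
        self.weights = candidate.weights
        return True

def demo():
    pathway = {"writes_autorun_key", "injects_into_process"}
    original = (b"family-A build 1", pathway)
    recoated = (b"family-A build 2, repacked", pathway)   # new bytes, same pathway
    rebuilt = (b"family-A build 3", {"creates_scheduled_task"})  # new pathway
    installer = (b"legit updater", {"writes_autorun_key", "opens_network_listener"})
    s = Scanner({"writes_autorun_key": 3, "injects_into_process": 4,
                 "opens_network_listener": 1})
    s.signatures[digest(original[0])] = "family-A"
    out = {name: s.scan(*sample) for name, sample in
           [("original", original), ("recoated", recoated),
            ("rebuilt_before", rebuilt), ("installer", installer)]}
    # An over-eager rule that would flag the installer fails the clean-corpus
    # gate; a narrower rule for the new pathway passes it.
    out["eager_rule"] = s.try_heuristic_update({"opens_network_listener": 3}, [installer])
    out["narrow_rule"] = s.try_heuristic_update({"creates_scheduled_task": 6}, [installer])
    out["rebuilt_after"] = s.scan(*rebuilt)
    return out
```

The signature entry is a single hash insert, while the heuristic change has to be re-run against every clean sample before it ships, which is the delay the post attributes to false-positive testing.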