I was wondering if Norton Power Eraser could be stopped by an external program after it reboots the computer. I'm wondering this because if NPE could be stopped after the reboot it would be rendered useless if someone who created the malware tried to make sure that it couldn't complete its job and render the attempt at stopping the malware fruitless.
I guess it just comes down to production and competence of manufacturers. If in the modern day of such vulnerabilities and possibilities to manipulate and even make PCs unusable, we still have doubts whether we should implement thorough security solutions, it is unreasonable. I guess it could be a cost issue? Slower production? As I am unaware of how motherboard security actually works, I will refrain from further comments.
Josh Ross: I do not think most modern motherboards allow unsigned/non-permitted updates. They have to check the signature and the file of the BIOS to confirm its legitimacy. Unless I am wrong.... Which would make me a little bit scary? I guess there are plenty of fail-safes that I am not aware of as well.
Some do check, some don't, and some fail to check properly. Some fail to protect secure variables so the BIOS/UEFI config (aka CMOS) can be tampered with from Windows (with admin privileges).
A "you cannot flash the BIOS" jumper should be just about standard. It would also be nice if the BIOS was on an SD card rather than some proprietary flash memory on the motherboard. Also a ROM-based failsafe BIOS should be standard.
While these would be nice I've seen almost none of them in the real world.
I do not think most modern motherboards allow unsigned/non-permitted updates. They have to check the signature and the file of the BIOS to confirm its legitimacy. Unless I am wrong.... Which would make me a little bit scary? I guess there are plenty of fail-safes that I am not aware of as well.
Josh Ross: Even though, getting help from an anti-virus provider is still a lot. Not detecting at all is far worse than at least knowing something. On the other hand, if the user is more tech savvy, it causes a lot of overcomplicated questions.
If something is not detected, how do you know about it? Shouldn't be too many questions about a lack of a detection. On the other hand if you have a file that should be detected, then you have something to submit.
I doubt rootkits you and I could get would be a very low-level one. BIOS level? Not sure if that is actually a thing but if it boots up and infects the BIOS, then it could be over for your motherboard.
That comes down to whether your motherboard vendor allows unsigned updates and/or has poor security design. Also the attacker has to target your specific motherboard, which usually isn't worth their time.
A "you cannot flash the BIOS" jumper should be just about standard. It would also be nice if the BIOS was on an SD card rather than some proprietary flash memory on the motherboard. Also a ROM-based failsafe BIOS should be standard.
Even though, getting help from an anti-virus provider is still a lot. Not detecting at all is far worse than at least knowing something. On the other hand, if the user is more tech savvy, it causes a lot of overcomplicated questions.
I doubt rootkits you and I could get would be a very low-level one. BIOS level? Not sure if that is actually a thing but if it boots up and infects the BIOS, then it could be over for your motherboard.
Josh Ross: Regardless, it still should deal with a majority of the rootkit issues... right?
If run from the infected OS, sometimes, unless the rootkit is NPE aware, then maybe not. Run from outside the OS (pre-boot in PE mode) the rootkit is inactive and is just another file -- hiding better from NPE has no effect since the rootkit is inactive.
F 4 E: NPE should be able to deal with most threats, but should always be used with caution as it may remove needed system files.
How to act on NPE detects... My view on it is 90% of its value is the detection and opinion, not so much the removal.
"Nothing detected" -- Great!
"Something detected" -- Well, what is it? Do I know that program? Submit to Symantec.
NPE should be able to deal with most threats, but should always be used with caution as it may remove needed system files.
Regardless, it still should deal with a majority of the rootkit issues... right?
From what I've examined in Norton it seems that ELAM checks the digital signatures on all drivers and passes that on to Norton when it loads. I don't think it has remediation (not totally sure), and I don't think it uses signatures. Not sure Symantec is going to get into those details.
NPE in a preboot environment has full access to the Norton reputation system (known good/bad, and unknown), and can submit samples. It is not affected by code loaded by the OS, because the OS is not loaded.
Early Launch COMBINED with Boot Time set to Aggressive, and you're pretty much covered.
If Early Launch works as F4E says, then my thoughts are also correct on the topic. I mean that is essentially the purpose of anti-rootkit, is to boot before it and stop all of the malicious intents. It is obviously not going to be 100% accurate, but in most cases, it should do the job.
Maybe you should ask Symantec. I stand by my post.
From what I have seen ELAM doesn't get a lot of use, I don't think the primary definitions are even loaded by ELAM.
Early Launch Anti-Malware Protection should take care of that. Settings > Antivirus -- Ensure set to ON.
Also Boot Protection to Aggressive, as this ensures Norton loads before anything else.
The Early Launch Anti-Malware Protection feature provides enhanced security level when you start your computer. It ensures better protection by running all the necessary components of your Norton product that are required to block any malware from functioning when you start your computer.
A good question, I was also wondering that, so I did some research. It's doubtful that a rootkit will launch itself before NPE, it's just how it's set up. It would take a lot of crafting to deny specifically this part of the software, and even so, you can still block the rootkit from doing its business after launch, denying its services or access to the internet. But as Peter said, no anti-virus, anti-malware, anti-rootkit, anti-*Insert name here* software will protect you 100%, your best option is to be careful and not get a rootkit because they are quite nasty to deal with.
This is yet another prime example of why running NPE from before the OS boot is a great function.
https://community.norton.com/en/forums/when-do-we-get-nbrt-npe-back
Hope they bring that feature back to NBRT soon.
One reason that NPE needs the reboot is to catch rootkit malware. But even NPE is not able to catch 100% of malware. That is why sometimes you have to get expert help.
If you think you are infected with something that NPE is not catching, post back and we can try to help.
I should have been more specific about which restart I meant. The restart that I was talking about was the one where it actually deletes the malware but it deletes it before the desktop loads, making it impossible for me to end its task. But when I said task manager I meant a program that can end tasks before a user could, like maybe rootkit type malware that is loaded before NPE.
Why not try it for yourself?