Norton should be more responsive to new threats

I once submitted malware samples to Symantec and later they sent me an email telling me the samples had already been detected by Cloud Protection. However, Norton didn't detect the samples when I re-scanned them and even ran them, until the next SDS update was installed. Sadly, SDS updates are not frequent.

It seems like the Symantec Cloud Protection is not accessible to Norton users and Norton is not so responsive to new threats, compared to Avast (streaming update) and Kaspersky (UDS). This leaves Norton users with a big security risk.

Norton should try to be more responsive to new and emerging threats, using Cloud Protection and any other technology. 

Yes, Norton should start using Avira tech. Their cloud is one of the best ones.

peter11:

From what I see, Norton should work on their cloud detection, because other AVs do have that. As a major brand AV, Norton needs to make it to the same level as other AVs.

Yeah. It is evident that Norton relies heavily on SDS updates (traditional virus definitions) rather than cloud-based definitions to detect new viruses. I'm hoping Norton will adopt the cloud protection technology developed by its subsidiary, Avira. Avira performs admirably in terms of cloud detection.

Vitalik93:

Anthony Qian, have you contacted support regarding this problem? Just interested in what they say...

Hi,

I contacted customer service a long time ago, and they told me that it was normal. 

Vitalik93:

As far as I understand from these comments on Malwaretips, Norton offers different threat processing methods for endpoint and consumer products. Symantec Endpoint Protection has something like "early warning services" that allows it to remove threats immediately after they were added to the cloud. Norton consumer products don't have it.

Yes, that's a guess of McMcbrad. Nobody knows why Norton can't achieve real-time cloud detection until Norton or Symantec staff responds. I believe the problem is serious, but it appears that officials do not think so.

Why comment about Symantec, Kaspersky, others... with the NortonLifeLock Community?


Norton offers specialized protection that helps in keeping you and your devices safe. Your PC is protected from viruses, online threats, identity theft and financial scams. 

  • Total Cloud Protection - a feature that scans your PC directly using cloud-based virus definitions.

  • Static Data Scanner (SDS) - These user-mode modules enable an enhanced security model, improved protection efficacy, and better resource management.

https://support.norton.com/sp/en/us/norton-security/current/solutions/v111382660 - 2020

Introducing Symantec Data Scanner (SDS) Technology 

Norton Security provides its protection in two modes: kernel and user modes (more info).

In kernel mode, Norton Security provides real-time protection by monitoring the activities of all running processes; and performs various security checks on calls made by applications running in user mode. Our antivirus engine running in kernel mode ensures that malicious codes are not making unauthorized modifications to the key areas of OS and user environment. This ensures threats like rootkits are blocked; and infected files are not getting onto the system.  In user mode, Norton Security performs the analysis of memory access and ensures safe execution of applications running in the system. The protection in user mode prevents advanced threats from executing malicious CPU instructions and making memory modifications.

Norton Security PC client v22.7 introduces our next generation antivirus engine featuring Symantec Data Scanner (SDS) technology as well as a newly architected real-time protection system (Auto-Protect). SDS is a user mode only solution targeting modern platforms and products. With the introduction of SDS all file scans will execute in user mode, providing improved security and better resource management.  Beyond improved security, SDS also delivers refined detection technology that enables our Response Ops team to detect threats sooner.

The new engine can monitor the activities of processes and file IOs in kernel mode and scan in user mode without trading off performance of the system. Scanning in user mode provides additional flexibility by removing memory limitations in kernel mode. This also supports other enhancements included in this release such as our enhanced emulator. Moreover, it allows flexibility to develop features that are not possible to do in kernel. Furthermore, SDS can expand the security checkpoints in-memory access by malicious processes and perform more sophisticated repairs under certain conditions.

https://community.norton.com/en/blogs/product-update-announcements/introducing-symantec-data-scanner-sds-technology - 2016


Auto-Protect is the first line of defense against threats by providing real-time protection for your computer. Whenever you access, copy, save, move, open or close a file, Auto-Protect scans the file to ensure that a threat has not attached itself. By default, it loads when you start your computer to guard against threats and security risks. It also monitors your computer for any activity that might indicate the presence of a threat or security risk. Auto-Protect can determine a file's type even when a threat changes the file's extension.

When a threat, threat-like activity (an event that could be the work of a threat), or a security risk is detected, Auto-Protect alerts and takes the necessary steps to either clean, quarantine, delete or leave alone (log only) the detection of a threat depending upon the actions configured for each detection type.

Whenever you access, copy, save, move, open, or close a file, Auto-Protect scans it to ensure that a threat or security risk is not present.

A Full System Scan will detect viruses and security risks by examining all files and processes (or a subset of files and processes). A Full System Scan can also scan memory and load points.  (Note, though, that no AV product can detect threats which exist only in memory and are not written to the disk.)

Note: Auto-Protect does not scan inside compressed files due to the amount of time required to uncompress the container file and scan each file.  A Full System Scan will scan inside compressed files.

Okay.  I'm still curious what you guys mean by "Norton Cloud"?

According to the email I received from Symantec, they define Cloud Protection as:

Total Cloud Protection provides protection for our users while also substantially reducing the AV on-disk definition size by keeping content for rarely detected items in the cloud. This allows Auto-Protect as well as scans to look up file reputation information as well as definitions, without the need for on-disk definitions.

Norton users can use Cloud Protection to defend themselves from new malware right away, without having to wait for the next SDS update.

Maybe you want the NortonLifeLock Submission Portal < https://submit.norton.com/ > to respond faster, and be more responsive and transparent, to users' submissions?

Yes, that's one part of it. Besides processing submissions faster, they need to deliver new virus definitions faster. This can be done by Streaming Updates (currently used by Avast and previously by Norton) or Cloud Protection (used by major AVs now). However, as previously mentioned, Norton's Cloud Protection is ineffective and users have to rely on traditional SDS updates to protect themselves from new threats.

R U comparing Norton retail real-time detection vs. Kaspersky retail real-time detection?
R U comparing Norton retail on-demand scan detection vs. Kaspersky retail on-demand detection?
You have machine/s running Norton and machine/s running Kaspersky?

I have been using Kaspersky and Norton in rotation for more than three years. In terms of cloud protection, Kaspersky does much better than Norton. An undetected new malware sample, after being submitted to Kaspersky's Threat Intelligence Portal, will typically be blocked in 20-30 minutes, and a relatively accurate detection name will be given (e.g., UDS:Backdoor.MSIL.NanoBot.gen). Once the sample is blocked in the Cloud, all Kaspersky users connected to KSN will be immediately protected against this threat. That's what I want Norton to achieve.

Vitalik93:

+1 vote from me. Norton Cloud should work better. Kaspersky cloud detection is a good example here for NortonLifeLock.

What are you calling "Norton Cloud"?

"Total Cloud Protection requires the Insight feature to be enabled and may have limited or different detection names on older support versions of SEP "

Insight feature is the Reputation Lookup. Often this is done by Proxy, and generally works well to get a reputation on a file before it is actually written fully to disk.

I do know that one issue that SEP has, dealing with reputation, is that once a verdict is reached on a file, the SEP client stores the result away, and even if the reputation of a file has changed, the SEP client will not ask again. The workaround is a CleanWipe, OR there is a way to reset the local reputation by API call if you know how to do so.

For the OP, if you get another issue like this, consider completely re-installing the client, to see if you get a different result. I don't know enough about Norton, and how it works compared to SEP since the breakup of the two companies.

According to the email Symantec sent to me, they define Cloud Protection as:

Total Cloud Protection provides protection for our users while also substantially reducing the AV on-disk definition size by keeping content for rarely detected items in the cloud. This allows Auto-Protect as well as scans to look up file reputation information as well as definitions, without the need for on-disk definitions. Total Cloud Protection requires the Insight feature to be enabled and may have limited or different detection names on older support versions of SEP.

If Symantec's Rapid Release is pushed to Norton clients via LiveUpdate, I am not sure whether the Reputation Revocation List is the so-called Rapid Release. The Reputation Revocation List is Norton's most frequent kind of update anyway.

I think it's called "Rapid Release" on the Symantec/Broadcom side for SEP clients. I do know there is information sharing, such as threats between these 2 companies (Norton/Symantec), I'm unaware of what happens behind the curtain @ Norton and if they have some sort of "Rapid Release" for Norton clients.  Would love to know more though.

If anyone finds out, please post.

Thanks again for the info.

Hopefully someone from Norton might chime in here and explain more. It can be very confusing to the casual user as well as the experienced user. And although most users might not be interested in all the details it might help some in comparing products.

Can I infer that the Norton definitions can be as much as 24 hours behind on a new virus? 

From my experience, Norton/Symantec generally spends a lot of time (usually 1-5 days) in processing and analyzing the malware sample I submitted. So your idea is correct. As far as I know, ESET and Kaspersky process samples much faster than Norton. Last time, Kaspersky even responded to my submission and added UDS definition in just half an hour!

Also, does cloud based protection mean that no database exists on the local system?

No. Almost all the AV products on the market have a database on the local system. Cloud protection is designed to make AV more responsive to new viruses. Usually, a new virus definition will first be added to the cloud database and then added to the traditional on-disk virus database.

What if I am not connected to the internet and I pop in a USB stick my friend just handed me?

Your AV will only use the on-disk virus definition.

And Norton does have cloud based protection but we the users never have access? 

I think Norton has cloud protection. However, just as I said, in the email from Symantec, they said the new virus had already been detected by Cloud Protection, but in fact Norton could not detect it at that time, although both Norton and Symantec use the same engine. So I think Norton's cloud protection is somewhat laggy.
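As an added illustration, not code from Norton, Symantec or anyone in this thread, the Python sketch below models the two-tier lookup the answers above describe: on-disk definitions are consulted first, anything unknown locally is looked up in the cloud, an offline client falls back to local definitions only, and a cached cloud verdict stays in force until either a revocation list clears it or its age exceeds a TTL (the SEP caching behaviour mentioned earlier in the thread). Every hash, detection name and sample byte string is constructed for the example, and the class and function names are my own assumptions, not any vendor's API.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample "files"; none of these correspond to real malware.
SAMPLE_KNOWN = b"constructed sample: old, widely seen malware"
SAMPLE_NEW = b"constructed sample: new malware with a cloud-only definition"
SAMPLE_LATER = b"constructed sample: judged clean at first, flagged later"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical on-disk definitions (the role played by SDS/LiveUpdate content).
LOCAL_DEFINITIONS: Dict[str, str] = {sha256_hex(SAMPLE_KNOWN): "Trojan.Constructed.A"}

# Hypothetical cloud definitions; a newly analysed sample reaches this tier first.
CLOUD_DEFINITIONS: Dict[str, str] = {sha256_hex(SAMPLE_NEW): "Trojan.Constructed.B"}


@dataclass
class Verdict:
    detection: Optional[str]  # detection name, or None when nothing matched
    source: str               # "local", "cloud", "cache" or "unknown"


class TwoTierScanner:
    """Local definitions first, then a cached cloud lookup when online."""

    def __init__(self, local_defs: Dict[str, str], cloud_defs: Dict[str, str],
                 online: bool = True, cache_ttl: float = 3600.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.local = local_defs
        self.cloud = cloud_defs
        self.online = online
        self.cache_ttl = cache_ttl
        self.clock = clock
        # hash -> (detection or None, time the cloud answered)
        self._cache: Dict[str, Tuple[Optional[str], float]] = {}

    def scan(self, data: bytes) -> Verdict:
        h = sha256_hex(data)
        # Tier 1: on-disk definitions work with or without connectivity.
        if h in self.local:
            return Verdict(self.local[h], "local")
        # A previous cloud verdict is reused until it ages out, even if the
        # cloud has since changed its mind about the file.
        cached = self._cache.get(h)
        if cached is not None and self.clock() - cached[1] < self.cache_ttl:
            return Verdict(cached[0], "cache")
        # Offline: nothing beyond the local definitions can be consulted.
        if not self.online:
            return Verdict(None, "unknown")
        # Tier 2: cloud lookup, result cached for later scans of the same hash.
        detection = self.cloud.get(h)
        self._cache[h] = (detection, self.clock())
        return Verdict(detection, "cloud")

    def apply_revocation_list(self, hashes: Set[str]) -> int:
        """Drop cached verdicts for revoked hashes; returns how many were dropped."""
        return sum(1 for h in hashes if self._cache.pop(h, None) is not None)


def demo() -> Dict[str, Verdict]:
    """Walk through the scenarios discussed in the thread and return each verdict."""
    now = [1000.0]
    clock = lambda: now[0]
    results: Dict[str, Verdict] = {}

    online = TwoTierScanner(LOCAL_DEFINITIONS, dict(CLOUD_DEFINITIONS), clock=clock)
    results["known_local"] = online.scan(SAMPLE_KNOWN)   # caught by on-disk definitions
    results["new_online"] = online.scan(SAMPLE_NEW)      # caught only via the cloud

    offline = TwoTierScanner(LOCAL_DEFINITIONS, CLOUD_DEFINITIONS, online=False)
    results["new_offline"] = offline.scan(SAMPLE_NEW)    # same file, no cloud: unknown

    # A clean verdict is cached; the cloud later adds a definition for the file.
    results["later_first"] = online.scan(SAMPLE_LATER)
    online.cloud[sha256_hex(SAMPLE_LATER)] = "Trojan.Constructed.C"
    results["later_stale"] = online.scan(SAMPLE_LATER)   # still "clean" from the cache

    # A revocation list clears the stale entry and the next scan asks the cloud again.
    online.apply_revocation_list({sha256_hex(SAMPLE_LATER)})
    results["later_revoked"] = online.scan(SAMPLE_LATER)

    # Without a revocation list, only the TTL eventually forces a fresh lookup.
    now[0] += 4000.0
    results["later_after_ttl"] = online.scan(SAMPLE_LATER)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict.source:8} {verdict.detection}")
```

The `later_stale` result is the interesting one for this thread: a client that caches cloud verdicts and never re-asks keeps reporting a file clean after the cloud has flagged it, which is why a revocation list (or a short TTL) matters as much as how quickly the cloud itself is updated.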

Thank you for those explanations.

Can I infer that the Norton definitions can be as much as 24 hours behind on a new virus?  Also, does cloud based protection mean that no database exists on the local system? What if I am not connected to the internet and I pop in a USB stick my friend just handed me? Or does the local system have the last cloud based data downloaded?

And Norton does have cloud based protection but we the users never have access? So the updates then would come down at various times throughout the day from the cloud based database?