In another thread about Norton Security's idle background activity, a Symantec employee said this: "Also, NS adds cloud scanning of files, hence your observation of network traffic."
I am not familiar with how Norton Security implements "cloud scanning" and what data is being transferred to/from the end user's computer ... so I searched for the term and found this thread from the NS beta test:
https://community.norton.com/forums/sonar-7
Could someone from Symantec please explain Norton Security's "cloud scanning" and also address the issues that were brought up in the above-mentioned thread regarding the effectiveness/safety of Norton Security if the end user does not have an active internet connection?
Some quotes from the referenced thread (I am not saying these quotes are true; but now that the beta is over and NS has been released, I am just asking for someone from Symantec to address testers' concerns from the thread that were brought up during the NS beta):
"Norton Security’s SONAR feature fails to protect users big-time if an internet connection is not present at the time when the user runs the program in question."
The Norton Security products cannot be deployed while this issue remains unresolved. If SONAR needs an internet connection in order to work effectively, then SONAR needs to check for an active internet connection upon file execution. If an active internet connection can’t be found, then SONAR needs to follow Norton Download Insight’s lead above and prompt the user with a recommendation to “not use this file unless you know that it is safe”.
I hope Symantec will seriously consider restoring local SONAR scanning before the official launch of Norton Security v. 22.x, or at the very least make it more difficult for the user to execute a file with an unknown reputation when SONAR is not available.
Now Symantec has decided to move SONAR's real-time heuristic scanning off the local hard drive and into the cloud in v. 22.x, compromising system security if the user is not connected to the Internet (or presumably, if connections to the backend Symantec servers are temporarily unavailable). Having SONAR residing in the cloud might simplify updates to the behaviour-based protection, but at what cost to the user?
Download Insight gives unknown files a Good trust rating (one step below Norton Trusted) and most users would assume that a Good trust rating means the file is safe to use. PRIOR demonstrated how easy it is to run these files in his videos. Up to now, Norton's premise has always been that SONAR's real-time heuristic detection will intervene and remove the unknown file if it behaves maliciously during execution. Now that SONAR has moved to the cloud in v. 22.x we have lost that secondary check for malicious behaviour if the user is disconnected from the Internet.
AVG, AntiVir, ESET, Panda and several other popular free and subscription-based antivirus programs flagged this installer as suspicious/malicious (it was bundled with PUPs and trojans) while Norton's Download Insight gave this unknown file a Good trust rating.