siliconman01

First Chance Protection Default to OFF


I recommend that the new First Chance Protection default be set to OFF in SAS Pro V3.7+. My brother's Dell system with an 866 MHz CPU, 512 MB RAM and Norton Internet Security 2007.2 experiences a problem in that NIS 2007 will not boot up active with First Chance active. Note that NIS is set to "Load Auto-Protect during startup". Turning off First Chance brings his system back to normal.

Boot time and shutdown time take almost 5 minutes with First Chance options set active on his 866 MHz CPU.


I understand your concerns, but we will be leaving First Chance Prevention set to ON, due to the fact that most people would never turn it on and that it does remove hard-to-remove items that may not be removable by scanning. An 866 MHz system is actually quite dated nowadays. I do respect and understand your concerns. We have had very few complaints and/or issues from the hundreds of thousands of users that have updated thus far, and we are keeping an "eye" on it to see if other users have problems.


NIS on an 866 is a lot like pulling a camper up a hill with a compact car. NIS is well-known bloatware and only seems to have negligible impact on a fresh super system (fresh install on a fast dual core, 2 gigs of RAM and a blazing hard drive). Even then it will begin to drag things down as you add software.

To be honest I have more confidence in SAS to kill malware on bootup, so why not just reverse your current settings.

BTW, if you are interested we can walk you through swapping NIS out for Antivir. IMO Antivir + SAS Pro is about as good as you are going to get for proactive protection. Antivir also has a free version and (new feature) a rootkit scanner. Combine this with the antirootkit power of SAS and you will be well protected.

This is an ongoing study about new malware and detection rates. Norton does not do very well: http://winnow.oitc.com/AntiVirusPerformance.html

EDIT:

Norton's impact on a system: http://www.thepcspy.com/articles/other/ ... ows_down/5


Thanks much for your feedback. I certainly can understand your position concerning First Chance. I have turned it on for my own system, which is a 2.66 GHz P4 with 1.5 GB DRAM and NIS 2007.2, to see if any conflicts show up on reboot.

I suspect the 866 MHz system is soon to be replaced. And I'm about to go quad core :wink:

It'll be interesting to see benchmark tests on SAS First Chance concerning boot delay times on 2 year+ older systems. With the security issues facing web users nowadays, a boot delay is a small price to pay...for sure.


The one I posted is based on malware samples submitted by dozens of independent malware hunters with very different hunting techniques. The samples are all submitted to VirusTotal.com first to see how well they are detected. VirusTotal has more than 20 antimalware engines and only the samples that are detected by less than 50% of vendors make it into the study. This makes it impossible to fake the results, because if your application can't detect samples that are new to the web then that same app has no chance of scoring well.

The PC World figures don't add up because Kaspersky, NOD32 and BitDefender all outperform Norton by a significant margin. I see thousands of samples each week and from what I see the only way to get results like PC World is to cherry-pick malware. Antivir has the best heuristics (detection by behavior, not definition) and easily outperforms all front-page apps in the PC World test. I did not believe it myself at first, but after processing thousands of samples and using it myself I can't see a good reason not to use it. I used to be a big AVG fanboy; times change.


As a computer tech that disinfects systems on a daily basis, I agree with nosirrah's statements regarding NIS.

I'm constantly using SAS to clean out malware infested systems that are running NIS.

IMO, NIS is one of the worst antimalware applications that I've encountered. It slows systems to a crawl and isn't very good at malware detection and removal. Furthermore, it's notorious for mysteriously dropping the internet connection and corrupting system files.


I am not a Norton fan, but I assure you that NAV & NIS 2007 are not resource hogs. Don't just take my word for it, add up the running processes in XP and/or Vista and you'll find that it's extremely resource friendly and uses little ram. In fact it uses around 35MB in XP and less than 10MB in Vista.

Proof: http://www.wilderssecurity.com/showthread.php?t=173875

As far as the detection rates are concerned, the PC World test that was mentioned earlier was performed by AV-Test.org, which is one of the most respected independent testing labs out there. You'll also find that AV-Comparatives.com is another credible site that shows Norton to have a high detection rate that rivals Kaspersky. The http://winnow.oitc.com/AntiVirusPerformance.html chart is crap since they use corrupted samples and some of the top performers are notorious for false positives (Fortinet, eSafe, etc.).

Since nothing is 100%, and Norton has been a pig since 2004, it's no wonder people continue to bash it. However Symantec listened to the complaints and showed us a refined product for 2007. If only McAfee could do the same. :wink: I highly recommend using SAS to supplement your AV. I install Kaspersky on my clients infected computers and it also misses a lot of malware. SAS usually picks up the rest, along with the smitfraudfix, roguefix, combofix, and other reputable malware removal tools. Again, nothing is 100%.

FWIW I do not have Norton on any of my pc's, but I felt compelled to clear up some of the misinformation in this thread.


I must say that I strongly prefer the program default setting to be set to the safest possible. Then, if you want less security, you can always start turning things off.

Doesn't it make sense to be cautious with your security?


I know what "studies" and "reports" say, but do a simple Google search for Norton "protected" systems involved in HJT threads having their malware removed by other antimalware software. There are only about a million of them.

Also Google search for threads about people dropping Norton for another AV. The quote "my system is much faster now" is uttered over and over.

Then there are the techs. I defy you to find a real-world malware removal expert that would recommend Norton because it won't slow a system down and is good at preventing infections. I have been ripping Norton out of infested systems for a long time.

The other problems with Norton are that it is easy to break, hard to fix and needs a special removal procedure to remove all of it from your system. I know because I wrote one myself.

Did you read this: http://www.thepcspy.com/articles/other/ ... ows_down/5 ? The results mirror what everyone else is saying.

One other problem I have with Norton is their response time to a missed threat. If I ping SAS about a missed sample it is almost always detected within 24 hours (sometimes sooner). I have seen Norton take more than a week to respond on numerous occasions.

Norton is also a victim of their own popularity. If you are going to engineer a new piece of malware it is a good idea to make sure that it can get by McAfee and Norton, because that is what comes preinstalled on the vast majority of computers.

Look, Norton has chosen their path into your system and it is not through industry expert recommendations.


Norton's retail software is nothing more than a clever carrot on a stick. It represents one of the most successful marketing strategies in security software ever. Image over substance.

Norton's retail software is nothing more than a clever carrot on a stick. It represents one of the most successful marketing strategies in security software ever. Image over substance.

Exactly.

Norton's popularity is due to a great marketing team, not product effectiveness.

My new customers that run Norton and have infected systems are always shocked when I show them the SAS quarantine. As such, when a computer comes in my shop with Norton, it's always replaced with SAS. Ditto for McAfee.

SAS provides better protection, won't sludge the system, has infinitely better support, and is much cheaper to purchase.


I know what "studies" and "reports" say, but do a simple Google search for Norton "protected" systems involved in HJT threads having their malware removed by other antimalware software. There are only about a million of them.

This is because Symantec has a huge market share, and most people have never heard of Kaspersky, NOD32, etc., so they stick with a "brand name". These people getting infected aren't technically savvy either. I don't care what AV they have installed; they will still get infected. Even legitimate websites are getting hacked and their ad servers are serving up exploits and other malware. Tom's Hardware was recently serving up ANI exploits.

http://neowin.net/index.php?act=view&id=40241

Also Google search for threads about people dropping Norton for another AV. The quote "my system is much faster now" is uttered over and over.

Norton AV/IS 2007 are just as efficient as Kaspersky when it comes to resource usage in XP/Vista. If you disagree try it for yourself and then report back. The ones complaining have other issues to resolve, or they are using an old version of Norton.

Then there are the techs. I defy you to find a real-world malware removal expert that would recommend Norton because it won't slow a system down and is good at preventing infections. I have been ripping Norton out of infested systems for a long time.

I am a tech and service systems for a living. My shop easily cleans malware from 100+ systems each month. If you're uninstalling Norton 2007 products you have a lot to learn IMO. Supplement Norton with SAS, AVGAS, BOClean, or another trojan detector since that is what most people are getting hit with nowadays.

The other problems with Norton are that it is easy to break, hard to fix and needs a special removal procedure to remove all of it from your system. I know because I wrote one myself.

I agree that the software is easy to corrupt. However, the Norton removal tool (SYMNRT) works every time I use it.

Did you read this: http://www.thepcspy.com/articles/other/ ... ows_down/5 ? The results mirror what everyone else is saying.

I see Blackviper in there, so that article is biased to begin with. Trend more efficient than NOD32 in boot delay... yeah, right.

One other problem I have with Norton is their response time to a missed threat. If I ping SAS about a missed sample it is almost always detected within 24 hours (sometimes sooner). I have seen Norton take more than a week to respond on numerous occasions.

I've seen ESET's NOD32 take a month or two to add submitted samples. Check the Wilders Security forum for other complaints about ESET's backseat approach to adding samples to their signatures.

Norton is also a victim of their own popularity. If you are going to engineer a new piece of malware it is a good idea to make sure that it can get by McAfee and Norton, because that is what comes preinstalled on the vast majority of computers.

I use Kaspersky on my rigs, and I use it to scan infected pc's when I service them. KAV also misses its fair share of malware. Nothing is 100%.

Look, Norton has chosen their path into your system and it is not through industry expert recommendations.

I don't have Norton AV on any of my pc's, but people that base their bashing on past products should be more open-minded. Industry experts in malware testing show that Norton has a superior detection rate. So in your professional opinion IBK over at AV-Comparatives and AV-Test.org aren't credible testing labs and their reviews should be ignored? I'm sure that your expertise far exceeds their intellect.

My new customers that run Norton and have infected systems are always shocked when I show them the SAS quarantine. As such, when a computer comes in my shop with Norton, it's always replaced with SAS. Ditto for McAfee.

SAS is meant to work alongside an AV and not replace it. I think Nick will also confirm this to be the case.

Tom's Hardware was recently serving up ANI exploits.

The new exploit + new malware angle can only be covered by HIPS-type protection. I have been researching the new exploits (I lead the MIRT team over at CastleCops, same user name). There has been prolific hacking to install that exploit and it comes in several different variations. Exploits in general are more dangerous and the AVs have a reputation of not doing well against them. This is the last one I ran into:

STATUS: FINISHED
Complete scanning result of "index.php", received in VirusTotal at 05.11.2007, 23:32:05 (CET).

Antivirus          Version         Update      Result
AhnLab-V3          2007.5.10.0     05.11.2007  no virus found
AntiVir            7.4.0.15        05.11.2007  EXP/IEslice
Authentium         4.93.8          05.11.2007  no virus found
Avast              4.7.997.0       05.11.2007  no virus found
AVG                7.5.0.467       05.11.2007  no virus found
BitDefender        7.2             05.11.2007  no virus found
CAT-QuickHeal      9.00            05.11.2007  no virus found
ClamAV             devel-20070416  05.11.2007  no virus found
DrWeb              4.33            05.11.2007  VBS.Psyme.383
eSafe              7.0.15.0        05.10.2007  no virus found
eTrust-Vet         30.7.3628       05.11.2007  no virus found
Ewido              4.0             05.11.2007  Not-A-Virus.Exploit.HTML.IESlice.i
FileAdvisor        1               05.12.2007  no virus found
Fortinet           2.85.0.0        05.11.2007  no virus found
F-Prot             4.3.2.48        05.11.2007  no virus found
F-Secure           6.70.13030.0    05.11.2007  Exploit.HTML.IESlice.i
Ikarus             T3.1.1.7        05.11.2007  no virus found
Kaspersky          4.0.2.24        05.11.2007  Exploit.HTML.IESlice.i
McAfee             5029            05.11.2007  no virus found
Microsoft          1.2503          05.11.2007  no virus found
NOD32v2            2261            05.11.2007  no virus found
Norman             5.80.02         05.11.2007  no virus found
Panda              9.0.0.4         05.11.2007  no virus found
Prevx1             V2              05.12.2007  no virus found
Sophos             4.17.0          05.11.2007  no virus found
Sunbelt            2.2.907.0       05.05.2007  no virus found
Symantec           10              05.11.2007  no virus found
TheHacker          6.1.6.112       05.10.2007  no virus found
VBA32              3.12.0          05.11.2007  no virus found
VirusBuster        4.3.7:9         05.11.2007  no virus found
Webwasher-Gateway  6.0.1           05.11.2007  Exploit.IEslice

Not good.

From this thread: http://www.castlecops.com/t189303-2007_ ... avers.html

Norton AV/IS 2007 are just as efficient as Kaspersky when it comes to resource usage in XP/Vista. If you disagree try it for yourself and then report back. The ones complaining have other issues to resolve, or they are using an old version of Norton.

I can't agree with this based on my own personal experience and from what I have heard reported by numerous industry experts. When it comes to detection rates they are not even in the same class.

(Fill in the blank) IS is not recommended by industry experts to begin with. We don't like security suites because they make all of your security far too easy to take out, either in an attack or a software malfunction. It is recommended to have 1 active AV, 1 active AS/AT, a good firewall capable of blocking certain IP ranges, 1 good hosts file and a handful of on-demand scanners. HIPS are not right for everyone but are recommended. Also not for everyone but recommended is a second hard drive and an imaging tool.

If you're uninstalling Norton 2007 products you have a lot to learn IMO.

IMO you are setting your clients up for a return visit if you leave Norton installed on an infested system. Obviously whatever they are doing combined with Norton's "protection" is not getting it done.

I agree that the software is easy to corrupt. However, the Norton removal tool (SYMNRT) works every time I use it.

Now it is you that has a lot to learn. That tool does nothing about corrupted registry permissions and leaves loads of remnants behind. I use subinacl.exe and a custom batch file to preemptively correct permissions before I even begin. I do use SYMNRT as a middle step, but I go much further. I have an exported total uninstall file (not a standard option BTW, you have to dig it out yourself) that I use next. This will get the vast majority of the remnants. Then I do a final JV16 registry finder scan with a handful of symantec/norton-only terms to get the stragglers.

This makes a system like Norton was never there to begin with. Personally this is my definition of "uninstalled".

I see Blackviper in there, so that article is biased to begin with. Trend more efficient than NOD32 in boot delay... yeah, right.

I have not used NOD32 so I can't say anything about that part, but the results for Symantec mirror my own experiences with it.

I've seen ESET's NOD32 take a month or two to add submitted samples. Check the Wilders Security forum for other complaints about ESET's backseat approach to adding samples to their signatures.

Leading the MIRT team I get to scan thousands of samples through VT every week. I often rescan samples at a later date to benchmark response time. Your statement does not mirror what I see. What I see indicates that Antivir, BitDefender, Kaspersky and NOD32 are all good at detecting new malware and respond quickly when they miss something.

BTW, there is a new project starting up that does exactly this with malware samples from MIRT and other independent sources. When it is up I'll drop the link here.

I use Kaspersky on my rigs, and I use it to scan infected pc's when I service them. KAV also misses its fair share of malware. Nothing is 100%.

Using Kaspersky indicates that you do know the score.

Personally I use a combination of a pair of custom batch files to lock and unlock (for updates, installs...) permissions to critical hijack points, HIPS and drive imaging.

No resource drag and bulletproof, not that I do anything dumb to begin with.

Industry experts in malware testing show that Norton has a superior detection rate.

Only in structured tests with cherry-picked malware. When you dump a few thousand new samples collected by unaffiliated independent malware hunters into a real test you get a very different result.

You can test this yourself. Every time you come across a new sample, scan it through Virustotal.com. Keep track of who detects it and who doesn't. There is no way to argue with the results. I do this each and every day and know that published reports of Norton's "amazing" detection rates are often the result of fixed testing.

I will point out this link again: http://winnow.oitc.com/AntiVirusPerformance.html

That chart is dynamic and 100% unbiased. You can check it daily to see it fluctuate. The samples in the study are taken from several real-world sources:

Samples collected through the various help forums around the web.

Real-world tech-collected samples from client machines.

Honeypot-collected samples.

Exploit research fallout.

Hunting based on known dangerous behavior.

Email malware.

Samples harvested from P2P networks.

This study was started without the knowledge of the malware hunters, so it is double blind. The MIRT team (where most of the samples come from) contributes to a listserv that distributes to ALL vendors, so all vendors in the study are on equal footing in terms of our help to them.

Note the lack of vendor advertising on that page. You don't see that on the fixed tests.


Please take a moment to read this entire thread regarding your OITC chart: http://www.wilderssecurity.com/showthread.php?t=162088

Take note of the experts (the orange names) who confirm that your chart is unreliable. Corrupted samples, false positives, etc.

Add that biased chart to go along with your Norton bashing, among other misinformation, and one has to wonder about your credibility not only as a poster, but as a Castle Cops "expert".


Hi EliteKiller

It's ironic that the experts at Wilders decrying the test methodology are in fact predominantly employees of the vendors (AVs... just ask God :lol: ) that underperformed in that *test* model, do you not think?

Yet again, if you take the IBK methodology towards AV testing, where a high percentage of the test bed has not seen any meaningful execution into memory (outside of the labs) for many years now, how do you think those results gathered reflect upon any given *database* to perform against today's (in the wild and emerging) threats?

Both test beds have *weak* points and both have limited benefits in the information presented, IMO.

Regarding Norton and my experiences:

Every computer that I have taken in to service or recover for the first time has had Norton or McAfee software installed.

Of the infected ones (not bad-housekeeping stuff) about 75% have been out of date on their subscriptions (3 months+) and predominantly used by high-risk surfers. The other 25% are fully updated but still bypassed.

I'm of the opinion that some folks will get hosed due to their surfing habits regardless of which security package/solution is implemented :roll:

Here's an overlooked fact; we have to put things into perspective: the *more* copies of a software in circulation, the greater the amount that will be *bypassed*.

Since Norton is still the most widespread security solution, I would expect no less than for it to have the most compromised machines, proportional to the number of end users.

The same can be said about compatibility issues: the more widely distributed a piece of software is, the more compatibility issues, where present, will surface.

Next, look at the bloat (resource use) of security suites such as Norton/McAfee. The end consumers demand more protection, the retailers demand more protection, so the mainstream vendors give them *suites* with all the bells and whistles conceivable and, oh yes, it comes at a price... all those extra resources required to run them.

So will these suites protect *Joe high-risk surfer* from him/herself?

...of course not, but then software is software doing a job, not miracle workers :lol:

Here's another downside to widely used security software: it makes an inviting target for the malware writers to exploit. The old adage of *security through obscurity* goes straight out the window, and this was confirmed by Symantec's and certain other popular AVs' release of their own patches recently to plug vulnerabilities in their software that have been exposed :shock:

Net result: I would not recommend any mainstream solution such as Norton, and whenever I service a computer Norton/McAfee is ripped out.

They are replaced with a free layered solution that is both slimmer in resource usage and offers a more elevated degree of protection :)

Is this Norton bashing or is it just a reality check on the *state* of internet security today and what is ultimately *risk* management :)

HTH :)


Well, the whole Norton debate is pointless since everyone has their opinion on what they think works best. Simply because people that post their HJT logs and ask for malware removal assistance have Norton loaded doesn't tell you anything at all other than how to make an assumption. These people generally fail to keep their AV or AS updated, fail to use common sense while surfing the web or checking email, and in the end that is the source of the infection(s). I install quality malware removal tools on my clients pc's and unless there is an automatic update, or a scheduled scan, they will usually fail to do it themselves. You can only lead a horse to water......

However it's a fact that Norton 2007 products use less memory and resources than earlier versions. Those that disagree obviously do so out of spite and hearsay. nosirrah refers to a single biased website to show that Norton 2007 is bloated. I guess it must be a fact then.

fatdcuk, I wasn't referring to the Inspector, who works for F-Prot, I was referring to the experts from AV-Comparatives. They aren't employed by any security firm, and there is little advertising on their site. If you or anyone else thinks that there is reason to question their opinions on respectable testing sites, their methodology, or their opinions then it would be nice to see facts back up any rebuttal that may come forth.

In regards to the OITC chart, there is no denying that Fortinet, esafe and other front runners are known for excessive false positives. Panda has better detection than Kaspersky? Norton in dead last is predictable considering the people behind the OITC chart. Couple those results with the honeypot crap, junk files, and the entire chart is nothing more than opinionated BS that should be ignored.

NIS 2007 is not bloated or resource hogging. Fact!

Fact is that it uses what it uses when required = Fact!

So forget about task manager and CPU usage by executables to see what you believe to be resource usage; how many drivers is Symantec dropping, how many services are loaded at boot, etc.?

Lots of hidden stuff that Joe average consumer/security guru overlooks or is blissfully unaware of :wink:

A big software suite is indeed a big software suite; when it's all running it needs its share of the resource pie :shock:

I have not singled Norton out (indeed I brought good old McAfee into the same cat) but am purely a believer in security by obscurity, a concept of not putting all your eggs in one basket. This is my standpoint and one I will happily promote where I curry influence :)

NIS 2007 is not bloated or resource hogging. Fact!

Fact is that it uses what it uses when required = Fact!

Isn't that true for any AV or AS, especially during real-time protection? Let me ask you this: how many pc's have you tested or used NAV/NIS 2007 on? What exactly are you basing your NAV/NIS bloat claims on? SAS uses more memory than NAV/NIS 2007, but as we all know it doesn't tax the system. My point is you can't base results on memory usage alone. Even then the memory usage by NAV/NIS 2007 is very low, and in Vista it uses even less when you compare it to XP. Earlier I posted links w/ screenshots to back this up so it's not just my opinion.

Again, everyone has their opinion on what works best. I don't care how "expert" anyone is, people base their security recommendations to others upon an opinion. There's nothing wrong with that, but in the end it would be nice to see people be a little more open-minded about things. If you despise a product, don't put it dead last on a so-called reliable chart, which is what OITC has clearly done. :|


This is starting to get a little out of hand, so maybe we should all make a closing statement and leave it at that.

Norton in dead last is predictable considering the people behind the OITC chart.

I can't get behind that because that cart mirrors what virustotal depicts when I submit new malware . On the flip side Antivir does very well according to that chart and that also is in line with what I see when I submit to virustotal . I also can assure you that I have nothing to do with the apparent performance of the vendors on the OITC chart . That chart was in effect long before I knew that it existed .

One thing to keep in mind is that chart does not depict detection rates of the sum total of all currently live malware , it only depicts the detection rates of malware that is detected by %50 or less vendors at virustotal . If you were to include all malware then obviously the results would be different .

Look , if you want proof all of this is independently verifiable . Take a new sample and resubmit it to virustotal a few times a day for a few days . You can see for your self who is "the man" . BTW I know for a fact that Norton (for reasons that have never been explained) has not responded to numerous requests for contact information in regards to establishing a Virustotal sample hook up . I believe that they are the only Virustotal vendor that this is the case for .

Like I said , go and do some independent malware hunting and benchmarking and see what you can come up with . It is better to gain knowledge through personal experience anyway . Who cares what an "expert , yes I am poking fun at myself" or a "chart" or a "forum" says when you can go out and check yourself .

I will go on record as saying that I did do some norton bashing in this thread , no sense in pretending that I didn't .

IMO, between price, performance, being easy to break, hard to fix, performance degradation and (as fatdcuk mentioned) being engineered against because of prominence, I do not see it as a recommendable antivirus application.

I also agree with the fact that this does come down to personal preference. Just like politics or religion, the potential for escalating arguments is always there.

I do think that debates like these do have their value though, as they draw attention to the strengths and flaws of the entire antimalware industry.

This has been fun BTW, I hope that no one has any hard feelings.

Like I said, go and do some independent malware hunting and benchmarking and see what you can come up with. It is better to gain knowledge through personal experience anyway. Who cares what an "expert" (yes, I am poking fun at myself) or a "chart" or a "forum" says when you can go out and check yourself.

I get paid to clean infected computers so my comments are not entirely based upon charts, reviews, or forum feedback. They are also based on real world experiences that consist of dozens of different computers, operating systems, software configs, etc. :D

My comments are not aimed at anyone not recommending Norton AV/IS 2007, or even their Corporate AV. You are free to recommend whatever you want, which again is based on your opinion. Those that assume NAV/NIS 07 is bloated with inferior detection rates are the only people that I have a problem with. It's sad to see that people let opinions get in the way of fact.

Bah, I edited my post for clarity right when someone was posting again. :oops:


Install Norton Anti-Virus 2007 on one PC, Kaspersky Anti-Virus 6.0 on another PC, Avira Antivir 7 on a third PC. Update the products, and with real-time protection enabled, throw stuff (really bad stuff) at all three. See what happens. See how good Norton's (or McAfee's, for that matter) real-time protection really is: it's a joke. Whether the stuff comes directly off a webpage on the Internet or as raw files from a flash drive, Norton's or McAfee's "protection" is a disgrace. I'm around both all day long, 5 days a week. I see how good they really are in real-life situations. It's like a new house in Alaska that has been insulated and weatherproofed with only newspaper, and then on top of it all, they leave the front door wide open.


It's amazing how this thread degenerated into a Norton bash thread from a simple request to change something in SAS. Really... :)

Those of you still bashing Norton, go ahead and read the below thread:

http://www.wilderssecurity.com/showthread.php?t=162429

Norton still has its faults, but it is MUCH improved over all previous versions. Not so much of a PC killer at all anymore! It is fast, has SONAR which is pretty good, and detection rates are also not bad at all. Also see below:

http://www.pcworld.com/product/testrepo ... did=29902#

PC World says BitDefender is the heaviest. If we put things overall, NAV still may come across as quite heavy, but since the resource test was performed at DEFAULT settings, and default settings vary for all the AVs, one can't be too sure ;)

That being said, NAV and NIS 2007 are very good products, and obviously Symantec is finally doing something right. :)

Removing NIS to accommodate SAS is not a solution. NIS is a good product with VERY good detection rates. Two of the industry's most well-respected testing websites prove this.

Nossirah,

I believe winnow.oitc.com is not as reliable a test as you think.

VirusTotal has more than 20 antimalware engines, and only the samples that are detected by less than 50% of vendors make it into the study.

How does that guarantee in any way that it is indeed malware? It could very well be corrupted files, considering less than 50% means even 1 or 2 AVs' detections will be counted into the study. The study also includes lots of RISKWARE type applications. EVERY AV has a different definition of riskware. What Kaspersky or Avira may call riskware may not apply to AVG, for example.

This makes it impossible to fake the results, because if your application can't detect samples that are new to the web, then that same app has no chance of scoring well.

Maybe the results are not "fake", but they are definitely NOT accurate, due to corrupted files, riskware etc. I receive samples occasionally from the VX community, and often quite a few of them are harmless or corrupt samples which are detected by other AVs due to deliberate or inadvertent (non-deliberate/technical) reasons. And if you want to know how I know they are harmless/corrupt, the answer is that an AV vendor tells me. Now, who exactly is out of the question. :)

The PC World figures don't add up, because Kaspersky, NOD32 and BitDefender all outperform Norton by a significant margin.

So you're saying AV-test.org and Andreas Marx are POS. Tell that to the AV industry. Have you ever accounted for the fact that sometimes VirusTotal does not detect samples which an AV installed on your computer would? There are many reasons for this, maybe due to implementation, updating or some others as well.

Also, since NAV does not update as frequently as KAV, for example, it could simply be that the signatures are added too late to catch the threat. By the time the user gets it though, in most cases NAV would have updated enough.

Antivir has the best heuristics (detection by behavior, not definition) and easily outperforms all front-page apps in the PC World test.

Nobody ever denied that, not even AV-test.org. ;)

I did not believe it myself at first, but after processing thousands of samples and using it myself I can't see a good reason not to use it.

Do you really think that detection rates are the one and only priority for someone to choose an AV? If your AV detects 99% of malware and does not have support worth a damn, would you still use it? Not bashing AntiVir here, but choosing an AV depends on a lot of factors such as cost, speed, resource usage, even the GUI, support, virus submission and analysis service, features, functionality, compatibility and a lot more. A lot of people run after detection rates like it's the saviour of the world. AntiVir's forum-based support is not the best; it's decent, even good, but not the best. If your 99% detection AV caught just one virus and your AV vendor does not wish to support you and add detection, then your entire 99% detection rate has essentially gone to hell...

Sure, AntiVir is a good product, I like it myself, but using an AV based purely on detection rates is like giving partial treatment to the class bully because he is good at academics...

I used to be a big AVG fanboy; times change.

I used to have KAV based AVs, and then switched to BitDefender, and in my sample sets (I have hundreds), I see AVG (Internet Security, paid edition) detecting more than BitDefender....But that doesn't mean anything, nor will it ever mean anything. What matters (to ME) is the support and virus analysis service, which both AVG and BitDefender are pretty good at.

Norton's retail software is nothing more than a clever carrot on a stick. It represents one of the most successful marketing strategies in security software ever. Image over substance.

Maybe this was true in the past, but today, it is an AV with a very strong unpack support and unparalleled polymorphic virus detection in the industry...

This is because Symantec has a huge market share, and most people have never heard of Kaspersky, NOD32, etc., so they stick with a "brand name". These people getting infected aren't technically savvy either. I don't care what AV they have installed, they will still get infected. Even legitimate websites are getting hacked and their ad servers are serving up exploits and other malware. Tom's Hardware was recently serving up ANI exploits.

Agreed. Believe it or not, use Avira/Kaspersky/whatever or not, there are THOUSANDS of malware samples that EVERY AV is missing out there, and when the market share of one particular AV is higher, they are hit by undetected samples harder, and hence the stereotype "NAV sucks" is formed... :shock:

Leading the MIRT team, I get to scan thousands of samples through VT every week. I often rescan samples at a later date to benchmark response time. Your statement does not mirror what I see. What I see indicates that Antivir, BitDefender, Kaspersky and NOD32 are both good at detecting new malware and respond quickly when they miss something.

I cannot and will not agree with that statement with regards to NOD32. Eset always adds samples from well-known organizations, but NEVER from its PAYING USERS. Go ahead, buy a license of NOD32, send them a sample from a personal email ID (rename yourself if necessary) and see what happens. Eset has even admitted this; they are mostly concerned with adding samples from sources like AV-test.org, AV-comparatives and MIRT. So tomorrow if a user gets infected, Eset is not going to help worth a damn unless you start making a hue and cry on the official forum. Look through the NOD32 official forums; MANY people have complained about this.

Only in structured tests with cherry-picked malware.

Cherry-picked malware? From where? Even if you collect samples from each and every AV vendor and put up all the AVs against it, it becomes a pretty random sample set. Do you have any idea where AV-test and AV-comparatives are getting their samples from, apart from AV vendors? I don't either. Judging by your statement, you are saying that VirusP's virus.gr tests are reliable and trustworthy because they are performed by an independent VXer with no affiliations whatsoever.

And if you don't know, AV-test and AV-comparatives are 100% independent, and do not put any bias on the results.

When you dump a few thousand new samples collected by unaffiliated independent malware hunters into a real test, you get a very different result.

And in the same way, Andreas Marx and Andreas Clementi are the same type of malware hunters, except that they know to separate harmless and corrupted crap files from real malware. Maybe their sources are different, maybe their samples come from a different section of the world.

If you put it this way, you are again saying that virus.gr and malware-test.com are reliable, as malware-test is using honeypots to get its samples and VirusP is independent.

Malware-test's honeypot comes from Chinese, Taiwanese and English sources, so the results are strange. At the same time, malware-test's honeypot is using a system similar to MIRT, and they have not sorted the corrupted/garbage/harmless files out...

Okay, NOD32 getting 49% is reliable, and Kaspersky scoring less than AVG in malware test is reliable by your analogy... :roll:

The fact is, just because YOUR sample set doesn't show the same results as others, this doesn't mean the OTHER tests are faulty compared to yours. There are many Chinese AV tests out there which show NOD32 and Kaspersky to be very bad compared to others (Malware-test is an example), and their sources of malware are all different. Basically, every testing organization is doing the same thing as MIRT, but due to regional differences you will see differences in detection rates. At the same time, most of these "tests" have many corrupted samples which alter the test results heavily. Let's face it, neither you nor I have the resources or tools required to sort out crap/garbage files from real malware, so in most cases we have to rely on what the AVs tell us.

Try to be more open-minded, and think about it.

It's ironic that the experts at Wilders decrying the test methodology are in fact predominantly employees of the vendors.

Ahem... Stefan Kurtzhals from AVIRA did not approve of the test. Do I need to remind you that the AVIRA engine is used in WebWasher, which is one of the highest-scoring AVs?

Let me quote Stefan Kurtzhals here:

"The graph is interesting, but the test samples contain lots of false positives and garbage executables. Also, the test doesn't show you the high false positive rate some of the scanners have, they are running in "paranoid" mode on Virus Total. Also, the scan results are incorrectly rated. For example, information messages in the scan log are rated as detection."

Yet again, if you take the IBK methodology towards AV testing, where a high percentage of the test bed has not seen any meaningful execution into memory (outside of the labs) for many years now, how do you think that those results reflect upon any given *database* and its ability to perform against today's (in-the-wild and emerging) threats?

Maybe not AV-comparatives, but the PC Welt tests of 2006 by AV-test.org surely used samples ONLY FROM 2006 during the testing. And Symantec still scored very well in that test....

I also can assure you that I have nothing to do with the apparent performance of the vendors on the OITC chart. That chart was in effect long before I knew that it existed.

A thing EVERYONE should know about the OITC chart is that it was NEVER INTENDED TO LOOK AT THINGS FROM A HOME USER PERSPECTIVE. If you noticed, it heavily favours Gateway level AVs and FP giants. The difference between AntiVir and WebWasher just proves this.

In a gateway, paranoid level scanning is very important, i.e. security>false positives. For this reason the risk taken is minimum and hence for the sake of potentially improved security many AVs used on gateways are FP giants and also have stupid packer detections. Such examples are below for WebWasher:

Win32.Malware.gen#FSG (suspicious), Win32.Malware.gen#PECompact (suspicious), Win32.Malware.gen#PECompact!84 (suspicious), Win32.Malware.gen#PECompact!92 (suspicious), Win32.Malware.gen#Upack (suspicious), Win32.Malware.gen#Upack!94 (suspicious), Win32.ModifiedUPX.gen!84 (suspicious), Worm.Win32.ModifiedUPX.gen (suspicious), Worm.Win32.ModifiedUPX.gen!84 (suspicious), Worm.Win32.ModifiedUPX.gen!90 (suspicious),

In many cases, these cause lots and lots of FPs. Heuristics-based and packer-based FPs apply to many AVs, including VirusBuster, Sophos, Fortinet, eSafe, VBA32 etc. Why? Because this is paranoid protection. Even if only one scanner picks something up, it is counted into the study, so there are potentially lots and lots of FPs in the OITC study. But this won't matter for gateways, because gateways need paranoid protection. AVs used in gateways also detect lots of riskware with happy triggers, and AVs popular in the home user market will probably ignore this riskware because from a home user perspective many such tools are pretty harmless. So as you can see, this is not a black and white thing.

In retrospect, the OITC results are meant to gauge the zero day protection ability of various AVs at the GATEWAY level. Due to different requirements and characteristics at the home user level, these results do not apply for home users. :)

I hope my post wasn't too offensive. I realize I may have behaved rudely in a few lines, and I'm sorry for that. I do appreciate the good work MIRT is doing, but it would be wrong to call OITC suitable for home users. Even the maintainer of the OITC results will tell you the same thing: that they were never interested in looking at things from a home user perspective. ;)
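The two selection rules argued about in this thread (keep only samples flagged by 50% or fewer of the VirusTotal vendors, and count a sample even when a single scanner flags it) can be tried out on a toy verdict matrix. The following is an added example, not part of the thread and not anything OITC or VirusTotal publishes; the vendor names, sample names and verdicts are all constructed, and it goes one step beyond the post by adding a corroboration filter (require at least two vendors) to show how single-scanner packer and garbage hits move a paranoid scanner up the ranking.

```python
"""Toy model of a "detected by <= 50% of vendors" chart on constructed data."""
from typing import Dict, List, Optional, Set

# Constructed verdict matrix: sample -> vendors that flagged it.
# "ParanoidGW" stands in for a gateway scanner that flags packers and
# corrupt files as "suspicious"; HomeAV_* stand in for home-user scanners.
VENDORS: List[str] = ["ParanoidGW", "HomeAV_A", "HomeAV_B", "HomeAV_C"]
VERDICTS: Dict[str, Set[str]] = {
    "worm1":        {"ParanoidGW", "HomeAV_A", "HomeAV_B", "HomeAV_C"},
    "trojan1":      {"HomeAV_A", "HomeAV_B", "HomeAV_C"},
    "trojan2":      {"HomeAV_A", "HomeAV_B", "HomeAV_C"},
    "backdoor1":    {"HomeAV_A", "HomeAV_B", "HomeAV_C"},
    "adware1":      {"ParanoidGW", "HomeAV_A"},
    "dropper2":     {"HomeAV_A", "HomeAV_B"},
    "packed_tool1": {"ParanoidGW"},   # packer-only "suspicious" hit
    "packed_tool2": {"ParanoidGW"},   # packer-only "suspicious" hit
    "corrupt_file": {"ParanoidGW"},   # garbage file, not malware
    "new_dropper":  {"HomeAV_A"},     # genuinely new, one heuristic hit
}


def detection_rates(verdicts: Dict[str, Set[str]], vendors: List[str],
                    max_fraction: Optional[float] = None,
                    min_vendors: int = 1) -> Dict[str, float]:
    """Per-vendor detection rate over the samples that pass the filters.

    max_fraction: keep only samples flagged by at most this fraction of
                  vendors (the chart's "50% or fewer" rule when 0.5).
    min_vendors:  keep only samples flagged by at least this many vendors
                  (a corroboration rule that drops single-scanner hits).
    """
    n = len(vendors)
    kept = [hits for hits in verdicts.values()
            if len(hits) >= min_vendors
            and (max_fraction is None or len(hits) / n <= max_fraction)]
    if not kept:
        return {v: 0.0 for v in vendors}
    return {v: sum(1 for hits in kept if v in hits) / len(kept)
            for v in vendors}


def ranking(rates: Dict[str, float]) -> List[str]:
    """Vendors ordered best to worst; ties broken by name."""
    return sorted(rates, key=lambda v: (-rates[v], v))


if __name__ == "__main__":
    runs = [("all samples", {}),
            ("<=50% of vendors (chart rule)", {"max_fraction": 0.5}),
            ("<=50% but >=2 vendors", {"max_fraction": 0.5, "min_vendors": 2})]
    for label, kw in runs:
        rates = detection_rates(VERDICTS, VENDORS, **kw)
        print(label, ranking(rates), {v: round(r, 2) for v, r in rates.items()})
```

On this constructed data HomeAV_A leads over all samples, ParanoidGW jumps to first under the chart's 50% rule purely on its three single-scanner hits, and requiring a second vendor to corroborate each hit puts HomeAV_A back on top.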


...very strong unpack support and unparalleled polymorphic virus detection in the industry...

It's fictitious statements like this that clearly expose just how Symantec has been able to dominate the commercial av market the last couple of decades. It's no wonder that small and large businesses that use their products continue to suffer as a result of their marketeering vs engineering strategies.
