So let's consider the offline case.
In terms of detection: Personally I think that compared with avast, the detection of Norton is more dependent on the cloud. In particular, in the offline case, Norton cannot detect "WS.Malware.2" and "WS.Reputation.1", which correspond to the emerging threats and security risks that have not been classified.
WS.Malware.2 | Symantec
WS.Reputation.1 | Symantec
So, I think avast should have a better detection ratio than Norton in the offline case.
Sonar vs. DeepScreen & Hardened Mode: DeepScreen and the Hardened Mode of avast rely on the reputation data stored in the cloud.
DeepScreen, Hardened Mode
In our tests, it seems that the local module of the Hardened Mode would take a default-allow policy when it cannot connect to the cloud.
What is worse, any application that is allowed by the Hardened Mode in the offline case will still be allowed when your network connection is resumed before you reboot your computer.
I have not tested DeepScreen, but I am afraid it may have the same property in the offline status...
The logic of Sonar (Norton) is different from DeepScreen & Hardened Mode (avast). As shown in the link above, when DS & HM are enabled, avast will first look up the cloud, then make its decision (allow, analysis, or block). By contrast, it seems that Sonar could prevent an application as soon as that application has any malicious behavior defined in the local database. Of course, Sonar could communicate with the cloud to be more aggressive, but it can still work in the offline case. Furthermore, tests done several years ago showed that some malware bypassing Sonar in the offline case would still trigger Sonar immediately when the network connection is resumed.
So, here I like Sonar better.