App Review Norton Security 360 Deluxe 2023

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
969
Sometimes due to the IPS block, the program can’t continue with its malicious behaviour and this is the reason why it’s not picked up by other components.
This can be observed with other anti-bot components such as the Avast Resident Shield, Bitdefender Online Threat Defence, CheckPoint/ZoneAlarm Anti-Bot and others that block malicious traffic.

I am not sure what’s the reason for Symantec/Norton not to remediate programs instantly once they’ve generated an IPS-detected traffic, as far as I remember, Kaspersky System Watcher and Avast instantly remediate programs if there is traffic to a suspicious host. That, plus the program not being widely used and signed should be a clear evidence that it shouldn’t be left.

That’s one thing they really need to look at. For example CheckPoint can be configured to start incident remediation straight away.

Nevertheless, the traffic is blocked so it can’t do its harm. Power Eraser scan is advised to clean the infection. They should just start a background scan with it and remove everything.

I am not a product manager there sadly.
That was my exact point I was trying to communicate! it's the only con of the product. Maybe the components do not communicate well with each other.
 

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
969
Also, i want to add that while IPS can block malicious connections trying to establish, Sonar can work in the background collecting behavior data, so maybe detections can happen even after several hours or whole days, when many attributes show a higher malicious score. That's the way Sonar works from v4.0 released in 2012 and it's maybe a way to reduce FP's or submit more data to the NortonLifelock malware analysts.
This way, a more sophisticated malware can be detected at endpoint level, for example logic bombs malware or other malware that can hide via time based tactics. More like an EDR with no ability to represent such abilities in video testing. Another product with a smaller analysis time threshold, will flag something as malicious or not malicious quickly, but if it misses something, things are more dangerous.

I don't know for how long other vendors analyze behaviors, but this no-reaction time while blocking connectivity, brings me such thoughts to mind @Trident @Shadowra
 
Last edited:

Trident

Level 26
Verified
Top Poster
Well-known
Feb 7, 2023
1,515
Maybe the components do not communicate well with each other.
They communicate via the STAR bus, which is described here: Star Malware Protection Technologies

for example logic bombs malware or other malware that can hide via time based tactics.
Hiding via time-based tactics, such as doing something on a specific date or only after a reboot is a valid concern. The emulator which works between the static analysis scan and SONAR should detect instructions related to that and should “trick” the malware into believing these events have occurred by supplying fake time, date, system uptime and others.
Behavioural blocking has no time threshold, data is written continuously about every process on disk as it works.

From my observations, SONAR doesn’t have issues with executables, it is more iffy with Non-Process Threats that hide behind valid and signed Windows executables. SONAR would either just terminate the attack without even deleting the original file, or it won’t really detect anything. Trend Micro AEGIS and F-Secure DeepGuard work the same way so not sure what’s going on, there is some limitation there that engineers know of.
 

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
969
They communicate via the STAR bus, which is described here: Star Malware Protection Technologies


Hiding via time-based tactics, such as doing something on a specific date or only after a reboot is a valid concern. The emulator which works between the static analysis scan and SONAR should detect instructions related to that and should “trick” the malware into believing these events have occurred by supplying fake time, date, system uptime and others.
Behavioural blocking has no time threshold, data is written continuously about every process on disk as it works.

From my observations, SONAR doesn’t have issues with executables, it is more iffy with Non-Process Threats that hide behind valid and signed Windows executables. SONAR would either just terminate the attack without even deleting the original file, or it won’t really detect anything. Trend Micro AEGIS and F-Secure DeepGuard work the same way so not sure what’s going on, there is some limitation there that engineers know of.
About threshold you mean about Norton or the other big ones too like BitDefender? Scoring system is not sth everyone is using though, I would like to now that
 
  • Like
Reactions: JB007 and Trident

Trident

Level 26
Verified
Top Poster
Well-known
Feb 7, 2023
1,515
About threshold you mean about Norton or the other big ones like BitDefender?
None of them has any time threshold, they all work more or less the same way. What they call “process ledger is maintained” and that happens by recording all relevant actions. To know what’s relevant, the product will use a “filter” which will remove safe events or events not related to security. Everything else will be continuously recorded in a database stored on disk and will be continuously run again and again through classifiers. These classifiers will output probability of the program to be safe/malicious in percentage. Once certain percentage (or score in points) is reached, the remediation engine will be supplied with data from the recordings and will start undoing what it can. This can be days after the initial execution. There is no timeframe.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
5,992
Does Norton has a specific feature to block/disinfect/files rollback with ransomware like Bitdefender, Avast etc? Or it depends on its superior malware detection/disinfection capability? Norton website says

Quote

Virus Protection Promise includes a virus removal service provided by a Norton expert and may come with the following qualifying subscriptions........ In the unlikely event that we are unable to remove the virus from your PC, Mac, Android and/or iOS device, you may be entitled to a refund of the subscription.

Unquote

Huh? System already screwed then they say you may be entitled for a refund.

What if Norton fails to prevent a ransomware infection for files and folders not protected by Norton? Any rollback of encrypted files feature? If no, then NeuShield Data Sentinel can use for remediation. One con is that it don't work with removable drives....only fixed drives.

Norton allows the backup to removable drives. Are the backups protected against ransomware like its cloud backup?
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top