Solved Question malware found

Status
Not open for further replies.
NPE, for example, has no virus definitions or behavioral analysis (only a reputation check), as I was informed by @Trident; how is an app like that used to evaluate the efficacy of an AV with signatures, reputation and behavioral analysis?
At least you should use a comparable product.
NPE uses cloud-based analysis, so it doesn't require signatures, and second opinion scanners generally don't require behavioral analysis.
 
If cloud analysis alone were sufficient, Norton would not use signatures in the first place.

You are speaking about security solution auditing robust, complete AV results.
Norton Power Eraser uses aggressive heuristics to flag suspicious files that the normal product doesn’t flag. This includes executables with reputation other than good, scripts in start menu/startup (or anything else they see for the first time) and others.

These aggressive heuristics can pick up more malware but also introduce the potential for false positives. That’s why it is recommended that 2 products are maintained: one accurate for real-time protection and one aggressive to check whether it has failed.
 
Norton Power Eraser uses aggressive heuristics to flag suspicious files that the normal product doesn’t flag. This includes executables with reputation other than good, scripts in start menu/startup (or anything else they see for the first time) and others.

These aggressive heuristics can pick up more malware but also introduce the potential for false positives. That’s why it is recommended that 2 products are maintained: one accurate for real-time protection and one aggressive to check whether it has failed.
Still not convinced NPE can audit K or McAfee in tests; if NPE were that great, no one would pay for AV, and it is easy to exclude FPs.
 
Still not convinced NPE can audit K or McAfee in tests; if NPE were that great, no one would pay for AV, and it is easy to exclude FPs.
It’s easy to exclude a FP when you know what’s a FP. The majority of users have no idea whether a file is malware or not, and even after VT reports they don’t know. This topic is a classic example of it.

I asked Tim Lopez at one point (he remembers me on the norton forum from my childhood) why they even need power eraser. Why they can’t just offer Power Scan/aggressive scan and so on.

He said it is used as a disclaimer of responsibility and support.

The aggressive heuristics pick up more malware for sure (more than any technology that dwells on the file and uses 55 nested if-then-else statements and 3000 boolean values).
But they introduce noise, and they are not for the general masses, certainly not for Pete who uses his laptop to watch Wednesday on Netflix or grandma Barbara who uses the device to call the grandkids.

You cannot deploy aggressive tools that require expertise for these people. The solution is to use all these bloated technologies (reputation, signatures and so on). There is just no other way.
 
It’s easy to exclude a FP when you know what’s a FP
No one can confirm it is a FP with 100% confidence without a forensic study documenting the damage; when K detects sample A while McAfee does not, I have a 50% possibility that K's detection is a FP and a 50% possibility that McAfee's is a FN.
The aggressive heuristics pick up more malware for sure
but cannot guarantee not missing some samples; actually I find that determining whether the sample is malicious or not is not that easy, especially when you get a near-equal distribution of reputable AVs divided between detection and no detection; a forensic study is irreplaceable to determine with high confidence the nature of the sample.
 
No one can confirm it is a FP with 100% confidence without a forensic study documenting the damage; when K detects sample A while McAfee does not, I have a 50% possibility that K's detection is a FP and a 50% possibility that McAfee's is a FN.

but cannot guarantee not missing some samples; actually I find that determining whether the sample is malicious or not is not that easy, especially when you get a near-equal distribution of reputable AVs divided between detection and no detection; a forensic study is irreplaceable to determine with high confidence the nature of the sample.
That’s what heuristics essentially are. They are not laws (like the law of gravity); they are assumptions that most of the time are merely good enough for the task.
E.g. most home users' systems are unmanaged. Unmanaged users are unlikely to ever put any sort of script in the start menu/startup folders. Hence, it can be deduced that no script should ever be there; whatever is there is malware.
This alone is gonna remove quite a lot of evasive malware.

But there will be this 1.25% of users that wanna automate something.
When you have millions of users, this 1.25% is enough to flood the forum and support (and don’t forget reddit) with complaints and exaggerated statements about how bad the product is (and by itself worse than a virus).

This is where all the dwelling and heavy analysis comes into play, to determine whether this script is malicious or whether it is really a user that tried to automate something. And it allows for evasions by the attackers.

Both approaches have their application.
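The startup-folder rule described above ("no script should ever be there; whatever is there is malware") plus the allowlist that the "1.25% who automate something" would need is small enough to show end to end. This is an added example, not NPE's or any vendor's code; the Startup folder layout, the three sample files and the hash allowlist are all constructed for the demo, and the extension list is an assumption about what counts as a "script".

```python
"""
Startup-folder script heuristic with a hash allowlist.

Rule: on an unmanaged home system a script file in a Startup folder is
flagged unconditionally (high recall, cheap, no file analysis). The
allowlist of SHA-256 hashes is the escape hatch for users who really did
put their own automation there, so the same rule does not turn into a
flood of false positives.

Added example; not NPE's or any vendor's code. The folder layout and the
sample files below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed set of extensions treated as "a script" for the purpose of the rule.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".wsf", ".hta"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_startup_folders(folders, allowlist):
    """Return (flagged, allowed): script files found under the given
    Startup folders, split by whether their hash is on the allowlist.
    Non-script files (e.g. ordinary .lnk shortcuts) are ignored."""
    flagged, allowed = [], []
    for folder in folders:
        folder = Path(folder)
        if not folder.is_dir():
            continue
        for p in folder.rglob("*"):
            if not p.is_file() or p.suffix.lower() not in SCRIPT_EXTENSIONS:
                continue
            (allowed if sha256_of(p) in allowlist else flagged).append(p)
    return flagged, allowed


def build_demo(root):
    """Construct a per-user and an all-users Startup folder (constructed
    sample data, not taken from a real machine)."""
    user_startup = Path(root) / "user" / "Startup"
    all_startup = Path(root) / "allusers" / "Startup"
    user_startup.mkdir(parents=True)
    all_startup.mkdir(parents=True)
    # A normal shortcut: not a script, must never be flagged.
    (user_startup / "Notes.lnk").write_bytes(b"constructed shortcut bytes")
    # The "1.25%" case: the user's own backup automation.
    backup = user_startup / "backup.bat"
    backup.write_text("@echo off\r\nrobocopy C:\\Docs D:\\Backup /MIR\r\n")
    # An unknown script nobody remembers putting there (content is a placeholder).
    (all_startup / "updater.vbs").write_text('WScript.Echo "constructed placeholder"\r\n')
    return [user_startup, all_startup], {sha256_of(backup)}


def run_demo():
    """Run the rule twice: without an allowlist (the bare heuristic, which
    also catches the user's own script) and with the user's script allowlisted."""
    with tempfile.TemporaryDirectory() as root:
        folders, allowlist = build_demo(root)
        bare_flagged, bare_allowed = scan_startup_folders(folders, set())
        flagged, allowed = scan_startup_folders(folders, allowlist)
        return {
            "without_allowlist": {
                "flagged": sorted(p.name for p in bare_flagged),
                "allowed": sorted(p.name for p in bare_allowed),
            },
            "with_allowlist": {
                "flagged": sorted(p.name for p in flagged),
                "allowed": sorted(p.name for p in allowed),
            },
        }


if __name__ == "__main__":
    for mode, result in run_demo().items():
        print(mode, result)
```

The first run is the heuristic as stated in the post: it catches `updater.vbs` but also the user's `backup.bat`, which is exactly the complaint the post predicts. The second run keeps the rule just as aggressive and only carves out the file the user has vouched for by hash, so a replaced or modified `backup.bat` would be flagged again.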
 
Also, whilst we are on this subject, even on MT it was mentioned that McAfee doesn’t offer a proper exclusion system, which is true.

That’s not because McAfee doesn’t know how to do it; they have developers that they pay very generously, and such developers will write the logic in 30 min.
McAfee doesn’t wanna give users such a system, because then we get subjects like this.

Similarly, the automated removals with no questions asked by Norton, McAfee, Trend and others have been criticised by users millions of times.

Again, these removals are a form of poka-yoke: if you ask the users and they keep pressing “exclude”, again you get these threads (and millions like them).

But then this poka-yoke brings very high responsibility as well.
 
You mentioned Hitman Pro uses several engines; how large is it?
The size of Hitman Pro is 13.6 MB to be precise (x64). :)
If it is less than 300 MB (B sigs are >270 MB), then it is not using the full signatures.
Hitman Pro is not Bitdefender, which downloads tons of signatures based on the cloud. (y)
 
I used HitMan Pro for several years; all it did was find FPs, nothing else (and at times it was a pain in the rear). Now occasionally I will install an alternative AV solution, scan, and let it run for a few days; then, if it finds no abnormalities, I image back. I actually keep an up-to-date image of Emsisoft, just as a sort of second opinion; it maybe isn't 'normal' to do that, but it does a double check.
 
The engine of a real-time protection AV such as Norton is better than Norton Power Eraser; I wonder why NPE is used as the "gold standard" to evaluate Norton; the same applies to K AV and KART.
Norton's default settings are tuned for balance, while NPE (Norton Power Eraser) is tuned for aggressive remediation. This aggressive tuning is why NPE is prone to false positives, but it's also how it catches threats the main engine might miss.
 
Norton's default settings are tuned for balance, while NPE (Norton Power Eraser) is tuned for aggressive remediation. This aggressive tuning is why NPE is prone to false positives, but it's also how it catches threats the main engine might miss.
Even tuning to "aggressive" is not a guarantee of catching every single piece of malware; the only way to be sure is to have perfect signatures and behavioral analysis, which does not exist and will not exist.
 
Even tuning to "aggressive" is not a guarantee of catching every single piece of malware; the only way to be sure is to have perfect signatures and behavioral analysis, which does not exist and will not exist.
I agree there's no guarantee of catching every piece of malware, regardless of the tuning, and I certainly didn't claim one for either or any product. My point was about the difference in tuning between Norton's default balance and NPE's aggressive approach. Regarding your prior statement, you seemed to imply the main Norton product was superior to NPE, which led others to question why NPE is frequently used as a secondary check after initial scans.
 
It is superior; if it were inferior, I would save my money and get the free, small-sized (15 MB) NPE rather than Norton.
Think of the two engines as a security guard versus a SWAT team. The primary Norton antivirus engine is the ever-present guard, excelling at preventing threats from ever getting in, making it the best choice for daily protection. But if a major threat has already breached your defenses, Norton Power Eraser is the specialized SWAT team you call in for its aggressive and powerful ability to neutralize the problem and secure the system.
 