The Tech Herald

Review: Norman Security Suite

by Steve Ragan - Dec 9 2008, 18:55

Norman Smart Security review. (IMG: J. Anderson)

Norman Security Suite, version 7, offers several layers of security in one package. Compared to the other security suites reviewed on The Tech Herald recently, Norman has taken the complete opposite approach and tailored the software towards the whole family. So the question is, does this opposite approach work?

Norman, as a company, can be considered the father or grandfather to many of the security suites you see today. The company name, and the flagship software name Norman, are often confused with another popular software title, Norton. But Norman, as a company and security offering, has been around since 1990, long before Symantec offered Norton to the masses.

Installing Norman Security Suite

Installing Norman was simple. This is the first sign that Norman is different than the other security vendors. The installation and configuration process flows like it does with Kaspersky or Norton, but at the same time it is designed so that anyone can understand it.

After you run through a simple install wizard, the first thing you are offered is an option for the Screen Saver scanner. Leaving this on by default will allow Norman to scan the computer when it is idle and the Screen Saver kicks on.

The configuration is a simple six-step guide. The first step asks a question on your experience level (Inexperienced User or Experienced User). Norman explains them as “average Internet user without expertise or interest in the technical aspect of computers,” for the Inexperienced User and “familiar with common firewall setup and understand terms like IP address and port number,” for the Experienced User.

The choice you make here will not remove any of the configuration options overall, but it will determine the default settings and control on the firewall. The best selection with this was to pick Inexperienced and move forward.

The next steps are mostly for the firewall. You will select from a list of browsers in step two, email clients in step three, and Network resources in step four. The choices you are offered depend on what is installed on the system. Step five will deal with other applications, for example Adobe, Windows Media Player or various Instant Message applications.

The sixth and final step is actually a list of tips for the inexperienced user. The most common advice is offered here, but when reviewing the software, I got to thinking about how my father (new to the computer world) would view this. In that case, I would have to say that the tips are seriously welcome, and it would mark the first time they have appeared in a review.

The installation and configuration took 5:50 on the whole. At the end of the initial install process, there was a required reboot. While walking through the configuration wizard, Norman was running updates the entire time; it was at the end of the wizard that a second reboot was required to process these updates.

For the record, the computer tested was an Intel Pentium D 3.4GHz (Dual Core), 1024MB RAM, with Windows XP SP3. All system and installed software patches were applied.

Using Norman Security Suite

After the second reboot, once you are back to your desktop, you will notice that Norman is ready to go. The first things you notice are the green and white color scheme and how sparse the control menu itself is.

This is not necessarily a bad thing, as the menu gives you exactly what you will need to control the software. Yet, locating some of the options required several steps, and there is no “Advanced” view or any way to lower the number of clicks to access some options.

 

The home page is broken up into two blocks. The center block shows the status of the various settings. The left block lists the same areas, and adds the link for the help and support menu.

The options available to you in the Home menu are exactly what you expect. There are no added bells and whistles. You can control Virus and Spyware protection, the Firewall, Parental Controls, and Internet Updates.

Clicking on each option will present you with various sub-controls and options. The Virus and Spyware Protection option for example will break down into On-Demand Scanning, a task editor, Quarantined files, and configurations. Under those options are more levels of control. Again, simple and to the point, but the slight lag in the menu when waiting for a new level and the amount of clicking needed can be frustrating.

When it comes time to update Norman, the process is smooth. There is a little window that will pop up with a progress bar, and that’s it. The updates are fast: an entire week's worth of updates was downloaded in just a few minutes. During the installation, the software updated in the background, as it will all the time unless you launch an update yourself, with no performance issues whatsoever.

However, there is one major issue with the usability. The help section needs a serious overhaul. Unlike other security products, with dynamic help on each menu or an extensive documentation library (HLP Files) just a click away, you are pointed to a website if you need help while using Norman. There are some internal help pages, like one within the Firewall configuration for example, but that will only relate to the section you are in.

When you access the help link, you are offered an option to view Help and Troubleshooting. This link launches an internal browser, which loads the company’s website, the support section of the website to be exact.

The process of locating help is frustrating, and is enough to make one turn to Google for answers. There is a link to the product manuals and FAQ’s from the support section, but those are rarely of any use if the issue you are searching for is not related to Parental Controls, connection problems, or installation issues. The small search box is misleading, as a search for “false positive” leads to no articles at all.

Scanning with Norman Security Suite

Scanning on Norman Security Suite is harsh. It does a decent job with catching some of the common threats, and detecting some of the newer Malware, but it seriously lacks the speed and the dynamic of the current security suites.

Not that the scanning on Norman is horrible. It has some positive technology with it, but if you compare it to the current 2009 suites, you will notice a huge difference. The technology that should be seen as a plus is Sandbox.

Norman’s Sandbox technology creates a little virtual environment for Malware to run in. If there is malicious activity, then Norman will flag the Malware and remove it. In Norman Security Suite, this is used when any file is accessed, as on-access scanning is enabled by default. The on-access scanner was able to flag some of the samples that normal scanning missed, earning it an extra point on the malicious sample test.

During the Full System Scan, Norman took the test three times to make sure there was nothing wrong. It wasn’t that there was an error on the system or with the software; it was that it was taking so long to scan.

On the lab computer, 5.80GBs of space were used on the disk. Of that space, 561MBs were used in a folder named 'content'. The content folder consisted of simple files to add bulk and give Norman something to work with.

The files used included fonts, images and icons, PHP, HTML, and CSS files, as well as ZIP and RAR archives for a total amount of 21,816 files.

Yet, it was because of all of the RAR and ZIP files that the scanning seemed to be never ending. Norman will scan each archive, and every file in it. It does not mark if it has already tested the file, or if it is a duplicate.

Files that were already confirmed as clean were scanned repeatedly. This is where the real power of some of the newer scanning engines and methods stood out. For example, Norton, BitDefender, and Kaspersky each keep a log of simple files, and if the scanned file is clean, unless it was changed somehow, they will not scan it again.

Norman doesn’t do this, which suggests that the scanning engine, even with the Sandbox technology, really has not changed much over the years. The scanning speeds demonstrated by Norman would have been acceptable in 2002, but not today.

For Norman to be so fast when it comes to updates, it made no sense for the scanning engine to be so far behind the others.
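The skip-if-unchanged behaviour described above, as an added example that is not from the review and not any vendor's engine. It assumes content is identified by its SHA-256 digest, so duplicates and archive members already verified clean are not rescanned, and it drops every clean verdict when the definitions version changes. CleanCache, iter_objects, scan_tree and the marker-matching engine are hypothetical names, and the sample files are constructed.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

class CleanCache:
    """Digests of content already scanned clean under one definitions version."""
    def __init__(self, defs_version):
        self.defs_version, self.clean = defs_version, set()
    def update_definitions(self, defs_version):
        # New signatures can catch what old ones missed: drop earlier verdicts.
        if defs_version != self.defs_version:
            self.defs_version = defs_version
            self.clean.clear()

def iter_objects(root):
    """Yield (label, content) for each file under root and each ZIP member."""
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        yield str(path), data
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    yield f"{path}!{member}", zf.read(member)

def scan_tree(root, engine, cache):
    """Run engine only on content not already known clean; return counters."""
    stats = {"scanned": 0, "skipped": 0, "detections": []}
    for label, data in iter_objects(root):
        digest = hashlib.sha256(data).hexdigest()
        if digest in cache.clean:
            stats["skipped"] += 1  # unchanged or duplicate content
            continue
        stats["scanned"] += 1
        if engine(data):
            stats["detections"].append(label)  # detections are never cached
        else:
            cache.clean.add(digest)
    return stats

def demo():
    """Constructed data: two identical archives, a loose duplicate, a flagged file."""
    engine = lambda data: b"CONSTRUCTED-MARKER" in data  # stand-in for a real engine
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.css", b"body{}")
        zf.writestr("b.html", b"<p>hi</p>")
    files = {"one.zip": buf.getvalue(), "two.zip": buf.getvalue(),
             "a.css": b"body{}", "flagged.bin": b"xx CONSTRUCTED-MARKER xx"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            Path(root, name).write_bytes(data)
        cache = CleanCache("defs-1")
        first = scan_tree(root, engine, cache)
        second = scan_tree(root, engine, cache)  # nothing changed on disk
        cache.update_definitions("defs-2")
        third = scan_tree(root, engine, cache)  # clean verdicts were dropped
    return first, second, third
```

Hashing still reads every byte, so the saving is in engine time per object; a production cache would also persist between runs and may key on file metadata to avoid the read.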

Full System Scan (Norman Security Suite)

Full Scan 1 - 01:06:00
Full Scan 2 - 01:09:00
Full Scan 3 - 01:07:00
Full Scan 4 - 01:12:00
Full Scan 5 - 01:06:00

Average Scan Time: 01:08:00

As a side note, this test was performed on both a virtual system and a physical system with the same specs. This was done to see if there were any differences. The only time there was a noticeable decrease in scan time was when RAR and ZIP archives were ignored. Likewise, when the content folder itself was bypassed, the scanning time decreased to an average of about 35 minutes.

Malware Detection:

The Malware testing consisted of 39 samples. The initial test placed all 39 samples in a single folder, each inside a password-protected ZIP archive. Norman was launched to scan the password-protected archive and see if it would detect any of the samples. Norman, like several scanners before it, failed to flag the Malware within the archive.

The second part of this test called for Norman to scan all 39 samples outside of the archive. During this test Norman missed four samples, detecting 35 out of 39. The list of the missed samples is below.

PWS-A
VT Score: 15 out of 36
http://www.virustotal.com/analisis/9ba442990561c4eda79a399d89afe661

RAHack_1
VT Score: 23 out of 37
http://www.virustotal.com/analisis/34322259b7f2c5f0e1ad98b674ee0108

Rustock-D
VT Score: 21 out of 37
http://www.virustotal.com/analisis/17df7c481206844a539500e9f6822c1e

Virut-A
VT Score: 29 out of 37
http://www.virustotal.com/analisis/1206de260ca3d63a7cedc2d5b71c14c1

The third part to the Malware test centered on a self-extracting zip file, with several hundred KeyGens contained inside.

KeyGens are used to crack commercial software, and most of those downloaded online are malicious. This particular file is known to be malicious, as several of the KeyGens included in the package are Malware. Scanning the KeyGen archive showed nothing malicious. The second the archive was executed, however, Norman flagged it by detecting Zlob.COCA.

Malicious URL Detection:

The malicious URL detection test consists of five URLs, known to be malicious and picked at random from a current list of rogue Web sites. These sites contain Drive-By-Downloads, or malicious software, each with the goal of infecting the user who visits them.

To pass this test Norman had to block access to the malicious site by using the Firewall, or detect the Malware downloaded from the site.

hxxp://91.203.92.121/7-v3av.exe

Norman failed to block this site, or the executable downloaded. Once launched, the EXE was allowed to run freely.

VT Score: 23 out of 37

http://www.virustotal.com/analisis/7a17c2f61943163ec1a6b9146d2e5461

hxxp://porntubedot.com/movies/WatchFreeMovie.php

Norman blocked the fake codec as JS/Exploit_based.D

hxxp://0scanner.com/free/

Norman went crazy on this site blocking all sorts of malicious content.

VBS/CleanRestore.A, W32/FakeAlert.JS, and W32/Tibs.gen242 were each detected on this site.

hxxp://premiumnonfat.cn/all/load.php?id=xxxx

Norman missed the Malware from this site, and only once it was installed and attempted to send out Spam did the Firewall take any action. Once the email application was blocked, another loader was initiated and the Malware that came with it crashed the system.

VT Score: 6 out of 37

http://www.virustotal.com/analisis/47eaf837b22b6030346a839fa458dcd2

hxxp://antivirus-pro-site.com

The program, Antivirus Pro, instantly warns the user of several problems, and will gladly fix and remove these issues once registered. The nature of this URL, and the software downloaded, is a scam. The cost of $29.95 includes the offer of $9.95 for software updates, and $9.95 to get Anti-Spyware protection.

Norman offered no warnings, and did not notice once that the application was installed and running.

 

Spam Detection and Filtering

These days, when you buy computer protection, Spam filtering is just something that is there. Symantec, Kaspersky, BitDefender, Sophos, CA, McAfee, and ESET, just to name a few, all offer Spam protections in their security software.

Norman does not. While Norman Security Suite will block against malicious email attachments, and it did so with ease during testing, it does not block against Spam. Because the Spam test is worth five points overall and there is a need of at least 95-percent out of the box Spam filtering, Norman earned no points during this test.

 

Out of the 1000 email messages downloaded, not one was flagged as Spam or anything else for that matter. The malicious attachments, as promised, were blocked the instant they are accessed.

Conclusion

When it comes to security software, it is expected, if not demanded, that the big names do well. Anything less than a 90-percent score from McAfee or Symantec means something is seriously wrong.

However, Symantec and McAfee are just two of the security companies used each day at home or the office. Norman is one of the minorities when it comes to security. You don’t see a lot of coverage about them, and you should. They have been around longer than most people are aware of, and they are always working to develop something new.

Overall, they have some great technology, but Security Suite, with its mediocre performance, is a serious disappointment.

The lack of Spam filtering, the slow scanning, and the lack of documentation within the product are deal breakers. New users to Norman will be confused and frustrated, especially if they are coming from another “known” vendor.

The sparse design of the application, offering little clutter and access to options right where you expect them, is great on the surface. Yet, for advanced users who want control over the software, the constant clicking, coupled with a somewhat sluggish user interface, will drive them bonkers.

The things that hit Norman hard during testing are things that can be easily improved. For example, the scanning engine and the way files are checked. The Screen Saver Scanning is great, a welcome way to use idle CPU cycles. Yet, it could be argued that this is in place because the scanning on demand takes too long.

Improve the help system, make it something separate from the company website, and include a strong knowledge base. Adding help to the GUI would be a plus as well.

Add to the Firewall, and improve Internet Security. Lastly, where is the Spam filtering? This layer of security hurts Security Suite, because email is a very relevant attack vector.

Norman, as a company, has earned the respect of their corporate peers. Yet, there is plenty of room to grow with their Security Suite.

The final score for Norman Security Suite is 73.96 out of 100.

Testing Methodology

Norman Security Suite was installed on a Windows XP computer with Internet Explorer 7 and Service Pack 3.

The Microsoft updates were current and all additional software updated. The system used was an Intel Pentium D 3.4GHz CPU (Dual Core) with 1024MBs of RAM.

The following is a breakdown of the lab testing with point values.

Installation (10 points total)

This test covers how fast the software installs, and rates the configuration options. How simple is it to install?

Norman earned 10 points.

Navigation and Controls (10 points total)

This test rates how easy the software is to navigate and use. Are all the menus and controls easy to locate? Are the various functions and controls easy to understand? Is there help for the options? If help is available, how easy is it to locate?

Norman earned 8 points.

Scanning (15 points total)

Scanning covers the scanning speed, the various scanning options, and control. One aspect that is important in the control measurement was how easy it was to halt a scan in progress.

Norman earned 10 points.

Detection (15 points total)

This test centered on signature updates and controls, as well as monitoring and detection. One of the focal points was how accurate the detection was when locating Malware.

Norman earned 11 points.

Resources (15 points total)

Does the software drain system resources? Can the software be completely disabled? If there are help files available, how complete are they? Are the help documents easy to follow and are they relevant?

Norman earned 10 points.

Software Options (10 points total)

Does the software include other features that layer security? Are there other features that are added in that are non-security related? Are these features useful? Do they overlap one another or other features on the computer?

Norman earned 10 points.

Malware Testing (10 points total)

This test uses 39 samples of Malware, each worth .26 points (rounded up). The goal is to have each one discovered by the detection engine. The test is in two parts, where the samples are zipped in a password-protected archive and scanned, and then placed into an unprotected archive and scanned.

There is a loss of one point if there was no detection for password-protected archives. This is because some engines will flag password-protected files for inspection, which is a good protection point. As the bulk of the AV market allows exemptions for various files and file types, the legit password-protected files could later be exempted.

Norman earned 7.96 points.

The KeyGen Test (5 points total)

The KeyGen test is a simple test to pass for any vendor. As the self-extracting executable launches, the first thing it does is write a temp file that links to a downloader. The downloader, as well as the various KeyGens in the archive, all link to Malware.

Norman earned 5 points.

Malicious URL Testing (5 points total)

The malicious URL test takes five random URLs, known to be malicious, and judges the software's reaction to what the user does. The software is judged based on its response to visiting the site and its reaction to any software downloaded. The software must react in order to pass this test.

Some of the URLs tested were discovered by the team at Malware Database (http://malwaredatabase.net) and shared with The Tech Herald.

Norman earned 2 points.

Spam Blocking Test (5 points total)

This test rates the Spam-blocking ability of the software. A full score means that the software blocked 95 percent of the Spam samples sent.

Norman earned 0 points.

TOTAL SCORE: 73.96 / 100
