Review: Norton Internet Security 2009

Symantec’s Norton Internet Security (NIS) 2009 promises “zero impact” performance, making it faster and lighter that any other Norton product, all while keeping the same level of protection. Recently, The Tech Herald got the chance to put NIS 2009 through its paces. The results are below.

Installing NIS 2009

The computer tested was an Intel Pentium D 3.4GHz (Dual Core), 1024MB RAM, with Windows XP SP3. Norton was installed with only the base configurations, and aside from running Norton Insight before scan testing, the software was used in its out-of-the-box state. Various Malware samples, as well as known malicious links, were tested. The samples and the links will be detailed below.

The first thing you notice about NIS 2009 is how fast it installs. There are no layers of advanced install settings, just an offer to join Norton Community Watch and pick the install location. For this test, the install directory was the default location and the option for Norton Community Watch was left enabled. (This is highly recommended.)

The install took about four minutes. This is more than the 60 seconds recorded in the PassMark Software test, but far faster than Norton 360 and other Symantec products. Once started, the progress bar moved across the window with no delay. The longest part of the install process came when drivers were installed and the services started. This is also when you will register your Norton product, and sign-up for a Norton account.

After installation is complete, the program launches the main interface. At first glance the main interface for NIS 2009 looks similar to an IT systems dashboard rather than a simple AV control center. Every option for the basic control of the software is in plain view. There is topical help for the various options, simply hover the mouse over an information icon, and an extensive help section that covers the entire program. If you want to add some flavor, the interface has five different color schemes.

Using NIS 2009

The main interface of NIS 2009 has four sections, the most important being the three sections that control how the program acts. The Computer, Internet, and Identity sections manage all of NIS 2009’s functions and provide information.

The Computer section for example, contains links to scanning history, live updates, the quarantine vault, and scanning controls. The scanning controls offer three features, Quick Scan, Full System Scan, and Custom Scan. You can also enable and disable Virus, Spyware, and Advanced protections. Moreover, it also displays the amount of time that has passed since the last definition update. (Definition updates happen frequently, as the program does this on its own in the background.)

The Internet section controls Intrusion Prevention, Email scanning, and Firewall options. There is also a link to view the Home Network, which is another layer of protection. If you have more than one computer in the house, the standard NIS 2009 package can cover three computers. The network overview will detail all the information and show you areas where this is lacking security.

The Identity section controls Anti-Phishing and your Identity Manager. The Identity Manager allows you to auto-fill forms, store personal information, and access your password manager.

The controls in each of these sections also offer a granular level of control by clicking the settings link in each section.

The other sections displayed on the main interface include a link to CPU Usage, Norton Insight, and a giant icon that displays the overall security level of the system.

The CPU Usage link shows you the current level of resource availability on the system. In addition, the usage monitor will show you both memory and CPU usage, as well as detail what percentage is being used by Norton.

Norton Insight is a new feature in the 2009 version of Norton Internet Security. What it does is “increase computer performance by identifying trusted files that do not require scanning,” allowing faster speeds when performing system scans. Norton Insight will take a few minutes to run.

During testing, Insight scans did lag the system for a short time (less than 60 seconds). It was also observed that the first Full System Scan that runs after using Norton Insight will be slower than previous scans. However, future scans are much faster.

Scanning with NIS 2009

Scanning with NIS 2009 is quick. This is largely due to Norton Insight. On the lab computer, 5.80GB’s of space was used on the disk. Of that space 561MB was used in a folder named content.

The content folder consists of simple files to add bulk and give NIS 2009 something to scan. The files used included fonts, images and icons, PHP, HTML, and CSS files, as well as ZIP and RAR archives for a total amount of 21,816 files.  It should be noted that none of these files were malicious.

There were eight Full System Scans ran during the NIS 2009 test. Of these eight, only the first five was used for the total weighted average. The sixth, seventh, and eighth scans were run to prove that the first scan is always slower after using Norton Insight.

The results of the scan testing are below.

Full System Scan (Norton Internet Security 2009)

Scan One: 0:00:24:41
Scan Two: 0:00:04:31
Scan Three: 0:00:22:57
Scan Four: 0:00:03:39
Scan Five: 0:00:04:03

Average Scan Time: 0:00:11:58.2

As you can see, scans one and three were significantly longer than the rest. Those scans were run after Norton Insight was used. This lead to the theory that using Norton Insight will always add scan time to the first scan that is ran after Insight is updated. To test and prove this theory, scans six, seven, and eight were initiated.

Scan Six: 0:00:03:10
Scan Seven: 0:00:23:18
Scan Eight: 0:00:03:52

The results were as expected; there is a proven slowdown on the fist scan after using Norton Insight. This also plays with other oddities in the scanning test. During testing it was observed that the total number of files scanned and the total number of trusted files varied each time a scan completed. While not a deal breaker with the credibility of the scanning engine, the inconsistency should be noted.

Overall, the scanning engine performed faster than previous Norton products, so this is a plus.

Malware Detection

The Malware testing for NIS 2009 consisted of 39 samples. Each of the samples is a mix of known malicious code and newly discovered variants of the malicious code. The initial test placed all 39 samples in a single folder, each inside a password protected ZIP archive. NIS 2009 was then initiated to scan the folder and attempt to detect the Malware, and if possible, remove it.

Sadly, the password protected files proved too much for Norton. After reporting that 79 files were scanned, none of them were reported as harmful to the system, despite the fact that they all were.

The next test involved unpacking all 39 malicious samples and placing them in a single ZIP archive, with no password protection. Norton did pass this test, detecting all but one file as malicious. The single file, a variant of a password stealing Trojan, was not detected at all, even after it was executed.

The final malicious sample test involves an executable zip file with several hundred KeyGens. KeyGens are used to crack commercial software, and most of the ones you download online are malicious. This file is known to be malicious, as several of the KeyGens included in the package are Malware. 

When attempts were made to extract the KeyGens, the process failed. Norton detected “Downloader.Zlob.gen3” and halted the self extracting archive. In earlier tests with Norton Disabled, the KeyGens crippled the system with links to porn, fake AV engines, and enough popup windows to halt the system. Norton, once reactivated, was able to clean the system, but the process was slow and took several restarts to complete.

Malicious URL Detection

The malicious URL detection test consisted of five URLs, known to be malicious picked at random from a current list of rouge Web sites. These sites contain Drive-By-Downloads, or malicious software, each with a goal of infecting the user who visits them.

Each site was tested as follows; did Norton block the site outright (Firewall or Toolbar warning), or did Norton detect any malicious software after interacting with the site?

To pass this test, Norton had to do one of the two options. The idea is to either warn the user straight off, by using the Toolbar or Firewall; or if a user downloaded something, say fake Spyware tools, it has to detect the Malware and remove it.


Norton blocked these sites when they loaded, reporting a downloader and passive scanner. The sites were unable to do any damage to the system.

This site loaded normal. There was no warning at all from Norton. The site offers a fake Anti-Virus program that is free to download. Once downloaded, Microsoft warns the user that the setup.exe file is untrusted. Ignoring the warning, the file was installed.

The program, Antivirus Pro, instantly warns the user of several problems, and will gladly fix and remove these issues once registered. The nature of this URL, and the software downloaded, is a scam. The cost of $29.95 includes the offer of $9.95 for software updates, and $9.95 to get Anti-Spyware protection. Norton did not act once to warn of a Phishing or scam related site, nor did it warn about the software. When viewing the checkout section to place an order to remove all the “problems” Antivirus Pro detected, the page is SSL protected with a certificate signed by VeriSign, using a payment portal service by

Because Norton failed to detect the rogue software, and this scam site has been around in various incarnations in the past, it fails this test.

More information is here.

This site attempted to load Microsoft Data Access – Remote Data Services Active X control. Internet Explorer flagged this, and once loaded, Norton flagged the site by detecting “Bloodhound.Exploit.196” and prevented any harm to the system. Because Norton correctly flagged this site, it passes this test.

This site was attempting to load a fake codec. Norton flagged the site and blocked it completely.

Spam Detection and Filtering

Norton Internet Security 2009 contains the ability to monitor your email for trouble. The default protection watches email accounts for malicious attachments, such as Worms. However, the Spam protection is disabled by default. During the Spam testing, Norton (as well as all other vendors tested by The Tech Herald) needed a 95 percent detection rate to earn full marks.

[There are five points possible for this test, 95 percent or better earns the full five, but one point is removed for each percentage point, rounded up, below 95 percent. A detection rate of 90 percent or less will earn a zero on this test.]

Once enabled, the Spam filter add-on works with Outlook and Outlook Express only. There are several layers of controls, and the Bayesian technology used does a decent job checking email.

However, Norton only detected 94 percent (155 out of 165) of the samples sent to the email client, so the filter settings will need adjusted. The recommended setting of Medium was used in testing.

Instant Messenger Scanning

Another new feature to NIS 2009 is the ability to scan files that are downloaded from various IM programs. Testing of this option worked as expected. The IM applications covered account for the bulk of the clients used on line, they include; AOL Instant Messenger, Yahoo Messenger, MSN Live, and Trillian.


Overall, Norton Internet Security 2009 is a huge advancement over past Norton products. Symantec pulled out all the stops in this version, and made it leaner, faster, and smarter. However, while there were some issues, inconsistent scanning results or Spam detection disabled by default just to name two, the program delivers on the marketing surrounding it.

If this were to be used in a home, it would provide comprehensive coverage to the family. While Norton would need to be backed by a few other layers of protection on the computer, as a complementary measure to add to its protections, it would work well in that type of environment.

In business, NIS 2009 would serve work stations well, provided the office was small. If the business is more than fifty or so users, then corporate protections are better suited to that environment.

The final score for Norton Internet Security 2009 is 93.74 out of 100.

Testing Methodology

Norton Internet Security 2009 was installed on a Windows XP computer with Internet Explorer 7 and Service Pack 3. The Microsoft updates were current and all additional software updated. The system was an Intel Pentium D 3.4 GHz CPU (Dual Core) with 1024MB RAM.

The following is a breakdown of the lab testing with point values.

Installation (10 points total)

This test covers how fast the software installs, and rates the configuration options. How simple is it to install?

Norton earned 10 points.

Navigation and Controls (10 points total)

This test rates how easy the software is to navigate and use. Are all the menus and controls easy to locate? Are the various functions and controls easy to understand? Is there help for the options? If help is available, how easy is it to locate?

Norton earned 10 points.

Scanning (15 points total)

Scanning covers the scanning speed, the various scanning options, and control. One aspect that is important in the control measurement was how easy it was to halt a scan in progress.

Norton earned 15 points.

Detection (15 points total)

This test centered on signature updates and controls, as well as monitoring and detection. One of the focal points was how accurate the detection was when locating Malware.

Norton earned 14 points.

Resources (15 points total)

Does the software drain system resources? Can the software be completely disabled? If there are help files available, how complete are they? Are the help documents easy to follow and are they relevant?

Norton earned 15 points.

Software Options (10 points total)

Does the software bundle in other features that layer security? Are there other features that are added in that are non-security related? Are these features useful? Do they overlap one another or other features on the computer?

Norton earned 8 points.

Malware Testing (10 points total)

This test uses 39 samples of Malware, each worth .26 points (rounded up). The goal is to have each one discovered by the detection engine. The test is in two parts, where the samples are zipped in a password protected archive and scanned, and then placed in to an unprotected archive and scanned.

There is a loss of one point if there was no detection for password protected archives. This is because some engines will flag password protected files for inspection, which is a good protection point. As the bulk of the AV market allows exemptions for various files and file types, the legit password protected files could later be exempted.

Norton earned 8.74 points.

The KeyGen Test (5 points total)

The KeyGen test is a simple test to pass for any vendor. As the self extracting executable launches, the fist thing it does is write a temp file that links to a downloader. The downloader, as well as the various KeyGens in the archive, all link to Malware.

Norton earned 5 points.

Malicious URL Testing (5 points total)

The malicious URL test takes five random URLs, known to be malicious, and judges the software's reaction to what the user does. The software is judged based on its response to visiting the site and reaction to any software downloaded. The software must react in order to pass this test.

Norton earned 4 points.

Spam Blocking Test (5 points total)

This test rates the Spam blocking ability of the software. A full score means that software blocked 95 percent of the Spam samples sent.

Norton earned 4 points.



Like this article? Please share on Facebook and give The Tech Herald a Like too!