Symantec made the headlines in September when they released their 2010 line of Norton products. The reason for all the attention is the new revamp to the Insight engine named Quorum. This pro-active detection is the heart of the 2010 Norton line, and we’ve tested it to see how it stacks up to last year’s version.
Installing NIS 2010
We installed Norton Internet 2010 (NIS 2010) on an Intel Pentium D 3.4GHz (Dual Core) system, with 1024MB RAM, and Windows XP SP3. The operating system software, as well as all added software such as Adobe Flash and Reader, were all updated so that they were using the latest versions.
Installing NIS 2010 was quick and easy. There is no configuration to speak of, but you will be asked to join the Norton’s Community Watch. The Community Watch will forward anonymous information to Symantec to identify new threats. This is essentially one layer of the Norton Insight protection. When prompted, you should join. You’ll need to register the software as well as register an account for the Norton Community, after that, Norton’s ready to go.
Once you get past the installation, as mentioned, that’s all you need to do. Out of the box, Norton is designed to work immediately. With that said, you may notice that it is updating itself and afterwards will launch a system scan in the background. While it does this on its own, we launched Live Update, and launched a Quick Scan of the system on our own, Total time for the Quick Scan was 2 minutes 16 seconds. Live Update took four minutes overall, and this was the longest of the Live Update download times.
Using NIS 2010
For those upgrading to the 2010 version of NIS after using 2009, good news, things look almost the same. The CPU usage is in the same spot, but the giant status sphere has changed some. The three main sections are the same, but in NIS 2009 where it listed Identity, you now have Web-based security controls. In this section, in addition to the Card management and Log-in management, you have Parental Controls, the Download Intelligence controls, Safe Surfing controls and browser security. Likewise, the Internet section has changed some, adding vulnerability scanning and being re-titled to Web.
It should go without saying that each of the options should be left enabled when viewing the three main control areas. With that said, if you want granular control, the settings menu for each of the three control options is easy to follow and maintain. At the same time, most users will never need to alter things.
Note: While testing installation on a different computer, we noticed the Anti-Spam was not enabled. However, this option was enabled on the test system by default. This could be a random occurrence, but to be sure, check under the Network Settings menu and confirm Anti-Spam is turned on.
Another interesting thing to come with NIS 2010 is a link on the main control panel called Performance. Performance, once accessed, flips the screen like turning over a piece of paper lying on the desk, giving you a timeline-based overview of what NIS 2010 has been doing.
While it is eye candy, the overview shows you a breakdown of CPU usage and memory usage, as well as offers visual cues on detections and other related tasks. Moreover, the overview allows you to see installations, such as new applications or Microsoft updates.
When viewing the Performance overview, you can also link to Norton Tasks, which shows you a list of background jobs, when they were last performed and the ability to launch them directly. Also, there is a link to Insight Protection, which shows you an overview of the number of threats the Norton Community is protecting your system from.
Norton Insight is listed under Application Ratings on the main control panel. For our tests, Norton Insight was left at the default levels. Norton Insight is the reason scanning on NIS 2010 and the previous version NIS 2009 was so fast, as it scans your system and locates known trusted files, eliminating them from scanning.
Resource-wise, NIS 2010 stayed on the low end when sitting idle at about 15.7MB of Ram consumed. When running a scan however, either a Quick Scan on the system or a Full Scan, memory usage peaked at 140MB.
Overall, the usability for NIS 2010 is equal to that of NIS 2009. If you didn’t use NIS 2009 previously, and are new to NIS with the 2010 version, you’ll find the help options useful as well as each of the settings, designed for ease of use.
Scanning with NIS 2010
We noticed the same pattern when scanning with NIS 2010 that we did with 2009. That is, the first Full System Scan is always slower than any subsequent scans. When we tested NIS 2009, scanning was slower the first time out if we ran a Norton Insight. With NIS 2010, the first Full System Scan is slower each time you run a scan after a reboot.
The lab computer used to test scanning included 1.32GB of random files to add bulk to the contents available to scan. The files used included fonts, images and icons, PHP, HTML, and CSS files, as well as ZIP and RAR archives for a total amount of 21,806 files. It should be noted that none of these files were malicious. Overall, the lab system was using 7.08GB of hard drive space.
While only the top five scans were counted for the total average, we ran several scans to confirm the slowdown between the first scan and other subsequent scans. Below you can see the results of a system reboot after scan number three.
Full System Scan (Norton Internet Security 2010)
Scan One: 00:59:57
Scan Two: 00:15:55
Scan Thee: 00:11:50
Scan Four: 00:14:46
Scan Five: 00:12:08
Average Scan Time: 0:00:22:55.2
(AST NIS 2009: 0:00:11:85.2 reviewed 10-02-2008)
We noticed that the scan time for individual scans went up in NIS 2010 when compared to NIS 2009. As a result, the average scan time almost doubled. While the average scan time recorded for NIS 2010 is still great, we were unable to determine why there was such an increase.
As we mentioned in the review for NIS 2009, the oddity in subsequent scanning times doesn’t discount the scanning engine as a whole. At the same time, the increase in scan time might set some people off.
For comparison, here are scans six through eight. The sixth and eighth scans took place after a system reboot.
Scan Six: 00:14:51
Scan Seven: 00:12:05
Scan Eight: 00:14:37
Malware detection testing for NIS 2010 included 400 samples, which are worth 0.125 points each, for 50 points in the test overall. The Malware samples included a mix of Trojans, keyloggers, rootkits, Adware, and Spyware.
During the test, NIS 2010 did rather well, only missing eight samples overall. While eight samples is still eight too many, there were some interesting detection notes as well for this test. The interesting notes center on samples missed during scanning. The first sample, a variant of the Rustock family of Malware, was missed completely during the scan test.
We executed the sample, with the intention of infecting the system, and it appeared to run with no problems. Naturally, this disturbed us, so we were ready to note it as a miss, and move on. However, about four minutes later, SONAR, the heuristic detection layer used by Symantec, kicked in, blocking the Rustock variant and removing it entirely.
The second sample, a malicious PDF file, was missed during scanning as well. However, once opened, the temp file that is download (a Trojan that will open a direct path to your system), was flagged instantly.
The following are the samples missed by NIS 2010 during scanning.
Bofra.B [VT Link]
Oddly, it caught and removed the two other versions of Feebs during the test.
MyDoom.A [VT Link]
We were surprised with this missed sample. There were several other variants of MyDoom tested, and each of them were caught.
MaliciousPDF [VT Link]
This PDF file was the second malicious PDF in the test. While the first one was caught, this one was allowed to run.
Rbot (ForBot) [VT Link]
Malicious URL Detection
Norton Internet Security 2010 uses a layered approach to Internet protection. Downloads are checked against Norton Insight, Norton’s IPS (Intrusion Prevention) defenses monitor traffic in and out of the system, and will match this traffic to any running executable. Those defenses are in addition to the normal scanning that Norton takes against any file.
In this test, we visited ten URLs, each known to be malicious. Do not attempt to visit them yourself, as they could still be harmful.
For each of the URLs, Norton’s Download Insight prevented the malicious files from downloading and executing. As a side note, Internet Explorer 8 warned against the offered files, and we had to use manual processes to prevent IE 8 from stopping their delivery.
As you can see in the image above, Download Insight warned against running this file as fewer than 100 Norton Community users have seen it, and it is less than a week old. After executing it, Norton flagged it as malicious and removed it. Again, IE 8 attempted to prevent this file from being downloaded and had to be bypassed.
Once this page loaded, Norton’s IPS system kicked in and blocked the malicious PDF file.
Norton scanned the file after it was downloaded. File Insight detected and removed it based on Heuristic Virus detection (Packed.Generic.255). The file itself, for the record, was a Zeus variant.
File Insight flagged this download as Suspicious.MH690.A based on Heuristic Virus detection.
As before, since there were so few users, and it was less than a week old, Download Insight warned against running this file. We ran it anyway, and Norton's SONAR flagged it as malicious and removed it.
This URL displays a page that launches a fake scan to detect Spyware. During the scan, various pornographic images are shown, as well as a listing of random porn related URLs. The scan finishes with a popup box (see image inset) prompting you to erase the infections. Once the "erase" option was selected, you'll download and install setup.exe.
Once setup.exe was downloaded and installed, Norton's SONAR kicked in and blocked the Rogue anti-Spyware from installing. As soon as the malicious file was removed, we needed to restart the system.
Download Insight once again prompted that the file from this site (pc_protect.exe) be avoided due to the lack of users in the Norton Community and the file's age. In addition, Internet Explorer 8 warned against this file. Ignoring the warings, the file was installed.
The file installed Windows Police Pro, a rather new Rogue anti-Virus. On the desktop, it placed an application shortcut as well as the DLL files. At no time did Norton prevent the installation or application process from running.
Once the Rogue anti-Virus started to run and "scan" the system, Norton's SONAR detected a malicious process (svohost.exe) and prompted for a system restart before it could be removed.
While this was happening, the Rogue anti-Virus was processing a scan, launching toolbar alerts with security warnings, and opening a new window showing the "Windows Security Center" that prompted us to purchase the Rogue anti-Virus. Moreover, several process errors displayed, linked to legitimate Windows system files, which offered a fix option. This fix launched the Rogue anti-Virus scan, and caused more alerts and infection notices.
We rebooted the system as prompted by Norton. After the restart, the DLL files as well as the Rogue anti-Virus itself remained on the test system. Attempting to launch EXE files, such as Malwarebytes AntiMalware, Windows Power Shell, and Outlook Express, failed with a non-valid “Win32 application” error. However, Internet Explorer 8 worked. At the same time, while the Rogue anti-Virus wouldn’t launch from the desktop due to the same error, its warnings and registration notices blocked surfing on IE 8. In short the system was hosed. A reimage was used to restore the system since at this point testing was concluded.
The Spam detection offered by Norton Internet Security 2010 worked as promised, delivering a 97.3-percent detection rate. During testing, there were 854 emails downloaded. Two were correctly marked as legitimate email, while 21 Spam samples were missed completely. After that, the remaining 831 emails were all correctly blocked as Spam.
Based on the final score alone, Norton Internet Security 2010 delivered. However, while there was strong Malware removal and detection, there were also some things that gave us pause.
For example, scanning was a little slower in the 2010 version when compared to the 2009 version. Download Insight, while flagging all but one malicious download, would sometimes cause a bit of a delay in accessing the file. Another issue with Download Insight and File Insight is the initial protection. Essentially, if the file has a low number of community users, or the file is rather new, the first line of protection is to ask if you really want to run it all things considered.
When you look at what happened when we ignored that “are you sure?” warning and installed Windows Police Pro, which crippled the system, its effectiveness is only assured if the SONAR, signature, or other Heuristic-based protections, kick in.
Norton Internet Security 2010 is full of little things that make it a solid security application. There are monthly reports on protection, and the easy navigation and help menus, each helping to round out the usefulness of the program when coupled with the actual protection. The Parental Controls worked great too, which is a plus when you have kids on the computer.
On the flip side to these little things that make it a wonderful security application, are the things that will annoy some users. One thing that springs to mind is the Spam detection. Whenever Spam was detected that contained a malicious attachment, the notification for such detections would steal focus from the active window. When you leave Outlook open all day and work on the system, this will interrupt you each time it happens.
While Norton Internet Security 2010 is a great application on its own, we couldn’t help but think we were expecting too much from the hyped advancements. As we said, based on the score alone, this program delivered on everything. We just expected more “wow” from it. When reviewing the 2009 version over 2008, the “wow” was clearly there. Comparing the 2009 version to 2010, the “wow” is there, but not as pronounced. We liked the 2010 version. It’s just that at the end of the day, we liked the 2009 version better.
If there is one note to make about the layered scheme that the 2010 version uses, our opinions aside, you can expect to see this sort of protection coming from all the other vendors soon. It makes sense to balance the protections using the methods Symantec has designed, and it is highly likely that pro-active will soon replace reactive for good.
Final Score: 96 out of 100