Review: Norton Internet Security 2011

Symantec has kept the progression moving, improving both the proactive and reactive protections in its security suite. The Tech Herald spent some time digging into Symantecís latest 2011 unified offering and, with the exception of a few items, found it to be just as impressive as previous versions.

Norton Internet Security 2011 (NIS 2011) has plenty in common with previous versions. This isnít a bad thing. For 2011, what Symantec has done with the Internet Security version of Norton is improve the technology proven to work, while adding coverage to the latest vectors of attack that seem to have gained plenty of traction over the last year or so.

Symantec has added reputation-based defenses to NIS 2011, thanks to the growing Norton Community Watch and its more than 50 million members. This feature checks for the presence of unknown or untrusted files, even going as far as to examine uncommon files. It ties hand-in-hand with the new versions of System Insight and Download Insight.

For the Insight and Web protection, browser coverage includes Firefox and Internet Explorer, as well as Opera, Safari, and AOL. In addition, NIS 2011 uses these proactive detections to protect against malicious links seen in Outlook, AIM, Windows Live, and Yahoo Messenger. There is even a Facebook application that will monitor links posted to walls on the world's leading social network.

Signature protections aside - as those are just a given for security software - SONAR 3, the behavioral engine for NIS 2011, has been tuned to be less obtrusive and faster. It will focus more on what something does and compare it to its reputation, only in the event it doesn't immediately discover any potential malicious actions by a given process. SONAR 3 is no sandbox, but it did its job when needed, and offered no false positives in our tests.

We had a few concerns, of the cosmetic variety, and there were some detection hiccups, but overall NIS 2011 didnít fail to live up to expectations or the hype.


Installing NIS 2011 was just as easy as the previous version. Installation takes about 90 seconds, and the only real interaction needed is the EULA agreement and the Norton Community membership. Given that the community program ties directly into the full scope of coverage, and the information collected is anonymous, we allowed the test system to join the community network.

After the installation process is complete, the final steps include the creation of a Norton Account. This will enable the ability to use Norton Online Family, and Online Backup. You could also run Live Update, downloading the latest detections and definitions, but this is optional really. Live Update ran for us within four minutes of installation. At the time of the initial installation, Live Update was 42 days old, but this will vary from user to user.


Using NIS 2011 will be quite simple for most. However, the dark skin on the control panel gave us pause. One of the reasons being the contrast of yellow, black, and white (with a touch of gold) seems to blend the entire interface.

While the actual controls are laid out in blocks and can be accessed with a click for finer control, several of the people we asked to look at the screen had to squint. Perhaps this is being too picky, weíll freely admit this, but we were hoping for a bit of a change in the graphical user interface (GUI) department.

Nagging aside, one great addition to the NIS 2011 interface itself, is how it can act like a master control for the other Symantec Services. As seen below, itís nothing more than a simple matter of point-and-click to access Online Family options, Online Backup options, or Safe Web reputation and search options. The map itself represents real-time threat monitoring around the globe by Symantec sensors.

The ability to control all of a vendorís offerings in a single setting is a great one. Symantec earns some points for this, but, at the same time, the granular controls over the application itself could cause confusion for some. Clicking settings alone from the main panel will offer a section split into five parts, each with different switches and granular settings.

Symantec has included a noticeable help icon next to each section, and that opens the HLP file shipped with the product. The help documentation is full of pertinent information, but it isnít for the faint of heart. When in doubt, if the HLP file isnít cutting it, use the Help section link from the main panel, which includes links to one-click support and online tutorials.

Aside from the dark interface, and the risk of too much control, using NIS 2011 offered us no problems that prevented the software from working or hindered system operation in any way.


Since 2009, Symantec has adopted the stance that a good file shouldnít be scanned more than once, unless something has changed it. The reputation checks, combined with the community aspect of the detection engine, are what allow NIS 2011 the ability to perform deep system scans without much of a system drain and taking ages to complete.

Below are the results of the scan tests.

Full System Scan (Norton Internet Security 2011):

Scan One: 0:00:22:18
Scan Two: 0:00:05:02
Scan Three: 0:00:03:37
Scan Four: 0:00:03:43
Scan Five: 0:00:04:53

Average Scan Time: 0:00:07:54.6
(AST NIS 2009: 0:00:11:85.2 reviewed 10-02-2008)
(AST NIS 2010: 0:00:22:55.2 reviewed 10-19-2009)

In each of the tests, a full system scan was performed, using the base defaults offered by NIS 2011. The scanned system uses 12.3 GBs of space total.

As is the case with all reviews, only the top-five scans were counted for the total average. However, to confirm the findings from the 2009 and 2010 tests, we ran several scans to confirm the slowdown between the first scan and other subsequent scans. The pattern remains in NIS 2011. There was a reboot after scan one, which was a scan performed after a cold start of the system, and another reboot after scan four.

Even with the anomaly of longer scans after rebooting, and the larger scanning area, the times speak for themselves. NIS 2011 dramatically shaved its scan time performance compared to prior versions.

Malware Detection:

When it came to the actual Malware samples, NIS 2011 missed nothing.

If it wasnít detected on a passive scan, the moment the Malware was executed it was flagged and removed. However, as mentioned in our recent Comodo test, Norton did leave a trace behind and missed out on a point for overall detection.

We collect new samples for each security review and the previously used samples are submitted to Virus Total, where they are shared with each of the security vendors. Given that we had already tested NIS 2011 with live samples during the comparison with Comodo, we did not run a second live sample test.

To test Symantec again, even with different samples, seemed unfair. After all, Symantec would have had advanced notice for the majority of the samples its platform was to be tested against. No other vendor gets that consideration, as each of them has only one chance to take the live Malware test, so we felt it wouldnít be right to change processes for a single review.

Symantec did fine on the live test, earning 50 points out of a possible 50 for sample detection and removal, and four out of five points for overall detection.

Malicious URL Detection:

Unlike the Malware test, where we did not test Symantec a second time, we did run the URL test more than once.

Malicious URL detection is different from Malware testing. There are thousands of malicious URLs created each day to spread Malware or steal information. Detecting Web-based threats is something a security suite has to do on the fly, with near real-time results. Most of the Malware a user will see while online comes from the Web, nearly all of it in fact.

For this reason, we gave Symantec's latest offering 10 more domains. Each of them, at the time of testing, was less then 24 hours old. As was the case before, NIS 2011 didnít miss a beat, no matter what threat was delivered. If reputation didnít flag the problem, Download Insight or the intrusion prevention did.********.exe

For each of the previous six domains, NIS 2011 prevented the page from loading by displaying a Safe Web alert. There is no mistaking the bright yellow screen and giant red 'X', and, unless you click the small text to bypass the warning, you get no access at all.

This domain attempts to use the Eleonore exploit kit to infect the system by exploiting Java. The attack was blocked using the intrusion detection offered by the NIS 2011 firewall.

These domains attempt to push Rogue anti-Virus platforms. The fake security software was flagged and removed with Nortonís Insight the moment it was downloaded. At no point was the software allowed to run.

This domain redirects to an entire host of Malware and exploit attempts. Once the redirection started, NIS 2011 flagged the domain and prevented communication with the controlling site. The attempted payload was blocked as well.


Spam filtering in NIS 2011 worked remarkably well. We were impressed with the scanning and removal of malicious attachments.

When the email-based Malware arrived in a Zip file, the file remained, but the payload itself was gone or rendered useless. Likewise, HTML file attachments were replaced with a friendly .txt document informing us that the malicious content had been deleted.

We tested a total of 2,137 messages. They were a mix of opt-in news letters and marketing materials, unsolicited marketing (drug spam, dating spam), normal legitimate email, and malicious email (i.e. LinkedIn scams, Xerox scams, UPS shipments, HTML attachments, and CVs or Resumes).

Norton missed only 26 messages, earning it a detection rate of 98.78 percent.


NIS 2011 is consistent when it comes to protection. It uses all of the layers available to make a solid attempt to defend a system, no matter the threat. It wonít stop everything, no security software can, but we can honestly see the effort here.

Layered defense aside, there were some other add-on features we took note of that are worth mentioning. We liked the introduction of the Facebook application in NIS 2011, part of Safe Web, where wall links are scanned for threats. The thing we didnít like about it was the fact it is an application and it needs permissions.

Another cool addition to the Norton line is Power Eraser. When you run a scan or if there is a detection made, there is an option to select if you feel there is still a problem. This option is a link to the Power Eraser tool.

What it does is blast away infections that are hard to get via normal means, but it should be treated as a last resort, as it is aggressive and could flag important system files. If this happens, the problem could be compounded if they are removed.

This yearís version of Norton Internet Security is the first to incorporate several Norton services in one setting. This is a sign of things to come for security software, where quick access and ease of use will be all that matter to the consumer.

Overall, Symantec has done a great job improving momentum by sticking with what already works and adding new tools and a single point of control for several related products. Earlier nitpicks aside, NIS 2011 is well worth trying out, not least because its free 30-day trial is fully featured. The purchase cost for Norton Internet Security 2011 is $69.99 USD for a license covering three PCs.

Final Score: 99 out of 100

Like this article? Please share on Facebook and give The Tech Herald a Like too!