Norton 2010 got me infected


  1. jav
    Posts : 713
    Windows 7 Ultimate x86 SP1
       #41

    Wishmaster said:
    Perhaps I'm missing something here, but isn't Norton's SONAR basically a form of HIPS?

    I know its purpose is to identify and block new or unknown threats.
    No, SONAR is a conjunction of cloud technology and a behaviour blocker.
    It acts differently from HIPS.
    HIPS notifies users about almost all changes software is trying to make. And it is completely up to the user to decide what to do. So basically HIPS can be useless in the hands of an inexperienced user.

    SONAR, on the other hand, just examines the behaviour of the software over time (like what it does? what registry keys it creates? does it start in autorun? does it add itself in add/remove programs? was it downloaded from the internet? Did download insight give positive feedback on it?) And after analysing these factors it will try to determine if software is malicious or not. And auto blocks it.
    As SONAR heavily relies on online network, its detection rate is slightly lower on systems without active internet connection.

    Both of them may seem similar, but they are completely different.
    Each has its advantages and disadvantages...
    Wishmaster said:
    I'm also curious about that test result. Was that with Norton's FW set at "Auto" and what Auto settings?

    I've used Comodo before, and it is a quite effective FW. So I'm not bashing it.
    But I tend to think any Firewall which is set to always notify, unless you have created a rule for that specific app, will be equally effective.

    I mean, if you set the Firewall to block all incoming and outgoing activity unless specifically allowed, seems they will all perform the same.

    The only difference is COMODO is set that way by default, whereas many others are not. What if they are all tested set up the same?
    It is a common misunderstanding.
    Matousec is NOT a firewall test.
    ok, it has some firewall tests.

    But it mostly is Proactive Defence, which is the job of HIPS not Firewall!

    If you look at it, you can see that HIPS programs are the only ones that pass it.

    I am repeating myself, matousec shouldn't be used to benchmark pure firewalls..
    It is a HIPS test.


  2. Posts : 369
    Windows 7 Ultimate x64 with SP1
    Thread Starter
       #42

    I'm surprised - I thought SONAR just looked at its behavior ONLY and not looking at other factors but it does make perfect sense! So that means then that if you're in an area where you aren't connected to the internet and insert a USB drive that has an unknown virus on it, SONAR may not pick it up?


  3. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #43

    Hi there
    I do all my Internet surfing from a Virtual Machine which performs essentially the same function as your "Sandboxed" system.

    Nothing gets moved to the REAL machine until it's been properly checked out.

    Incidentally I also go through my OWN proxy to connect to the Internet so if anything untoward gets on to my system I have a decent log of addresses visited (or IP addresses -- better actually) and then I can ensure these sites get permanently blocked.

    Cheers
    jimbo


  4. jav
    Posts : 713
    Windows 7 Ultimate x86 SP1
       #44

    codyw said:
    I'm surprised - I thought SONAR just looked at its behavior ONLY and not looking at other factors but it does make perfect sense! So that means then that if you're in an area where you aren't connected to the internet and insert a USB drive that has an unknown virus on it, SONAR may not pick it up?
    ok, let me make my statement more clear.

    In my last post when I mentioned "SONAR", I wanted to say "SONAR 2".
    Obviously "SONAR 2" is new version of "SONAR" (all Norton products 2010 and above use SONAR 2, as far as I know)

    Now, SONAR stands for "Symantec Online Network for Advanced Response".

    When first introduced SONAR 1 was pure behaviour blocker as you said. It checked a lot of details and behaviour of the software and tried to decide if it is malicious or not.

    When SONAR 2 was introduced, they added new functions such as reputation of the software on the Norton Cloud.

    So as you can see "SONAR 2" is superior to "SONAR" due to cloud technologies.
    It is not that "SONAR 2" is useless without Internet connection. It still contains improved version of Behaviour blocker from "SONAR".
    The thing is that it will just lack its cloud data, which is really useful.

    So that means then that if you're in an area where you aren't connected to the internet and insert a USB drive that has an unknown virus on it, SONAR may not pick it up?
    Yes, of course.
    There is a chance that it will not detect it.
    But "SONAR 2" will probably detect it even without Internet connection if "SONAR" could detect it.
    But there is still a great chance that it will not detect everything.

    On the other hand same can be said almost about everything.
    I am totally sure that no blacklisting technology will detect everything. (unless if it actually detects everything as a virus that would be insane)

    And I can say same to almost any other technology: behaviour-blocker, policy restriction, virtualisation or even white-listing.

    All of them have their theoretical vulnerability, and all of them claim that they are Perfect if used Correctly.
    Yes they are...
    But there is no chance that average user can use them that way...


    I will not go further in fear of starting flame war

    As a last word: Even though there is no panacea for computer malware, the situation is not as scary as media and security people try to make it.

    If you think about it, we don't have so much security for ourselves as we do have for some heartless metal things

    You are still crossing roads, regardless of the fact that some driver can hit you with his car, aren't you?
    So, life has the same level of dangers as the Internet. But we are more paranoid on the Internet than in our lives.

    PS: Just enjoy your life and don't worry too much


  5. Posts : 622
    Arch Linux 64-bit
       #45

    SONAR 3 is in the 2011 products and has been deployed to the 2010 products through LiveUpdate.

    SONAR 3: A new level of behavioral security in Nor... - Norton Community


  6. Posts : 1,251
    Windows 7 x64 Home Premium
       #46

    jav said:
    I am repeating myself, matousec shouldn't be used to benchmark pure firewalls..It is HIPS test.
    Yes that's true, but relying only on a Firewall for security is poor security policy. Adding a well tested and highly regarded HIPS program to the protection that the Firewall offers adds an additional layer of computer security that will not allow any program to run without the user's prior permission. In tests many times HIPS will detect Malware even before the Antivirus does.

    ~Maxx~


  7. Posts : 1,251
    Windows 7 x64 Home Premium
       #47

    jimbo45 said:
    Hi there
    I do all my Internet surfing from a Virtual Machine which performs essentially the same function as your "Sandboxed" system.

    Nothing gets moved to the REAL machine until it's been properly checked out.

    Incidentally I also go through my OWN proxy to connect to the Internet so if anything untoward gets on to my system I have a decent log of addresses visited (or IP addresses -- better actually) and then I can ensure these sites get permanently blocked.

    Cheers
    jimbo
    Just excellent! A virtual template for state of the art computer security! I am curious as to whether you might be using Proxomitron as your proxy.

    ~Maxx~
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
