Saturday, November 28, 2009

NAV2010 comes in 2nd on PCWorld's Standalone AV Test

Right off the bat I'd like to say that I disagree with the methodology of this test even though Norton came in 2nd (which is a pretty good place). It is your traditional on-demand retrospective test, which is to say: dump a bunch of malware in a directory and run the on-demand scanner against it. This type of test does not exercise your URL blocking capabilities (called SafeWeb in Norton), your vulnerability or drive-by download protection (called IPS and Browser Protection in Norton), your behavioral capabilities (called SONAR2 in Norton), or reputation (called Quorum in Norton). Ok, so they tested 1 out of 10 features, thereby relegating this test to the ever increasing dump heap of shitty tests. But what really irked me about this test was when PC World commented on G-Data's win, and I quote: "GData.. but using it means having to make more decisions than you do with other apps."

Hello! PC World, are you forgetting you are a home-user magazine? Home users don't want to make decisions! They don't know how to make decisions. How in the world did you give GData the crown when they have a product that keeps forcing the user to make decisions?

Is it just me, or are these magazine tests getting worse by the year even though they were useless to begin with?

You can read all about the test here.

Saturday, November 14, 2009

Immunet - Better than the best?

I think not.

I did some testing with exes found at The results were, as expected, very disappointing. Here is a screenshot of the results on an unpatched XP SP2 box. Can you spot the rogue antivirus? Lol! Anyway, the screenshot shows that even with 3 fake AVs running, Immunet doesn't have a clue... not a peep.

Immunet - Parasitic Products

This blog is about a new startup based out of Calgary called Immunet. How is this related to Norton, you might ask? Well, a few of the top executives (who shall remain unnamed) are ex-Symantec employees. Hmm... I am always suspicious when I see a defection from a well-known brand to an upstart company that, lo and behold, happens to be working on something identical. See this thread for names and places.

They have also been busy astroturfing, flooding the internet with good news about their crappy product. See

Their idea is nothing new: signatures in the cloud, correlation across other users, collective intelligence, same ol', same ol'. This area has probably been patented to death.

This product is what's called a PARASITIC product. They monitor the detections of other products that may be running on the machine, and claim those very same detections as their own. Nasty!!

The implications of this are interesting to say the least.

1. Immunet can never detect anything that is not detected by at least one other product. That is, it doesn't bring anything new to the table. So why would you need it?

2. Because it in essence siphons off detections from other products, it always runs the risk of missing those detections if it can't hook into the events that a product like Norton generates when it detects a threat. In fact, I hope Symantec, McAfee, Kaspersky, AVIRA and others see this posting and lock down their event/alert interfaces so they can't be read by Immunet. Let's get rid of the parasite.

I predict that in about 3 years at most, Immunet will be relegated to the ever increasing pile of failed security-wannabe startups... that is, unless they get bought out by some clueless company with deep pockets like IBM. I have a feeling that Symantec will not be one of the contenders for a buyout :-)

There is an interesting blurb at the very bottom of their website, and it reads:

"Don't wait for other vendors to re-architect their products when you can use Immunet Protect today."

Wow, if there is one skill startups have, it's FUD. I suspect that comment is targeted at Symantec, given the pedigree of the company. However, I am sure that by now the defectors know that Norton has successfully shipped its "re-architected" products with Quorum technology to millions of customers. No need to wait: get the best, get Norton.

Saturday, November 7, 2009

Something smells funny

After posting the last blog I started thinking about the 100% detection result Norton got on the Dennis Labs test. While I agree it is unbelievable, it is not impossible, especially when you consider that only 40 samples were tested.

But what's impossible is the test results from AV-Comparatives, one of the two premier testing houses in the world. In their most recent test, in August 2009, with 1.56 million samples ( , the top two spots were:

GData - 99.8% detection
Avira - 99.4% detection

Seriously, 99.8% detection on such a large sample set? That's what I call impossible. Something smells funny, especially considering that every day there are 30,000 new pieces of malware. How in the world are GData and Avira able to detect such a high percentage?

I think this whole arrangement between AV-Test, AV-Comparatives and these AV companies needs to be investigated. I, for one, do not trust them.

Friday, November 6, 2009

Andreas & Andreas vs. the Devil

I am sure you are wondering what that title means. Let me explain: Andreas Marx and Andreas Clementi are two guys who are well known in the anti-virus world as independent third-party testers who test the effectiveness of antivirus products. They work at two different companies in Germany: AV-Test and AV-Comparatives respectively. And between these two companies, all the world's anti-virus testing is done... seriously! The magazine you bought off the newsstand that claims it "evaluated" every security suite in the world in some kind of shoot-out didn't actually do it itself. They paid the Andreases, obtained the results, then "interpreted" them and decided a winner. So far so good. But there is one BIG problem. The kind of test done by A&A (Andreas and Andreas) is not real-world. They will dump a couple of million files in some random folder and scan the files. No real user would ever do something like this. This is not how real users come into contact with threats. Instead, the typical user will get infected by:
1. Not patching and getting compromised by a drive-by download when they visit an infected site
2. Opening an email attachment
3. Running a fake keygen, crack, rogue AV, fake codec or some other socially engineered malware
4. Opening a malicious PDF

They don't scan a million files!!

Companies like Symantec have gotten tired of such test methods, since they do not test 90% of what products like Norton have to offer. Norton products have probably the most layered security of any product. They have:
a) Local Antivirus
b) Cloud Antivirus
c) Reputation with Quorum
d) Behavioral detection with SONAR 2
e) Intrusion Protection
f) Browser Protection
g) Website Reputation with SafeWeb

A&A test just a). Bletch!!

So they hired Dennis Labs to do a real-world test. The challenge (as outlined in the Dennis Labs results document) is to expose a machine to malware like a real user would: browse to an infected website, open attachments, etc.

The results were spectacular. Norton Internet Security 2010 got a 100% detection rate. Unbelievable? Maybe.

Not surprisingly, there has been a huge backlash from companies (even CEOs, like Avast's) claiming that the test is bogus, the results are bogus, etc. Avast was not a contender in my book, but after their CEO's pathetic, clearly clueless reaction (Google it), they have reached a new low.

Everyone is focused on the result... the fact that NIS had a 100% detection rate. That fact is irrelevant. What is important is that one company has taken a stand and challenged the status quo to come up with a better testing methodology that will benefit all customers, not just Norton's.

No doubt the backlash will continue to come from all the shills and ghost posters from other companies that only have a lame static file-scanning engine, Avira and GData at the very top of that list.

VirusTotal is smoking da krak!

If you are reading this post, you have probably heard of, and most likely even used, VirusTotal, the online scanning website that will scan a submitted sample using a host of security vendors' scanners. Over the last few years, VirusTotal has emerged as the de facto go-to site if you want to compare the effectiveness of various products. Sounds reasonable, right? Wrong!!

VirusTotal is about the worst place to test the effectiveness of any security scanner. There are a couple of good reasons for this:

1) Vendors give VirusTotal crippled versions of the scanners they use in their real products. You will always run into many cases where a file is not detected by VT but is detected by your product. This problem tends to affect Norton more than other vendors.

Here is a VT scan for a file:

A minute later I scanned the same file with my copy of NIS2010, and voila... a detection.

2) The second problem is that VirusTotal uses just one of the scanners a typical security product has nowadays. Security products have a plethora of engines: intrusion prevention engines, HIPS, NIPS, FIPS (ok, I made that one up), behavioral engines, sandboxes, etc., and none of these engines are tested by VirusTotal.

So when choosing an AV product, be wise: don't decide based on results from VirusTotal.

Norton 360's new user-interface - Stolen

Norton 360, the new product from Symantec, was released early in 2007 and was positioned as a fire-and-forget security suite that includes backup. Symantec came up with a totally different user interface, much simpler than its already simple NIS/NAV user interface, to meet the needs of its target customer.

Of course nothing, and I do mean "nothing", goes unnoticed by Norton's friends in Romania, home of Nadia Comaneci and BitDefender. Of course I shouldn't even be mentioning them in the same sentence, because BitDefender is in a league of its own... the plagiarizing league, that is.

See their product that was released the following year. Notice any similarities?

GData rips off the CPU Meter from Norton

Norton's laser-sharp focus on high performance is no surprise to anyone at this point. Their 2009 and 2010 products have been leading the pack in terms of performance, and as part of their never-ending effort to demonstrate that high performance they introduced the CPU/Norton meter in their 2009 product line. This meter, shown on the left of the screenshot below, is meant to indicate who is using your CPU: Norton, or some other program? See below.

A year later GData released their TotalCare product. See anything you recognize?

Norton invents the "Fix It" Button

Realizing the need for a quick way for users to fix configuration problems and get the software back up and running in maximum-protection mode, Norton added the FIX NOW button, which worked nicely in tandem with the Green/Yellow/Red moniker from the previous year.
Norton's competitors got very good at follow-the-leader. Here are a few examples in the hall of shame, showing screenshots of their versions before and after the Norton FIX NOW change.

Trend Micro - The Before

Trend Micro - The After

Norton invents the Green/Yellow/Red moniker

Prior to 2004, all Internet Security products had a fairly static user interface which never changed colors. Norton realized that customers were doing crazy things like disabling the real-time scanner, letting their subscription run out, or disabling the firewall or the Intrusion Prevention System, which were causing them to get infected. This required some attention, and what better way to get the user's attention than to change the color of the main screen from Green (Normal) to Yellow or even Red as required.

Also notice the System Status area saying "OK", which gives the user the assurance that all systems are GO.

Needless to say, competitors followed suit, and the very next year everybody had the Green/Red/Yellow.

Sometimes I wonder if other companies employ anyone who specializes in user-interface design, or do they just ape Norton? You decide.

Did your antivirus invent a "verb"?

Certain companies, products and brands have become so iconic that they have become part of the English language...

"Google It"

"Fedex It"
"Xerox It"

This is a very rarefied club of companies inducted into the hall of famous verbs. Among them is one of the original examples of how the Internet was used to solve a classic business problem.

"LiveUpdate It"

Yes. We are talking about Norton LiveUpdate, which Symantec introduced early in the 1990s and which was used to distribute definition updates over the internet.

Of course, as is so often the case, through some twist of fate the US Patent Office screwed things up and McAfee was granted a patent for the process, even though prior art was present at every turn. Needless to say, CrapAfee will never be able to enforce that patent.

Who really invented the "Internet Security" product moniker for consumer products?

With the huge array of internet security products today, one forgets who was the real pioneer in this industry. Who were the trend-setters, who were the original innovators, who saw a threat before anyone else did?

Well, you guessed it... Norton. Waaaayyy back in 1999, when Symantec released Norton Internet Security 2000 and Norton Internet Security 2000 Family Edition.

Here is a boxshot as proof.
At that time, upstarts like Kaspersky, AVIRA, Avast, GData, AWIL and Rising were not even an egg, let alone born. The better-known players like McAfee, Trend and Panda didn't even have internet security products.

It all started with Norton...