Those of you who have talked to me about Antivirus know that I usually don’t go out of my way to recommend one vendor over another. For the most part all of the major players are pretty good against known viruses, false positives are few and far between, and they continually leapfrog each other when detecting new, “zero-day” viruses.
For my own workstations I use a variety of programs, primarily so that I can be familiar with the differing interfaces and so that I compare results when dealing with suspicious files.
This weekend one of my Norton licenses was expiring, so I decided to switch the workstation over to a non-expiring license (I had a 5-seat multi-device license where I was only using a single seat).
It only took 4 hours to uninstall the old Norton 360 Premier and install the new one – I wasn’t impressed – but at least it didn’t crash the machine, and the scan it ran overnight after the upgrade was clean.
On another workstation where the license didn’t expire until next month I decided to be proactive and switch it ahead of time. Since the software on the machine itself was already current, all that should have taken was a change of license keys. That took longer than it should have, and multiple reboots, but it took – and I started a full scan and headed off to watch the fireworks with my family.
When I got back, Norton 360 claimed to have found HUNDREDS of infections. Closer examination revealed that they were not, however, real infections. The detections included several files that come as part of HP’s support and feedback software, parts of Adobe PDF reader, parts of common programs such as Notepad++ (a great, free text editor), PuTTY and MobaXterm (which I use for supporting Linux systems), and a variety of open source and publicly available tools and components that I have been using for years without problems (ComboFix, HijackThis, WinMerge, LAME, etc.). It even picked up a couple of Microsoft components, such as the Visual C++ redistributables, and a couple of Windows DLLs.
Not only did Norton falsely detect them as “Suspicious.Cloud.9” and similar, it also automatically removed most of them (including deleting them from installation packages) without first asking me what action I wanted to take.
Normally it wouldn’t be that big of a deal; after all, this is why we create backups. The files that were on Dropbox were easily restored using Dropbox’s version control. The others… well, one of the reasons why it detected hundreds of infections instead of dozens is that it also decided to walk through and corrupt the backups on the external USB drive.
That means that I have to do individual restores from quarantine for each of the files that I still want. Three pages of files, 100 per page… but you can’t select more than one file at a time. You have to pick a file (double-click on it to see what it is, since the list only tells you the detection type and date), then click Restore, make sure that the check box is selected to ignore the file on future scans, click OK, click Close a few times… and wait for Norton to redraw the entire list and put you back at the top. Total time per file: 1 to 2 minutes.
I did manage to submit a few of the files to Symantec using their false positive submission portal at https://submit.symantec.com/false_positive/standard/ but that was another exercise in frustration. It requires you to copy the detection details from the history report and upload the file — which should be simple enough — but once you restore the file from quarantine the details aren’t available anymore. So you have to select the file in the history report, copy the detection details to the clipboard, restore the file from quarantine, upload the restored file along with the detection details, contact information, etc., and of course answer the ubiquitous CAPTCHA image. However, you can’t tell the difference between an “L” and an “I”, or an “O” and a zero, and if you get it wrong you won’t know until after you have waited a few minutes for the file to upload – in which case you will have to reselect the file and re-upload it when you take your next guess at the ever-changing CAPTCHA. Many times it took 4 or 5 tries before I could get the file to be accepted.
This little debacle did allow me to familiarize myself with Norton’s new interface – and after using it I can give it a grade of a solid D. Not quite an F, as I did discover that even though the GUI wouldn’t give you all of the necessary information, it would at least allow you to copy the report to the clipboard, which you could then paste into Notepad to get information on each of the detections. From there you can use the date and time to go into the Quarantine History to find the file so that you can restore it.
One caveat – if the quarantined file was inside a .ZIP file you are pretty much screwed, because Norton won’t put it back into the archive when it restores it. You will have to restore it to another folder and manually put it back yourself. Of course this will change the SHA and MD5 hashes of the rebuilt ZIP file, so you might cause yourself other problems. In my case I could restore most of the original ZIP files using other means, such as from Dropbox or re-downloading from the author’s website. You may not be so fortunate.
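The two practical problems above (a scanner quietly rewriting a backup drive, and a hand-rebuilt ZIP whose hash no longer matches the original) are both easier to deal with if you keep a hash manifest of the backup tree, including the members inside each archive. The following is an added example, not code from the post or from Norton: it records a per-file SHA-256/MD5 manifest, then walks through a constructed quarantine-and-restore cycle on a throwaway directory to show that the rebuilt archive's own hash changes while every member's hash still matches. The file names, contents and timestamps are all made up for the demonstration.

```python
"""Added example (not from the original post): verify backups by content hash.

Records a per-file hash manifest of a backup tree, including each member
inside ZIP archives, so that after an AV quarantine/restore cycle you can
tell which files are missing, which changed, and which merely live in an
archive that was re-created (new archive hash, unchanged contents).
The backup set, file names and contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile
import zipfile


def file_hashes(data: bytes) -> dict:
    """Both digests the post mentions; comparisons below use SHA-256."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def build_manifest(root: str) -> dict:
    """Map 'relative/path' -> hashes; ZIP members get 'archive.zip!member' keys."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = file_hashes(fh.read())
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if not member.endswith("/"):  # skip directory entries
                            manifest[f"{rel}!{member}"] = file_hashes(zf.read(member))
    return manifest


def verify(root: str, manifest: dict) -> dict:
    """Compare the tree against a saved manifest; returns missing/changed/ok keys."""
    current = build_manifest(root)
    report = {"missing": [], "changed": [], "ok": []}
    for key, expected in manifest.items():
        if key not in current:
            report["missing"].append(key)
        elif current[key]["sha256"] != expected["sha256"]:
            report["changed"].append(key)
        else:
            report["ok"].append(key)
    return report


def write_zip(path: str, members: list, stamp: tuple) -> None:
    """Create a ZIP with fixed member timestamps so the demo is deterministic."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in members:
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)


def demo() -> dict:
    """Constructed quarantine/restore cycle over a throwaway backup tree."""
    exe = b"MZ constructed stand-in for winmerge.exe"
    putty = b"MZ constructed stand-in for putty.exe"
    readme = b"constructed README"
    with tempfile.TemporaryDirectory() as root:
        tools = os.path.join(root, "tools")
        os.makedirs(tools)
        with open(os.path.join(tools, "winmerge.exe"), "wb") as fh:
            fh.write(exe)
        zpath = os.path.join(tools, "putty.zip")
        write_zip(zpath, [("putty.exe", putty), ("README.txt", readme)], (2020, 1, 1, 0, 0, 0))
        manifest = build_manifest(root)  # taken before the scan
        zip_hash_before = manifest["tools/putty.zip"]["sha256"]

        # 1. AV "quarantine": plain file deleted, archive rewritten without one member
        os.remove(os.path.join(tools, "winmerge.exe"))
        write_zip(zpath, [("README.txt", readme)], (2024, 7, 5, 0, 0, 0))
        after_quarantine = verify(root, manifest)

        # 2. Manual restore: file put back, archive re-created by hand (new timestamps)
        with open(os.path.join(tools, "winmerge.exe"), "wb") as fh:
            fh.write(exe)
        write_zip(zpath, [("README.txt", readme), ("putty.exe", putty)], (2024, 7, 5, 0, 5, 0))
        after_restore = verify(root, manifest)
        zip_hash_after = build_manifest(root)["tools/putty.zip"]["sha256"]

    return {"after_quarantine": after_quarantine,
            "after_restore": after_restore,
            "zip_hash_changed": zip_hash_before != zip_hash_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against a real backup drive you would call `build_manifest` once before the scan and save the result (JSON is fine), then `verify` afterwards; the `!member` keys are what let you accept a re-created ZIP whose archive hash has changed as long as every member inside it still hashes to the recorded value.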
In summary, you can be assured that the current version of Norton 360 Premier (188.8.131.52) is not one that I will be recommending to anyone anytime soon.