Title: Thank you, Symantec
Post by: Makou on 2007-07-25, 09:15
The board is labeled "Rants and Randomness," so here's a rant for you.
I purchased Norton SystemWorks 2004 back in August of 2004, within a week of purchasing the machine that I still use to this day. This was actually on Phoenix's recommendation at the time, and I was happy with it. The suite did some things that I was thrilled about, such as removing unnecessary registry entries and shortcuts, on top of what seemed like top-notch virus protection. I've been unable to afford an upgrade to a newer version of the program, but I've kept it as up-to-date as possible. My only gripe with it is that it would take quite a while to do a full system scan, though it did like to rifle through compressed/ZIP'd folders during that process, so that wasn't really an issue.
But, as Phoenix has noted before, virus definitions are only part of the battle. Having the program itself as current as possible is also necessary, as some of these things like to find ways around detection with older software. Other programs exist that serve the same registry/shortcut cleanup functions as SystemWorks, and I've had some good experiences with a free antivirus program (AVG) on other machines in the last year, so earlier this morning, I uninstalled SystemWorks and replaced it with a combination of AVG Antivirus (http://free.grisoft.com/) and CCleaner (http://www.ccleaner.com/).
I've not yet run CCleaner, but AVG has been allowed to do a full scan. It found a trojan. That was planted three years ago. About a month after I'd installed SystemWorks.
For the claims Symantec makes about its virus protection, even if the trojan didn't seem to be doing anything, that is inexcusable.
So thank you, Symantec, for creating a program, that I paid good money for, that allows malicious files to slip by initial detection and then exist on a system for three years, even with numerous updates to said program.
Perhaps I should have learned my lesson when a version of Norton Antivirus produced in 1997 completely destroyed the only stable installation of Windows 95 I've ever personally had experience with.
I will not be using Symantec software again.

Title: Re: Thank you, Symantec
Post by: Lopson on 2007-07-25, 10:00
Ouch. I personally have no complaints. I'm running Sym's AV Corporate Edition along with Sym's Client Firewall. But I understand your reaction, since I'd most likely react the same way to such a degree of incompetence.

Title: Re: Thank you, Symantec
Post by: Tabun on 2007-07-25, 13:13
Well, I haven't come across any virus scanner that was able to catch everything (same goes for spam-detectors, cookie-cleaners and malware sniffers). I learnt that lesson pretty much the same way Makou did, back in the day when McAfee was still going strong. The hard part is to find a good combination of software that allows you to have on-access scanning and various non-interfering stand-alone scanners. So far, Symantec as the active scanner and AVG / Kaspersky as stand-alone scanners works fine for me. I just take some extra effort to scan suspicious shit.
Then there's the following problem: some problem is detected by tool A's experimental heuristics to be "Virus-like" or "Trojan-like", but may actually just be a proper DDE-enabled program or a harmless hacking tool. For instance, quite a few virus scanners detect my mIRC copy as a "malicious trojan" or give it the title "IRC Zombie" (so .. are they calling me a zombie? :)). Tool B's scans take such known false positives into account and don't report it. To the ignorant, then, it looks like tool A is doing a better job than B, while the latter is arguably more up to date. Not saying that's the case with Makou, obviously, but it does happen and it makes proper/trustworthy reviews of AV packages hard to get.

Title: Re: Thank you, Symantec
Post by: Phoenix on 2007-07-25, 17:44
Unfortunately, false positives do occur. I've had programs detect my old sound card's software as a trojan when I know it wasn't because I could identify - bit for bit - the program against the one on the distribution CD and if it were a known infection from a "tainted disk" from the manufacturer there would have been a record of it.
I've had various other false positives and "hack tool" detections as well. One is for memmax.exe which is a freeware memory manager that CounterSpy likes to try to label as a piece of spyware. Another was for a harmless file that was part of a game mod Warden and I had been working on.
Don't be so quick to give Symantec products the boot just because of one detection. As you said, the program version was old and there's always the chance of a false positive from the newer software. Symantec's corporate antivirus program is actually pretty damned good, and I've used version 10 to get some spyware off one machine that nothing else managed to find. One fellow in the Marines I know had a network of several computers. One of them had Symantec's antivirus, the other machines had McAfee. All the McAfee machines had multiple virus infections, and only the Symantec machine was clean. I've killed viruses off more machines with McAfee than anything else to be honest.
The point is, no product is foolproof, and while someone might be able to recommend product "A" over product "B" at some point for some specific purpose, there are no guarantees. There's only what they call in the security industry "managed risks". It's up to the user to know those risks and how to manage them.
For example, say you only surf the net for news and a little online shopping, and always visit the same sites. Your risks will be different from someone surfing the net looking for hardcore porn of every conceivable perversion and nosing around looking for warez and happy hacker script-kiddie software. Someone with a dozen relatives that are computer illiterate that forward joke after joke, chainletter after chainletter is more likely to get a virus in the email than someone who has few email contacts that are security conscious. If anything, the fact that you had only one trojan, and probably an inactive one, means you're doing a lot more right than you're doing wrong.
I've been fortunate to date that I've had no active virus infections on any of my equipment. It's not because I have some magical foolproof virus scanner, but because I'm paranoid and take a pro-active security stance. I pretty much lock out everything and maintain 100% control over my system. I don't have to "share" a computer with a family as I'm sure many people do either - another serious problem when it comes to security. I don't email people who forward stupid jokes and chainletters, and I don't let but a few VERY trusted websites run scripts, and I'm absolutely paranoid when it comes to email - I view source code on messages without actually opening them, especially if it has an attachment.
JavaScript is the most serious security risk when dealing with the internet, period. I cannot stress this enough - use NoScript and Adblock with Firefox. Every malicious website will need JavaScript enabled in order to drop malware on your system, and if the scripts are blocked it can't happen. Only run scripts on sites you trust and know are legit. If it's not that important a site, is it really worth the risk?
Consider the circumstances of your "trojan" on your system as well. Was it just one file? Was it inactive and just sitting on the hard drive? If so then odds are you did not have a compromised system, either just a false positive or a file that was downloaded but never executed. I've repaired virus and spyware-laden machines before, and in every case there was never just a single trojan if there was an active infection going on. Trojans exist to behave like the proverbial Trojan Horse - that's to open the gate and let the soldiers in. They're there to take down your system's defenses so something else can take control over the machine. If that wasn't going on, and you had nothing bad in your system directories and especially tied to the boot sector or system registry, then your system was alright.
Even if it was in a system folder it would have to be loaded into memory through a boot process, otherwise it was just worthless data. Consider the context of the trojan's presence - that's what determines if it was really a threat or not.
All that being said, if you find software that better suits your needs, by all means use it. I always tell people to do their own research and find what works best for them. Not everyone uses the internet the same way, so what works best for one person might not work so well for another. Just beware of running multiple active protection software at once. It's a bad idea unless they're known to get along. Some antispyware and antivirus work fine together, but usually more than one antivirus active protection is a bad idea.

Title: Re: Thank you, Symantec
Post by: Makou on 2007-07-25, 18:15
I made sure to note it was a rant for good reason, of course. :)
I know false positives occur, and I know no software is perfect. I was mostly spouting off because I needed somewhere to air it. I have, however, had enough issues with Symantec's software in the past that I don't think I'll be using it again. At least, I won't pay as much for it as I did this time around.
I've also since discovered that the program was seriously bogging down my system. Things have been running much more smoothly since the uninstall, and AVG does seem to have the same "real time" protection that Norton did. Unless something notably better for my purposes, and still affordable, comes along, I think I have a winner.
And I do use NoScript and Adblock with Firefox. I've had far fewer hits in both Adaware and Spybot since I started using them, and the vast majority of those hits (99% is probably not an exaggeration) are actually harmless.
For the record, my most recent experiences with these things seem to indicate that a friend's mantra of "the best software is free" may not be accurate 100% of the time, but it sure is quite a bit.