PC Magazine, September 2007
Editors' Choice

Excellent: 4.5 out of 5.0
Symantec continues to polish and enhance its
flagship Norton Internet Security suite. The 2008
edition adds full-scale password and identity
management, and its new BrowserDefender technology
offers even stronger defense against Web-based
attacks. Borrowing a page from Norton 360's
playbook, NIS 2008 now offers a built-in,
multilayered help system. For the multicomputer
home, it now includes a network map and optional
remote monitoring of other NIS 2008 installations.
Antispam and parental controls remain second-class
citizens, present only if you install the optional
Add-On Pack.
Organizationally, the main screen is little
different from that of NIS 2007, though it has
traded its cheerful blue background for a
tougher-looking patterned black. You still get an
overview of all the security modules and a great big
icon that reflects overall status. If it's anything
but the green check mark that means fully protected,
just click Fix Now to set everything right.
Fabulous Firewall
The suite's firewall puts all ports in stealth mode,
making them invisible to hackers—that almost goes
without saying with modern firewalls. The NIS 2008
firewall blocked all my Web-based tests; in several
cases it reported a port-scan attack and blocked the
"attacker" for half an hour. As in previous versions
of NIS, the latest firewall is armor-plated against
attack by malware. I couldn't find any way to
disable it programmatically (and believe me, I
tried). Panda's firewall was also pretty tough, but
it gave way to my last-resort attack using fake
mouse clicks—NIS resisted even that attack. And
BitDefender Total Security 2008?
Well, I showed that a malicious program could turn
off that suite's protection by disabling essential
services—it needs to get tough, like the other two!
Symantec was an early proponent of the rising trend
to put responsibility for security decisions where
it belongs—with the security software. Like Panda's
firewall, NIS 2008's never asks you whether this or
that program should be allowed access to the
Internet. If the firewall recognizes known bad
programs, it just removes or disables the threats;
there's no question of allowing them
Internet access.
The firewall graciously allows known good programs
to connect at will. Using its SONAR (Symantec Online
Network for Advanced Response) technology, NIS 2008
watches unknown programs for signs of malicious
behavior, and as long as they play nice it lets them
access the Net.
I usually run a set of "leak test" utilities to check
whether the firewall can handle malware that tries
to evade normal program control. In the past, NIS
hasn't detected these because they have no malicious
payload—which is completely reasonable. This
version, however, did block all but two of a dozen
samples, identifying them with generic names such as
"Trojan Horse," "Hack Tool," and "Downloader." This
probably doesn't make users any more secure, but it
gives us security testers a warm, fuzzy feeling.

For this review I added a new tool to my testing
arsenal: Core Impact. Among many other features,
this penetration tool automatically generates
exploits to probe a system's defenses. Working
across the virtual network I unleashed over a dozen
client-side exploits on the NIS-protected system.
This type of exploit gets into your system when you
click a link in an e-mail message or visit a hacked
(or deliberately malicious) Web
site. In addition to a number of Internet Explorer
exploits, I managed to unleash one aimed at Firefox
and some that go straight for Windows itself through
various vulnerabilities. A few failed simply because
the test system's browser and operating system were
fully updated. NIS's Intrusion Prevention System
recognized and blocked all but one of those that got
past that initial hurdle. The one that wasn't
recognized still couldn't actually do anything
harmful because it was stopped by Norton's suite.
Going forward, I'll be challenging other security
suites and firewalls in the same way.
New Network Map
A single NIS 2008 purchase includes three licenses for
the modern multicomputer home. New in this version,
the Network Map identifies all the computers and
other devices that it can "see" in the network and
flags those that have NIS 2008 installed. By going
through a fairly elaborate "discovery" procedure,
you can configure the suite to allow the NIS 2008
systems to remotely monitor each other. The only
information you get is the main status icon, though.
I wish it would offer a little more detail. Whether
it's a big problem, such as no firewall active, or a
small problem, like Windows Updates not set to
automatic, all you see is a simple red X icon. In
any case, there's no option to remotely fix the
problem.
The network map does have a few other tricks. By
default, other computers on your local network are
assigned the Default "trust level," which means file
and printer sharing is allowed but other network
traffic will be
limited by the firewall. Change the trust level to
Restricted and you block all access to your PC from
the specified device. You can also choose Full
Trust, which allows all network traffic except for
known attacks and infections. However, Symantec
advises against using this mode unless the default
mode causes connection problems.
NIS 2008 can distinguish wired from wireless
networking, and it can tell when your wireless
network has encryption enabled. If you're so
devil-may-care as to omit encryption, the suite
warns you that your network isn't secure. It
doesn't, however, report new computers on the
network as possible intruders, as Panda Internet
Security 2008 does. And on my wired/wireless office
network it
never did detect that my wireless notebook had
joined the network. I do like the network map, but I
think it has some growing to do.
Thorough Malware Cleaning
While the 2008 edition hasn't been through
independent lab testing yet, Norton AntiVirus
2007 got top marks from all the labs. Both ICSA
Labs and West Coast Labs certified it for virus
detection and cleaning; West Coast Labs also
gave it Checkmark certification for detecting
spyware and Trojan horses. And you have to go
back to 1999 to find any occasion when a
Symantec product did not receive the
VB100% award from Virus Bulletin. In addition, a
very recent test by AV-Comparatives rated
Symantec's technology Advanced+, the highest
rating.
The combined antivirus/antispyware scans files
on access, on demand, and on schedule. You can
set up a full or custom scan at daily, weekly,
or monthly intervals, or configure scans to run
at start-up, at log-on, or when the system is
idle. The suite scans incoming and outgoing
e-mail for malware and also watches outbound
e-mail traffic for signs that a worm is sending
e-mail using your computer. NIS 2008 scans files
received through popular IM programs (Yahoo!,
AOL, MSN, and Trillian) as well. It also finds
known malicious programs by matching their
signatures and catches unknown ones using its
SONAR behavior-based tracking. In addition, the
suite specifically looks for keylogger and
rootkit activity.
By default, NIS 2008 runs a preinstall scan
during the installation process, and you'll
definitely want to accept that default. When I
installed it on my infested test systems, the
pre-install scan detected and at least partially
disabled almost three-quarters of the malware
samples, including adware, spyware, Trojans,
rootkits, and rogue antispyware programs. After
a full scan almost every single one of the
samples was gone—NIS 2008 scored 9.3 out of a
possible 10 points. In the same test Spy Sweeper
and Spyware Doctor scored 9.0 and 9.1,
respectively; BitDefender rated 8.6 points.
Panda Internet Security 2008 recently aced this
test, scoring 10 out of 10, but there's an
interesting distinction to be made. In most
cases Panda wiped out only the essential
executable files, leaving behind dozens of data
files and Registry items. NIS, on the other
hand, wiped out every single trace of about
two-thirds of the samples and cleaned up the
rest more thoroughly than most products. My
Panda contact noted that without the malware
executables, the other traces are harmless. That
may be true, but surely it's better to avoid
clogging the Registry and file system with
useless junk. I did find, however, that a full
scan on my standard clean test system took
nearly an hour with NIS 2008, almost twice as
long as that of NIS 2007. I guess that thorough
cleaning takes a bit of extra time. It's worth
the wait, in my opinion.

I always run a separate test using commercial
keyloggers in place of malware. I don't give
this test as much weight, since a typical
commercial keylogger has to be installed by
someone who has physical access to your
computer. But NIS 2008 deserves credit for
wiping out every single one of the samples in
this test for a perfect 10 of 10. (Panda bombed
with 2.1 points in this same test. BitDefender
did better, scoring 7.1.)
One of my test systems frequently goes into a
blue-screen death spiral when security software
does an incomplete cleanup job. NIS 2008 had no
trouble with that one. I like the fact that
Norton's new suite cleans up high-risk items the
moment it finds them, rather than asking the
user. It asks your permission only when the item
is seriously low-risk. A malware sample on
another system tries to protect itself from
security software by interfering with the
Windows Installer. NIS 2007 installed despite
this chicanery, but NIS 2008 hit a wall, which
was a bit disappointing. Still, on Symantec's
advice I ran a Web-based scan and then booted
into Safe Mode to delete the files identified by
the scan. After that I was able to install the
product and complete the cleanup process.
As usual, I attempted to install all the same
threats on a clean system protected by NIS 2008.
The moment I opened the folders containing the
samples, though, NIS started eliminating them.
Within a minute or two it had wiped out all but
a handful of the malware samples and all but one
of the commercial keyloggers. I tried again
using samples that I had modified myself. Even
though I renamed them, tweaked some
nonexecutable bytes, and changed their file
size, it wiped them out just the same. Of the
handful of remaining threats, most got caught
early in the install process. Overall NIS 2008
scored 9 of 10 points against the malware
samples and blocked every single commercial
keylogger for another perfect 10. Spy Sweeper
rated 8.1 at blocking malware installation,
while Spyware Doctor racked up 9.8 points. Panda
scored 10 against the malware samples, but was
much less effective at blocking commercial
keyloggers—scoring a mere 3.6. And BitDefender
lags the pack slightly, with 8.8 points against
malware and 4.3 against keyloggers.
Keep Your Identity Safe
This version introduces Identity Safe, which replaces and
totally surpasses the old Privacy Control module.
(Privacy Control is still present in the Add-On
Pack, but it's obsolete). Identity Safe can store
one or more password-protected "cards" containing
personal data, contact information, and a default
credit card. When you connect to a non-fraudulent
Web site, you can fill in the appropriate form fields
just by invoking the card. You can also use Identity
Safe as password-protected storage for important
private information that doesn't fit the
identity-card model.
Identity Safe also manages username and password
information for Web-site log-ins much the way
Roboform (PC Magazine's favorite password
manager) does. When you log in to a site for the
first time, it offers to remember the credentials
you used, with an option to never ask again for this
particular site. If you choose this option, the next
time you visit the same site, Identity Safe
automatically fills in the username and password
fields—all you need to do is click the button to
submit your credentials.
Of course, Identity Safe doesn't know who's sitting at
the computer. It will supply those credentials just
as nicely to your shopping-mad teenager. To plug
that security hole, the log-in data is password
protected. Identity Safe will always ask for the
password the first time it takes action during a
given browser session, and you can configure it to
ask again if the PC has been inactive for 15, 30, or
45 minutes. For total security, set it to require
the master password at every automatic log-in. Of
course, you can manually log out if you step away
from the computer, too.
If you change your password for a particular site (it's
a good idea to change passwords once in a while),
you can edit the log-in to reflect that change, or
configure a specific log-in to always require the
master password. And the Manage Log-Ins dialog rates
your passwords as Strong, Medium, or Poor. RoboForm
doesn't do that, but it does include an option to
generate a strong password based on user-defined
rules—I'd like to see a similar password generator
in Identity Safe. Another feature not found in
RoboForm is the use of site-specific icons known as
favicons (the icons that appear next to the URL in
your browser's Address Bar), when available. I did
notice that if Identity Safe failed to pick up the
icon on the first try (which it did, frequently)
there's no way to make it try again.
Like Roboform, Identity Safe lets you use your saved
log-ins as "smart favorites." When you select one
from the pull-down menu, it navigates to the
specified site and logs in right away. I love that
feature! Norton isn't quite as flexible as Roboform,
though. You can't organize your log-ins into
folders, and it won't handle some types of log-ins,
such as those where the username and password are
both displayed as dots. Still, NIS 2008 has a very
effective password manager.
Symantec points out that using Identity Safe balks
even hardware-based keyloggers—the keys you don't
type can't be logged. And the product's built-in
phishing protection ensures that you won't be giving
that information to a fraudulent site. Since its
introduction, NIS's phishing protection has been the
one to beat. When I test other products, I compare
their protection with what's offered by NIS, by
Internet Explorer 7, and by Firefox 2. I use current
phishing sites culled from real-world e-mail and
from phish-tracking Web sites, discarding any that
vanish before I can test using all the products and
any that aren't flagged as fraudulent by any
product. In my latest test NIS blocked 94 percent of
the phishing sites, IE blocked 83 percent, and
Firefox blocked 77 percent. Unlike many such
products, NIS is actually better than the
phishing filter built into the browsers. And NIS's
antiphishing now integrates with Firefox as well as
IE. BitDefender, by comparison, scored 40 percent;
Panda tanked at 0 percent.

The antiphishing toolbar used to be a bit overwhelming—a
huge green or red bar across almost the whole width
of the browser. In this version, Norton's
antiphishing is just as effective but not nearly as
large. It indicates whether the current site is a
known phishing site, a suspected fraud, or a valid
site. For a few hundred significant financial sites,
Symantec goes a step further and displays a "Norton
Authenticated" banner and logo. You can feel
extra-confident auto-filling forms at a site that
has this logo.
The Awful Add-Ons
While the suite as a whole has been streamlined and
improved, the optional add-on pack seems to have
been gathering dust on a shelf somewhere. I couldn't
find any visible change in the antispam, parental
control, and privacy control features since NIS 2007.
As mentioned above, the new Identity Safe renders
privacy control obsolete. Parental control is just
category-based Web filtering, with an option to
specify exceptions.
BitDefender's parental-control system ties settings
to Windows user accounts, and Panda's lets you
define separate accounts, but Norton's filtering
applies to all user accounts. There's no option to
have it on for the kids but off for Mom and Dad. And
there are no advanced features like time-scheduling
(included in BitDefender's parental control),
notification alerts, or remote management.
Fortunately, not everyone needs parental control. If
you do, get a real parental-control product such as
Safe Eyes. I gave NIS
2008 four stars in the Privacy/Parental
category—wholly based on the excellent Identity
Safe, not on its parental control.
The antispam module integrates nicely with Outlook and
Outlook Express. It's smart enough to import your
address book into
its whitelist, so messages from your existing
correspondents will never be blocked. It can also
automatically whitelist any address to which you
send mail and whitelist the sender when you mark a
message as not spam. And believe me, you'll need a
fully populated whitelist to protect your valid mail
from the spam filter's depredations. Panda erred in
the opposite direction, blocking hardly any valid
mail but letting more than half the undeniable spam
into the Inbox. BitDefender hit the sweet spot—it
blocked no valid mail from individuals, blocked
almost no newsletters, and diverted 80 percent of
the spam into its Spam folder.
When I tested NIS's spam filter with several thousand
real-world messages, its performance was
significantly worse than last year's. After it
processed all the mail, I manually separated the
Inbox messages into undeniable valid mail,
undeniable spam, newsletters (valid but not
personal), and "other." I keep the newsletters
separate because some products (including this one)
have trouble distinguishing them from spam. NIS 2008
marked over 40 percent of the valid messages as
spam—that's terrible! Even if I omitted valid
personal messages from organizations and counted
only those from individuals, the suite still
mismarked 25 percent. And newsletters? Over 80
percent of those were marked as spam! It did manage
to filter out about 90 percent of the undeniable
spam, but so what?—that just means you'll have a
harder time finding the important messages it threw
out.
HELP!
In the past, Symantec has gotten a lot of grief about
its tech support. PC Magazine readers
frequently write me with gripes about waiting for
hours, getting bad advice, or giving up on
technicians due to language problems. NIS 2008's
One-Click Support (originally introduced with Norton
360) aims to turn this perception around.
To start a support session, you invoke the built-in
AutoFix feature. In some cases AutoFix will identify
a problem and either fix it or direct you to the
appropriate instructions. But if it doesn't you can
get help via e-mail, telephone, or live chat. A
handy screen shows the expected wait for each type
of help. The live chat feature includes an option to
let the Symantec analyst take charge and
remote-control your computer to identify and fix the
problem. And all of this happens within the NIS 2008
user interface.
I put the system to the test and it worked fine. Of
course, if you can't get on the Internet or your
system is locked in a reboot death spiral, you'll
still have to use direct phone support. Whether
there's been any improvement in phone support
remains to be seen. When I checked during testing,
Symantec was estimating 12 minutes hold time for
phone support, versus 2 minutes for live chat.
Norton Internet Security 2008 remains PC Magazine's
Editors' Choice security suite. The unobtrusive
firewall is tough as nails, and it actively
identifies and blocks exploits and other intrusions.
NIS 2008 did a super job of cleaning up malware in
testing, and its cleanup is significantly more
thorough than most. The new Identity Safe manages
your passwords and personal information effectively.
And if you have a problem, help is built right in.
Now if Symantec would do something about the
embarrassingly antiquated spam-filtering and
parental-control modules.