Norton Security Scan woes

I can’t find any reference to this in forum posts, maybe I’ve missed it, maybe it’s new - in any case I would like some advice please.

As an added security measure I downloaded Norton Security Scan standalone virus scanner. Unfortunately since installing CAVS 2.0.14.47 this application will not launch while CAVS is running. Close CAVS down or place the Norton Security Scan folder in the excluded list for HIPS and it runs. I’ve checked through the apps I’ve included in the HIPS list and NSS doesn’t appear at all. The only way to launch this independent scanner is to close down CAVS (not an option!) or include it in the excluded list. Is there a known conflict with NSS? Or is there a way of manually including NSS files in my HIPS list?

Sorry if I’m repeating a previously discussed topic but I couldn’t find anything relating to this in posts. So any and all help appreciated.

I’m using Windows XP SP2 on an Athlon 64 with 1GB RAM. CAVS version is 2.0.14.47, virus database version is 2.0.0.190, Safelist DB version is 2.0.11.43 and program updates version is 2.0.14.50.

Many thanks in anticipation.
LeRat

Your computer is a 64-bit processor, correct? (Athlon 64)

LM

Athlon 64-bit, that’s correct

Then your problem is most likely related to that, as CAVS currently only officially supports 32-bit versions of XP, W2K and W2K3. 64-bit, and Vista (of either flavor) are not yet supported.

From what I’ve seen, if you have CAVS running, you’re doing great! (Perhaps because it’s AMD instead of Intel?)

If CAVS is/was working properly, you should be able to Exclude NSS in HIPS - go to Settings/HIPS/General, and find the line, “What items to exclude from HIPS application control.” Click the Select button, and browse through to the appropriate file (you cannot type in a pathname; you have to browse). Select it and OK.

The line right above that one is “Manage Allow/Block List.” You might look in there to see if there’s a block on it. Otherwise, you should be getting an alert from the HIPS. Oh, you know what, you might look at the HIPS Advanced tab, and make sure that “Notify me when an application is blocked” is set, rather than “Notify me… Allowed.”

Just a couple questions… is NSS an on-demand only, or is it on-access as well? Also, what led you to pick that as an alternative/extra scanner?

LM

Thanks LM

I’ve now managed to get NSS to work and it is included in the managed list (don’t ask me how I did it, a combination of luck and ignorance I think).

I chose NSS as a second line of defence as it received good reviews. It’s an on-demand only. It can only be downloaded as part of the Google Pack as far as I know, but you can choose what’s downloaded and what isn’t.

Comodo has an excellent rep too, which is why I opted to go with the beta rather than wait for the gold version. After reading posts from Lusher, annoyance or not, my confidence is wavering. I understand the principle of HIPS but where is Comodo currently at as regards detection performance?

Thanks again for responding so quickly.
LeRat

Cool, I’m glad that’s working.

Lusher, as I’m sure you are aware, is/was not a big fan of Comodo’s idea of prevention being the first line of defense; thus he was very harsh concerning Comodo’s lack of what he considered a decent signature database. That database at present contains more than 200,000 signatures, which I don’t personally consider shabby for an AV built from the ground up, in the time they’ve been working on it.

Granted, this is still not on the level of some companies that have been around much longer, purchased other companies’ virus databases, and whatnot. Part of the thing to consider is that while some have larger signature bases, that is partly because their sigs are old (and in some cases way out of date); this doesn’t mean they don’t have current sig files, just that they also have obsolete sig files that are still included. A lot of so-called “new” malware isn’t really new; it’s only packaged in new ways to help it escape detection by (guess what) traditional (blacklist) file scanners. Thus, antiquated definitions often serve little purpose (but they make your signature count a lot higher…).

Also, with the purchase of BOClean, Comodo now has its 10+ years of research and definitions, which will be/are being integrated into CAVS, along with some of its detection mechanisms. The next version of CAVS will probably have this integrated.

It’s not a problem to have a backup (on-demand) scanner; I do as well. But with HIPS running, it should catch anything before the scanner triggers. You’ve got to realize, too, by the time the on-access scanner triggers, the malware has already run. This is part of the problem with traditional file scanners (only a part; the rest of the problem is that malware is always ahead of the definitions curve, and causes the AV to be reactive instead of proactive). HIPS, on the other hand, is more proactive, because it’s not based on a definition, it’s based on a type of action being generated which will cause CPU time to be accessed. Alert, Deny, and the malware is effectively castrated. Ouch!

In the end, though, it boils down to what the user is comfortable with, and trusts. If you don’t trust your security software, there’s really not much point in having it… :wink:

LM

Cheers for the Comodo 101 LM (:WIN)

I also have BOClean running so hopefully am OK at the moment. I originally switched from AVG as it kept crashing out on me (worrying) after updating. Not every time, but often enough to cause concern. Out of interest, which backup on-demand scanner are you using or would that be giving too much away?!?

Thanks again
LeRat

I use BitDefender Free. It’s a decent scanner, and hello! It’s free (this is very important…) ;D It plugs in easily to the download scanning add-on for my browser, so I can automatically scan anything I download. It has an automatic updater, and can be scheduled to run its on-demand scan. There is no real-time or on-access feature to it. Not too bad on resources, either. I haven’t had any conflicts or suspicious behavior out of it so far. It has an annoying “news” feature, but I turned that off (the freebies seem to do this, so they can advertise their non-free versions…).

LM