18 November 2007

Norton Security Scan - False Positives

The Norton Security Scan utility is free, and bundled with the Google Pack. It's an on-demand scanner that looks for malware and risks.

Unfortunately, it detects the protective settings applied by Spyware Blaster and similar tools as if they were the very malware those tools protect against. This is a generic type of bug that often arises when a tool assumes anything other than the default is a hostile change, or when overly loose detection cues are in effect.

Specifically, settings within HKCU's P3P\History that block unwanted cookies are detected as evidence of malware. In the case I'm currently working on, only around 5 of over 100 protective entries were detected in this way.

The tool then claims it is unable to fix these problems, which is just as well, as doing so would actually weaken system safety. The end result is similar to Winfixer et al., i.e. false-positive (actually, reverse-positive) detections plus referral to feeware products if these are to be "fixed", so one hopes Symantec will fix this sooner rather than later.

The case I'm working on is interesting, as it was brought in because it was slowing down, with malware as the suspected cause.  Formal scanning finds no active malware, and one wonders if the slowdown was the result of installing Google desktop etc., with the false-positive from Norton Security Scan as the red herring.

I'd like to try Norton Security Scan within mOS contexts such as Bart or WinPE CDR boot, but it appears as if the product is available only via Google Pack.  There are no references to it at Symantec's site, and the FAQ doesn't seem to consider "so where can I download this thing?" to be "frequently asked".
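As an added example (not from the original post, nor code from Symantec or Spyware Blaster), here is how the flagged P3P\History entries could be triaged offline: parse a .reg export of the key and separate entries that block a flagged domain (a protective setting) from entries that allow it. The export fragment and domain names are constructed; the decision codes are taken from WinINet's InternetCookieState values (1 = accept, 5 = reject), which is an assumption about how the key is written that should be checked against a live export.

```python
import re

# Constructed sample: fragment of a .reg export of the per-site cookie
# decisions under HKCU\...\Internet Settings\P3P\History. Domains are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\tracker.example]
@=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\adserver.example]
@=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shop.example]
@=dword:00000001
"""

# Assumed meaning of the DWORD (WinINet InternetCookieState): 5 = reject.
DECISIONS = {1: "allow", 2: "prompt", 3: "leash", 4: "downgrade", 5: "block"}

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\P3P\\History\\([^\]]+)\]$")
VAL_RE = re.compile(r"^@=dword:([0-9a-fA-F]{8})$")


def parse_p3p_history(reg_text):
    """Return {domain: decision_code} from a .reg export of P3P\\History."""
    entries, domain = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:                      # a new per-site subkey
            domain = m.group(1).lower()
            continue
        m = VAL_RE.match(line)
        if m and domain:           # its (Default) DWORD decision
            entries[domain] = int(m.group(1), 16)
            domain = None
    return entries


def classify(entries, watchlist):
    """Judge each entry by what it DOES, not by the domain it names.

    A watchlisted domain with a 'block' decision is a protective entry (the
    scanner's false positive); a watchlisted domain that is allowed is the
    only case worth a second look."""
    result = {}
    for domain, code in entries.items():
        decision = DECISIONS.get(code, "unknown")
        if domain not in watchlist:
            result[domain] = "not-watchlisted"
        elif decision == "block":
            result[domain] = "protective"
        else:
            result[domain] = "allowed-watchlisted"
    return result
```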


Dan Weiser said...

This blog seems to show us that Norton continues to become more unreliable as the years roll by.

Chris Quirke said...

The behaviour appears to have been fixed, in that after re-asserting the settings and updating Norton Security Scan (from around 11 November 2007 that was previously in effect), the scan now finds nothing.

There are two generic lessons here:

1) Scanners are risky code

A scanner may be small, but as it is updated in real time (often on an urgent basis), the cumulative amount of code that passes through it every year may form quite a large surface.

Because it changes continuously in real time, driven by external demands, the chance of errors arising at *any* time is quite high.

2) Paradoxical logic

The mere presence of a reference to malware isn't enough to act on, as this may in fact be a protective facility. For example, if a malware has a known filespec, and is "dof", you might block it by creating an arbitrary file of the same filespec with read-only etc. attributes. If, then etc.

The other paradox is assumptions of risk, e.g. that My Computer Zone should allow more to happen than Internet Zone, or that .JPG is a safer file type than .DOC, etc. Things can change when exploits throw "by design" safety assumptions out the window.

Anonymous said...

It seems that they are trying to force me to use it. I removed this program close to three times, and even physically went in and removed all the files and cookies related to it, and all three times the program magically reinstalled itself the next time I turned on the computer.

Anonymous said...

Norton security scan only comes on when I'm on Alex Jones' Prison Planet website. Since the gov't hates this site I feel I'm being "reported" every time I'm there...