Norton Internet Security logo

Norton Insight

Apr 19, 2010

Norton Insight allows the smart scanning of files on your computer. It improves the performance of Norton Internet Security scans by letting you scan fewer files without compromising the security of your computer.

A Norton Internet Security scan can identify threats on your computer in the following ways:

The Blacklist technique At regular intervals, Norton Internet Security obtains definition updates from Symantec. These updates contain signatures of known threats. Each time when Norton Internet Security obtains the definition updates, it performs a scan of all of the files that are available on your computer. It compares the signature of the files against the known threat signatures to identify threats on your computer.
The Whitelist technique Norton Internet Security obtains specific information about the Files of Interest and submits the information to Symantec during idle time. The information includes such things as file name, file size, and hash key. Symantec analyzes the information of each File of Interest and its unique hash value and provides a confidence level to the file. The Symantec server stores the hash value and confidence level details of the Files of Interest. The server provides the details immediately after you open the Norton Insight - Application Ratings window. Even the slightest modification of the file causes a change in the hash value and the confidence level of the file. Typically, most Files of Interest belong to the operating system or known applications, and they never change. These files do not require repeated scanning or monitoring. For example, Excel.exe is a file that never changes but you always scan it during a normal security scan.
Symantec assigns the following confidence levels to Files of Interest:
Norton Trusted Symantec analyzes the file as trusted based on the file information that Norton Internet Security sends to Symantec.
Good Symantec analyzes the file as good based on the statistical evaluation done on the files that are available within the Norton Community.
Unknown Trust or Unproven Trust Symantec does not have enough information about the file to assign a trust level to the file.
Poor Trust Symantec has only a few indications that the file is not trusted.
Not Trusted Symantec has many indications that the file is not trusted.
Norton Internet Security also provides different profiles to configure your scan performance. When you use the Full Scan profile, Norton Internet Security follows the Blacklist technique to scan your computer. It scans all of the files on your computer against the signatures that it obtained during definition updates. When you use the Standard Trust or High Trust profile, Norton Internet Security follows the Whitelist technique to scan the files based on their confidence level. This way, Norton Internet Security significantly reduces the time that is required to scan your computer completely for security threats.

The Whitelist technique that Norton Insight uses also helps in heuristic detection of suspicious applications. Normally, the execution behavior of well-known applications appears identical to the execution behavior of unknown applications. Such behavior results in false identification of good applications as suspicious, and therefore, necessitates security applications to maintain a low heuristic detection threshold.

However, keeping a low detection threshold does not provide a complete heuristic protection against malicious applications. Norton Internet Security uses the Whitelist technique that helps maintain a high heuristic detection threshold. It excludes well-known applications from heuristic detection to prevent false detection of well-known applications and to ensure a high detection rate of malicious applications.

0 comments: (+add yours?)

Post a Comment