Subject: Review of Norton Antivirus (PC)
From: p1@arkham.wimsey.bc.ca (Rob Slade)
Date: Fri, 15 Mar 91 16:54:13 PST

Comparison Review

Company and product:

Symantec/Peter Norton
10201 Torre Avenue
Cupertino, CA 95014
USA
408-253-9600
800-343-4714
800-441-7234
408-252-3570
416-923-1033
Norton AntiVirus

Summary:

Manual and TSR virus scanning, as well as change detection.

Cost $130 US

Rating (1-4, 1 = poor, 4 = very good)
      "Friendliness"
            Installation      3
            Ease of use       2
            Help systems      2
      Compatibility           3
      Company
            Stability         3
            Support           3
      Documentation           2
      Hardware required       4
      Performance             3
      Availability            4
      Local Support           1

General Description:

The NAV.EXE program has the ability to scan memory, boot sectors and files for the presence of known viral programs, and to "inoculate" programs against change. It can also recover some damage to programs and boot sectors. The NAV_.SYS program provides TSR checking of files, although it does not detect viral programs in memory, or deal effectively with boot sector viri.

Comparison of features and specifications

User Friendliness

Installation

The program is shipped on "read only" disks, therefore cannot be infected at the user's site without active intervention.

It is absolutely essential to read the on disk READ.ME file, as the documentation is incorrect in many places including installation. The printed documentation fails to mention the NAV.DEF virus definition file and the program will not function without it.

Installation can be done from any drive to any drive, including floppy drives. If old versions of Norton Antivirus are found they can be overwritten or backed up at the user's discretion.

The installation program is clear and simple to use, and gives clear instructions and explanations of the various options. (With some exceptions. For example, the program assumes that old copies of NAV are to be found in C:\NAV, and states that there is no old version if nothing is found there.
If this is not the path for the files, and the proper path is specified, the request to choose between backing up and overwriting old versions comes shortly after the announcement that there are no old versions.) A "completion bar" shows the progress of most lengthy operations (throughout the program.)

The installation is quite intelligent and useful in dealing with the necessary changes to system files. An editing screen is presented for the insertion of the command line in CONFIG.SYS. The default placement is explained clearly enough to give novices confidence, but will allow more advanced users the ability to select optimum positioning. Backup files are created for the original AUTOEXEC.BAT and CONFIG.SYS.

The installation program is not very intelligent in dealing with configuration options. Upon invocation of the installation program, it asks about the type of monitor used. Upon completion, however, the configuration of the NAV program defaults to "CGA" monitor type, which does not allow some options or "command keys" to be seen on monochrome screens. Also upon completion, if "Quit" is chosen instead of "Reboot", the "target" drive and directory becomes default.

Ease of use

The program is "menu driven", but use without a mouse is not necessarily intuitive, nor do all menus work consistently. (For example, all options on the main menu are accessed by initial letter except "Exit" which is only accessible by pressing the "X" or "ESC" keys.) Ten pages of the manual are devoted to the use of the interface. The menus are, however, generally clear and readable. (Unless, as mentioned above, the monitor type is not consistent with "highlights" generated in CGA mode.)

The "Advanced scan" and "Auto-inoculate" features of the system are simply variations on checksumming and change detection, but are set up and explained in a manner which appears to be unnecessarily confusing.
The options available in the "Options/Configuration" menu allow for a considerable degree of customization, but reasons for choosing certain options are not clear in the initial installation section of the manual. The monitor "box" in the menu is not accessible in any way, nor is it explained in either the manual or the help text. Some options do not appear to work: I did not choose to "Disable scan Cancel *b*utton" (*b* being the letter used to access this option), but the "cancel scan" option was disabled on my program anyway.

If a virus is detected in memory at the beginning of a scan, the program will refuse to scan further. This is an advantage in that it prevents infection by viri which infect each file as it is open, but there is no "discretion" on this feature, and it activates even when boot sector viri are found. The program does not terminate, but will not perform (in terms of scanning). No help is given at this point: the user is referred to a section of the manual.

Help systems

The program contains an extensive help file. Personally, I did not find the onscreen help to be very useful, generally having to go to the reference section of the manual if I could not figure out the operation from the menus.

Compatibility

Norton Antivirus is stated to be compatible with Windows. However, careful examination of the disk READ.ME file indicates that this compatibility is true only in that the TSR scanner can continue to alert users through the "siren" if the "alert boxes" are turned off while Windows is in operation. NAV is not compatible with Desqview, and has difficulty with a number of other TSRs and related utilities. Careful reading of the READ.ME file is suggested on systems with extensive use of TSR programs.

The program shipped as of December 7, 1990 identifies a significant proportion of the viral programs identified by the Brunnstein, Hoffman, McAfee and Skulason lists. The company has also provided a means of regular updates of "signature" information.
The "change detection" information is not added to the file to be checked, so it does not interfere with "internal" self checks. However, the information is not stored in a single outside file, but in a "hidden, system" file created for each program to be checked. As the READ.ME file indicates, this may take up considerable space on a hard disk, and may be difficult to recover even after programs are removed.

Company Stability

Symantec and Peter Norton have both been solid companies in their respective environments.

Company Support

The company provides both a technical support line and a "Virus Newsline" for update information on new viral signatures. There is provision for access to information through "voice mail", fax and commercial information services. Suggestions from the company indicate that this is seen as valuable primarily to corporate customers, who can take advantage of economies of scale in distributing the information internally and recovering the cost of obtaining the information.

It should be noted that, although the program was promised to the reviewer in November, it required eleven return phone calls to five different offices to finally have it delivered over three months later.

Documentation

The documentation is extensive, but the layout would not be simple for a novice to follow. While the information is all there, even after a thorough reading it is hard to remember where a specific item is. The "Quick Start" section does provide an acceptable installation, if default values are all valid in the user's system. The "clean start" provisions of both the "Quick Start" and installation sections should prevent installation on an infected system *if followed rigorously*. However, even here the directions may be confusing to a novice. The "About Viruses" section is of little use.
As mentioned before, many corrections and omissions from the manual are pointed out in the READ.ME file on disk, and the documentation should not be considered complete without it.

Hardware Requirements

No special hardware is required.

Performance

As mentioned, the NAV program identifies a larger number of viral signatures than does any commercial product reviewed to date, with provisions for constant updating of the signature files. The scanning is also very fast, approaching the speed of TBSCAN and VPCSCAN.

The TSR scanner, NAV_.SYS, is invoked from CONFIG.SYS (cf F-DRIVER.SYS in the FPROT package.) While it cannot prevent infection of the system from a "boot sector" infected diskette, it does not detect the presence of such a virus in memory, and it neither prevents infection of diskettes, nor alerts the user to the use of an infected diskette or the operation of infecting.

Repair of viral programs appeared to be effective.

Local Support

Although local sales offices of Symantec/Peter Norton are widely available, support is only provided through the central technical support and "Virus Newsline" numbers.

Support Requirements

In its current form, the product is suitable for novice users, but installation and actions when a virus is found may require more expert support.

General Notes

The provision of access to update information gives this product a significant advantage. There are, however, some weaknesses to be dealt with, and a general improvement is needed in the documentation and ease of use before it is suitable for all users.

copyright Robert M. Slade 1991 PCNRTNAV.RVW 910315

=============
Vancouver      p1@arkham.wimsey.bc.ca   | You realize, of
Institute for  Robert_Slade@mtsg.sfu.ca | course, that these
Research into  (SUZY) INtegrity         | new facts do not
User           Canada V7K 2G6           | coincide with my
Security                                | preconceived ideas