Who makes the best Windows security software? Surprise ...

Summary: Does antivirus software work? Online criminals have beaten traditional security software that relies on signatures and scans. But there's an alternative: smarter software that turns the bad guys' own actions against them. I found some refreshing new ideas from one of the oldest brand names in personal computing.


Social engineering has become the preferred tool of online criminals. It’s at the core of every phishing scam, and lately it’s the preferred way of delivering malware.

Every social engineering attack can be reduced to a simple move: “Here,” says a web site or an e-mail message as it offers up a deceptive or malicious link. “Click this.” And it works. Even people with above-average IQs can fall for a Trojan.

How do you break that chain of social engineering? By making the software smarter and turning the bad guys’ own actions against them.

I’ve prepared a screenshot gallery that shows how modern browsers and security software can go beyond the limited and ineffective approach of traditional antivirus scans.

See "How browsers and security software can keep you safer online".

Over the past few months I’ve been looking at how the three most popular browsers for Windows respond to this sort of deliberate deception. I’ve also been looking at popular security suites to see which ones demonstrate creative thinking. And even I can't quite believe which one is my new favorite.

Traditional antivirus software just isn't cutting it anymore. If your security software relies primarily on antivirus signatures, you are always going to be vulnerable to new malware variants, sometimes for hours, sometimes for days.

So what's the alternative? Two techniques are promising. One involves disrupting the patterns of behavior that malware distributors use. The second involves looking carefully at the reputation of downloaded files to distinguish between good downloads and bad ones.

Microsoft has already built application reputation checks into Internet Explorer, starting with version 8 and improving the feature significantly in IE9. (I wrote about this technology previously, in IE9 versus Chrome: which one blocks malware better?) When you download a file that could contain malicious or deceptive code, Microsoft's web-based SmartScreen Filter looks at the details of the file (including its unique hash and digital signature) to decide whether it's trustworthy.

Files that are not digitally signed get the toughest scrutiny of all, as one group of Microsoft developers discovered the hard way. Known malware is completely blocked. Ironically, Microsoft fought its own little civil war earlier this week: the ads that were displayed next to Bing search results led to sites that were blocked by the SmartScreen Filter in Internet Explorer.

(The accompanying screenshot gallery offers a much more detailed look at the different ways that IE, Firefox, and Chrome handle potentially dangerous downloads.)

This app-reputation stuff is a good idea, but why limit those checks just to recent versions of Internet Explorer? That’s why I also looked at two popular high-end commercial security suites: Trend Micro Titanium Maximum Security and Symantec’s Norton Internet Security 2011.

A few months ago, I spoke with John Harrison, a group product manager for Symantec, whose consumer security software has been sold under the Norton brand name for more than 20 years. Harrison told me that his company was trying something different: a "defense in depth" approach to blocking malware that goes well beyond simple scanning:

We have network intrusion protection and browser protection technology to protect against drive-by downloads. We can detect things that an antivirus scan might have missed, noting obfuscated attacks and bots that are calling home for updates.

We're leveraging hundreds of millions of users who opt in to a system where they can give a thumbs up/down in Norton Community Watch. For downloads, we look at digital signatures. We evaluate the domain and the reputation of that domain. If a "name brand codec" is coming from a website with a poor reputation and has only been seen on two users' desktops, then we can easily classify it as malware.

I was skeptical. I stopped using Norton products years ago, mostly in frustration over poor performance. But in the interest of fairness I gave them another shot. Three months later, I'm still using Norton Internet Security. And I'm recommending it to others. Here's why.

After my recent negative experience with the latest version of McAfee’s security suite, I was expecting to grit my teeth and put up with a load of annoyances. To my great surprise, I found both programs acceptably light and unobtrusive, as well as effective. I was especially pleased with how well Norton Internet Security did at the tough job of sorting out good and bad websites and downloads.

For testing, I looked in real time at several widespread recent malware attacks. One targeted Windows users through poisoned search results, mostly on Google. Another wave delivered Trojans disguised as legit e-mail messages from hotel chains that claimed to owe the recipient a refund for a recent overcharge. I also looked at a recent flurry of deceptive ads that appeared alongside search results from Microsoft’s Bing.

In every case, traditional antivirus scans were essentially useless. So how did alternative approaches fare? Turn to page 2 for a summary.

Page 2: Smarter security software

[This page contains a summary of my experience. For a much more detailed explanation, see the accompanying screenshot gallery, How browsers and security software can keep you safer online.]

I was initially put off by the overly dramatic name, but (deep breath) Trend Micro Titanium Maximum Protection (exhale) turned out to be a smooth performer. Its claim to fame is that it does more than just scanning. Maybe a little too much more, to be honest. I didn't really want or need the "system tuner" or online backup features. And I could have done without the constant harping over mostly benign browser cookies (a failing that Norton shares).

But the dialog box below was welcome, especially the option to "Block potentially dangerous websites," with a slider to set how aggressively this feature should work. For that wayward cousin who can't seem to steer clear of malware, the High setting (and a standard user account) might be appropriate.

In my testing, these extra checks were effective at blocking a high percentage of common web attacks. When a link tried to take me to a site that had been positively identified as a source of malware, I wound up at this page instead of the potentially dangerous one.

These features were interesting because they were accurate (no false positives) and invariably ahead of Trend Micro's signature-based scans.

Norton, as it turned out, was even more effective at the same job. I began testing Norton's products last May, and Norton Internet Security got my immediate attention because it was the only security product that reliably blocked the redirect scripts that were being triggered by those poisoned search results. Normally, clicking one of those links displayed a familiar wave of social engineering to convince me that my machine had been overrun with viruses. Norton just refused to execute those scripts, leaving this entry in the system logs:

I also found Norton's reputation-based scans to be exceptionally accurate. Norton Internet Security checks every executable file and program installer you download against its reputation database and gives immediate feedback in the notification area at the right side of the taskbar.

The two examples below both appeared on the same day, when I downloaded two programs that both appeared to be from legitimate sites. Google Chrome gave me identical warning dialog boxes for each file. Norton, however, had no trouble clearly distinguishing the legitimate copy of Photoshop Lightroom and blocking the malicious Skype download. I didn't need to make a trust decision; the algorithm did that, accurately, on my behalf.

This isn't just a "black box," either. In every case, I was able to drill down into the details for each file and determine why the system acted as it did. It's worth repeating that the file on the right—a counterfeit version of Skype that was actually a nasty Trojan—wasn't identified by a virus signature file. Its behavior gave it away.

The downside of both these security programs, of course, is that they're not free. With a little careful shopping I was able to pick up both programs for less than $50—a price tag that covers up to three PCs for one year. At the end of that year, I have to pay again.

Is it worth the price? An experienced Windows user might not need those extra layers of protection and could safely stick with the free, signature-based Microsoft Security Essentials. But paid software has its place: if I were supporting a client or a family member who routinely needed an hour or more of my time each year to clean up a malware infection, the more aggressive protection would be money well spent.

The bottom line? I'm keeping the Norton software installed on multiple PCs here, and I will have no hesitation recommending it for friends and clients who need that extra layer of protection from themselves. I'm also impressed enough with Trend Micro to put it on my recommended list for anyone who wants an alternative to Norton.

Topics: Security, Malware, IT Employment, Social Enterprise

  • Surprising, indeed...

    I'm really surprised to see you recommend Norton again after years of them being beyond irritating. I still have issues with them, but I'd be interested in checking them out again for certain folks who just can't avoid malware on their own.

    I wonder if Microsoft is considering implementing SmartScreen and behavior-based scanning in the next major release of MSE... any thought on contacting them on the matter?
    • RE: Who makes the best Windows security software? Surprise ...


      I've been pretty happy with Norton... like Ed says it does tend to harp on a bit about cookies, but it sits down, shuts up, and does its job pretty well.

      In the three years I've been using it, it's let one infection in: having said that not even Malwarebytes could find it... I ended up using Hitman Pro to find it and nuke it quite dead.
      • RE: Who makes the best Windows security software? Surprise ...

        Windows is like swiss cheese, always has been and always will be. Why you guys put up with this abuse is beyond me.

        "I'm still using Norton Internet Security"
        If he had said "Microsoft Security Essentials" then I'd have stayed amused for a couple of days, at least.

        What you all should do:
        1. Buy a real computer, something with Mac OS X or Linux installed.
        2. Stop reading the articles here, you'll never get any real or trustworthy information anyway.

        Good luck.
      • RE: Who makes the best Windows security software? Surprise ...

        @Mikael_z, get goddamned real here. The fact is that ALL operating systems are 'Swiss cheese' and have holes in them called THE ABILITY TO RUN DOWNLOADED PROGRAMS!

        Oh wait.... that isn't a hole, it's actually EXPECTED behavior. You are just a troll who has too much time on his hands and not enough brains.
    • RE: Who makes the best Windows security software? Surprise ...


      Good question. I'd like to see that as well.
      The one and only, Cylon Centurion
      • RE: Who makes the best Windows security software? Surprise ...

        Signed software is no guarantee of safety; the sign can be cracked, just like almost every math problem can be solved.
        The question is, has it been done?
      • RE: Who makes the best Windows security software? Surprise ...

        @rockachu2 - first you assert that digital signatures can be "Cracked" and then ask if it's ever been done. Do you actually have a clue?

        Digital signatures are a means of checking to see whether a given piece of data has been tampered with.

        You sign something by hashing some data and then encrypting the hash with your private key.

        You can then validate whether the data has been tampered by re-hashing a set of signed data (using the same algorithm) and comparing the re-hash with the decrypted original hash accompanying the data.

        If the two match, nothing has been tampered with. If they don't, then the data has been tampered with and can no longer be trusted. See this for more info: http://en.wikipedia.org/wiki/File:Digital_Signature_diagram.svg

        Therefore, if the hash accompanying a signed app differs from the hash of the app's content, then it's been tampered with. IE9+ can thus determine whether or not the app has been tampered with and whether it was signed by the owner of that app.

        It's a very powerful technique that can really help eliminate vast quantities of malware.
      • RE: Who makes the best Windows security software? Surprise ...

        @rockachu2 It's not that the digital signature can be "cracked" as much as it's that people can get hold of the digital certificates... Stuxnet anyone? They got hold of verified digital certificates, and used those to fool people who downloaded (and installed) the virus.
    • RE: Who makes the best Windows security software? Surprise ...

      @GoodThings2Life I used to use NOD32, but as MSE is free and has scored quite well compared to a good number of pay AV products, I'd really love to see it get consistently better--while continuing to chug along invisibly in the background with no noticeable performance hit.
      • RE: Who makes the best Windows security software? Surprise ...

        @SenorAlejandro That's the one major downside to MSE - it's a resource hog. I'd love to see them address the performance as they create the next version.
      • RE: Who makes the best Windows security software? Surprise ...

        @ejhonda - I think you misread what Senor Alejandro wrote. He does *not* have performance problems with MSE. If you are having performance problems with MSE running, perhaps it's in your configuration? Just a thought.
      • RE: Who makes the best Windows security software? Surprise ...

        What about the other way?
        By watching everything and catching processes that step out of line?

        Like, blocking clicks? -> freeze app and tell user
        Changing hosts file? -> freeze app and tell user
        Run code that doesn't compute (buffer overflow)? -> catch, undo, warn user.
        Of course, this is performance hog friendly, but then one could only run it on unsigned software.
      • MSE 4 Life!

        I concur, System Idle Process = 99
        MSE has caught quite a few nasties I've hoped were legit.
        It's the best IMNSHO
    • RE: Who makes the best Windows security software? Surprise ...

      @GoodThings2Life While MSE does use scanning as the first line of defence, it does use behavioural scanning on all software running and blocks software from doing things it shouldn't be doing. I have one piece of software that needs to call home quite often, before it can MSE pops up and informs me that one of the modules is trying to call out before getting the users permission to do so. Contacted the creators of the software and they informed me a line of code had been dropped in the final version and corrected it and sent an update. I have machines that have Norton and McAfee and those machines did not react to this behaviour. In the year I have been using MSE it has been chugging along in the background doing its job. I know it is working properly because my email has become a lot safer and on my system its resource usage is almost nil as I regularly use between 650 and 900 Mb for RAM and that is with about 10 programs working in the background.
    • RE: Who makes the best Windows security software? Surprise ...

      @GoodThings2Life From the article:
      "if your security software relies primarily on antivirus signatures, you are always going to be vulnerable to new malware variants, sometimes for hours, sometimes for days."
      "... including its unique hash and digital signature)"
      In other words, it relies on anti-virus signatures. I realize that IE9 goes beyond that, but seriously, Ed needs to stop repeating press releases and start thinking about what he's writing.
      • No, you don't get it


        These are two different things. An antivirus signature is created by an analyst at a security company. It is a way of trying to identify a file based on some characteristic of that file.

        A hash is a mathematical computation of a file based on its contents. It is done programmatically, not by a human. The hash is unique and identifies a file reliably.

        Likewise, a digital signature is attached to a file by its creator and verified by a certifying authority.

        So, download the latest version of Skype and check its file hash to confirm that it matches the file Skype has on its server. Use the digital signature as more evidence that the file is exactly what it's supposed to be.

        Now download a piece of malware that claims to be Skype's client. The hash doesn't match. It's never been seen before, and it is not digitally signed. Malware? Yes, almost certainly.

        This is not a press release, this is well-established science.
        Ed Bott
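The two comments above (the walk-through of how a digital signature is checked, and Ed Bott's contrast between an analyst-written antivirus signature and a file hash) describe three separate signals a download check can use. The following is an added example, not code from the article, from Symantec, Trend Micro or Microsoft, and not how any of their products are implemented. It uses constructed file bytes, a constructed "antivirus pattern", and an Ed25519 key pair in place of a real publisher's Authenticode certificate, purely to keep the example self-contained; the scenario mirrors the thread's genuine-Skype versus counterfeit-Skype case and adds an older sample that the traditional pattern does catch.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict collects the three independent signals discussed in the thread.
type Verdict struct {
	AVSignatureHit bool // analyst-written byte pattern matched (traditional AV signature)
	HashKnownGood  bool // SHA-256 digest matches a published, known-good hash
	PublisherSigOK bool // the publisher's digital signature verifies over the file bytes
}

// avPattern stands in for an analyst-written antivirus signature.
// Constructed for this example; it is not a real detection pattern.
var avPattern = []byte("KNOWN-BAD-PATTERN-01")

// MatchesAVSignature is the traditional check: does the file contain a byte
// pattern that an analyst wrote up after seeing an earlier sample?
func MatchesAVSignature(data []byte) bool {
	return bytes.Contains(data, avPattern)
}

// FileHash returns the hex SHA-256 digest of the file contents. This is the
// "unique hash" the article refers to: computed, not authored by a human.
func FileHash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyPublisher checks a detached Ed25519 signature over the file bytes.
// Real Windows installers carry Authenticode signatures instead; the
// principle (verify the signature against the bytes you actually have) is the same.
func VerifyPublisher(pub ed25519.PublicKey, data, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false // malformed key or signature: treat as unverified, never as valid
	}
	return ed25519.Verify(pub, data, sig)
}

// Assess runs all three checks and reports them separately, so the reader
// can see which signal catches which sample.
func Assess(data, sig []byte, pub ed25519.PublicKey, knownGood map[string]bool) Verdict {
	return Verdict{
		AVSignatureHit: MatchesAVSignature(data),
		HashKnownGood:  knownGood[FileHash(data)],
		PublisherSigOK: VerifyPublisher(pub, data, sig),
	}
}

// Scenario builds the thread's example with constructed data: a genuine
// installer, a never-seen counterfeit that reuses the genuine signature,
// and last month's sample that the antivirus pattern was written for.
func Scenario() (genuine, counterfeit, oldMalware Verdict) {
	// Fixed seed so the demo is reproducible; a real vendor keeps this key private.
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	legit := []byte("constructed: genuine SkypeSetup.exe bytes v1.0")
	legitSig := ed25519.Sign(priv, legit)
	knownGood := map[string]bool{FileHash(legit): true} // the hash the vendor publishes

	fake := []byte("constructed: counterfeit SkypeSetup.exe, never-seen dropper")
	old := append([]byte("constructed: last month's trojan "), avPattern...)

	genuine = Assess(legit, legitSig, pub, knownGood)
	counterfeit = Assess(fake, legitSig, pub, knownGood) // copied signature does not cover these bytes
	oldMalware = Assess(old, nil, pub, knownGood)        // unsigned, unknown hash, but pattern matches
	return genuine, counterfeit, oldMalware
}

func main() {
	g, c, o := Scenario()
	fmt.Printf("genuine:     %+v\n", g)
	fmt.Printf("counterfeit: %+v\n", c)
	fmt.Printf("old malware: %+v\n", o)
}
```

Running it shows the point of the thread: the counterfeit trips none of the antivirus patterns (it is a new variant), yet it fails both the hash check and the signature check, because the copied signature was computed over different bytes; the genuine file passes both; and the older sample is caught only by the pattern. A signed file is still only as trustworthy as the key that signed it, which is the Stuxnet caveat raised earlier in the thread.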
      • Where would one do that?

        Ed: Where would one be at risk of downloading a fake version of Skype? You'd have to try really hard to get a copy from somewhere other than Skype.com.
      • RE: Who makes the best Windows security software? Surprise ...


        "Ed: Where would one be at risk of downloading a fake version of Skype? You'd have to try really hard to get a copy from somewhere other than Skype.com."

        You're missing the point - Ed is only using Skype as an EXAMPLE, he's not saying that there are actually fake versions of it all over the net.
      • RE: Who makes the best Windows security software? Surprise ...

        @daengbo the 'signature' in "digital signature" and in "anti-virus signatures" are NOT the same thing. So Bott has not contradicted himself.
    • Why I quit Norton...

      @GoodThings2Life
      It went beyond the simple fact that just a few years ago Norton was way too system resource intensive; it was typically the case that if anything penetrated my machine when Norton was on guard, it would cripple Norton to some degree and as a result crippled my machine. Fixing it usually required booting into safe mode and trying to uninstall Norton, and that was a crazy experience that required going into the registry and picking out its overly invasive remnants piece by methodical piece, not something the faint of heart or unsavvy should attempt, as the risk of permanent damage becomes a huge issue. Then it was often another AV/anti-Trojan system that would pick out the nasty pieces of the infection.

      What a horrible fate. The last time I went through that stupid scenario was many years ago, and coincides exactly with when I quit Norton.

      If they have fixed that kind of issue, that might make Norton viable again. Bottom line is there is no use to having a lock on the door where, if the first time someone tampers with it they screw the lock itself completely, the only way you can get back into your own house is to meticulously butcher the door knob and lock and door frame and finally pry your door open with the risk of having the whole house collapse in the process.

      That's why just about every person I know who quit Norton did quit Norton. To this day I can't even fathom why they would create a system that would do that.

      I myself have used AVG free for years now, and despite the fact that some may say it is very far from perfection, I have since never had anything remotely like the kind of issue I had to deal with in Norton about 5 years ago; in fact I seem to keep on truckin' endlessly without interruption.