Norton Antivirus vs McAfee AntiVirus 2012: Head-to-Head Comparison

With a lot of the things we as consumers buy--especially things we buy rarely--we narrow the field down from a huge list of options to the two or three things we're most serious about buying.

And since most of us renew our antivirus software for somewhere between one and three years, it's no different. Easily the most common of these narrowed down head-to-head comparisons in the world of virus protection is Norton vs McAfee.

The two questions all of us ask at a time like when we're comparing two things are:

  1. What's better?
  2. If the more expensive is better, it worth it?

So, let's take a look at these two heavyweights and get this question answered!

Norton Antivirus 2012 vs.
Mcafee AntiVirus Plus 2012

Winner: Norton McAfee

Norton Antivirus 2012


McAfee AntiVirus 2012

Virus & Spyware Protection

Prevention / Real-time Protection
Consistently scores among the top programs in our tests at preventing new virus infections. Earned an "excellent" rating against "zero day" threats in each of our 2012 tests. Does quite well against most new viruses and earns a "very good" rating in this part of our tests; however, it comes at a huge performance cost that sometimes makes using the web painfully slow.

Manual Virus Scanning & Removal
Did nearly as well at detecting and removing viruses on our test PCs as it did at preventing them from getting there in the first place. Another "excellent" rating. Mysteriously, McAfee outright missed about 50% of the viruses we tested with, and some of those that it did find, it had a tough time removing.

Spyware Protection
Not as impressive against spyware/adware as it is against viruses, but it still earns a "Good" rating in our tests both for preventing infection and successful removal. Not good, not bad against spyware, truly "Average." It did, however, do better at stopping spyware from getting in than it did at removing it.
Verdict Category Winner: Norton
Installation, Usability & Tech Support

The best installer of 2012.

If we had a rating for "Outstanding," it would earn it. Instead, its 100% score earns it an "Excellent" rating in our scoring grid.
The complete opposite of Norton's installer. Account setup required, very large, slow installer has to be manually downloaded onto each PC you install the software onto.

Too many hoops to jump through. Really a terrible experience from start to finish. Rating: "Poor"

User Interface
Black interface takes some getting used to, but it's aesthetically pleasing and mostly easy to use. Some screens feel a bit bolted on. Overall it's fast and works well. At the risk of sounding overly harsh, this is a flawed interface by most any measure. Its tiny main window (and huge top label section) forces everything to be done in a window about 2" x 3".

Some features require multiple scroll bars to work. Needs a complete redesign.

Tech Support
While many help beyond basic installation and upgrades is a "Premium" service (i.e. they charge you for it), the Norton support (long complained about by consumers) has gotten much better. Just don't expect to talk to them for free if you need help. Like Norton, McAfee charges for most everything beyond help with basic installation and upgrades.

Overall, a "Good" experience; expect the basic techs to stick to a script, even if your needs aren't on their script.
Verdict Category Winner: Norton
Overall Value
Norton Antivirus 2012


McAfee AntiVirus 2012


Money Back Guarantee
60 Days (The longest available.)

30 Days (Industry average.)
Verdict Overall Winner: Norton


Move Over Tom Clancy...A Real World Thriller: Stuxnet


An incredible piece at Wired.com, "How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History", details the jaw-dropping, almost impossible to believe international tale of how researchers for Symantec (makers of Norton Antivirus and Norton Internet Security) tracked down and reverse engineered the Stuxnet worm.

It's a long piece that I thought I'd glance through at first, but that I found myself reading every word of.

Hat-tip to Kim Zetter for some incredible reporting and equally good story telling.
...the answer would come only after dozens of computer security researchers around the world would spend months deconstructing what would come to be known as the most complex malware ever written — a piece of software that would ultimately make history as the world’s first real cyberweapon.
Satellite image of the Natanz nuclear enrichment plant in Iran taken in 2002 when it was still under construction.

Image source: http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/


Is That Your Hard Drive Failing? Nope, It's Probably Malware

If you've never experienced a real-life hard drive failure consider yourself lucky. And warned.

It's only a matter of time before yours goes south. In my case, being a geek both in my personal and business lives for many years now, I've had more hard drives fail than I can count.

Even if you've got good backup software (and you're sure the backups restore properly), the restoration process is always painful and more time consuming than you expect. If you don't have backups, well, well... you may just be screwed.

Sure, there's special hard drive recovery software that can often be brought in to save the day and there are hard drive recovery services, too, although these services can carry a staggeringly hefty price if you have a lot of data to recover, a complex RAID hard drive setup, and/or an especially tricky drive crash.

No matter what, no one, except those folks in the data recovery business like hard drive failures.

It's this fear of data loss that's motivating the latest malware writers to do their thing and create craptastic software no one needs--and certainly no one wants.

Our friends at Symantec, makers of Norton Antivirus Software have spotted something new: malware that fakes hard drive failure. How icky is that?

In this particular case, the malware, which Symantec is calling, "Trojan.Fakefrag" is they say, essentially a wrapper around UltraDefragger.

How do you know if you've been infected? Here's what Symantec says to look for:

  1. It moves all the files in the "All Users" folder to a temporary location and hides files in the "Current User" folder. This makes it look like you have lost all the files on your desktop.
  2. It stops you from changing your background image.
  3. It disables the Task Manager.
  4. It sets both the "HideIcons" and "Superhidden" registry entries to give the impression that more icons have been deleted.

Wow. Just about anyone experiencing these things would probably think their hard drive were failing, too.

What next? Again quoting the Symantec researchers,

It then "helpfully" displays a message recommending that you run a diagnostic utility on your computer, launches the Windows Recovery misleading application, and adds a link it on both your desktop and the start menu.

"The misleading application finishes the job, hoping that the victim will pull out their credit card for the $79.50 price tag.

So what's it look like?

Thankfully, they included a screenshot:

If you see this on your PC, and you're running antivirus software already, make sure your antivirus definitions are updated and run a full system scan immediately.

If you're not, now's a good time to take a look at getting some. It's cheaper than the malware's $79.50 price to "fix" your PC, and you'll actually be getting something for your money.


Japanese Earthquake Disaster Scams Exploit at Record Pace

It is astounding how far malware attackers will go to to victimize people by taking advantage of the misfortune of others.

Today, Noriyaki Hayashi reports from Trend Micro's blog that they've discovered a phishing site that poses as a donation site to help the victims of the recent Japanese earthquake. The site http://www.japan{BLOCKED}.com was found to be hosted within the U.S. and was still active as of the time of this writing.

Phishing site posing as donation site

Site shown after clicking 'join now'
Additionally, the same authors of this site abused the blog function to insert advertisement-look-alike posts, presumably to increase the search engine rankings.

Abused blog function on phishing site
Attacks  like this aren't uncommon. (Think back to Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Chinese Sichuan earthquake in 2008, and the Haiti earthquake in 2010.)

Norman Ingal -- threat response engineer at Trend Micro -- also reported on March 11 that immediately after the news broke of the 8.9 Richter scale magnitude earthquake and subsequent tsunami in Japan, several websites popped up with keywords relating to the quake.

One of the sites with the keyword 'most recent earthquake in Japan' led to FAKEAV variants that were identified by Trend Micro as MalFakeAV-25 and later identified as TrojFakeAV.PB.

These blackhat SEO attacks that lead to rogue antivirus downloads continue to be very common.

Many new domains are being created and parked with keywords similar to earthquake and tsunami in Japan. Key words such as help, earthquake, japan, tsunami, relief, disaster, fund, and donations were used.

Perhaps the message here is to be careful when searching for media content by using known trusted media sites.

Facebook pages are being utilized as well.  One claims to contain video footage and lure the visitors to a site called hxxp://www.{BLOCKED}u.fr/view.php?vid=Le-plus-gros-Tsunami-du-Japon-depuis-20-an.

The facebook page is titled  “Japanese Tsunami RAW Tidal Wave Footage!" and a script auto-directs  visitors  to a fake video page where the video is actually a hyperlinked image. Users that click on this get led to a page asking for their cell phone number.

The script also implements a 'Like' and posts a link to the user's wall. Trend Micro Antivirus Software detects this script as HTML_FBJACK.A.

Spammed email messages are being exploited as well. They ask for personal information first with promises of instructions on how to send your donations once the user responds.

Readers should use long-established avenues such as the Red Cross (http://www.redcross.com) and Medical Teams International (http://medicalteams.org) if you wish to donate.

Symantec's Samir Patel (with thanks to Dylan Morss, Christopher Mendes, and Sujay Kulkarn) in a Symantec piece on Japan relief scams says over 50 new domain names have been registered that use the keywords 'Japan tsunami' or 'Japan earthquake'.

These sites are either parked, for sale, or linked to other earthquake websites.

Some example sites include:

  • 3-11-2011-[removed].com
  • 3-11[removed].com
  • earthquake-[removed].com
  • earthquaketsunami[removed].com
  • earthquakerelief[removed].com

Symantec has observed a a 419-type message that capitalizes on the disaster. It is a fake "next of kin" story that purports to settle millions of dollars owing to an earthquake and tsunami victim:

Japan scam message

Attachments and .zip files can be embedded in such emails so beware if the source is unknown.

Activities such as these underscore the importance of keeping antivirus software updated along with a healthy dose of caution when browsing the Internet.


Who's Behind the Adobe pdf Exploit?

Now that researchers at places like Symantec (makers of Norton Antivirus), have had a chance to delve into the exploit, some theories are starting to come out about who's behind it.

Karthik Selvara, a researcher for Symantec says, in a Symantec blog,

While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January....

Where it gets interesting is in the disection Karthik does.

He takes apart various parts of the email, the social engineering, and the exploit itself, and lo and behold, the techniques are eerily similar.

  The next quote is a little long, but given how concisely Symantec describes the exploit and attck, we'll let the Symantec blog speak for itself here,

If the above emails look familiar, it is because their style is very similar to the emails used in Hydraq (Aurora) attacks.

"In addition, the use of a zero-day within a PDF, and how the executable is dropped on the system, all match the Hydraq method of operation.

"Furthermore, we have seen a large number of detections of unique versions of the PDF--not yet seen elsewhere in the wild--coming from a single computer in the Shandong Province of China, which is how far back investigators were able to trace the Hydraq attacks. [Editor's Note: Emphasis mine.]

"All of these similarities could be coincidental, but these attacks appear to be from the same perpetrators.

"The PDFs inside all the above emails exploit the same Adobe zero-day vulnerability and each drop similar downloader components, but with different decoy PDFs. Some had different URLs to download additional malware.

Huh. Attacks based in China. Who would have guessed?

Frequent readers may recall a list we shared not long ago of the Top 10 Riskiest Domains by Extensions, where China placed third in this notorious list.

All-in-all, aside from the excellent analysis by Symantec's researchers, we'd also like to echo their equally excellent suggestions about pdfs.

  1. keep your antivirus software up to date
  2. exercise caution when dealing with PDF files
  3. disable javascript in your pdf reader (i.e. Acrobat/Reader)

One last note, all the major antivirus vendors are detecting this attack, with Norton snaring it as, "Bloodhound.PDF!gen1" and as Bloodhound.Exploit.357.


Vulnerabilities Discovered in Internet Explorer

In a recent post to its security blog Symantec, makers of Norton antivirus revealed, a new exploit targeting Internet Explorer was published to the BugTraq mailing list yesterday. Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7 as well.

The announcement of the Internet Explorer exploit was surprising to many because of how it targets Cascading Style Sheets, something that hasn't typically been used in these types of attacks.

The exploit got notoriety when a security researcher has published code that could allow an attacker to take over an unsuspecting user's Internet Explorer and install code on the person's computer and then when Symantec took notice and began doing research of their own.

There has always been--and likely always will be--a large degree of controversy around so-called "full-disclosure" security like this because one group of people believe that it's most responsible for the researchers to first notify the manufacturers about the vulnerability so that things can be kept quiet 'til patches are ready.

The other group believes that it's most responsible for the researchers to first notify the community about the vulnerability so that users can take steps to protect themselves against attack.

The debate is though that on one hand if you're only disclosing to the manufacturers and don't notify the community, there could very well be active exploits in the world that other hackers are already using. So, if you don't notify the community, you're being irresponsible by holding back information that may users to protect themselves.

In contrast, if you don't first notify the manufacturers and immediately post the exploit, you're allowing hackers to get information on how to take over your computer without giving any chance for the manufacturers to develop patches.

There are definitely valid points to both sides of the debate, regardless, though in this case the exploit was released to the community first and not to the manufacturer, in this case Microsoft, so there's a new attack on Internet Explorer for which there's no patch available yet.

The good news is that it appears that the best antivirus software is already able to protect against this exploit. Symantec for instance on their Security Blog says,

"Symantec currently detects the exploit with the Bloodhound.Exploit.129 antivirus signature and is working on new signatures now.

"Symantec IPS protection also currently detects this exploit with signatures HTTP Microsoft IE Generic Heap Spray BO and HTTP Malicious Javascript Heap Spray BO.

"A new IPS signature, HTTP IE Style Heap Spray BO, has also been created for this specific exploit.

"To minimize the chances of being affected by this issue, Internet Explorer users should ensure their antivirus definitions are up to date, disable JavaScript and only visit Web sites they trust until fixes are available from Microsoft." [emphasis ours]

As of the writing of this post, there's still no patch; however, by following the steps recommended by Symantec users should be reasonably well protected against this exploit.


Conficker Sill Active

Back in March 2009 the worm Conficker gained notoriety for its countdown-to-activation.

We covered Conficker and removing Conficker quite extensively before and after the launch date, and now about six months later, it unfortunately comes as no surprise that systems are still being infected by it.

In fact, Kaspersky Antivirus, who publishes a list of the top malware stats every month in September 2009 still has Conficker in its various forms (called 'Net-Worm.Win32.Kido' by Kaspersky) occupying three of the top 20 malware spots.

The folks at Viruslist.com, who (along with a ton of other things) report on Kaspersky's malware statistics, go on to point out that, Kido (Conficker) remains active. Kido.ih, the leader of this Top Twenty for the last six months, has been joined by another variant, Kido.ir, which is a newcomer to the rankings

Removing Conficker isn't easy and many antivirus software vendors had a tough time getting a handle on how to remove the worm from infected PCs, but as far as we know every major antivirus program today is now capable of stopping and removing Conficker/Kido.

This is part of the reason, no doubt, why the authors of Conficker continue to write new versions: to try to thwart the A/V programs from stopping and removing their worm.

Regardless of whether or not your PC has been infected, make no mistake: just because it has been six months since Conficker's activation date, it's still a real threat, and if your PC is unpatched, all you have to do is be connected to a network (or the Internet) where there are other infected machines for yours to be at risk of infection, too.

This threat is all but eliminated if you're running any of the best firewall antivirus software or Internet security suites.

Lastly, as a reminder, do make sure your PC is has the latest patches. It typically takes just a few minutes to apply the patches and after a reboot (sometimes two!) you're in business.

Prior coverage of Conficker


Antivirus Software: What's Real? What's Fake?

One of the growing concerns for many security and antivirus professionals is the dramatic growth of fake antivirus software.

The idea behind fake A/V software is to trick unsuspecting consumers into downloading and installing their fake software in an effort to get trojans, viruses, spyware, and other malware installed onto PCs in the process.

There's nothing real about the fake software, except the threat it poses.

The process works like this:

  1. Trick consumer with a real looking, real sounding ad on an (often unsuspecting) legitimate website
  2. Get consumer to install the phony (but very real looking) antivirus application
  3. Stuff any number of trojans, keyloggers, spyware, and other evil applications into the fake antivirus program
  4. Use the newly infected computer to do their bidding, including (among other things):
    1. identity theft
    2. credit card fraud
    3. bank theft
    4. infecting other computers
    5. spamming

Solution to the Fake Antivirus Software Problem

Word is filtering out today about a way to tell fake antivirus software from legitimate ones.

A new site from security and SSL vendor Comodo of a project they're backing called, "Common Computing Security Standards Forum," aims to help consumers figure out what's real and what's not.

In their list of all known legitimate antivirus software vendors, they hope to help put an end to the dummy antivirus programs out there and to help consumers stay clear of the crap.

In addition to thanking them for their efforts, here is a complete list of current antivirus vendors known to Comodo to be the real deal:

Legitimate Antivirus Software Vendors
  • AhnLab
  • Aladdin
  • Antiy
  • Authentium
  • AVG Technologies
  • Avira GmBH
  • BitDefender (BitDefender Antivirus & Internet Security)
  • BullGuard
  • CA Inc (CA Anti-Virus)
  • Checkpoint
  • Cisco
  • ClamAV
  • Comodo
  • CSIS Security Group
  • Drive Sentry
  • Dr.Web
  • Emsi software
  • ESET
  • F-Secure
  • Fortinet
  • Frisk Software
  • G Data Software
  • GFI/Sunbelt Software (VIPRE Antivirus & Internet Security)
  • Ikarus Software
  • Intego
  • iolo
  • IObit.com
  • Kaspersky Lab (Kaspersky Anti-Virus & Internet Security)
  • Kingsoft
  • Malwarebytes
  • McAfee McAfee VirusScan Plus & Internet Security)
  • Norman
  • Panda (Panda Antivirus Pro & Internet Security)
  • PC Tools
  • Prevx
  • Rising
  • Sophos
  • SuperAntispyware
  • Symantec (Norton AntiVirus & Internet Security)
  • Trend Micro (Trend Micro AntiVirus & Internet Security)

  • You'll note, every one of the programs (reviews linked above) are included in our antivirus reviews since day one of our site are included on the list.

    If you know of other legitimate A/V software not on the list, please contact us so that we can share your insight with the folks at Comodo.


    Worms in Samsung Digital Picture Frames??

    Contrary to some reports that some Samsung 8-inch digital photo frames had worms, the frames themselves don't have worms but the installer discs do. (How's that for an unwanted Christmas present?)

    As far as consumers are concerned, there's no difference.

    A virus is a virus, and this is an unfortunate black eye for Samsung with their vast electronics / computer empire.

    Trend Micro discusses this digital picture frame virus at their blog, and what we've learned now is that the Samsung's SPF-85H 8-Inch digital photo frame disc was infected with the W32.Sality.AE / Sality worm straight from the factory.

    The bad news isn't that it's just infected with the worm, but that it's infected with a particularly nasty variant that includes a keylogger according to the folks at Sophos antivirus.

    From what we've learned so far, this looks like, while definitely a nasty virus, it's one that all the best antivirus software already detects, so just make sure your definitions are up-to-date and that your software is running, and that should keep your computer safe.

    Samsung has posted a clean version here: Samsung SPF-85H drivers.

    If you purchased this frame (or got it as a gift), you can find more details here: Amazon Samsung picture frame advisory.


    Symantec / Norton 60-day intro on Gateway & eMachines

    A little bit of news in the anti virus arena showed up today at CNNMoney. Looks like Symantec has struck a deal with Gateway / eMachines for a Symantec / Norton 360 trial on Gateway & eMachines PCs. [Editor's note: since the page on CNNMoney is no longer available, the inactive link has been pulled, too.

    All-in-all, we're always glad to see any coverage on a new computer, we're just disappointed it was a chintzy 2-month trial. Given the number of new PCs that will no doubt end up under Ye Olde Christmas trees this year, that will mean a lot of computers start going unprotected towards the end of February 2009 as no doubt some people ignore the update nags and opt to go without antivirus protection.

    We have a great deal of respect--a great deal--for Symantec as a company, but we think a 60-day trial is a little lean.

    If someone opts for antivirus subscription renewal, that's great; if they decide to give something else a try, just so happens we know where they can look at and compare antivirus software. ;-)