Norman Security Suite 10 Pro review

Norman Security Suite 10 Pro has an attractive new user interface that's easy to navigate along with the best spam filtering I've seen in a suite. Unfortunately, the effectiveness of the other components varies quite a bit.
Photo of Norman Security Suite 10 Pro

While their interface styles and implementations differ widely, all security suites have the same core purpose. They’re designed to keep your computer, your data, and your privacy safe from all kinds of attack. Some offer a wealth of configuration settings so you can tune your own protection; others aim to do the job with a minimum of user interaction. Norman Security Suite 10 Pro ($75.95/year direct for three licenses) falls squarely in the second camp. Its designers worked hard to eliminate any unnecessary complexity, and its components come pre-configured for maximum security. That said, some of them do a better job than others.

The suite’s main window looks exactly like that of Norman’s standalone antivirus product. Big buttons launch important tasks like checking for updates and launching a malware scan, and a history panel lists recent security events. You only see the difference when you switch to the settings page, where all of the suite-specific features are now enabled.

On that settings page you can turn entire components on or off. Note, though, that turning off a component literally uninstalls it, which can take a little while. Turning it back on similarly reinstalls the component, and this, too, can take time. From here you can also dig in for more detailed configuration, but even this second level of configuration emphasizes big, simple controls.

Shared Antivirus Protection
The antivirus protection offered by this suite is the same as what you get with Norman Antivirus 10. You’ll want to read that article for full details. I’ll summarize my findings here.

The independent labs that test Norman’s antivirus technology give it generally good marks. ICSA Labs certifies it for virus detection and removal, and Virus Bulletin has awarded it VB100 certification in 80 percent of recent tests. To earn certification from AV-Test, a product needs at least 10 of 18 possible points; Norman got 13 points in the latest test. The chart below summarizes recent lab tests. For more information about the labs, please see How We Interpret Antivirus Lab Tests.

Norman Security Suite 10 Pro lab tests chart

Norman tech support managed to deduce the unlock code for ransomware that initially prevented installation on one test system. Nobody else has managed that! On another system, malware damaged the installation. Uninstalling and reinstalling fixed that one.

During the install process, Norman offers to run a preinstall scan. This scan did some serious damage to one test system, quarantining or deleting many important Windows files. The product’s designers plan to modify the preinstall scan so it logs exactly what it did. This collateral damage was repairable, but it took quite a while.

Norman detected 75 percent of the malware samples, the same as avast! Premier 8. Because avast! did a better job cleaning up what it detected, it earned 5.8 points for malware cleaning, beating Norman’s 5.6. The top score among products tested with the current malware collection is 6.0, earned by Kaspersky PURE 3.0 Total Security. For full details on how I run this test, see How We Test Malware Removal.

Norman Security Suite 10 Pro malware removal chart

Installed on a clean system, Norman detected and eliminated over 80 percent of my malware samples as soon as I opened the containing folder. I launched those that survived and noted the product’s behavior. One rootkit that it did detect managed to fully install despite Norman’s efforts. Norman detected 89 percent of the samples and scored 8.6. Ad-Aware Pro Security 10.5 and TrustPort Total Protection 2013 detected 94 percent of these samples. With 9.4 points, Ad-Aware has the best malware blocking score of products tested with my current sample set. For more about how I run the malware blocking test, see How We Test Malware Blocking.

Norman Security Suite 10 Pro malware blocking chart

The full Norman suite blocks access to known malware-hosting websites, a layer of protection not found in the standalone antivirus. When I tried to re-download my malware collection, the antivirus blocked 71 percent of those still available during the download process. The suite blocked 55 percent at the URL level and another 36 percent during download, for a total of 91 percent blocked. Only Ad-Aware blocked more of these samples, 92 percent of them.

Improved Phishing Detection
The same technology that blocks malware-hosting sites serves to steer users away from phishing sites, fraudulent sites that attempt to steal your login credentials by masquerading as your bank’s website or other sensitive sites. The previous edition of Norman’s suite earned a dismal score in my antiphishing test, with a detection rate 87 percent lower than Norton’s and 42 percent lower than Internet Explorer’s built-in SmartScreen Filter.

This time around, Norman pulled up its scores a bit. Its detection rate still lagged 50 percentage points behind Norton’s, but it actually beat Internet Explorer by 2 percentage points. (Yes, that does mean that IE had a bad week for phishing detection).

I test using the very newest phishing websites, typically sites that have been reported as fraudulent but not yet verified. These are the most dangerous, since any antiphishing solution that relies on consulting a list of known frauds won’t catch them. I did observe that Norman’s detection rate was substantially better against phishing sites a few days old. 

The article How We Test Antiphishing explains how I find and verify fresh phishing sites.

Norman Security Suite 10 Pro antiphishing chart

Excellent Antispam
Norman’s antivirus may be just average, but its antispam component outperforms almost all the competition. Where many spam filters handle only POP3 email accounts, Norman can filter IPAM, Exchange, or any type of account that’s compatible with Outlook, Windows Mail, or Outlook Express. It manages this feat by thorough integration with those three email clients. That does also mean you can’t use it with an unsupported email client.

Configuration is dead simple. You can set the filter to low, medium, or high strictness, but considering how well it did at the default medium level I wouldn’t change that. I also wouldn’t change the interval for downloading new spam definitions from the default five minutes to daily or weekly.

Norman is going to delete your spam messages eventually—after ten days, by default. You can change that to do it every day or every month. You can also set it to delete the oldest messages when the total number of spam messages reaches 500 or 1,500. For testing, I set it to retain unlimited messages.

Downloading 1,000 messages with the spam filter working took 25 percent longer than with no filter; that’s not a slowdown you’d ever notice. When it finished downloading all the mail from my real-world spam-infested test account, I sorted the Inbox into valid personal mail, valid bulk mail (newsletters and such), and undeniable spam, discarding any that didn’t clearly fit one of these three categories. I did the same for the spam folder, and then ran the numbers.

Throwing away valid mail is bad behavior on a spam filter’s part. Norman only discarded 0.6 percent of valid personal mail and didn’t misfile any valid bulk mail at all. In a real-world situation I could have remedied even that tiny set of false positives by whitelisting a few email addresses. Only 4.3 percent of undeniable spam made its way into the Inbox. The only recent suite with better accuracy is AVG Internet Security 2013, with 0.2 percent valid mail tossed and 3.4 percent spam missed.

Intrusion Guard
The set of features that Norman calls Intrusion Guard work to prevent a variety of potentially malicious system modifications. Or rather, they would if they were turned on.

The ability to block malicious websites appears on the Network page, and by default this feature is turned on. If a process attempts to modify the HOSTS file, you’ll get a prompt and a chance to prevent it. But by default Norman doesn’t do anything when an application installs a plug-in for Internet Explorer or inserts a Layered Service Provider into the network.

The Processes page describes how Norman can detect applications that install to launch automatically at startup, or that install services. By default, it doesn’t block these activities or prompt you for what to do, most likely because it would wind up warning you about many valid programs. There’s also an option (not blocked) to prevent process hijacking on 32-bit systems.

The Intrusion Guard does block programs that attempt direct physical access to memory or that try to force loading of a system driver. These actions, possible only on 32-bit systems, are almost invariably malicious. On the other hand, plenty of valid programs use the normal Windows mechanisms to install drivers, so this action is allowed by default.

By leaving most of the Intrusion Guard monitors disabled, Norman avoids bombarding the user with popup warnings about both good and bad programs. I’d be happier with a behavior-based system that analyzes all of a process’s activities and only flags those that show a pattern truly suggesting malware.

Multi-Layered Firewall Settings
On the firewall’s very simple settings page you can choose between Silent Mode (no popups), Normal Mode (popup prompts for unknown traffic), and Advanced Mode. The floating explanatory text for Advanced Mode explains that its Deep Packet Inspection enhances security but may impact performance. I left it set to the default Normal Mode.

Another page of advanced settings goes deep, with on/off sliders for four dozen firewall behaviors. The sheer number of choices is a bit overwhelming. I did observe on this page that by default Norman automatically creates rules for known applications and automatically trusts programs with a valid digital signature.

Despite its many options, the advanced settings page still carries over Norman’s emphasis on big, simple controls. If you take the next step, to the Expert Tools page, you’ll see that new interface vanish. The Rules Editor, Real-time Log Utility, and Advanced Ports Viewer look quite different. Unless you’re really, truly an expert, you should leave these alone.

In testing, the firewall correctly stealthed all ports, making the test system invisible to outside attack. It was less successful against leak test utilities, blocking just one in four of those. The rest managed to connect with the Internet undetected by the firewall’s program control. An old-school firewall like this, one that relies on user input for program control, really should handle leak tests. Advanced firewalls like what’s found in Norton or Kaspersky make their own decisions and can get away with ignoring innocuous leak tests.

When I attacked the test system using exploits generated by the Core IMPACT penetration tool, the firewall didn’t step in to prevent the attacks. The antivirus component did quarantine files dropped by some of the exploits, but it only got 20 percent of them. None of the exploits actually breached security, because the test system is fully patched. Still, I want my firewall to notice when it’s under attack.

Next I looked at possible methods for a malware coder to programmatically disable Norman. I found that the suite has a huge attack surface—I counted 19 processes and 15 Windows services. I managed to shut down all but six processes and all but six services. It seems strange to protect just those but leave the rest exposed to termination by a hostile program.

Minimal Parental Control
Norman’s parental control system is designed to work both for families whose children each have a separate Windows user account and those that all share one account. It defines three profiles for Web content filtering: Child, Teenager, and Adult. Under the Child profile, all Internet access is banned except for websites on a whitelist that parents must create manually. The Teenage profile allows Internet access but blocks sites that fall into as many as two dozen categories. Naturally the Adult category allows unfettered access.

During initial configuration you must choose either the Child or Teenager profile as the default profile that will take effect when no user is logged in to the parental control system. You can also associate a particular profile with each Windows user account. However, each user must separately log in to the parental control system.

The content filter seemed effective enough; I didn’t find any clearly inappropriate websites slipping through it the way they did with TrustPort. And a simple three-word network command that disabled parental control in G Data TotalSecurity 2014 had no effect on Norman.

However, even when I set it to block every defined category, the content filter allowed me to access several anonymizing proxy websites. I didn’t even have to search for a secure HTTPS proxy. A smart teen who locates one of these proxy websites will be able to roam the Internet unfettered and unmonitored by Norman.

For each user a simple grid lets you define a weekly schedule for when Internet access is permitted. However, if you’ve given any of your children Administrator access, they can easily get around this limitation by changing the system date/time. Norman does log all blocked websites, flagging each with the username and time. These entries appear in the general-purpose history list, mixed with firewall events, antivirus actions, and so on.

That’s the extent of parental control in this suite; others offer quite a bit more. Kaspersky and Bitdefender Total Security 2013 can control and monitor instant messaging, for example, and block access to specific programs. Bitdefender offers remote management and remote notification of abuses. If you actually need parental control, don’t rely on Norman to do the job.

Simple Scheduled Tasks
As with the standalone antivirus, you can schedule a regular virus scan on a daily, weekly, or monthly basis, and you can enable a special screensaver that scans in the background when the system is idle. The suite adds two more tasks named Clear program history and System check.

System check watches for malicious behavior by processes that somehow slipped past the other layers of protection. I would certainly set it to run hourly, not daily, weekly, or monthly. When it finds nothing wrong, it quietly logs that fact in the history list.

Clear program history is less straightforward. You can schedule it to run from every ten minutes to once a week; that part is clear enough. You should be able to turn it on or off for each user, but my own username did not appear in the list, just the pretend child usernames I use for parental control testing.

There’s a page to choose which programs will have their history cleared: Chrome, Firefox, Internet Explorer, Opera, Safari, Windows, and Windows Media Player. Exactly what’s to be cleared isn’t spelled out, so I thought I’d check empirically. I launched an immediate cleanup and then checked several logical spots. Norman didn’t clear the history list in Firefox or Internet Explorer, didn’t wipe the My Recent Documents list from the Start menu, and didn’t clear the list of used programs from the Run dialog.

G Data’s much more advanced system tuner utility presents you with a list of the items it proposes to clean up and lets you de-select any you wish. It logs what it did, and includes the option to undo the result of any action. Norman doesn’t offer a clue as to what it did, and when I went looking I couldn’t prove that it cleaned up anything.

Performance Surprise
I always time the process of installing a suite, and I also measure its size by checking the free space on disk before and after installation. In most cases I don’t comment on these measurements, but Norman stands out in both areas. Getting all of the components installed and updated took 30 minutes, including the preinstall scan for malware. Many suites install in less than ten minutes and few go over 20. In addition, Norman’s footprint on disk proved to be over 1.3 GB, the biggest I’ve measured.

With its sheer size and the large number of processes and services active, I wouldn’t have been too surprised if Norman slowed down my real-world performance tests. However, in most of the tests its impact wasn’t unusual. One test times how long it takes to load 100 websites of various types. Repeating it multiple times with Norman installed and with no suite, I calculated that this test took 19 percent longer under Norman. As the current suite average for this test is 18 percent, that’s not bad.

A script that zips and unzips a huge collection of huge files took 23 percent longer due to Norman’s monitoring, a little more than the current average of 17 percent. However, another script that move and copies that same collection of files between drives took just 13 percent longer with Norman watching, quite a bit less than the current average of 23 percent.

I ran my boot-time test 100 times with no suite and 100 times with Norman installed, averaging each set of results. With no suite installed, this test system takes an average of 62 seconds to boot. Norman boosted that time to 216 seconds. That’s almost 3.5 times as long, a phenomenal impact. Until now, the worst boot time drag came from Panda Internet Security 2013, which didn’t quite double the time required to boot the system.

You probably only boot up once a day, perhaps even less. Still, a slowdown of this magnitude is worrisome. For full details on how I measure security suite performance see How We Test Security Suites for Performance.

Norman Security Suite 10 Pro performance chart

Uneven Component Quality
Norman’s spam filter is the best I’ve seen in a suite, as long as you use one of the supported email clients, and its antivirus is decent, if not stellar. The new emphasis on simplicity results in an attractive user interface that’s easy to navigate.

On the other hand, a smart teen could easily evade the rudimentary parental control system, and I couldn’t verify that the program history cleaner tool actually did anything. The old-school firewall didn’t stand up to leak tests or exploits, and most of the more than 30 processes and Windows services that make up this suite aren’t protected against hostile termination.

If you need spam filtering and parental control, you’d be better off choosing Norton Internet Security (2013) or Norton 360 (2013). If those features aren’t required, consider Webroot SecureAnywhere Complete 2013 or Comodo Internet Security Complete 2013. All four have been named Editors’ Choice by PCMag.

Sub-ratings:
Firewall:
Virus removal:
Virus blocking:
Performance:
Antispam:
Privacy:
Parental Control:

Specifications
Tech Support Local language tech support via mail of phone.
OS Compatibility Windows Vista, Windows XP, Windows 7, Windows 8
Type Business, Personal, Professional

Verdict
Norman Security Suite 10 Pro has an attractive new user interface that's easy to navigate along with the best spam filtering I've seen in a suite. Unfortunately, the effectiveness of the other components varies quite a bit.
Published under license from Ziff Davis, Inc., New York, All rights reserved.
Copyright © 2012 Ziff Davis, Inc