Sonar 2 refuses to work without internet connection

I made a few tests with and without internet connection. While sonar preformed well connected to the Norton community database, it didn't respond at all without the connection (tested 10 files which were detected with the connection by sonar, and weren't detected without connection).

I thought Sonar could catch malware without Insight/Norton community, but it seems they depend on each other.

I find it quite wierd though. Symantec claims Sonar 2 analyzes behaviour of files...can't understand why internet connection is a must

 

Maybe the word "behaviour" is the key. A file that is not executed doesn't have any behaviour that can be analyzed.

 

Eplose, it’s true that SONAR2 utilizes information from the in-the-cloud Norton Community database when assessing the trustworthiness of a file, which allows the tool to be more aggressive without generating too many false positives. However, to the best of my knowledge, SONAR2 will operate properly and assess an executable when launched -- even in the absence of an Internet connection.

How exactly did you perform your test?

 

Way too many people can't make difference between SONAR and Insight.

Additionally , as they are connected , it will make no sense for SONAR not to interfere because Insight will simply have no information which makes the file more suspicious (so to say). One more thing , while Insight may have wrong rating for a bad file (a.k.a Good) , SONAR will kill the file upon execution if it is malicious - this is what I have seen.

It would really be interesting to see an example of what you see. I'll also make an experiment with some malicious files (with or without internet connection) and will post the results.

 

I downloaded some files on while norton wasn't active (no active protection at all- insight/sonar/intrusion etc), added them to an archive.

First, tried excuting the files with no internet connection- Sonar didn't detect them as suspicious (testing the task manager, i recognized the trojans were active- created startup enteries, moved files..)

Later, connected to the internet, tried to excute the files once again and found out sonar was blocking everything.

I'd like to add that few of the files that weren't detected by sonar without connection and were still active when i started the connection, were detected by sonar later on.

 

You should post your questions/findings over here. I'm sure you'll get a response from some of the Symantec people.

 

Interesting . Could you re-image your system (best) or just uninstall Norton 2010 and test with Norton 2011 - the same way ?

 

Very curious, indeed -- not the expected behavior. How did you disable the Internet connection during the test? Are you absolutely sure that Norton was indeed active when you “tried executing the files with no Internet connection”? Are you using Norton Internet Security 2010?