Symantec SONAR

Arin · May 5, 2007

Sonar, for Symantec Online Network for Advanced Response, is based on technology acquired in the 2005 purchase of WholeSecurity, a maker of anti-phishing and intrusion prevention software. "It's a new behavioral technology," says Ed Kim, director of product management in Symantec's consumer product group. "It's a zero-day defense that doesn't use signatures."

...

Signature-based defenses, however, operate in real-time to block exploits as they try to make their way onto a system. Symantec's Sonar, by comparison, is a scanner, similar to the one that sniffs for viruses and worms, that runs daily. "It's not part of the real-time defense," admits Kim. "Scans run on a daily basis, so this is an extra layer on daily [anti-virus] scans."

http://www.informationweek.com/story/showArticle.jhtml?articleID=196901549

Sjoeii · May 5, 2007

Sounds good. Sounds like the emulator in Kaspersky v7

tsilo · May 5, 2007

I already know about it, but how doas it works?

Arin · May 5, 2007

its already old news. I simply wanted to point out that it contradicts a lot of people who take it as an HTTP scanner or a real-time API call monitoring agent.

C.S.J · May 5, 2007

actually.... symantec themselves label it as an 'http scanner' as screenshots shown by BIGC prove.

NAMOR · May 5, 2007

tsilo said:

I already know about it, but how doas it works?
Click to expand...

I dunno if this really helps much.

SONAR is behavioral detection technology that protects against malicious code before standard virus and spyware detection definitions have been created. Such emerging and unknown malicious code can strike in the form of Trojan Horses, worms, mass-mailing viruses, spyware or downloaders. While many products use only a limited set of heuristics, SONAR draws from an extensive range of heterogeneous application behavior data which not only greatly enhances detection but also significantly minimizes false positives. For consumers, the result is zero-hour protection from a vast threat spectrum without being bothered with confusing decision-based prompts. SONAR technology provides protection against emerging threats in a way that does not compromise the user experience or require additional system resources. When detections are made through SONAR, no user interaction is required.
Click to expand...

http://www.symantec.com/about/news/release/article.jsp?prid=20070117_01

midway40 · May 5, 2007

From PC World's NAV review:

Symantec has incorporated the new SONAR behavioral analysis technology for proactive protection. The program scans both e-mail and Web traffic, covering the POP3, SMTP, and HTTP protocols. And it ties into the MSN, Yahoo, and AOL instant messaging programs (though it protects only MSN by default).
Click to expand...

SONAR in action:

http://www.symantec.com/home_homeoffice/blog/detail.jsp?blogid=sonar&profileid=laura_garcia-manrique

(thanks to whoever has this link in their sig, can't remember who right now)

lodore · May 5, 2007

i looked on that link and cant see it in action.
i assome by see it in action you mean a video of some kind and not some text to read.
lodore

Longboard · May 6, 2007

Well,
Who do we believe ??

Self publicising by Symantec (not that there is a reason to disbelieve them)
OR
some database of uncertain genealogy and bonafides
(which has never been shown to be wrong by anybody....)

The statistical results displayed are representative of the ability of each antivirus system's ability to deal with early (near 0-day) infection outbreaks. The performance by each antivirus system on early detections does not reflect the overall performance of an antivirus system for general system cleaning. Further, our testing methods specifically do not assess false positive rates. Others can provide those performance statistcs.
Click to expand...

http://winnow.oitc.com/avreadme.html

Disclaimer: I have NAV and Sonar: I hope it's working

NAMOR · May 6, 2007

Longboard said:

Well,
Who do we believe ??

Self publicising by Symantec (not that there is a reason to disbelieve them)
OR
some database of uncertain genealogy and bonafides
(which has never been shown to be wrong by anybody....)

http://winnow.oitc.com/avreadme.html

Disclaimer: I have NAV and Sonar: I hope it's working
Click to expand...

seen it... Link

C.S.J · May 7, 2007

ha, if you really believe norton to be the worst out of those 20 for engines/detection or whatever, you really need your head seeing to, i dont focus this message on any single person, but to EVERYONE.

i would put the current norton in my top 3 easily, but not telling where

lodore · May 7, 2007

that test above is BS
panda above kaspersky atm no way in helll.
panda's detection is improving but no way its better than kaspersky.
lodore

Longboard · May 7, 2007

I put this up before: from OITC:

We are a small consulting company and we have no agenda other than to see
> if the statistics support something that most people know but don't want
> to admit to and maybe to learn some other things in the process.
>
> I am amazed at some of the postings on the links you sent. The funniest
> ones are the "conspiracy theorists." What's funny is that there is no
> "test" per se. This is a display of the statistics coming from an
> accumulation of a real-time set of samples. We are using it to try to
> understand the real world effectiveness of perimeter defenses when
> employing these engines.
>
> We contacted each engine company and asked them how their engines were
> configured at Virus Total and what their "output names" actually meant.
> Not all answered but most did. We then reprocessed the older data based
> upon feedback from the vendors in February to be able to maintain the
> cumulative running stats back to the beginning of Dec (or whenever an AV
> system was added to VirusTotal). This is the basis of the statistics
> displayed.
>
> Its interesting that from a number of comments show that some posters seem
> to have never looked at the explanation of the methodology
> (http://winnow.oitc.com/avreadme.html) or that they did not check the
> underlying data. An example is the comments about Webwasher which has only
> been running at VirusTotal since 3/21 and has amassed a total of 161
> samples in comparison to almost 2000 samples for most of the other engines
> (http://winnow.oitc.com/avmalwarestats.php). Personally, I would wait a
> while before assessing Webwasher's real world performance.
>
> The graph displays exactly what it says it does. There is no bogus nor
> bias. Click and look at each engine's statistics. All the warts, if any,
> are there for all to see.
>
> We are not interested from a home user perspective (which some posters
> seem to be because of comments about manual interaction or not being
> worried because they can always roll back), and we are not interested in
> how the engines perform in the lab against huge databases of
> viruses/malware that have been collected nor are we interested in how well
> they can "cleanup a mess."
>
> We are trying, however, to see if we can characterize their real world
> performance in detecting early outbreaks of malware at the enterprise
> perimeter. To do this, we have started collecting statistics using fresh
> malware only, running it through the various engines( configured for hands
> off, non ultra paranoid mode) and collecting statistics until a majority
> of engines detect the malware. Then, we stop collection of statistics on
> that "outbreak." This is our way of estimating the time for "early
> outbreaks" determining that this exemplified the average real world time
> it takes to for something to be released, captured, analyzed, dat files
> updated and dat files distributed to users. This is how the data is
> collected and is then compiled into the statistics displayed.
>
> Shortly, we will be adding a new set of tracking statistics that looks at
> the performance one could expect by combined engines at the perimeter.
>
> Hopefully, we will all learn more as the sample size grows.
>
> I am amazed at the "surprise." No one should be surprised at these stats
> (even though there seems to be be a lot of chatter on those two links you
> sent me). Well, maybe the ranking but not the fact of poor performance as
> near zero day outbreaks are problematic which shows that one need defense
> in depth and strict enterprise policies.
>
> I hope this answered your questions.
Click to expand...

EliteKiller · May 7, 2007

The graph displays exactly what it says it does. There is no bogus nor bias. Click and look at each engine's statistics. All the warts, if any, are there for all to see.
Click to expand...

Pfffffffffffffffffft

Arin · May 7, 2007

@C.S.J

Yeah I've seen the screenshot which I assume was from PC World website not Symantec manual or something. Of course I might be wrong but its simply the same thing which was written there in PC World.

Even if it was from Symantec manual or something then also there is a conflict. If Ed Kim is right (or properly quoted) then how come SONAR is not a part of the real-time defense? Is that a technical possibility?

Littlemutt · May 8, 2007

AMRX said:

@C.S.J

Even if it was from Symantec manual or something then also there is a conflict. If Ed Kim is right (or properly quoted) then how come SONAR is not a part of the real-time defense? Is that a technical possibility?
Click to expand...

From the 'Help' section of NAV 2007:
Turn on SONAR (Symantec Online Network for Advanced Response)
Turn on proactive detection to stop security risks before they reach your computer.

I would say this pretty much means 'Real-time' protection.

ink · May 8, 2007

It is behavior analyser, it can stop threat in real time, but usually it only report and stop evident activity by rule, so there is little chance to see warnning message from sonar, but also it record and sent feeback to symantec all the activities, so they change the rule and the definition to combat the malware.
So, zero-day protection for sonar means some activities violate the rule and the packed file recognized by definition file contribute to sonar data statistic

ink · May 8, 2007

By the way, the rule is not like kaspersky PDM, one rule will trigger stop or ask action. Usually a serials of action will trigger sonar. It is not sandbox, not hips, I think we can call it activity stactis reaction component

Arin · May 9, 2007

So probably Ed Kim was misquoted or he was not properly informed

Log in or Sign up

Symantec SONAR

Arin Registered Member

Sjoeii Registered Member

tsilo Registered Member

Arin Registered Member

C.S.J Massive Poster

NAMOR Registered Member

midway40 Registered Member

lodore Registered Member

Longboard Registered Member

Attached Files:

Capture.jpg

NAMOR Registered Member

C.S.J Massive Poster

lodore Registered Member

Longboard Registered Member

EliteKiller Registered Member

Arin Registered Member

Littlemutt Guest

ink Registered Member

ink Registered Member

Arin Registered Member

Log in or Sign up

Symantec SONAR

Arin Registered Member

Sjoeii Registered Member

tsilo Registered Member

Arin Registered Member

C.S.J Massive Poster

NAMOR Registered Member

midway40 Registered Member

lodore Registered Member

Longboard Registered Member

Attached Files:

Capture.jpg

NAMOR Registered Member

C.S.J Massive Poster

lodore Registered Member

Longboard Registered Member

EliteKiller Registered Member

Arin Registered Member

Littlemutt Guest

ink Registered Member

ink Registered Member

Arin Registered Member

Useful Searches