What is Symantec's SONAR?

... and how is it different from AntiBot?

Searching on both Google and Symantec's website only turned some pages describing the technology in very layman's terms. Anyone know the answer to this one?

 

That is a good question. I have been researching this myself and, like you, only finding generalized (and kind of vague) explanations on the technologies. The only thing I am sure of that SONAR was the result of the acquisition of Whole Security (which offered anti-phishing and behavioral detection) and AntiBot of course is based on Sana Security's PRSC.

A article on AntiBot from PC World does give a clue, though it raises more questions than it reveals:

http://www.pcworld.com/article/id,132706-c,securitysoftware/article.html


My take on SONAR is that it is the network that collects info from what Bloodhound finds on NAV protected computers across the globe. If a lot of computers are reporting back to Symantec about a new unknown malicious file Bloodhound is detecting, then it is added to the definitions shortly after.

The above is what I have gathered from this Symantec article on the Storm Worm. Without technical details, all you can do is conjecture. Maybe Symantec has a reason for doing this.

But the question still is valid about the differences between Bloodhound/SONAR and AntiBot. I have AntiBot as well but so far it has been silent and I wonder if I really need it if BH/SONAR does the same thing.

 

Same here. At first sight, I thought that SONAR was a web scanner. Then, I thought that it's similar to ESET's ThreatSense.NET. At this time, I'm not sure of what to think about it
Obviously, SONAR and Antibot (blacklist-based HIPS) are different technologies.

 

To add to the confusion, you get this option in NAV08.



While I have no idea if this option is SONAR or not, it's attached to the real-time monitor.

Sometimes I guess being TOO idiot-proof can also be a bad thing...

 

Agreed.
I'm beginning to think that SONAR does watch a limited subset of bad behaviours and then it compares the behaviours observed with data from the firewall (limited IDS) and the scanning engine (score obtained in heuristic analysis?)

 

SONAR is constantly monitor program behavior, whether good or bad, it record a suspicous, but did not alarm if it did not reach a certain level, if you turn advanced mode on, you may get a little more chance to interate with the program. It can really find and stop some obvious actions just like Norton anti-bot, but it may only deny access, if it is not detected base on signature. Norton Anti-bot is based on a serias actions and decide whether to quanrante, it has the ability to restore the system,I think SONAR did not have the evaluation and grade system complicated as NAB, it only based on the definition build on feedback data, symantec can get something if they analyse the data SONAR send back, NAB only send the suspicous file that triger alarm, rule definition update is less frequent than SONAR. Also SONAR can help to find malware that did not triger NAB, for it is based on human analysis

 

So it's like AntiBot, only with a less aggressive ruleset?

 

it is the hueristic side of the AV.

 

If I understand all of this correctly, then I am ok with my setup. I got AntiBot to augment NIS's internal heuristics.

I believe SONAR is more of a tool for Symantec to help identify zero-day attacks.

 

If you turn on advanced mode of NIS suspicous activity monitor, it will notify you the low risk activity, as the picture showed, NAB will not take any actions, nor did NIS, but you have option to remove it. NIS will gather such behavior data.

 

Thanks for the info, Ink . I get those all the time especially from the notorious qttask.exe, lol.

 

It seems so.

Nope. Bloodhound (PDF) is the brand-name of Symantec's heuristics.

 

If AB and Sonar are different technologys why not integrate them to NIS ?
I mean will be good to integrate AB in NIS and we will see one product but more effective. What do you think about it?

 

SONAR is Symantec's technology. Antibot is a rebrand of Sana Security's Primary Response SafeConnect.

 

From InformationWeek-
"Symantec's Sonar, by comparison, is a scanner, similar to the one that sniffs for viruses and worms, that runs daily. "It's not part of the real-time defense," admits Kim. "Scans run on a daily basis, so this is an extra layer on daily [anti-virus] scans."

"We're very bullish about the technology," says Kim. "We've done extensive testing on emerging threats, and it catches early threats and variants of existing threats."

http://www.informationweek.com/story/showArticle.jhtml?articleID=196901549