What is Symantec's SONAR?

Discussion in 'other anti-virus software' started by solcroft, Oct 4, 2007.

Thread Status:
Not open for further replies.
  1. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    ... and how is it different from AntiBot?

    Searching on both Google and Symantec's website only turned up some pages describing the technology in very layman's terms. Anyone know the answer to this one?
     
  2. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    That is a good question. I have been researching this myself and, like you, only finding generalized (and kind of vague) explanations on the technologies. The only thing I am sure of is that SONAR was the result of the acquisition of Whole Security (which offered anti-phishing and behavioral detection) and AntiBot of course is based on Sana Security's PRSC.

    An article on AntiBot from PC World does give a clue, though it raises more questions than it reveals:

    http://www.pcworld.com/article/id,132706-c,securitysoftware/article.html


    My take on SONAR is that it is the network that collects info from what Bloodhound finds on NAV protected computers across the globe. If a lot of computers are reporting back to Symantec about a new unknown malicious file Bloodhound is detecting, then it is added to the definitions shortly after.

    The above is what I have gathered from this Symantec article on the Storm Worm. Without technical details, all you can do is conjecture. Maybe Symantec has a reason for doing this.

    But the question still is valid about the differences between Bloodhound/SONAR and AntiBot. I have AntiBot as well but so far it has been silent and I wonder if I really need it if BH/SONAR does the same thing.
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Same here. At first sight, I thought that SONAR was a web scanner. Then, I thought that it's similar to ESET's ThreatSense.NET. At this time, I'm not sure of what to think about it o_O
    Obviously, SONAR and Antibot (blacklist-based HIPS) are different technologies.
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    To add to the confusion, you get this option in NAV08.

    nav.PNG

    While I have no idea if this option is SONAR or not, it's attached to the real-time monitor.

    Sometimes I guess being TOO idiot-proof can also be a bad thing...
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Agreed.
    I'm beginning to think that SONAR does watch a limited subset of bad behaviours and then compares the behaviours observed with data from the firewall (limited IDS) and the scanning engine (score obtained in heuristic analysis?).
     
  6. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    SONAR constantly monitors program behavior, whether good or bad. It records a suspicious action but does not alarm if it does not reach a certain level; if you turn advanced mode on, you may get a little more chance to interact with the program. It can really find and stop some obvious actions just like Norton AntiBot, but it may only deny access if it is not detected based on a signature. Norton AntiBot is based on a series of actions and decides whether to quarantine; it has the ability to restore the system. I think SONAR does not have an evaluation and grading system as complicated as NAB's; it is only based on the definitions built on feedback data. Symantec can get something if they analyse the data SONAR sends back; NAB only sends the suspicious file that triggers an alarm, and rule definition updates are less frequent than SONAR's. Also SONAR can help to find malware that did not trigger NAB, for it is based on human analysis.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    So it's like AntiBot, only with a less aggressive ruleset?
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    It is the heuristic side of the AV.
     
  9. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    If I understand all of this correctly, then I am ok with my setup. I got AntiBot to augment NIS's internal heuristics.

    I believe SONAR is more of a tool for Symantec to help identify zero-day attacks.
     
  10. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    If you turn on advanced mode of the NIS suspicious activity monitor, it will notify you of low-risk activity, as the picture showed. NAB will not take any action, nor will NIS, but you have the option to remove it. NIS will gather such behavior data.
     
  11. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    Thanks for the info, Ink :). I get those all the time especially from the notorious qttask.exe, lol.
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    It seems so.
    Nope. Bloodhound (PDF) is the brand name of Symantec's heuristics.
     
  13. tsilo

    tsilo Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    376
    If AB and SONAR are different technologies, why not integrate them into NIS?
    I mean it would be good to integrate AB into NIS, and we would see one product, but a more effective one. What do you think about it?
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  15. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    From InformationWeek-
    "Symantec's Sonar, by comparison, is a scanner, similar to the one that sniffs for viruses and worms, that runs daily. "It's not part of the real-time defense," admits Kim. "Scans run on a daily basis, so this is an extra layer on daily [anti-virus] scans."

    "We're very bullish about the technology," says Kim. "We've done extensive testing on emerging threats, and it catches early threats and variants of existing threats."

    http://www.informationweek.com/story/showArticle.jhtml?articleID=196901549
     