SONAR (Symantec)

SONAR is the abbreviation for Symantec Online Network for Advanced Response. Unlike virus signatures, SONAR examines the behavior of applications to decide whether they are malicious. SONAR is built upon technology Symantec acquired in its late 2005 purchase of WholeSecurity,^[1] a developer of behavioral anti-malware and anti-phishing software solutions in the United States.^[2]

How it works

An algorithm is used to evaluate hundreds of attributes relating to software running on a computer. Various factors are considered before determining that a program is malicious, such as if the program adds a shortcut on the desktop or creates a Windows Add/Remove programs entry. Both of those factors would indicate the program is not malware.^[1] The main use of SONAR is to enhance detection of zero day threats. Symantec claims SONAR can also prevent attackers from leveraging unpatched software vulnerabilities.^[3]

Ed Kim, director of product management at Symantec, expressed confidence in SONAR, "We've done extensive testing on emerging threats, and it catches early threats and variants of existing threats."^[4]

Background

Symantec already had a behavior analysis security tool for enterprises, known as Critical System Protection. On the other hand, SONAR is leveled towards the consumer antivirus market. It was available as an add-on for Norton AntiVirus 2007 and Norton Internet Security 2007. The Norton 2008 to 2012 line has had SONAR.^[3]

SONAR 2

SONAR 2 is part of Norton 2010 and Norton 360 v.4 antivirus software. According to the company, this version leverages data from more sources, including reputation data about a program. SONAR 2 is able to more accurately detect security risks than it was before.

SONAR 3

SONAR 3 came with Norton 2011 public beta. It is currently available for Norton 2010 customers with legitimate subscriptions through update, Norton 2011 customers and Norton 360 v.5 public beta users. SONAR 3 is fine-tuned to better detect fake antivirus software and it is better integrated with the network component. " In SONAR 3 we have further enhanced our integration with the network component in order to classify, convict, and remediate malware on the basis of its malicious network activity. With this feature in place, we will continue to block and remove many new variants of malware that leave their network footprint unchanged." According to Symantec it is now monitoring about 400 aspects of each application to determine whether it is safe or harmful.

SONAR 4

SONAR 4 was introduced with the 2012 BETA versions. Citation from Norton Protection blog "What's new in Norton 2012" located at

Norton Protection Blog: What's new in Norton 2012 ^[5]

"With 2012 we are introducing SONAR Policy Enforcement – We now have the ability to convict a suspicious process based on a behavioral “profile.” To create these profiles, an analyst looks at the 500+ attributes that SONAR tracks and make a series of associations. For example, let’s say a particular process tried to access the system folder and tried to call home, but does not have any running UI. Also, it downloaded more than 15 files the previous day. Any one of these things alone may not be “bad” but taken as a whole, the behavioral profile is bad. The analyst will therefore make a rule that says if we see this string of behaviors, then we should stop the process from executing. Doing all of this is a big deal--we aren’t just looking at what the process does on your computer, we are also looking at its communication characteristics!

Sonar 4.0 also introduces protection against Non Process Threats (NPTs). As the name suggests, these threats are not active processes by themselves, but they inject themselves into legitimate active processes. SONAR 4.0 technology is able to much more aggressively remove threats on pre-infected machines."

References

1 2 Harris, Janet. "Symantec Behaviour-based Security For Consumers", Security Watch, January 19, 2007, accessed July 10, 2009.
↑ Symantec To Acquire WholeSecurity
1 2 McMillan, Robert. "Symantec to use SONAR to find zero-day attacks", Computerworld, January 16, 2007, accessed July 10, 2009.
↑ Keizer, Gregg. "Symantec Adds Zero-Day Defense To Consumer Security Line", InformationWeek, January 17, 2007, accessed July 10, 2009.
↑ What's New in Norton Internet Security 2012 - Norton Community

Symantec Corporation

People	Gary Hendrix (founder) Gordon Eubanks (1990s CEO) Geraldine Laybourne (Chairman) Greg Clark (CEO)

Current products	Backup Exec Disaster Recovery Advisor Enterprise Vault NetBackup Norton ConnectSafe Norton Family Norton Insight Norton Security Norton LiveUpdate Norton Safe Web Norton Utilities pcAnywhere SONAR Symantec Endpoint Protection Veritas File System Veritas Storage Foundation Veritas Volume Manager

Discontinued	Drive Image Ghost GoBack GrandView MORE Norton 360 Norton AntiBot Norton AntiVirus Norton CleanSweep Norton Commander Norton Internet Security Norton PC Checkup Norton Personal Firewall Norton SystemWorks NUM Note-It PartitionMagic Q&A SQZ! SUM Symantec C++ THINK C THINK Reference Time Line Visual Café WinFax

Acquisitions and mergers	4FrontSecurity @stake Altiris Binary Research BindView Blue Coat Systems Breakthrough Software Brightmail Central Point Software Company-i Delrina Dynamic Microprocessor Associates Fast Track Fifth Generation Systems Leonard Development Group LIRIC Associates MessageLabs Mountain Wave Nexland ON Technology Peter Norton Computing Platform Logic PowerQuest Quarterdeck Quest Development Recourse Technologies Relicore Riptech SecurityFocus SLR Systems Sygate Technologies TurnTide Urlabs Veritas Software Whitewater Group WholeSecurity Zortech

Category Commons

This article is issued from Wikipedia - version of the 8/30/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.