SONAR (Symantec)

Last updated April 30, 2024

SONAR is the abbreviation for Symantec Online Network for Advanced Response. Unlike virus signatures, SONAR examines the behavior of applications to decide whether they are malicious. SONAR is built upon technology Symantec acquired in its late 2005 purchase of WholeSecurity,^[1] a developer of behavioral anti-malware and anti-phishing software solutions in the United States.^[2]

How it works

An algorithm is used to evaluate hundreds of attributes relating to software running on a computer. Various factors are considered before determining that a program is malicious, such as if the program adds a shortcut on the desktop or creates a Windows Add/Remove programs entry. Both of those factors would indicate the program is not malware.^[1] The main use of SONAR is to enhance detection of zero day threats. Symantec claims SONAR can also prevent attackers from leveraging unpatched software vulnerabilities.^[3]

Ed Kim, director of product management at Symantec, expressed confidence in SONAR, "We've done extensive testing on emerging threats, and it catches early threats and variants of existing threats."^[4]

History

Symantec already had a behavior analysis security tool for enterprises, known as Critical System Protection. SONAR was introduced to serve the consumer antivirus market.

SONAR 1

SONAR was first offered as an add-on for Norton AntiVirus 2007 and Norton Internet Security 2007; subsequent annual editions of the Norton line have had SONAR, as well.^[3]

SONAR 2

SONAR 2 is part of Norton 2010 and Norton 360 v.4 antivirus software. According to the company, this version leverages data from more sources, including reputation data about a program. Therefore, SONAR 2 is able to more accurately detect security risks than it was before.^{[ citation needed ]}

SONAR 3

SONAR 3 came with the Norton 2011 public beta. It is available for Norton 2010 customers with legitimate subscriptions through updates, Norton 2011 customers, and Norton 360 v.5 public beta users. According to the company, SONAR 3 is fine-tuned to better detect fake antivirus software and is better integrated with the network component. They advise: "In SONAR 3 we have further enhanced our integration with the network component in order to classify, convict, and remediate malware on the basis of its malicious network activity. With this feature in place, we will continue to block and remove many new variants of malware that leave their network footprint unchanged." According to Symantec it is now monitoring about 400 aspects of each application to determine whether it is safe or harmful.^{[ citation needed ]}

SONAR 4

SONAR 4 was introduced with the 2012 BETA versions. According to a Norton Protection Blog post in the Norton Community, titled "What's new in Norton Internet Security 2012":^[5]

"With 2012 we are introducing SONAR Policy Enforcement – We now have the ability to convict a suspicious process based on a behavioral “profile.” To create these profiles, an analyst looks at the 500+ attributes that SONAR tracks and make a series of associations. For example, let’s say a particular process tried to access the system folder and tried to call home, but does not have any running UI. Also, it downloaded more than 15 files the previous day. Any one of these things alone may not be “bad” but taken as a whole, the behavioral profile is bad. The analyst will therefore make a rule that says if we see this string of behaviors, then we should stop the process from executing. Doing all of this is a big deal—we aren’t just looking at what the process does on your computer, we are also looking at its communication characteristics! Sonar 4.0 also introduces protection against Non Process Threats (NPTs). As the name suggests, these threats are not active processes by themselves, but they inject themselves into legitimate active processes. SONAR 4.0 technology is able to much more aggressively remove threats on pre-infected machines."

Related Research Articles

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.

Norton AntiVirus is an anti-virus or anti-malware software product founded by Peter Norton, developed and distributed by Symantec since 1990 as part of its Norton family of computer security products. It uses signatures and heuristics to identify viruses. Other features included in it are e-mail spam filtering and phishing protection.

<span class="mw-page-title-main">Microsoft Defender Antivirus</span> Anti-malware software

Microsoft Defender Antivirus is an antivirus software component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials in Windows 8 or later versions.

Norton Internet Security, developed by Symantec Corporation, is a discontinued computer program that provides malware protection and removal during a subscription period. It uses signatures and heuristics to identify viruses. Other features include a personal firewall, email spam filtering, and phishing protection. With the release of the 2015 line in summer 2014, Symantec officially retired Norton Internet Security after 14 years as the chief Norton product. It was superseded by Norton Security, a rechristened adaptation of the Norton 360 security suite.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

Security and Maintenance is a component of the Windows NT family of operating systems that monitors the security and maintenance status of the computer. Its monitoring criteria includes optimal operation of antivirus software, personal firewall, as well as the working status of Backup and Restore, Network Access Protection (NAP), User Account Control (UAC), Windows Error Reporting (WER), and Windows Update. It notifies the user of any problem with the monitored criteria, such as when an antivirus program is not up-to-date or is offline.

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1.

PC Tools, formerly known as WinGuides.com, was a software company acquired by Symantec in 2008; the new owner eventually discontinued the PC Tools name. Company headquarters were in Australia, with offices in Luxembourg, the United States, United Kingdom, Ireland and Ukraine. The company had previously developed and distributed security and optimization software for the Mac OS X and Microsoft Windows platforms.

Norton AntiBot, developed by Symantec, monitored applications for damaging behavior. The application was designed to prevent computers from being hijacked and controlled by hackers. According to Symantec, over 6 million computers have been hijacked, and the majority of users are unaware of their computers being hacked.

A zero-day is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.

Symantec Endpoint Protection, developed by Broadcom Inc., is a security software suite that consists of anti-malware, intrusion prevention and firewall features for server and desktop computers. It has the largest market-share of any product for endpoint security.

<span class="mw-page-title-main">DriveSentry</span>

DriveSentry was an antivirus program, developed by DriveSentry Inc, to protect Microsoft Windows users from malware. It is available free for personal use, though with restricted functionality.

Microsoft Security Essentials (MSE) is a discontinued antivirus software (AV) product that provides protection against different types of malicious software, such as computer viruses, spyware, rootkits, and Trojan horses. Prior to version 4.5, MSE ran on Windows XP, Windows Vista, and Windows 7, but not on Windows 8 and later versions, which have built-in AV components known as Windows Defender. MSE 4.5 and later versions do not run on Windows XP. The license agreement allows home users and small businesses to install and use the product free of charge.

Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia; Bastia Umbra, Italy; and Cork, Ireland.

Trend Micro Internet Security is an antivirus and online security program developed by Trend Micro for the consumer market. According to NSS Lab comparative analysis of software products for this market in 2014, Trend Micro Internet Security was fastest in responding to new internet threats.

Norton, formerly known as Norton by Symantec, is a brand of Gen Digital co-headquartered in Tempe, Arizona and Prague, Czech Republic. Norton originally provided utility software for DOS, and currently offers a variety of products and services related to digital security, identity protection, and online privacy and utilities.

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, Internet-of-things devices, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security attempts to ensure that such devices follow a definite level of compliance to standards.

Norton 360 was an "all-in-one" security suite for the consumer market developed by Symantec. Originally released in 2006, it was discontinued in 2014; its features were carried over to its successor, Norton Security. However, in 2019, Symantec released a "NEW Norton 360", as a product replacement for Norton Security.

References

1 2 Harris, Janet (January 19, 2007). "Symantec Behaviour-based Security For Consumers". Security Watch. UK. Retrieved July 10, 2009.
↑ "Press Release: Symantec To Acquire WholeSecurity". Symantec. 2005. Archived from the original on November 27, 2005.
1 2 McMillan, Robert (January 16, 2007). "Symantec to use SONAR to find zero-day attacks". Computerworld . Retrieved July 10, 2009.
↑ Keizer, Gregg (January 17, 2007). "Symantec Adds Zero-Day Defense To Consumer Security Line". InformationWeek . Retrieved July 10, 2009.
↑ "What's New in Norton Internet Security 2012 – Norton Community". Norton Protection Blog.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[sonar-1] 1 2 Harris, Janet (January 19, 2007). "Symantec Behaviour-based Security For Consumers". Security Watch. UK. Retrieved July 10, 2009.

[2] "Press Release: Symantec To Acquire WholeSecurity". Symantec. 2005. Archived from the original on November 27, 2005.

[sonar2-3] 1 2 McMillan, Robert (January 16, 2007). "Symantec to use SONAR to find zero-day attacks". Computerworld . Retrieved July 10, 2009.

[4] Keizer, Gregg (January 17, 2007). "Symantec Adds Zero-Day Defense To Consumer Security Line". InformationWeek . Retrieved July 10, 2009.

[5] "What's New in Norton Internet Security 2012 – Norton Community". Norton Protection Blog.

[1]

[2]

[3]

[4]

[5]