
SONAR 3: A new level of behavioral security in Norton 2011

This year we have some innovative changes that build upon the successful, effective, and efficient SONAR 2 behavioral security engine. For those who are not familiar with SONAR technology, here is a link to an article that describes it. With SONAR 2, we have a proven track record of being able to convict malware and secure Norton users from malware designed to evade most other security features. In the last nine months alone we prevented upward of 4.2 million infections out of about 140 million incidents that we analyzed for Norton users. Most of these incidents were never-before-seen malware and infection scenarios, thus truly providing "zero-day" protection! The effectiveness of our technology was repeatedly confirmed by external third-party tests and reviews (specifically behavioral security tests and reviews), where we performed at or near 100% detection rates. Behavioral security is a critical security solution, especially in this era of server-side polymorphic malware, where each and every infection can have a unique malware file (unique from the file fingerprint perspective) downloaded on the victim's machine. We are very excited about our next SONAR 3 release outperforming SONAR 2!

What's next?

We believe that security is a journey and not a destination. Over the last year, we have taken note of a couple of interesting trends in the malware world, such as a surge in the misleading application threat category and targeted, sophisticated attacks like Hydraq. It was gratifying to see that SONAR 2 detected Hydraq without any changes to our classifier. We have further fine-tuned the classifier to deal with these trends. We have also added about 60 new features to our classifier and have seen significant improvement in threat detection rates in our internal lab testing. This brings our set of features to about 400!

This large number of features gives us the advantage that, with SONAR tracking and inspecting so many aspects of a file, a process, or its related activity for classification, it becomes that much harder for a malware variant to get past our classification engine or for a clean sample to be misclassified. Of course, the challenge is in analyzing all this information almost instantaneously without impacting system performance, while making decisions automatically for the user. SONAR 3 is proof that all of this is possible.

Having analyzed more than 140 million incidents for millions of Norton users, in SONAR 3 we have added many more features and provisions for identifying clean samples so that we can specifically focus on suspicious scenarios. This is what enables us to continue to add to our feature set for an even more accurate classifier. The quicker we can classify a sample as clean and ignore it, the better the user experience.

In addition to the changes we have made to add many more attributes, the SONAR team has been very busy adapting and creating new classifiers as the world of malware and clean software evolves. The team has been busy updating our classifiers and releasing seven definition updates in the last nine months since shipping SONAR 2. The SONAR team generated and evaluated over 200 different classifiers since we shipped SONAR last year, addressing the feedback we have gotten from our Norton users to convict more malware and reduce the infrequent false-positive incidents that have occurred.

One major threat category that we have focused on with SONAR 3 is misleading applications. This class of threat has gotten much attention and we are glad to be able to provide significant improvements for detecting it in SONAR 3.

We have also made further improvements in the area of behavioral signatures, where we can quickly react to new and upcoming threats by writing behavioral signatures that leverage specific features. While our classifier has been quite successful at detecting new and emerging threats and their variants, we believe in a layered security model. In some specific threat scenarios it is more effective and worthwhile to target the threat with its specific characteristics than to leave it to a classifier.

As has been detailed in the SONAR 2 posts, SONAR aggregates and correlates information from a number of engines within the product, such as the Firewall, AV Engine, and Intrusion Prevention Engine. All this information is then used by the classifier to improve efficacy. We feel this is a big differentiator for Norton over other vendors. Most other security products simply don’t have this depth and breadth of information to make a good classifier. In SONAR 3 we have further enhanced our integration with the network component in order to classify, convict, and remediate malware on the basis of its malicious network activity. With this feature in place, we will continue to block and remove many new variants of malware that leave their network footprint unchanged.

With these and all the improvements we are continuing to work on, we believe we are taking behavioral security to a whole new level. We hope that these new improvements will prove to be invaluable in dealing with the fast-evolving threat landscape and in keeping you safe. We cannot wait to ship SONAR 3 out to millions of Norton users. All the Norton 2010 and N360v4 users will also benefit from these advances, thanks to the ability to use Live Update for SONAR enhancements that we adopted with SONAR 2.

So that’s what we are up to! Let us know what you think: the SONAR team values your feedback, and we hope you see all the improvements in the public Beta. Your feedback helps us know where we need to improve, and we take your comments and suggestions as our most important barometer of success!

Comments


I hope Sonar 3 will not be as aggressive in quarantining perfectly legitimate software, when, e.g. a new version of some app is downloaded. (one example today: latest version of SIW stand alone version, released today,

http://www.gtopala.com/siw-download.html

I know one can restore and exclude such files from further scans but it is a nuisance.


It is a source of great confidence to users to see the huge advances that have been made recently, and this is another solid indication of the commitment from Symantec to providing world-class protection.

We look forward to the time when the Power of Love will replace the Love of Power. Then will our world know the blessings of peace. ~William Ewart Gladstone

Sonar3 is working very well in the 2011 products currently in Beta.


Hi, I have just bought an Acer netbook with Norton 360 version 4.0 and I have been trying to download the full version which I bought, but I can only get a trial period of 30 days. Can anyone help me please? :)


@sourabhsatish

Sonar3 also now detects (atapi.sys) rootkit installations.


Great to see "s.O.N.A.R." being improved; however, I feel that it is still useful to have actual Virus Definitions as these say "this is a Threat, this is not a Threat", whereas Behavioural-based Detection seems to be some way in-between.
