We develop software that is used for mission critical applications at our customers.  The number of installations is small compared to retail applications.  We continually update the software, i.e. there are incremental improvements, major rewrites, and as we are forced by MICROSOFT, etc. to use their latest proprietary technologies, the "signature" of the .exe and .dll's constantly change.  For example the new INTEL compilers and MICROSOFT Visual Studio produce .exe and .dll files that are very different from the Visual Studio 6 environment, yet from an end-user prospective are identical.

Assuming that end users can be intercepted immediately after installing NORTON software utilizing SONAR to adjust settings so as to minimize problems, there is still the problem that software updates will be mistaken by SONAR and treated as high risk.

NORTON is just one of many vendors of solutions to "protect" computers from malware.  The overhead to keep ahead of SONAR is too costly.  There is not enough benefit realized to justify the extra labor and delays inherent in such.  To update customers in a real time basis will involve having cutomers either grant remote administration priviledges (we never allow such in-house and don't expect most customers to allow such) or have customers at each computer speciifically make changes to SONAR's exclusion lists.

This product is too early in its development to have been integrated into a "retail product".  SONAR should have been made available as an ALPHA test to those willing to provide feedback to NORTON and be prepared to deal with problems such software can create.

I'm having a problem simply making a BIOS update disk.

I run the .exe to create a bootdisk, but SONAR quarantines it.  I go to the quarantine, restore, exclude and re-execute and SONAR completes the exact cycle again.

The only way to run it is by disabling the feature.  If this is what has to be done every time, why bother with it in the first place?

I was developing applications on PCs more than 20 years ago.  I have used MANY versions of Symantec/Norton products since then.  I took a "Norton break" for 2 years as I felt the products were getting too large, unwieldy, and unnecessarily over-zealous in terms of quarantining applications.

I have found NIS 2010's "SONAR" the most annoying feature that I've seen a product for a LONG time!!!  There are programs that I know that are safe --- SONAR will  NOT let me run them --- it insists on DELETING/QUARANTING these programs.  I have searched and searched in the software configuration, help files, Norton web site, the Norton Community web site, etc. but it seems like SONAR cannot be controlled.  Two weeks ago, I tried contacting Support but I got a guy that could not even understand the issue --- let alone make any suggestions as to how to fix them!

Shane (Symantec Employee) said "In the Settings pane under Exclusions/Scan Exclusions, you have the ability to enter path namesyou don't want the Real-time scan to scan. Currently, anything you put in this list will only be honored by the Real-time signature scanner AutoProtect, and not SONAR."  I CAN NOT believe that Symantec would release a product where SONAR cannot be overriden by a user that wants to override it.  I cannot tolerate antivirus software that will not allow me to make my own decisions.  If I don't find a way, or if Symantec doesn't fix SONAR soon, I'm going to be demanding a refund and I'll never use another Symantec/Norton product again.

You know, the way NIS 2010 is configured, I don't even know if it's "SONAR" that's deleting certain of my application files or not.  The files are DELETED and they do not appear in the Quarantine list; they do not appear in SONAR Activity; but they appear in the Resolved Security Risks list.  And, as I said, the files are gone.  NIS 2010 gives NO way to restore these files.

I don't think I'm going to be spending much more time on this issue...  NIS 2010 is going to removed very soon...

kalahari

Can I ask if you provided an example of a file that gets deleted to a guru or Symantec employee?

cgoldman,

Yes, two weeks ago, when I tried Support, I told them about MyDefrag-v4.2.x.exe on MyDefrag Download   SONAR always quarantines the installer program  -- I have to deactivate SONAR for 15 minutes to get it to run every time there a new version!  MyDefrag is a safe defragger program so I don't know why SONAR makes me jumps through those hoops every time there's a new version of the program!  And it's just the installer that SONAR dislikes -- it has no problem with the installed application.  I actually found a NIS 2010 Patch on this forum which I applied yesterday which now allows me to specify that SONAR should allow that installer to run but I'll have to do it every time a new version is released.

One example that I'm having now, and I have sent each applicable app to Symantec for evaluation, is the set of utilities from NirSoft Utilities I have done a lot of investigation and everything indicates that this set of utilities is safe (it's similar to MS's SysInternals).  SONAR (and it is SONAR -- I had cleared the log at some point) says that some of the utilties have Hacktool, ProduKey,or AsteriskLogger.  SONAR immediately deletes them.  I have tried putting the apps into directory for "Scan Exclusions" but, as covered already, that doesn't stop SONAR -- it ignores the "Scan Exclusions" directories.

kalahari,

Did you try submitting the files SONAR quarantines and which you regard as false positives to Symantec over here?

https://submit.symantec.com/dispute/false_positive/

Yaso_Kuuhl,

No, I had not submitted them to Symantec using that form.  I had submitted them to Symantec through the option in NIS 2010 that allows submission to Symantec.

That being said, I have just used this form https://submit.symantec.com/dispute/false_positive/  nine times to report all those (what I think are) false-positives again.  :)

So, as you can see, I do try to supply all the necessary info.

Gosh I love the way these posts bounce round and round getting foggier and foggier.

There is a whole lot of missdirection here and we will never get it fixed if we don't get the issue clear:

Sending a 'false positive file' is in some ways a red herring.  The SONAR issue we are trying to discuss is that:

• A file appears on the PC that is both New and Not often/ever found.   It can be saved to disk
• It does not have a virus signature match so it is not a false positive.  It passes normal quick/ autoscans etc
• It does however do something 'bad' when run  e.g Web browser that dares to contact the internet
• SONAR at least quarantines it without choice or discusssion  - also reported to Delete if it is even 'badder'
• Restoring the file and using the UI proposal to not scan it again restores but does not stop SONAR quarantining again next time

The issue therefore is that SONAR is doing what it was designed to do.  However its options to customise reactions or omit files in advance/subsequently are either absent or not currently working as expected.  I can't send you a file for copyright reasons but just believe that it is possible to compile and save to disk a safe file that does not match a virus signature but when run does look new, rare and web active.  The questions to Symantec :

1) how /are you going to allow people who make/use such files to create / use /work on them while enjoying NIS protection

2) how /are you going to allow other 'normal' people who want to receive / install /use such files to do so (manually or ideally as part of an installer script)

Hoping this is now clearer :-)