
How likely are false positive SONAR results with file utilities?

I've been using a program at work called sha256deep.exe.  It's part of the MD5Deep project over at Sourceforge and is designed to generate sha256 hashes of files.   Well, when I tried to use it at home, Norton's SONAR smacked it down really quickly as being a high risk.  This despite the fact that when looking at its File Insight originally, the file showed as good and still does so once it's removed from quarantine.

So my question is how likely are SONAR false positives to occur?

Replies


Re: How likely are false positive SONAR results with file utilities?

I think you should first send Symantec the file to check (http://www.symantec.com/business/security_response/submitsamples.jsp).
Until they fix it in the virus defs, add it to the exclusion list...
Windows 10 Hungarian, Norton Internet Security v22.9.0.71

Re: How likely are false positive SONAR results with file utilities?

Hi Morac,

SONAR2, as SONAR is called in NIS 2010, also uses the Quorum technology, which contributes to reducing false positives. No security program is immune to popping up the occasional false positive, however. You can read this article on the Quorum technology and its role for SONAR2:

http://community.norton.com/t5/Norton-Protection-Blog/The-New-Model-of-Consumer-Protection-Quorum/bc-p/153270

In the meantime, please do what PapauZ has suggested above :-)

Message Edited by Yaso_Kuuhl on 10-10-2009 04:47 PM
Your Norton Ladybug.

Re: How likely are false positive SONAR results with file utilities?

What version of NIS / NAV are you using? 

Since SONAR is a heuristic scan engine, FPs are very likely on new files that have not been seen by Symantec.  That is, new files that display new combinations of behaviors that could be dangerous.

Since this is a file that generates sha256 HASH numbers and most security products use that to ID files scanned or other things, Norton would be really interested in this file running and generating HASH numbers.  It had not seen it before and found this a possible threat since it was generating the HASH outside of its processes.

Win10 x64; Proud graduate of GeeksToGo

Re: How likely are false positive SONAR results with file utilities?

False positives are so extremely likely using many well-tested but third-party software utilities, that turning off SONAR seems to be the only solution if you want to keep using NIS 2010.

See:

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=75236&query.id=756932#M75236

Lester


Re: How likely are false positive SONAR results with file utilities?

Forgot to mention I'm running NIS 2010.

Well I simply excluded the file from SONAR2 since I know it's not dangerous.  What's weird is there are a bunch of hash functions included (MD5, SHA256, SHA1, etc) and the sha256deep.exe one throws up red flags, but the hash.exe function (which also does SHA256) does not.

After I excluded the file from SONAR (after applying the hotfix) things are good.  Norton even says the file has not performed any suspicious activity and is good.

BTW the link above for submitting files is for submitting files suspected to be viruses.  It's not for submitting false positives.  Even if it was, the file wasn't flagged because of virus definitions, it was flagged by SONAR2 which is guessing that it may be a virus, despite the fact it doesn't do anything when run unless a filename parameter is passed in.

Message Edited by Morac on 10-10-2009 11:19 AM
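Before restoring a quarantined utility and adding it to an exclusion list, it is worth confirming that the copy on the home machine is byte-identical to a copy you already trust (for example the one at work), which is exactly the job a sha256deep-style tool does. The following is an added example written for this page, not code from the thread, from the md5deep project, or from Norton: it hashes a directory tree the way `sha256deep -r` does, writes and parses a manifest, and reports any file that changed, vanished or appeared. The `hash  path` manifest layout (two spaces) mirrors md5deep's output style but is an assumption here, and the sample files in `run_demo()` are constructed for the example.

```python
"""Added example: sha256deep-style tree hashing plus a manifest check.

Use case from the thread: hash a trusted copy of a binary (e.g. at work),
carry the manifest home, and verify the restored-from-quarantine copy
matches before excluding it from SONAR. Not part of md5deep or Norton.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Yield (hexdigest, relative POSIX path) for every regular file under
    root, in sorted order, similar to what `sha256deep -r` lists."""
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        yield sha256_file(path), path.relative_to(root).as_posix()


def format_manifest(root):
    """Render hash_tree() output as 'hash  path' lines (assumed md5deep-style)."""
    return "".join(f"{h}  {rel}\n" for h, rel in hash_tree(root))


def parse_manifest(text):
    """Parse 'hash  path' lines into {path: hash}; skip blanks and '#' comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 64 or not rel:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[rel] = digest.lower()
    return expected


def verify_tree(root, manifest_text):
    """Compare files under root with a trusted manifest.
    Returns {path: 'ok' | 'mismatch' | 'missing' | 'unexpected'}."""
    expected = parse_manifest(manifest_text)
    actual = {rel: h for h, rel in hash_tree(root)}
    report = {}
    for rel, digest in expected.items():
        if rel not in actual:
            report[rel] = "missing"
        elif actual[rel] != digest:
            report[rel] = "mismatch"
        else:
            report[rel] = "ok"
    for rel in actual:
        if rel not in expected:
            report[rel] = "unexpected"
    return report


def run_demo():
    """Build a constructed sample tree, snapshot it, tamper with it, verify.
    Returns (trusted_manifest, report). File contents are made up."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "bin").mkdir()
    (tmp / "bin" / "tool.exe").write_bytes(b"hello world")
    (tmp / "bin" / "empty.dat").write_bytes(b"")
    (tmp / "README.txt").write_bytes(b"docs\n")
    manifest = format_manifest(tmp)                      # trusted snapshot
    (tmp / "bin" / "tool.exe").write_bytes(b"hello world!")  # simulated change
    (tmp / "README.txt").unlink()                        # simulated removal
    (tmp / "extra.bin").write_bytes(b"\x00")             # simulated addition
    return manifest, verify_tree(tmp, manifest)


if __name__ == "__main__":
    manifest, report = run_demo()
    print(manifest)
    for rel, status in sorted(report.items()):
        print(f"{status:10} {rel}")
```

A `mismatch` on the binary you are about to whitelist means you are not looking at the file you verified elsewhere, and the exclusion should wait until you know why.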

Re: How likely are false positive SONAR results with file utilities?

To submit false positives, you can go over here:

https://submit.symantec.com/dispute/false_positive/

Your Norton Ladybug.

Re: How likely are false positive SONAR results with file utilities?

What's irritating about this isn't the false positives, per se, but that Norton takes control of my computer away from me during the false positive event. I was just trying to install a program that I had already checked out manually (i.e. CNet certified virus free, dozens of great reviews, etc.) that Sonar picked up as a high threat. The only reasons it gave for being a high threat is that the file is new (it's a new version, just released) and not enough users have used it. Sonar automatically deleted the file and would not allow me to exempt the file from scanning. (That is, I told it to exempt the file, but that did nothing to change the behavior.)

If you think about the logic of this for a moment, it makes no sense at all. If you absolutely will not let people override your warning and run the file, because less than 10 people have used the file, then you will never be able to declare the file safe because you will never have more than 10 people use the file because you won't let them. That's not security, that's just poor thinking.

I get it that there will be false positives. I also get it that part of what Sonar is doing is checking to see if others have safely used this file. I want it to warn me that it is concerned because of these things and that I should treat the file with suspicion. But in the end, it is my computer and my decision whether or not to run the file. I will not use a program that deletes my files without my permission. Sonar goes off right now.

Message Edited by Sellador on 10-10-2009 09:16 AM
Message Edited by Sellador on 10-10-2009 09:18 AM

Re: How likely are false positive SONAR results with file utilities?

There is no way to exclude a file from SONAR2 detection before it scans it.  The Scan exclusion and Auto-Protect exclusion lists do not affect SONAR2 scanning (or SONAR in 2009 products).  The only way to exclude the file from SONAR(2) scans is by adding the file to SONAR(2)'s exclusion database via the dialog on the restore from Quarantine.
Win10 x64; Proud graduate of GeeksToGo
