SONAR False Positive for OmniForm EXE files

I have just upgraded an office full of computers to Norton 2010 and one client uses OmniForm by Nuance. They generate form files that have a .EXE extension but the file name varies from file to file. Every time the client opens a new form the SONAR quarantines it as a threat. We can remove that file from Quarantine and select to Exclude it in the future. The problem is that each new file that the program generates gets quarantined and must then be removed and Excluded.

Is there a way to white list this type of file so it does not get falsely quarantined?

Regards,

Dennis Hill

DRH Network Consulting

Replies

Re: SONAR False Positive for OmniForm EXE files

There is a hotfix for this issue in the following doc:

SONAR Protection quarantines files that are already excluded from future scans in your Norton 2010 product

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20090903182949EN

Re: SONAR False Positive for OmniForm EXE files

Hi RickY, I had already found this hotfix and installed it prior to posting my message. This only resolves the issue for the specific named file that was quarantined and then restored and excluded. It does nothing for files that get a new name each time they are generated and saved to the hard drive.

As I mentioned in my original post "We can remove that file from Quarantine and select to Exclude it in the future. The problem is that each new file that the program generates gets quarantined and must then be removed and Excluded.". OmniForm generates these executable form files and the files are always named differently (with the EXE extension) so as to not overwrite the previous file. I even tried excluding the directory where these files are saved to but Norton still quarantined each new file.

I saw in another post where someone was able to submit his file to Norton to have it "white listed". Is this what we need to do? If so we can do this but I would need some direction on how to do this.


Re: SONAR False Positive for OmniForm EXE files

It seems to me this is a big problem. You can of course turn off sonar. There is no way to specify a directory to exclude as far as I know. I also believe, unless someone can advise to the contrary, that once you have recovered a high risk, you cannot then remove it again so that it gets re-assessed by Sonar.

P.S.

In fact, could you please turn off Sonar and see if the problem goes away? In that way we can establish clearly if the detection is treating these exe's as high or low risk.

Message Edited by cgoldman on 10-02-2009 01:07 PM

Re: SONAR False Positive for OmniForm EXE files

cgoldman,

You're right, this can be a big problem. Anyone writing software will run up against it every time they compile. Sonar sees each new .exe file as a threat, and there doesn't appear to be any way to prevent it short of disabling Sonar. 


Re: SONAR False Positive for OmniForm EXE files

Thanks for the response cgoldman and brubaker,

I have had to disable SONAR, hopefully temporarily, until this is resolved. It seems to me Norton needs to make SONAR smarter, so it looks for high risk signatures in the executable file's code. Not just assume all executables are a threat. That's why I am trying to get Norton to let me white list the OmniForm files.


Re: SONAR False Positive for OmniForm EXE files

And as soon as the hackers figure out that SONAR can whitelist EXE files, that is an area they will be sure to exploit.
~ How do I un-overwrite all my data? ~

Re: SONAR False Positive for OmniForm EXE files

Not quite. Turning off Sonar does not turn off Sonar. It turns off the advanced feature of Sonar which is to detect low-certainty threats. Since you indicate that you have no issue when you disabled Sonar, we can conclude that NIS was treating your exe's as low-certainty.

The only issue you might have is that with the "off" setting you are excluding from detection any other low-certainty threats. Let me know if you remain unhappy and I can escalate the issue.

Here is the definition of SONAR:

SONAR uses heuristic technology to check suspicious characteristics of a file and categorize it as infected. SONAR categorizes the threats as high-certainty threats or low-certainty threats based on the degree of suspicious characteristics that it finds in a file. Norton Internet Security automatically removes the high-certainty threats. Norton Internet Security notifies you about the low-certainty threats that SONAR detects the first time. You can then allow or block the suspicious activities. When you allow an event, Norton Internet Security adds the event details in the list of approved events that the Advanced heuristic engine uses for threat detection. After Norton Internet Security includes the details of the event in the list, the Advanced heuristic engine ignores such event in the future. Norton Internet Security does not notify when SONAR detects the event the next time.

The SONAR Advanced Mode includes the following options:

  • Off

    Turns off Advanced Mode.

    SONAR detects only the high-certainty threats and removes them. It ignores low-certainty threats.


Re: SONAR False Positive for OmniForm EXE files

Just an update on this issue. It's not good. I have tried all the various settings in SONAR. The only setting that does not cause the OmniForm files to be quarantined is SONAR - OFF. This setting of course makes the tray icon indicate some problem exists with Norton.

Nuance, the manufacturer of OmniForms, is a large manufacturer with many widely used programs. It seems that there should be a way to resolve this without disabling this component. This is why I asked originally if there was a way to submit the files to Norton to check the signature.

I am no stranger to Norton products as I am an IT consultant with over 20 years of experience in fixing computer problems. I am also a Symantec Partner as well as a System Builder. The primary security product I have used and recommended to clients is Norton and Symantec. I would expect some response from a Norton Employee to resolve this problem.  


Re: SONAR False Positive for OmniForm EXE files


Nuance, the manufacturer of OmniForms, is a large manufacturer with many widely used programs. It seems that there should be a way to resolve this without disabling this component. This is why I asked originally if there was a way to submit the files to Norton to check the signature.


Hi SDPCTECH,

You can use the form below to submit a false positive to Symantec:

https://submit.symantec.com/dispute/false_positive/

Your Norton Ladybug.

Re: SONAR False Positive for OmniForm EXE files

Thanks Yaso_Kuuhl,

I will use that link this Friday when I return to the client site.


Re: SONAR False Positive for OmniForm EXE files


SDPCTECH wrote:

Thanks Yaso_Kuuhl,

I will use that link this Friday when I return to the client site.


You're welcome :-)

Your Norton Ladybug.
