• All Community
    • All Community
    • Forums
    • Blogs

Not what you are looking for? Ask the experts!

This forum thread needs a solution.

SONAR.Heuristic.120 deleting product files without even a quarantine

We are a ISV (in business since 1997) with software products.  Our customers who have Norton are notifying support because our product stops working.  When we investigate, file(s) have been DELETED from their installation.  SONAR.Heuristic.120  They were not asked, it just happened; they typically didn't even notice the small notification from SONAR.   The files that were deleted, sometimes without quarantine so they can't be restored, perform some network activity integral to the operation of the client/server product(s).  In some cases,  In some cases these files are the programs for windows services on a server that allow clients to access the program from other machines on the LAN.  In other cases, it sends email notification to us using one of our pop accounts (for example there is a Help... Email support feature that sends us log files with the support request).  We can find no way to fix other than turning off SONAR to fix this which customers are reluctant to do.  Yes, we are submitting the files as false positives, and one by one they are being whitelisted, but this takes time and is a nightmare (and will apparently need to be repeated for every file with every release which is a manual process of filling out a web form for every file) and is hurting our reputation as a vendor (not counting the support hours to deal with this).  How can we avoid this from our end.  Our customers are NOT technically savy and typically do not have a technical support person, so configuring any security software will have to be a cookie cutter recipe for them.  We need to find a way to stop this.  I am technical and can't find a way to tell SONAR to leave files alone so I can't write the recipe.  It used to be easy to configure filewalls to ignore specific programs and ports and we document how to do this, but I don't see how to do this with the current version, so how can I tell my customer?  Right now we're having to recommend our customers switch to MS Essentials instead since (so far) they leave our products alone.

Labels: SONAR



Re: SONAR.Heuristic.120 deleting product files without even a quarantine

Hello 2ab

Welcome to the Norton Forum

In Norton Security and Norton Security with Backup, please have your customers to follow this: Settings>Antivirus>Scans and Risks>Exclusions/Low Risks>Items to Exclude from Scans>Configure= List files or folders or both--click on OK,Continue to line below that one. Items to Exclude from Auto-Protect, SONAR, and Download Intelligence>Configure= Can add files, folders click OK

The 2014 products like NIS and N360 should have similar settings under Antivirus I think. I am on Norton Security now, so don't have the older programs in front of me. I can't give you the exact path to follow.

Sorry, I don't know about whitelisting actually. I don't know if it can be done by folders or program or if it has to be done just by file at a time.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit 2004 N 360 Chrome latest version.

Re: SONAR.Heuristic.120 deleting product files without even a quarantine

Thanks... I just tested and that and it does indeed save my files from being deleted.  I was expecting it under the SONAR settings which only lets you turn on/off and set notification (which I think should default to "ask me", but doesn't.  Anyway, I am still hoping for something "simple" (vs submitting for whitelisting all my files every release manually) that I could do as an ISV to stop this.  I will document how my customers can configure SONAR, but would prefer to stop the calls/emails before they happen.  Nobody likes to be dead in the water until they can get a support person and then have to uninstall download and re-install (because the files were deleted without quarantine).  We can remote access and drop the files, but that takes time we'd prefer to use otherwise.

This thread is closed from further comment. Please visit the forum to start a new thread.