Kudos0

SONAR should display detailed information on detections

al corriente: 12-Mayo-2010 | 2:14PM · 13 Respuestas · · Translation:

I would really like for Norton products to show detailed information on SONAR detections. As it is now we only get information about that a file was blocked by SONAR but nothing about why.

It would be a killer feature to see more details like what triggered the detection (reading a file, opening a TCP connection, accessing a specific URI resource etc). Showing more information would also help users to make a qualified guess if the SONAR detection is correct or not; ex users might have a better idea of what their programs are supposed do than SONAR, especially advanced users.

As reference/example one could consider ThreatExpert which displays detailed information on what a program is doing.

Best regards,

Labels: SONAR

Respuestas

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 12-Mayo-2010 | 2:14PM · Enlace permanente

I would really like for Norton products to show detailed information on SONAR detections. As it is now we only get information about that a file was blocked by SONAR but nothing about why.

It would be a killer feature to see more details like what triggered the detection (reading a file, opening a TCP connection, accessing a specific URI resource etc). Showing more information would also help users to make a qualified guess if the SONAR detection is correct or not; ex users might have a better idea of what their programs are supposed do than SONAR, especially advanced users.

As reference/example one could consider ThreatExpert which displays detailed information on what a program is doing.

Best regards,

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 12-Mayo-2010 | 2:19PM · Enlace permanente

I agree, SONAR must do it like ThreatFite do.
Kudos0

Re: SONAR should display detailed information on detections

al corriente: 13-Mayo-2010 | 1:54AM · Enlace permanente

I am agree too , it is good idea.

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 13-Mayo-2010 | 3:30AM · Enlace permanente

Agree here too!

Same idea, I believe:

http://community.norton.com/t5/Norton-Internet-Security-Norton/More-Information-about-a-Sonar-Detection/idi-p/217625#comments

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 13-Mayo-2010 | 12:29PM · Enlace permanente

excellent idea

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 08-Jun-2010 | 5:14AM · Enlace permanente

This already exists at the File/Threat Insight UI under the "Actions" tab but the text is not as user friendly. We plan to fix this for 2011. Did you check the Actions tab in File/Threat Insight?
Kudos0

Re: SONAR should display detailed information on detections

al corriente: 10-Jun-2010 | 2:37AM · Enlace permanente

Sorry for the empty comment above.

> This already exists at the File/Threat Insight UI under the "Actions" tab but the text is not as user friendly. We plan > to fix this for 2011. Did you check the Actions tab in File/Threat Insight?

I did notice this button when I used file insight on files from the right-click menu, but I never knew that Sonar would put its info in here. Isn't it illogical that you have to use "File Insigh" on a file to see what actions it performed even though the file was removed by Norton? Normally I use file insight from the right-click menu so this is kind of counter intuitive to me.

 think you really have to rethink how you display the Sonar information, because I don't think it's logical that you have to browse the Norton history, find the file it put in quarantine, click on another button to open the File Insight dialog for the quarantined file and then use the dropdown menu in the File Insight dialog to actually see what the file did.

Half of my suggestion was about the presentation of information - that is, the information should be presented before Norton blocks the file (or at least this should be a setting) so users can actually view the relevant data right on screen whenever sonar activity occurs and don't have to dig deep into the logs and whatever else to find it. I think the ability to show Sonar info is of great advertising value to Norton so by not making it easily accessible is to me like you're shooting yourself in the foot.

Regards,

Ole

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 12-Jun-2010 | 1:12PM · Enlace permanente

Addition:

I have also noticed that Norton often does not give any information to why a file was detected by SONAR. For example I have a file that Norton just blocked with SONAR, and the only information in the "Actions" tab is:

"File "C:\.....\hello.exe" removed"

There are no other options than "File Actions" I can click in the dropdown box. In this case it seems Norton isn't giving me any information at all.

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 12-Jun-2010 | 2:07PM · Enlace permanente

@athena

i can not find any Information about "harmful behavior"  on a Sonar 3 (Beta) Detection .

http://img535.imageshack.us/img535/3229/aufzeichnen3v.jpg

http://img268.imageshack.us/img268/7770/aufzeichnen1p.jpg

http://img33.imageshack.us/img33/3517/aufzeichnen2r.jpg

where they read the information e.g. DLL Injection, Memory Manipulation ? ;)

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 24-Jun-2010 | 12:51PM · Enlace permanente

Thanks Voyager10 for providing more details.

I did some research into this and here is what happens. File Insight provides the data that you ask for at the time of the detection and before an action is taken. See screenshots below.

However, this shows only if you don't have the SONAR detections being remediated automatically. After the action is taken we do not carry this info in History.

I agree with you this flow needs some improvement. We are considering your suggestion for our next release.

Thanks for bringing this up.

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 24-Jun-2010 | 12:52PM · Enlace permanente

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 27-Jun-2010 | 1:32PM · Enlace permanente

Thank You  ;)

This "Behavior Details"  you can see here 

http://en.wikipedia.org/wiki/File:Norton_Antibot_Screenshot.png

into Sonar 3 were perfect !

Kudos0

Re: SONAR should display detailed information on detections

al corriente: 30-Oct-2010 | 3:21AM · Enlace permanente

Yes, It's a good idea to see why sonar has removed it (for example unsigned executable, not visible, etc...)