Hello,
Wanted to signal that when I try to change a Windows Form text property (title bar) SONAR flags it as dangerous and removes it.
I only trigger this after I uploaded my application to a website and redownloaded through it.
I understand that some I/O operations, network activities and memory checking could trigger a bell. But why the hell should a
private void Form1_Load(object sender, EventArgs e)
{
this.Text = "My application " + version;
should trigger it ?!
Paranoid version : application trying to mimick another process ?
Tried with .NET 4 Client
.NET 4
.NET 3.5 Client
.NET 3.5
.NET 3
Triggers everytime...
And it's not a enough widespeard application to deserve whitelisting process. Anywork around ?
If interested by whole source just say, will post it.
Hi Erendar!
I'm sorry that you are experiencing difficulties with SONAR.
Which Symantec product (and version) do you currently have installed?
It is possible to create a SONAR exclusion for an entire directory or file in NIS/NAV/N360 settings.
Could I ask for you to post the source code and detailed reproduction steps (including steps taken with your compiler)?
A screenshot of the detection would also be helpful.
Thank you very much for your time!
Alex Christian
SQA Analyst
Behavioral Analysis and System Heuristics
Security Technology and Response
I am using Norton Internet Security 19.7.1.5
Compiler : Microsoft Visual Studio 2010
Version 10.0.30319.1 RTMRel
Microsoft .NET Framework
Version 4.0.30319 RTMRel
First here is the source code
http://pastebin.com/WDK0t0QH this is FormMain.cs
http://pastebin.com/DYrLZGn9 this is FormMain.Designer.cs
Steps to reproduce the event :
1. uploaded my .exe (complied with default relase settings of VS) to one of my websites (http://www.donjon-fantasy.fr/test)
SHA1 : 83B96EEEBC2974DD0C1F1443ACA9A8AF1DD8DD6D
2. redownloaded and then it's immediately deleted by SONAR
Here is the screenshot :
Thanks for your time
Hi Erendar,
I was able to verify the SONAR detection that you are experiencing.
Unfortunately this particular type of SONAR detection, "WS.Reputation.1" (as the name might suggest), does not come from our heuristic analysis (which I deal with), but instead from our "reputation" on this particular file.
Personally I am unable to remove this detection (it does not involve heuristics), however, I have forwarded the information you have provided to the appropriate team for analysis.
In the meantime, you can add an entire folder to "Auto-Protect, SONAR, and Download Intelligence Exclusions List" and download all of the EXEs in question to that folder.
From the NIS 2012 interface click: "Settings" -> "Computer" -> "Anti-Virus and SONAR exclusions"; then click on "Configure [+]" to the right of "Items to exclude from Auto-Protect, SONAR, and Download Intelligence Detections"; Click "Add", then navigate to the folder that you wish to exclude, Click "OK", then "Apply".
This should exculde the entire folder you select from this type of detection in the future; however, please be careful when downloading to this folder, as anything within will be completely ignored by our Real-Time protection technology (catches 0-day malware/viruses).
Thank you very much for your time and ongoing patience in the matter.
Alex Christian
SQA Analyst
Behavioral Analysis and System Heuristics
Security Technology and Response
Symantec Corporation