SONAR is deleting programs

We have turned off SONAR since it deletes programs that we wrote and which have been working for many years.

 

This is a BIG PROBLEM!!!

 

We develop and provide software to companies all over the world.  SONAR deleting programs wihtout having any chance to stop it is not reasonable behavior.   Such is the default.  Several programs were deleted on our and customer machines wihtout anyone understanding what was happening.

 

While this technology might be worthwhile, it is not made clear upon installation of Internet Security 2010 that such is going to happen.  2009 does not have this function available.

 

At this point we do not know that we can continue using NORTON products.  It would appear that the SONAR solution is to delete all programs and leave a PC that has nothing running on it.

 

Upon investigation of what SONAR was doing, it checked against a database that did not have record of our software.  Writing a new program will cause SONAR to delete it upon first execution.

 

To repeat, we are very unhappy.

Hi rft, welcome to the Norton Community :-)

 

We're sorry to hear about the problems you are experiencing with SONAR. 

Does SONAR quarantine the files? If you open your NIS product, you can restore these files from Quarantine (provided SONAR has not flagged them as high-risk items, in which case you cannot exclude them because they are removed at once) and you will be given the option to exclude the files and stop SONAR from flagging them as threats. 

 

Also, because this seems to be a case of false positives, please submit your files to Symantec via this form:

https://submit.symantec.com/dispute/false_positive/

Message Edited by Yaso_Kuuhl on 10-13-2009 11:06 PM

For some programs SONAR just deleted them.

 

To have to register every program that we write with NORTON does not seem reasonable.  We did not create this problem.

 

NORTON turns this malicious software on by default.  We innocently purchased NORTON Internet Security 2010 and programs started to disappear.  Why isn't this made clear during the installation and configuration process?

 

This is going to cost my company a lot of time and money to correct and when customers lose programs due to this it will hurt our business.  None of this ever reflects back to NORTON.

 

SONAR needs to be removed and re-engineered. 

You will also find that even though you exclude a program(with the hotfix installed) when you recompiled it SONAR will delete it again.  I believe that Norton is aware of this and are working on a fix.  I have the same problem with programs developed under Intel Visual Fortran.  I have sent in a file for testing some time ago, but I have no time frame when this problem will be addressed.  Maybe someone with Norton can provide this?

It's impractical to have to submit each rebuild of every application, to constantly have to un-quarantine and mark files for exclusion (that with the hot fix, still doesn't seem to be properly ignoring the file is to be excluded from future scans).

 

I've had to disable SONAR permanently and marked it to be ignored that it is off. My subscription ends in a few months and I am seriously considering trying something else. First the Firefox issue, now SONAR. Getting to be a real hassle.

 

John

Gentleman

 

This problem has already been reported and in the other thread I explained that when you "turn off" Sonar you are NOT disabling SOnar. You are only disabling the detection of low-certaintly threads. Sonar is still active in  detecting high-certaintly threads. The creation of an executable by various third party programes is considering by NIS as a low security thread.

 

At this time I suggest the only downside of disabling Advanced mode Sonar is that you will not get advised about other low-security threads besides your created executables.

 

Is this position acceptable or does anyone still feel uneasy?

I agree with rft and jbtran

We didn’t ask for SONAR, we didn’t buy 2010, and yet we now have it on one of our computers and it turns off and “quaratines” all of self-written applications. Tell us how we can get rid of it – we can’t run our company without those applications. Please also explain how this pest invaded our computer. To have it only partly turned off as described is NOT acceptable

We have users who are very disatisified with NORTON.  Many of the my colleagues have switched to Kaspersky.

 

The internal support cost of Kaspersky is trivial when compared to NORTON products. 

 

We currently have NORTON installed on a large number of computers internally, at our employee's homes, and at customers.  The problems created cost us money, time and possibly customers.

 

This SONAR bug just ruined our office administrator's computer.  It is taking me away from other tasks to get her computer back on line.  It has cost a colleague three working days to trouble shoot the problems created by this malicious software on one of our production machines.

 

I'd rather leave my systems "open" than install supposed security software that is worse than most of the  beasts roaming in the wild. 


jforrest wrote:

I agree with rft and jbtran

We didn’t ask for SONAR, we didn’t buy 2010, and yet we now have it on one of our computers and it turns off and “quaratines” all of self-written applications. Tell us how we can get rid of it – we can’t run our company without those applications. Please also explain how this pest invaded our computer. To have it only partly turned off as described is NOT acceptable


 

To completely turn off SONAR in NIS2010, you will have to remove the product.  Since you didn't buy the product or install it on your company computer, it should not matter if it is removed.  The Norton Removal Tool can be found here; you can also run the Uninstaller from the program menu group in the START menu.  Sorry for your inconvience.

It is well and good to disable SONAR so that new programs do not get silently deleted.  We develop software and new programs are constantly being created and tested.

 

The problem that SONAR is enable by default and the new NOROTN Internet Security 2010 installation does not give any opportunity to tailor the installation.  It is enabled and does its damage before a user can even turn it off.

 

SONAR should never be installed or enabled by default.  User who install NIS 2010 as an upgrade/renewal get no warning and applications disappear startling rapidity.

 

As far as I can see SONAR is only useful for someone who uses their computer as a net appliance, i.e. email, web browsing, and simple office suites.

 

This is not the world that I, my colleagues and customers live in.

SONAR has been in the Norton products since the introduction of the 2009 product lines.  It is an integral part of the product and can not be separated from the rest.  SONAR is the heuristic scanning engine / process in the AV side of the Norton consumer products. 

 

I, as a programmer / developer, understand your frustration but since Norton is a consumer product and will be on a great many consumer systems, I make sure the developed programs work with it.

These systems all had NIS 2009 installed and there were no issues.  I do not recall seeing any references to SONAR in the 2009 options.

 

From what you are saying NIS 2010 is a consumer, i.e. non-computer literate, no programming, scriptng or other customization of programming activites, product.  What product should one be using if one does more than email, web browse, and office suite functions?

 

We have been using NORTON security products for at least 10 years.

 

What are NORTON's intentions with respect to software engineers and other sophisticated users?

You might want to check on the Symantec Business side of the company.  Endpoint Security may be a better fit for the "industrial" type user.  SONAR may not have given you much problem in the NIS2009 version; it did me and others.  It was refered to in the Settings under Computer Scans as Advanced Heuristic Protection.

 

Scroll bar.png

rft

 

I am affraid that English may not be your native language and that therefore I may be misinterpreting your remarks. AFAIK SONAR causes no damage, it merely quarantines files, and you can recover those files from quarantine. In that process you can decide whether the file is to be ignored in future from SONAR. If Sonar acted immediately after installationa and before you became acquainted with the software or able to modify the configuration settings, then you have only to recover the files.

 

I note your comments.

 

It is interesting that you are looking for a security and AV product to protect your systems that are not connected to the net in any way. The vast majority of users, I suggest, of NIS are those wishing to protect themselves because they are connected to the web and that is their potential source of virus and other pests.

 

 

 

I am sorry I cannot help further.

 

 

[edit: Please keep post content respectful per the Participation Guidelines and Terms of Service.]

Message Edited by shannons on 10-19-2009 11:55 AM

cgoldman wrote:

rft

 

I am affraid that English may not be your native language and that therefore I may be misinterpreting your remarks. AFAIK SONAR causes no damage, it merely quarantines files, and you can recover those files from quarantine. In that process you can decide whether the file is to be ignored in future from SONAR. If Sonar acted immediately after installationa and before you became acquainted with the software or able to modify the configuration settings, then you have only to recover the files.

 

I note your comments.

 

It is interesting that you are looking for a security and AV product to protect your systems that are not connected to the net in any way. The vast majority of users, I suggest, of NIS are those wishing to protect themselves because they are connected to the web and that is their potential source of virus and other pests.

 

 

I am sorry I cannot help further.

 

 


 

I do not find your response professional.  In fact it is insulting.

 

I have over 40 years experience in computer systems, O/S design, and networks.  I am the CTO for my corporation and our customers include many of the Fortune 100.  I deal with IT professionals at those corporations on a daily basis.

 

If this is NORTON's concept of customer relationship management, we will have to eliminate all NORTON and Semantec products from our systems.

 

[edit: Fixed quote error.]

 

Message Edited by shannons on 10-19-2009 11:56 AM

I don't believe this thread should've gotten this far.

 

rft,

 

 I understand your frustration over this matter, and I agree that you should switch to a different AV suite that would suite you more than Norton does...no pun intended.

 

cgoldman,

 

I believe that a forum Guru should not make posts like the one you posted. A person of your power on this forum should never be saying such things to posters who are having problems, but that is just my opinion.

Message Edited by Maestro on 10-14-2009 02:54 PM

Hi Rft,

 

Firstly I would like to apologize about the SONAR-related problems you have been experiencing. The SONAR team as well as other teams at Symantec have been actively looking at various solutions. Newly created executables on developer's machines present unique challenges because of the fact that they are new and hence have low reputation. However I want to stress that just because we have not seen a file before it doesn't mean that SONAR will convict it (more on this later).

 

Here is a synopsis what we have been working on:

 

1. In the Settings pane under Exclusions/Scan Exclusions, you have the ability to enter path names you don't want the Real-time scan to scan. Currently, anything you put in this list will only be honored by the Real-time signature scanner AutoProtect, and not SONAR. We are going to change this so that any pathnames you enter here will be honored by both. This fix is tentatively scheduled to be released in the November time-frame. We are testing the fix at the moment. Software developers can use this option to exclude any folders on their development machines where they are constantly creating new binaries.

 

2. SONAR2 is a real-time behavioral engine. It monitors behaviors of all running processes, looking for suspicious behaviors or traits in the exe that appear similar to malware. A running process has to pass a minimum threshold of bad behaviors before it becomes a candidate for being deleted. In addition to this we also check the Quorum backend looking at the file's reputation across the entire customer base which in the case of newly created files would be not be very high.

 

The point here being that  just because we have no info on a file on the backend, doesn't mean it will get convicted. This is a common misconception. The process had to have exhibited malicious traits, either static e.g. its packed, or has suspicious imports etc. or dynamic behaviors e.g created a run key etc., in order for the SONAR scoring engine to convict itWe look at hundreds of such behaviors and growingWe are actively looking at the scoring algorithms in light of this issue and currently testing a new one.

 

3. We are looking at a change to the UI to allow customers to configure SONAR to always ask before deleting anything. Currently SONAR only prompts the user when it is not fully confident that what it has detected is in fact a threat.

 

Just as an FYI, Symantec like many software companies signs all binaries it releases with a code-signing Class-3 certificate from a reputable CA like VerisignDoing this has a number of advantages. We encourage other vendors to do the same. If your exe is class3 verisign signed, SONAR will not delete it.

 

Hope this helps.

 

Thanks,

 

Shane.

 

 

Message Edited by shane_pereira on 10-21-2009 11:46 AM
Message Edited by shane_pereira on 10-21-2009 11:47 AM

Hi:

 

Interestingly enough, this is similar to the problem in my thread:

 

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=82237

 

Any ideas? The version of SONAR in NIS 2010 is a bit annoying, like the UAC deal in Vista.

 

TIA

Message Edited by Plankton on 10-21-2009 09:44 PM

rft

 

I apologize for the offence that my remark gave. It actually was not intentional. I truly believed, having regard to your posts, that I was in danger of misinterpreting your remarks.

 

Least of all I am not challenging your industry experience.



cgoldman wrote:

rft

 

I am affraid that English may not be your native language and that therefore I may be misinterpreting your remarks. ....


 

I have just found this thread and have the same problem - I think

 

A newly created 1-off executable file (a compiled web browser in development as a college project) triggers SONAR as high risk and is whisked away to quarantine whenever it is asked to run (New, Few Users, does stuff etc)

 

Excluding the file from normal and auto protect scans is ineffective  - but these normal 'signature' scans were not flagging it anyway .

 

Recovering it from quarantine has an option to ignore it in future scans but this does not stop SONAR quarantining it yet again immediately it is run.  = Incorrect behaviour from a promising looking option

 

The Context menu for the file in the directory provides a Norton File Insight tab where I can expressly trust the file.  The setting appears to be cleared or ineffective as SONAR again quarantines the file on the next run.

 

I hope I have documented this sufficiently to know if this is the general problem.  If so the issue appears to be that adequate options to resolve the issue exist but are not working as would be expected. 

In Particular if a user expressly trusts a single file with a static location and signature that should be good enough !

 

Is there any progress/ETA  on resolving this issue please ?