SONAR is deleting programs

BruceA

 

Maybe it's my reading of the messages so far posted, but I am not sure that Symantec appreciate the problem you clearly describe. What you are saying, if I understand correctly, is that the option on recovery to ignore an exe from future Sonar does not apply to "high risk" sonar items. In that case it seems that the best thing to do is to provide to Symantec or a guru one of the executables so they can confirm the issue. What Symantec need is a reproducible problem.

 

So perhaps you can create one of these executables that does very little (i.e. bring up a web page or something) but otherwise does not change the users' systems in any way.

 

We develop software that is used for mission critical applications at our customers.  The number of installations is small compared to retail applications.  We continually update the software, i.e. there are incremental improvements, major rewrites, and as we are forced by MICROSOFT, etc. to use their latest proprietary technologies, the "signature" of the .exe and .dll's constantly change.  For example the new INTEL compilers and MICROSOFT Visual Studio produce .exe and .dll files that are very different from the Visual Studio 6 environment, yet from an end-user perspective are identical.

 

Assuming that end users can be intercepted immediately after installing NORTON software utilizing SONAR to adjust settings so as to minimize problems, there is still the problem that software updates will be mistaken by SONAR and treated as high risk.

 

NORTON is just one of many vendors of solutions to "protect" computers from malware.  The overhead to keep ahead of SONAR is too costly.  There is not enough benefit realized to justify the extra labor and delays inherent in such.  To update customers on a real time basis will involve having customers either grant remote administration privileges (we never allow such in-house and don't expect most customers to allow such) or have customers at each computer specifically make changes to SONAR's exclusion lists.

 

This product is too early in its development to have been integrated into a "retail product".  SONAR should have been made available as an ALPHA test to those willing to provide feedback to NORTON and be prepared to deal with problems such software can create.

I'm having a problem simply making a BIOS update disk.

 

I run the .exe to create a bootdisk, but SONAR quarantines it.  I go to the quarantine, restore, exclude and re-execute and SONAR completes the exact cycle again.

 

The only way to run it is by disabling the feature.  If this is what has to be done every time, why bother with it in the first place?

I was developing applications on PCs more than 20 years ago.  I have used MANY versions of Symantec/Norton products since then.  I took a "Norton break" for 2 years as I felt the products were getting too large, unwieldy, and unnecessarily over-zealous in terms of quarantining applications.

 

I have found NIS 2010's "SONAR" the most annoying feature that I've seen in a product for a LONG time!!!  There are programs that I know are safe --- SONAR will NOT let me run them --- it insists on DELETING/QUARANTINING these programs.  I have searched and searched in the software configuration, help files, Norton web site, the Norton Community web site, etc. but it seems like SONAR cannot be controlled.  Two weeks ago, I tried contacting Support but I got a guy that could not even understand the issue --- let alone make any suggestions as to how to fix them!

 

Shane (Symantec Employee) said "In the Settings pane under Exclusions/Scan Exclusions, you have the ability to enter path names you don't want the Real-time scan to scan. Currently, anything you put in this list will only be honored by the Real-time signature scanner AutoProtect, and not SONAR."  I CAN NOT believe that Symantec would release a product where SONAR cannot be overridden by a user that wants to override it.  I cannot tolerate antivirus software that will not allow me to make my own decisions.  If I don't find a way, or if Symantec doesn't fix SONAR soon, I'm going to be demanding a refund and I'll never use another Symantec/Norton product again.

You know, the way NIS 2010 is configured, I don't even know if it's "SONAR" that's deleting certain of my application files or not.  The files are DELETED and they do not appear in the Quarantine list; they do not appear in SONAR Activity; but they appear in the Resolved Security Risks list.  And, as I said, the files are gone.  NIS 2010 gives NO way to restore these files.

 

I don't think I'm going to be spending much more time on this issue...  NIS 2010 is going to be removed very soon...

kalahari

 

Can I ask if you provided an example of a file that gets deleted to a guru or Symantec employee?

 

cgoldman,

 

Yes, two weeks ago, when I tried Support, I told them about MyDefrag-v4.2.x.exe on MyDefrag Download.  SONAR always quarantines the installer program -- I have to deactivate SONAR for 15 minutes to get it to run every time there's a new version!  MyDefrag is a safe defragger program so I don't know why SONAR makes me jump through those hoops every time there's a new version of the program!  And it's just the installer that SONAR dislikes -- it has no problem with the installed application.  I actually found a NIS 2010 Patch on this forum which I applied yesterday which now allows me to specify that SONAR should allow that installer to run but I'll have to do it every time a new version is released.

 

One example that I'm having now, and I have sent each applicable app to Symantec for evaluation, is the set of utilities from NirSoft Utilities.  I have done a lot of investigation and everything indicates that this set of utilities is safe (it's similar to MS's SysInternals).  SONAR (and it is SONAR -- I had cleared the log at some point) says that some of the utilities have Hacktool, ProduKey, or AsteriskLogger.  SONAR immediately deletes them.  I have tried putting the apps into a directory for "Scan Exclusions" but, as covered already, that doesn't stop SONAR -- it ignores the "Scan Exclusions" directories.

Message Edited by kalahari on 11-01-2009 06:17 AM

kalahari,

 

Did you try submitting the files SONAR quarantines and which you regard as false positives to Symantec over here?

 

https://submit.symantec.com/dispute/false_positive/

 

Yaso_Kuuhl,

 

No, I had not submitted them to Symantec using that form.  I had submitted them to Symantec through the option in NIS 2010 that allows submission to Symantec.

 

That being said, I have just used this form https://submit.symantec.com/dispute/false_positive/  nine times to report all those (what I think are) false-positives again.  :)

 

So, as you can see, I do try to supply all the necessary info.

Gosh I love the way these posts bounce round and round getting foggier and foggier.

 

There is a whole lot of misdirection here and we will never get it fixed if we don't get the issue clear:

 

Sending a 'false positive file' is in some ways a red herring.  The SONAR issue we are trying to discuss is that:

  • A file appears on the PC that is both New and Not often/ever found.   It can be saved to disk
  • It does not have a virus signature match so it is not a false positive.  It passes normal quick/autoscans etc.
  • It does however do something 'bad' when run, e.g. a web browser that dares to contact the internet
  • SONAR at least quarantines it without choice or discussion - also reported to Delete if it is even 'badder'
  • Restoring the file and using the UI proposal to not scan it again restores it but does not stop SONAR quarantining it again next time

 

The issue therefore is that SONAR is doing what it was designed to do.  However its options to customise reactions or omit files in advance/subsequently are either absent or not currently working as expected.  I can't send you a file for copyright reasons but just believe that it is possible to compile and save to disk a safe file that does not match a virus signature but when run does look new, rare and web active.  The questions to Symantec:

 

1) how /are you going to allow people who make/use such files to create / use /work on them while enjoying NIS protection

2) how /are you going to allow other 'normal' people who want to receive / install /use such files to do so (manually or ideally as part of an installer script)

 

Hoping this is now clearer :-)
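To make the defect described in this thread concrete (exclusions honoured by the signature scanner but not by the behavioural engine), here is an added, constructed model of a two-engine scanner; it is not Symantec's code, and the engine names, thresholds, paths and hashes are all hypothetical. Each engine decides independently, and the only difference between the "as reported" and the corrected behaviour is whether the behavioural engine consults the same exclusion list.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed model of a two-engine scanner: a signature engine plus a
# behavioural engine ("new + rare + network-active"). Hypothetical throughout.

@dataclass(frozen=True)
class FileEvent:
    path: str
    sha256: str             # constructed placeholder, not a real indicator
    prevalence: int         # installations that have reported this hash
    age_days: int           # days since the hash was first seen
    contacts_network: bool  # outbound connections observed when run

KNOWN_BAD_HASHES = {"00" * 32}  # constructed placeholder signature set

def is_excluded(path: str, exclusions: list[str]) -> bool:
    """True if path lies under an excluded folder (case-insensitive, Windows rules)."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(x)) for x in exclusions)

def signature_verdict(ev: FileEvent, exclusions: list[str]) -> str:
    # The signature engine honours Scan Exclusions, as the thread reports.
    if is_excluded(ev.path, exclusions):
        return "allow"
    return "quarantine" if ev.sha256 in KNOWN_BAD_HASHES else "allow"

def behavioural_verdict(ev: FileEvent, exclusions: list[str],
                        honour_exclusions: bool) -> str:
    # No signature needed: new + rare + network-active is enough to quarantine.
    if honour_exclusions and is_excluded(ev.path, exclusions):
        return "allow"
    is_new, is_rare = ev.age_days < 7, ev.prevalence < 50
    if is_new and is_rare and ev.contacts_network:
        return "quarantine"
    return "allow"

def scan(ev: FileEvent, exclusions: list[str],
         honour_exclusions_in_behavioural: bool) -> str:
    """Overall verdict: any engine asking for quarantine wins."""
    verdicts = {signature_verdict(ev, exclusions),
                behavioural_verdict(ev, exclusions, honour_exclusions_in_behavioural)}
    return "quarantine" if "quarantine" in verdicts else "allow"

# Constructed sample: a freshly built in-house tool that checks for updates,
# sitting in a folder the user has added to Scan Exclusions.
FRESH_TOOL = FileEvent(r"C:\Tools\inhouse\updater.exe", "ab" * 32,
                       prevalence=3, age_days=1, contacts_network=True)
EXCLUSIONS = [r"C:\Tools\inhouse"]
```

`scan(FRESH_TOOL, EXCLUSIONS, False)` reproduces the thread's complaint (quarantined despite the exclusion), while `scan(FRESH_TOOL, EXCLUSIONS, True)` shows the behaviour the posters are asking for; a non-excluded new, rare, network-active file is still quarantined in both modes.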

 

I got some other issues with NIS10, so I decided to revert to NIS09.

 

May I suggest some of you revert to NIS09 temporarily until your problem is fixed?

Good idea you have (sorta).  I'm going with a variation.  I'm going to remove NIS 2010 and use Microsoft Security Essentials instead.  I'll try NIS 2010 again at a future date once some fixes have been released.

 

Cheers.

I just want to add my two cents.  I think the exclusion process is getting too complex with three different areas that one has to handle:  scan exclusions, AP exclusions, and signature exclusion.  One should not have to tweak a number of things to make an exclusion work.

 

As far as the original issue with SONAR, like everything Symantec's defaults should protect ignorant PC users, but the controls should be provided that the product may be configured in any manner the user desires if they are willing to accept the consequences.

Kalahari

 

Actually if you take the download zip astlog.zip, and scan it with NIS, it contains AsteriskLogger and is quarantined. AsteriskLogger is of the type: a potentially unwanted application. If you look this up on the Symantec site it says "Once executed, the potentially unwanted application can reveal the passwords concealed behind the asterisks in standard password text boxes".

 

You are installing an application that has a security risk because clearly it reveals passwords that are not intended to be revealed.

It is nothing like Sysinternals. It is "safe" only because you are installing it and running it and no doubt revealing your own passwords, but it is not "safe" from a community point of view because Norton has to rightly assume that someone is loading this application on your PC with a view to stealing your passwords.

 

In short, the responses you are getting from Norton are entirely correct and proper. I have restored the executable and find no Sonar activity.

cgoldman,

 

I appreciate you trying to help.  I have uninstalled NIS 2010 and installed MS Security Essentials (as I said I was going to do).

 

I am not attempting to run all of the NirSoft utilities.  I am installing a "launcher program" which, by default, installs all the NirSoft utilities --- that's why I was encountering issues with NirSoft utilities.

 

AsteriskLogger, the example that you gave, is not a utility that I plan to use.  I am well aware of the capabilities of some of these utilities.  My comments have all been about the frustrations that NIS gave me because of false positives (e.g. MyDefrag) and not giving me (a very experienced PC user) the ability to override the various protections that NIS is providing.  Also, (1) some parts of NIS do not work (e.g. where you tell SONAR to ignore a particular threat in the future) and (2) the NIS user interface needs a LOT of work -- one can hardly figure out what to configure where.

 

When I installed MS Security Essentials today, it gave me a serious warning about AsteriskLogger --- it did not just delete it without giving me any choice in the matter.  I chose not to install it.  That's the way NIS should work.  Also, MS Security Essentials did not erroneously flag a whole lot of the other NirSoft utilities and just delete them.

Message Edited by kalahari on 11-01-2009 11:05 AM
Message Edited by kalahari on 11-01-2009 11:07 AM

There are programs that are and will never be a security issue that SONAR is deleting.  Example, every program compiled with Intel Visual Fortran is flagged and deleted by SONAR.  IMHO Norton has a very bad piece of code in SONAR that needs to be either corrected or deleted.

I will tell you something else that makes this whole thing more complex than it needs to be.  Scan results history and quarantine includes flagged files from email attachments as well as local files.

Unfortunately, my PC is bombarded daily with virus attachments.  Thus, a review of scan results and/or quarantine has such a low signal to noise ratio that these informational displays are practically useless.  Email results need to be split off from local storage results.

Will someone from Norton please tell us that this is being sorted.  There is such a lot of detailed feedback on how/why to address this being provided that I cannot believe that this is still being given a 'by design' tag or diverted into the 'endless what is malware loop'.

Presumably it will get taken seriously once it hits PC-Pro etc.

 

Amusing thought - Norton 2050 robo-home guard dog. 

FAQ

 

My Robo-Dog attacks harmless visitors because it hasn't seen them before and they are carrying potentially dangerous baggage like fireworks and cigarette lighters.    Then attacks them the next week after being given their ID and details because their hair has grown and they are wearing a different coat.  Some visitors just disappear completely while others can be retrieved from the dog kennel.

 

Resolution

 

This behaviour is by design.  Please do not allow visitors to your home who have not already somehow survived a visit to all the other homes down your street.  If you have such visitors please consider reverting to Guard-dog 2009 (The living learning canine variety)

 

Ok, time for my sleep :-)

BruceA,

 

Thanks for the humorous analogy.

Kalahari

 

Sorry you have dropped NIS 2010. There is no point me trying to assist further then. I took AsteriskLogger because I chose it at random from the list you gave. I do not see an issue yet with which I would get involved. I would be happy to champion an issue if I felt there was one. For example I do not yet see that Sonar is not working as designed.