Thank you for your patience with this issue. We at Symantec take all customer problems very seriously and would like to apologize for the inconvenience these issues may have caused. The SONAR team has researched each of the 160 posts on this thread and would like to update the thread with our findings. Our goal as always is to provide the highest level of protection without disrupting the user in any way.
Based on the feedback from this thread and others we have made quite a few fixes either to the product itself or to the SONAR definitions and will continue to update the detection algorithms in order to improve their accuracy.
For those customers with Automatic Liveupdate enabled (this is the default setting), fixes will be deployed automatically. If you have the latest updates and the problem still persists, you may have to use one of the workarounds below.
1. Executable files created by compilers, etc. on development machines are deleted
We have identified the issue and are making incremental changes to fix the problem. Please ensure that you have the latest NIS patch (17.1.0.19) installed, as that should minimize the occurrence of the issue.
In addition to this, developers should exclude dev directories from security scans using the following steps:
On the main UI panel, under Computer click Settings. This will bring up the Settings dialog box.
Under Scan Exclusions click Configure. This will display the Scan Exclusions dialog box.
In the lower half of the screen, under Auto-Protect Exclusions, click the Add button. This will bring up a dialog to add a new item.
2. Files when restored from quarantine are convicted again by SONAR.
When any protection technology like SONAR deletes a file, a copy of that file is stored in an invisible backup area called Quarantine. Quarantine can be accessed using the Quarantine link on the main page.
This will bring up the Quarantine History page below:
If you are certain that SONAR has incorrectly quarantined a file, you may restore this file to its original location by selecting the appropriate entry in the Quarantine Log and clicking Options. This will display the Security Risk Details dialog:
Click Restore this file. This will show the Quarantine Restore dialog. Ensure that Exclude this risk from future scans is checked.
Click the Yes button. A progress indicator will be showing as NIS/NAV restores the file.
The file will be restored to its original location and will no longer be detected by SONAR.
Important Note: This feature was non-functional in NIS/NAV 17.0 but has been fixed in NIS/NAV 17.1. If you continue to see this problem, please check the version of your product.
3. Concern from the development community that their software is being deleted on their clients' machines.
In order to guarantee that your application will not be deleted by SONAR, we suggest that you code-sign your executable using a Code Signing certificate from a reputable certificate authority. Here are some links on Code Signing and its advantages:
4. I have disabled SONAR, now my NIS/NAV product shows a red ‘X’; At Risk; Fix now. How do I get rid of this warning?
In the event that you are forced to disable SONAR, NIS/NAV will warn you with a Red ‘X’ status indicating that a critical protection component has been disabled. To ignore this and revert to a Green ‘Check’, perform the following steps:
a. On the main screen, to the right of the SONAR Protection slider, click the ‘i’ button. A small panel with an Ignore button will pop up.
b. Click the Ignore button. This will change the status to a Green checkmark as shown below.
Thanks!
Barrett
Message Edited by BarrettBaxter on 01-12-2010 06:07 PM
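For the code-signing advice in item 3 above, one way to confirm before shipping that every executable and installer in a package carries a valid, timestamped Authenticode signature. This is an added example, not code from Symantec or from any poster in this thread; the `.\release` path is a placeholder for your own build output.

```powershell
# Added example: audit Authenticode signatures in a release folder before shipping.
# $ReleaseDir is a hypothetical default; pass the path to your own build output.
param(
    [string]$ReleaseDir = '.\release'
)

# File types that normally carry an embedded Authenticode signature.
$extensions = '.exe', '.dll', '.msi'

$results = Get-ChildItem -Path $ReleaseDir -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate

        # Unsigned files have no signer certificate, so guard each lookup.
        $signer  = if ($cert) { $cert.Subject }  else { $null }
        $issuer  = if ($cert) { $cert.Issuer }   else { $null }
        $expires = if ($cert) { $cert.NotAfter } else { $null }

        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = $signer
            Issuer      = $issuer       # shows which CA chain the file was signed under
            CertExpires = $expires
            # Without a timestamp, the signature stops validating when the cert expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }

$results | Format-List

# Fail the build step if anything is unsigned, tampered with, untrusted, or not timestamped.
$problems = @($results | Where-Object { $_.Status -ne 'Valid' -or -not $_.Timestamped })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} file(s) failed the signature audit:" -f $problems.Count)
    $problems | ForEach-Object { Write-Warning ("  {0} [{1}]" -f $_.File, $_.Status) }
    exit 1
}
Write-Output ("All {0} file(s) have a valid, timestamped signature." -f @($results).Count)
```

A self-extracting package should be audited both as the outer executable and as its extracted contents, since each file is signed separately.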
I am using a code signing certificate from Godaddy. I use the Microsoft code signing tool.
I have an application that is deployed using Microsoft iexpress. This application creates a self-extracting executable. The contents of this exe include a batch file and two msi (microsoft installer) files.
When the self-extracting exe is launched, it extracts the files and then runs the batch file.
NIS 2010 deletes the self-extracting exe as soon as it is launched. This exe is signed by the Godaddy certificate.
Please help. I need to deploy soon. We have 7000 customers awaiting this update.
The only thing I can do is signing my software (to make sure the sw is not deleted on my customers machines).
This will cost me money (if I am not mistaken).
Why should it cost me money suddenly, while previous versions of NIS have worked without problems before ?
I made an executable in Delphi 2010 which does nothing but showing an empty form, and the SONAR warning is still displayed. I send three examples (one of them producing the error, the others don't) to the NORTON upload service but haven't heard from them yet.
I understand the need for security checking, but when security software is deleting files which are no risk to the computer, the security software is malfunctioning and it should be fixed. After all, and please don't forget this, we all paid good money to receive a product which is working !
If my software is malfunctioning, I too have to fix it.
And not only that: I sell hardware and software too, and have for the last decade (and longer) told my customers that Norton is a good product. What if I send those customers my software and this software is suddenly deleted from their PC ? Who do you think they will blame ? And if Norton can delete my software, it can delete software from other vendors too. I lose all credibility.
Are there any SONAR-2 corrections in the new 17.5 update?
Yes, we have fixed a few scenarios in which false positives can occur.
You don't need to update to 17.5 just to get these fixes. SONAR updates come down as definitions and 17.1 customers have already been updated with the same defset as is present in 17.5.
Shane.
Message Edited by shane_pereira on 01-14-2010 07:16 PM
I still have a problem with Visual Studio 2008 and SONAR. Now I have NAV 17.5.0.127 and in my opinion now is worse than NAV 17.1. Because SONAR all the times remove my compilation files. Why this issue is not fixed?
I'm going to have to agree with you guys. I've currently got version 17.5.0.127 on my PC. But, whenever I want to start up M.A.M.E.32 (Multiple Arcade Machine Emulator) and this is after build #.130 to play my games, SONAR detects it and says it's a high risk application and removes it from my computer even though that should not be the case after I have SONAR excluded it from scanning it, but that doesn't work and once again removes it and classifies it as high risk. Something really should be done about this.
I still have a problem with Visual Studio 2008 and SONAR. Now I have NAV 17.5.0.127 and in my opinion now is worse than NAV 17.1. Because SONAR all the times remove my compilation files. Why this issue is not fixed?
Hi przemek,
Have you followed the steps in this post to exclude your work directories from SONAR?
Well I used to hate norton, then loved it.. now I'm about to take every box I own (all 8 of them!) and throw them in the compactor.
Not giving the user SOME method to force a file to be excluded is just plain wrong. Even if I had to create a text file of some sort with filenames and some sort of hash code would be acceptable if annoying.
I've several applications that I've written for myself and my family.. mostly small stuff to synchronize file settings and whatnot... they all are gone...and NIS is only on ONE PC! It actually reached through the network, saw them on my other workgroups and eliminated them whenever I tried to replace them.
Furthermore you cannot seem to specify a network location in the exclusion window?? What kind of junk is that? It won't accept UNC paths at all from what I can gather. I didn't bother trying to map the drive to a letter because I'm about to uninstall and purchase something else... hell even Windows firewall is better than this at this point.
I really, really hope Symantec is considering adding some sort of 'total exclusion' ability with SONAR, sure it's somewhat risky if someone excludes the wrong item.. but the LEGITIMATE uses of such a feature should dictate the feature request.
I'm so upset right now that I have to spend next weekend doing tech support for family members, I cannot imagine the headaches this has caused for the software companies.
SONAR = Symantec of the 90's.. good intentions.. horrible implementation.
Oh and I just have to comment on this particular gem:
"In order to guarantee that your application will not be deleted by SONAR, we suggest that you code-sign your executable using a Code Signing certificate from a reputable certificate authority. Here are some links on Code Signing and its advantages:"
So basically Symantec is saying.. If you don't want our product to delete YOUR product.. you have to pay our partner approx 1k for the privilege. Total crap. In fact.. isn't this the sort of 'ad-ware'/'malware' that Symantec is supposed to PROTECT us from???
Perhaps the complaint here will get exquisitely customized attention if "termination with extreme prejudice" by Sonar is considered from the legal side: it is intrinsically anti-competitive, favouring as it does the established to the merciless exclusion of the innovator. Isn't the core concept of "reputation" itself an anticompetitive conceit, whose logical extreme is "buy Microsoft or we'll snuff it out"?
I had great difficulty installing Vaita's OsaSync update last week - Sonar or something like it popped up from NIS2010 & kiboshed it. If 9 of 10 upgraders haven't the persistence & sophistication to brave over-riding the dire warnings, OsaSync's user base will collapse by an order of magnitude. I reverted to MobileMe sync for my calendars & contacts for a couple of days. Apple won. I understand Apple is somewhat larger than the Vaita. If Symantec confers with the "majors" in testing compatibility, could one be forgiven for inferring collusive/oppressive intent?
Like I said, "at the risk". My intent is simply to sow sensitivity at Symantec - NIS2010 is an outstanding product, but its attempt at proactive interdiction of novelty is ill conceived. On the contrary, no one could complain if it simply popped up with "Dude, that app has only been downloaded by 3 other guys, and you're picking it up from Ebola.com...".
The problem seems to be worse with NIS 17.5.0.127. It is bad to have to go through the process of restoring the executable from the Quarantine. It is even worse when you have to do it two or three times in a row, even after using the option to exempt the executable file from future scans.
I am beginning to lose patience with Symantec. I lost hundreds of Excel files in the summer, thanks to the "Bloodhound heuristic 252" debacle, and Symantec did not help at all. Now, my executables get deleted by "Sonar" (at least they did not decide to delete the underlying source code [dangerous stuff!] without a warning). This reinforces my complaint that NIS has wrecked more of my files than any virus attack.
Hello, I'm an amateur programmer from Japan. I write some simple tools for our products, such as a USB device read/write tool.
The language I am using is C# with some Windows APIs like WriteFile(), RegisterDeviceNotification()...
As you experienced, I upgraded my Norton 2009 to 2010 this month, and when I updated my software (compiled and executed), SONAR appeared and told me the software is "behaving suspiciously". At first I thought my PC was polluted by viruses, so I completely scanned my PC and recompiled my program... nothing changed.
I can uninstall Norton 2010 but it never ends; if our customers saw that warning, I can make a bet that they would be scared and believe something is wrong with my software, not Norton.
Even if customers would call me and ask if my software is safe, I can't tell them that "it is 100% safe, trust me!" clearly because I can't know if the user's PC is really being attacked by viruses.
So, the thing I'm trying to do is finding a solution in programming to avoid the warning. I hope Symantec can offer a guide to developers to tell us what we should do in programming.
Of course, if Norton 2010 can kill Sonar itself, it would be the best solution; I don't believe they will do that.
Well I used to hate norton, then loved it.. now I'm about to take every box I own (all 8 of them!) and throw them in the compactor.
Not giving the user SOME method to force a file to be excluded is just plain wrong. Even if I had to create a text file of some sort with filenames and some sort of hash code would be acceptable if annoying.
Hi DaGnome - I tend to think that your idea has merit, but I would go a bit further.
It should make no difference where an excluded file is located in order for that file to remain safe and untouched.
Further, I do not think NIS should do anything to one's system that the user cannot undo. It is not my belief that Symantec knows what is best for me -- only I can decide that.
I am a software developer (still using VB6). Recently, I noticed that Sonar was moving my deployment package (setup.exe) into the quarantine bin. It should be noted that Sonar did not delete anything. I should also mention that the setup.exe file consisted of several Microsoft Installer packages (msi) and a batch file. Everything, including the application exe, msi files (which contained the application), and the final deployment package setup.exe were signed with a Godaddy code signing certificate.
Evidently, the Godaddy certificate is a "class 2" certificate. Currently, Sonar only ignores files signed with a "class 3" certificate.
After reading my post here, a Symantec tech support agent contacted me. I sent them a copy of my "setup.exe" file and they then "whitelisted" the file. I currently have about 7,000 users to which this file has been sent.
As a developer, I would like to learn more about how Sonar identifies potentially dangerous files. So far, I have only experienced this problem with ONE specific application. Maybe it is because I am still using VB6. Can we start a list of files and/or file types and/or the application that created the file that Sonar is moving?
Perhaps you're not familiar with most development environments, but rarely do people store items on a local HD for development, so the solution posted above does not work since you cannot exclude UNC Path drives, and thus I am unable to protect my working folders.. (Even mapped drives convert to the UNC path it seems)
Furthermore, it appears you can only Exclude files once they are quarantined.
Thus I had to explain to someone today to install the program.. wait for NIS to remove it.. then go back in quarantine and restore it and tell it not to delete it ever again. The question was posted to me "What if the file does get infected by something else?" To that I had no response and it shouldn't have to be whitelisted in the first place.
Still awaiting a more permanent solution before I install NIS on my other machines.