SONAR out of control

In NIS 2010 SONAR is out of my control!  It simply deleted a file and requires me to reboot.  I do not see anyt way to tell it to restore this file.  It is ccrypt (ccrrypt.sf.net) which I have used for years and is no threat at all under clamAV or Malwarebytes, etc., etc.

 

How can I control this, other than shutting it off completely!  Unfortunately, shutting off SONAR permanently shows up as unprotected (red Xin tray icon).

 

In other words, only SONAR low threats can be restored from Quarantine and marked to be not scanned.  The high threats can be simply (like in this case) that only two users reported its use to Symantec.

 

I have to wait until the machine reboots to get this file of Quarantine!

Message Edited by ingber on 09-09-2009 01:28 PM
Message Edited by ingber on 09-09-2009 01:31 PM

Hi ingber,

 

We are currently looking into this issue.

 

Thanks,

Barrett

Message Edited by BarrettBaxter on 09-09-2009 03:42 PM

not a solution, but maybe helps...

 

Click on the small "i" next the Sonar protection  and then choose IGNORE, turn off Sonar and you will have no red X cross in GUI.

 

pic1

 

pic2

 

SaLaDiN:

 

Yes, this is a good temp solution.

 

A more permanent solution would be the choice to override High Threat SONAR removal (which require reboots) of files, similar to how Low Threat SONAR files can be treated (which of course I turned off since even the High Threats make no sense).  SONAR is a poor heruistic at this time, as evidenced by the criteria for removal of ccrypt.exe -- it is not know well enough to Norton!

 

Of coruse, other **known** threats can still be removed by Norton.

 

Thanks.

 

Lester

Just to update, this file has been processed and the issue should be resolved within the next 24 hours.

 

Thanks for bringing it to our attention and sorry for any inconvenience!

Message Edited by BarrettBaxter on 09-09-2009 05:18 PM

This is the kind of repsonse that keeps me a customer.  At least the problem is being addressed.

 

Thanks.

 

Lester

NIS 2010 and Sonar 2 are new projects, just give Symantec more time to resolve these FP´s. Rome was not built in a day :smileywink:

The best thing, what we can do, is just to report this FP´s to Symantec.

Yes, Rome was not built in a day, but if you weren't a member of the ruling class your life surely was miserable!

 

When new Norton projects are so introduced, I do not think their most intense actions should be defaults.  The user should be able choose or modify such actions.  Most of us are end-users, not alpha or beta testers.

 

Thanks.

 

Lester

If the reports are also handled like this Another threat not detected! then surely nothing much happens :smileysurprised:

Hey, thats a fast reaction on this SONAR issue! nortons is working hard to make us happy---- i like this. :smileyvery-happy:

I am still having issues also, but worst with this build than b127.  When I recompile a Visual Fortran file SONAR deletes it when I try to run it.  Before I could do a restore on the file and SONAR would leave it alone(as long as I did not recompile it), now it is deleting it every time and the ‘ignore this file’ is doing nothing.


Easternokie wrote:
I am still having issues also, but worst with this build than b127.  When I recompile a Visual Fortran file SONAR deletes it when I try to run it.  Before I could do a restore on the file and SONAR would leave it alone(as long as I did not recompile it), now it is deleting it every time and the 'ignore this file' is doing nothing.

so the SONER is removing things all the time?

Sorry I meaned the SONAR . excuse my french :smileysurprised:

I take it back.  Setting SOANR to Ignore does not work.  It still prevents me from running my own executables and scripts -- at High Threat in Unresolved  means I have to reboot just to get files into Quarantine so I can restore them and exclude them.  Of course they do not show up in exclusions so I was sent a hotfix to get them into exclude, so this does not keep repeating!!  -- but this is only useful after I reboot to then see the files in Quarantine!!!!  (Yes, as many "!"'s as I care to put.)

 

I cannot do my work by rebooting after I run each executable.  I'm a scientist and a developer of my own C codes and I can;t go through this nonsense all day long.

 

If this is not cleared up in a day ro so, I will just have to uninstall and drop NIS and go to another anti-virus vendor.   I can;t spend time developing NIS which looks like it is in alpha.  I don't even want to take time now to Spell check this.

 

Lester

Message Edited by ingber on 09-09-2009 07:28 PM

These issues are elaborated on further in http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=71304 .

 

Lester

Hi ingber,

 

Please follow the stepsthat I send you via PM.

 

Let us know how you get on.

 

Thanks,

 

TomV

Norton Forums Moderator

Symantec Corporation

Message Edited by Tony_Weiss on 09-10-2009 01:41 PM

TomV:

 

Yes, I installed that hotfix.  However, this still does not address the false postive SONAR High Threats which place issues in Unresolved and require a reboot to see such files in Quarantine, and only then can these files be restored and excluded from future SONAR scans. 

 

There are no Options as there are for Low Threats to make this choice without rebooting.  Furthermore, since I compile a lot of my own executables and scripts (as do many developers and researchers), many files are not "recognized" by SONAR which seems to be a key issue in its determining (false positive) High Threats.  This means I would be constantly rebooting all day just to get a long exclusion list (with the hotfix).

 

So, I have to turn Off AND Ignore SONAR and hope that works.  I also hope that the regular Idle Full Scan does not also find such false postiives based on no-recognition, not based on established risks.  I also have added an entire large folder and sub-folders under C:\cygwin (a full Unix system -- see cygwin.com) under both Scan Exclusions and Auto-Protect Exclusions.  This all is pretty drastic, since C:\cygwin contains not only the Cygwin files but my own work covering 25 years and over one million files which now are not ideally protected.

 

Do you understand what I am saying?

 

Thanks.

 

Lester

Message Edited by ingber on 09-10-2009 06:48 AM
Message Edited by ingber on 09-10-2009 07:06 AM

Hi inbger,

 

Can you tell me your cCrypt file Version? You can find it under your program files\cCrypt\cCrypt.exe. I need the detailed version, such as 6.1.1.0.

 

Thanks.

 

This main problem was identified and reported on the day before official release of nis by me in this thread

http://community.norton.com/norton/board/message?board.id=nis2010_pb&thread.id=6702

 

But main problem was ignored by Symantec. So, i have a request to take steps on a complaint right away instead of waiting for 5 to 10 customers to complain.

David:

 

I'm running ccrypt 1.9.  I tested this latest version for Peter (the developer) on half a dozen different platforms.

 

I think you still do not believe me about the real problem.  I think the problem is that SONAR classifies just about anything a High Threat that it does not recognize.  It does not use any information about known viriuses or sypware, etc.  Such problems of course then arise when compiling many new executable, e.g., using gcc.  I could live with such a heuristic classifying something as unknown or as a Low Threat which Norton has immediate Options to override to restore and exclude from future scans.

 

However -- and read this again please (I've written this about half a dozen times, but it does not seem to register, and so this is positively the last time I will say this) -- Norton SONAR processes High Threats as Unresolved, and requires a reboot.  Only after the reboot  does the file show up under Quarantine, when Options are availiable to restore and exclude from scans.

 

Since I have many files of the one milllion files I have developed under Unix/Cygwin that would be unknown to SONAR, I would be constantly rebooting to get all these files excluded from scanning.  I have no choice now but to turn off SONAR completely AND to exclude all of c:/cygwin from scans.

 

Do you understand the depth of the problem now?

 

Thanks.

 

Lester

Message Edited by ingber on 09-11-2009 07:08 AM