I would really like for Norton products to show detailed information on SONAR detections. As it is now we only get information about that a file was blocked by SONAR but nothing about why.
It would be a killer feature to see more details like what triggered the detection (reading a file, opening a TCP connection, accessing a specific URI resource etc). Showing more information would also help users to make a qualified guess if the SONAR detection is correct or not; ex users might have a better idea of what their programs are supposed do than SONAR, especially advanced users.
As reference/example one could consider ThreatExpert which displays detailed information on what a program is doing.
I would really like for Norton products to show detailed information on SONAR detections. As it is now we only get information about that a file was blocked by SONAR but nothing about why.
It would be a killer feature to see more details like what triggered the detection (reading a file, opening a TCP connection, accessing a specific URI resource etc). Showing more information would also help users to make a qualified guess if the SONAR detection is correct or not; ex users might have a better idea of what their programs are supposed do than SONAR, especially advanced users.
As reference/example one could consider ThreatExpert which displays detailed information on what a program is doing.
This already exists at the File/Threat Insight UI under the “Actions” tab but the text is not as user friendly. We plan to fix this for 2011. Did you check the Actions tab in File/Threat Insight?
> This already exists at the File/Threat Insight UI under the "Actions" tab but the text is not as user friendly. We plan > to fix this for 2011. Did you check the Actions tab in File/Threat Insight?
I did notice this button when I used file insight on files from the right-click menu, but I never knew that Sonar would put its info in here. Isn't it illogical that you have to use "File Insigh" on a file to see what actions it performed even though the file was removed by Norton? Normally I use file insight from the right-click menu so this is kind of counter intuitive to me.
think you really have to rethink how you display the Sonar information, because I don't think it's logical that you have to browse the Norton history, find the file it put in quarantine, click on another button to open the File Insight dialog for the quarantined file and then use the dropdown menu in the File Insight dialog to actually see what the file did.
Half of my suggestion was about the presentation of information - that is, the information should be presented before Norton blocks the file (or at least this should be a setting) so users can actually view the relevant data right on screen whenever sonar activity occurs and don't have to dig deep into the logs and whatever else to find it. I think the ability to show Sonar info is of great advertising value to Norton so by not making it easily accessible is to me like you're shooting yourself in the foot.
I have also noticed that Norton often does not give any information to why a file was detected by SONAR. For example I have a file that Norton just blocked with SONAR, and the only information in the "Actions" tab is:
"File "C:\.....\hello.exe" removed"
There are no other options than "File Actions" I can click in the dropdown box. In this case it seems Norton isn't giving me any information at all.
I did some research into this and here is what happens. File Insight provides the data that you ask for at the time of the detection and before an action is taken. See screenshots below.
However, this shows only if you don't have the SONAR detections being remediated automatically. After the action is taken we do not carry this info in History.
I agree with you this flow needs some improvement. We are considering your suggestion for our next release.
