status of SONAR High Threat automatic removal of false positives?

By now several posters have cited problems with NIS 2010 SONAR's automatic removal (with no immediate recourse to restore and exclude from future removals) of High Threats. The problem is the high number of false positives (FP), requiring a reboot after each such FP just to get the file into Quarantine, from which it can be restored. (It's not clear if removal takes place again, e.g., if a developer recompiles such executables, etc.)


Actually, it seems that the High Threat is labeled Unresolved, but the user is powerless to do anything until the next reboot, whereupon the file has been removed and placed in Quarantine. Of course, any automatic removal of a false positive that is used regularly can lead to a nightmare upon the next reboot, and it is even more risky to ignore these "insecure" warnings and let a few of these Unresolveds pile up, so one is forced to reboot every time this occurs, while trying to save a copy of the "High Threat" FP in case it is destroyed upon rebooting.


A SONAR Low Threat permits immediate automatic restoration of the file placed in Quarantine, and permits exclusion from future scans. Given the high number of FPs under High Threat, I think there should be an option to turn on to permit such user actions under High Threat.


Some Symantec staff have mentioned this is under review. What is the status?


For now, under Computer Settings, I have had to turn off SONAR completely. Since this triggers a warning of an insecure system, I also have to turn on Ignore next to its location on the main window, which effectively brings back a "secure" system (no red 'x' in the tray, and no warnings in the main window, which now has a green check).


It just might be the case that any developer or researcher that develops his/her own codes has to turn off such heuristic tools, since they largely rely on statistics developed from many users, and of course only a few users would be developing the same tools with the same file names, etc. Is this going to be the case with NIS 2010?


To further compound this, the problem I and others are having is that among such files being labeled High Threat are very standard Cygwin (cygwin.com) files. I have run full scans on our computers, with SONAR off, on C:\cygwin\, with NIS, Malwarebytes, ClamAV, etc., and no problems have shown up at all. (On one computer, under cygwin\ with a few entries added to Cygwin, there were 300,000 files, and on another PC there were more added files totaling 850,000 files directly under cygwin\.) Clearly, these SONAR removals are all FPs. Except for a couple of low threats with tracking cookies under the Idle Full Scan, no problems surfaced there as well.


Thanks.


Lester

Message Edited by ingber on 09-17-2009 09:54 AM
Message Edited by ingber on 09-17-2009 09:55 AM