SONAR (Symantec)

SONAR is the abbreviation for Symantec Online Network for Advanced Response. Unlike virus signatures, SONAR examines the behavior of applications to decide whether they are malicious. SONAR is built upon technology Symantec acquired in its late 2005 purchase of WholeSecurity, a developer of behavioral anti-malware and anti-phishing software solutions in the United States.

How it works
An algorithm is used to evaluate hundreds of attributes relating to software running on a computer. Various factors are considered before determining that a program is malicious, such as if the program adds a shortcut on the desktop or creates a Windows Add/Remove programs entry. Both of those factors would indicate the program is not malware. The main use of SONAR is to enhance detection of zero day threats. Symantec claims SONAR can also prevent attackers from leveraging unpatched software vulnerabilities.

Ed Kim, director of product management at Symantec, expressed confidence in SONAR, "We've done extensive testing on emerging threats, and it catches early threats and variants of existing threats."

History
Symantec already had a behavior analysis security tool for enterprises, known as Critical System Protection. SONAR was introduced to serve the consumer antivirus market.

SONAR 1
SONAR was first offered as an add-on for Norton AntiVirus 2007 and Norton Internet Security 2007; subsequent annual editions of the Norton line have had SONAR, as well.

SONAR 2
SONAR 2 is part of Norton 2010 and Norton 360 v.4 antivirus software. According to the company, this version leverages data from more sources, including reputation data about a program. Therefore, SONAR 2 is able to more accurately detect security risks than it was before.

SONAR 3
SONAR 3 came with the Norton 2011 public beta. It is available for Norton 2010 customers with legitimate subscriptions through updates, Norton 2011 customers, and Norton 360 v.5 public beta users. According to the company, SONAR 3 is fine-tuned to better detect fake antivirus software and is better integrated with the network component. They advise: "In SONAR 3 we have further enhanced our integration with the network component in order to classify, convict, and remediate malware on the basis of its malicious network activity. With this feature in place, we will continue to block and remove many new variants of malware that leave their network footprint unchanged." According to Symantec it is now monitoring about 400 aspects of each application to determine whether it is safe or harmful.

SONAR 4
SONAR 4 was introduced with the 2012 BETA versions. According to a Norton Protection Blog post in the Norton Community, titled "What's new in Norton Internet Security 2012": "With 2012 we are introducing SONAR Policy Enforcement – We now have the ability to convict a suspicious process based on a behavioral “profile.” To create these profiles, an analyst looks at the 500+ attributes that SONAR tracks and make a series of associations. For example, let’s say a particular process tried to access the system folder and tried to call home, but does not have any running UI. Also, it downloaded more than 15 files the previous day.  Any one of these things alone may not be “bad” but taken as a whole, the behavioral profile is bad. The analyst will therefore make a rule that says if we see this string of behaviors, then we should stop the process from executing. Doing all of this is a big deal—we aren’t just looking at what the process does on your computer, we are also looking at its communication characteristics!

Sonar 4.0 also introduces protection against Non Process Threats (NPTs). As the name suggests, these threats are not active processes by themselves, but they inject themselves into legitimate active processes. SONAR 4.0 technology is able to much more aggressively remove threats on pre-infected machines."