SONAR is the abbreviation for Symantec Online Network for Advanced Response. Unlike virus signatures, SONAR examines the behavior of applications to decide whether they are malicious. SONAR is built upon technology Symantec acquired in its late 2005 purchase of WholeSecurity,[1] a developer of behavioral anti-malware and anti-phishing software in the United States.[2]
How it works
An algorithm is used to evaluate hundreds of attributes relating to software running on a computer. Various factors are considered before determining that a program is malicious, such as if the program adds a shortcut on the desktop or creates a Windows Add/Remove programs entry. Both of those factors would indicate the program is not malware.[1] The main use of SONAR is to enhance detection of zero day threats. Symantec claims SONAR can also prevent attackers from leveraging unpatched software vulnerabilities.[3]
Ed Kim, director of product management at Symantec, expressed confidence in SONAR, "We've done extensive testing on emerging threats, and it catches early threats and variants of existing threats."[4]
History
Symantec already had a behavior analysis security tool for enterprises, known as Critical System Protection. SONAR was introduced to serve the consumer antivirus market.
SONAR 1
SONAR was first offered as an add-on for Norton AntiVirus 2007 and Norton Internet Security 2007; subsequent annual editions of the Norton line have had SONAR, as well.[3]
SONAR 2
SONAR 2 is part of Norton 2010 and Norton 360 v.4 antivirus software. According to the company, this version leverages data from more sources, including reputation data about a program. Therefore, SONAR 2 is able to more accurately detect security risks than it was before.
SONAR 3
SONAR 3 came with the Norton 2011 public beta. It is available for Norton 2010 customers with legitimate subscriptions through updates, Norton 2011 customers, and Norton 360 v.5 public beta users. According to the company, SONAR 3 is fine-tuned to better detect fake antivirus software and is better integrated with the network component.
References
- Harris, Janet. Symantec Behaviour-based Security For Consumers Security Watch, January 19, 2007, retrieved July 10, 2009^
- Press Release: Symantec To Acquire WholeSecurity Symantec, 2005^
- McMillan, Robert. Symantec to use SONAR to find zero-day attacks