
Sonar protection is not fixed what to do. SONAR is behavior based protection. Enabling Network Drive Protection

Millions of users are tricked into opening malware that masquerades as video players or anti-virus products that don't offer what they claim to do, but infect the user's computer and force them to pay for features that don't exist.

Drive-by downloads and common web attacks silently infect users visiting popular sites. Some programs install rootkits or inject malicious code into system processes. Modern malware can easily bypass file protection, which is no longer sufficient to protect the end user.

Why behavior-based protection?

In 2010, Symantec detected over 286 million malware variants and blocked over 3 billion attacks. With the continued growth of malware and its variants, Symantec saw the need to create an innovative approach that would prevent malicious infections - automatically and silently, no matter what the user is doing and how the virus entered their system. Insight Reputation Technology and Symantec's behavioral technology, Symantec Online Network for Advanced Response (SONAR), are two of these approaches.

Behavior-based protection is more cost-effective than file-based heuristics because it can evaluate programs at large scale, both malicious and benign, at the same time.

Behavior-based protection provides effective and non-invasive protection against zero-day threats. SONAR is a threat protection solution that is based on the behavior of threats, not their "appearance". SONAR is Symantec's core behavior-based protection engine: a classifier engine based on artificial intelligence, authored behavioral signatures, and policy-based behavioral blocking. All of these components come together to provide the best threat protection in the security industry.

The main areas of protection provided by Symantec behavioral technology are:

- Targeted attacks, including Advanced Persistent Threats (APT), trojans, spyware, keyloggers, and general zero-day threats;
- Drive-by downloads, web attacks;
- Social engineering attacks: FakeAV (fake antiviruses), malicious key generators and codecs;
- Bots and botnets;
- Non-Process and Injected Threats (NPTs);
- Threats of "zero day";
- Threats missed by other layers of protection;
- Threats using rootkit techniques.

In what cases is behavioral protection carried out?

Regardless of whether the user launches a malicious application intentionally or it attempts to install itself automatically, SONAR blocks the program in real time after it has been launched and/or tries to inject itself into running processes (NPT technology). Providing protection against Hydraq/Aurora, Stuxnet, and malware such as Tidserv and ZeroAccess, it has established itself as one of the most important endpoint security technologies.

How does it work? Classification engine based on artificial intelligence

Symantec has one of the largest behavioral profile databases in the world, with approximately 1.2 billion application instances. By analyzing the behavior of good and bad files using machine learning, Symantec is able to create profiles for applications that have not yet been created. Based on almost 1400 different behavioral attributes and the rich context that the company receives from other components such as Insight, IPS, AV engine, SONAR classification is able to quickly detect malicious behavior and take action to stop malicious applications before they cause damage. In 2011, over 586 million DLL executables and applications were analyzed using SONAR technology.

Non-process Based Threat Protection

Modern threats are not always separate executable files. Often, they try to hide by injecting themselves into well-known running processes, applications or other components, thereby hiding their malicious activity under the guise of trusted processes (for example, system ones) or trusted applications. As an example, when a malicious application is executed, it may inject malicious code into running processes such as explorer.exe (Desktop shell process) or iexplore.exe (Internet Explorer browser), or register malicious components as extensions for such applications. SONAR prevents the execution of code injected into the target process by classifying the source attempting to inject. It also classifies and optionally stops malicious code loaded into a target or trusted process.

Behavior Blocking Policy

Drive-by downloads work by exploiting vulnerabilities in browser plug-ins such as Adobe Reader, Oracle Sun Java, and Adobe Flash. Once such a download has found a vulnerability, it can use the affected application for its own purposes, i.e. to launch any other application. By creating a Behavior Blocking policy definition, Symantec can block malicious behaviors such as "Adobe Acrobat must not create other executable files" or "This DLL is not allowed to be injected into the explorer.exe process", thereby protecting the system. This can be described as policy- and rule-based behavior blocking. These SONAR policies/definitions are created by the Symantec STAR team, are automatically enabled in blocking mode, and do not require management. This prevents suspicious behavior by "good" applications and automatically protects users.

Behavioral Policy Enforcement (BPE) signatures

The ability to evolve with ever-evolving threats is an integral part of SONAR technology, so the protection of Symantec's products has the ability to focus on the threats of tomorrow, even before the day has come. When Symantec detects a new threat family, such as new rootkits, Trojans, FakeAV, or other types of malware, it can create new behavioral signatures to detect such threat families and deliver them with updates. Therefore, it is absolutely not necessary for a company to update the code of the product itself. These are the so-called SONAR Enforcement Policy behavioral signatures. These signatures can be written, tested, and delivered to the user fairly quickly, and they are what give SONAR the "flexibility" and "adaptability" that allows it to respond to certain classes of emerging threats while having a very low false positive rate.

So how do BPE signatures work?

Let's take a look at the application that is being launched for execution.

1) It creates certain components in the TEMP directory
2) It adds its entries to the registry
3) It changes the hosts file
4) It has no interface
5) It opens connections on "high" ports

None of these behaviors is "bad" in and of itself, but taken as a whole the behavioral profile is regarded as bad. The STAR analyst creates a rule that specifies that if there is a particular sequence of behavior for executables with certain Insight Reputation characteristics, then the product should stop the process and roll back the changes. SONAR is able to create a virtual sandbox around an infected, but completely legitimate application, and thus can prevent any malicious actions of an infected application that can harm a user's computer. This is a completely new paradigm in the field of end-user protection. It works by using data that shows the actions of the application rather than its appearance.
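The rule logic described above, as an added illustration (not Symantec's signature format or code): a toy evaluator that fires only when all five listed behaviors occur together for a process whose reputation is not trusted, and returns the changes to roll back in reverse order. Event names, tag names, reputation labels and the port threshold are assumptions, and the events are constructed.

```python
from dataclasses import dataclass, field

HIGH_PORT_MIN = 1024  # assumption: "high" means above the well-known port range
MUTATING = {"file_create", "file_write", "reg_set"}  # changes a rollback must undo

# Rule in the spirit of the five-step profile above; tag names are illustrative.
RULE = {
    "required": {"temp_drop", "registry_write", "hosts_change", "no_ui", "high_port"},
    "reputations": {"unknown", "bad"},  # hypothetical reputation labels
}

# Constructed telemetry: (pid, action, detail). Not a real product log format.
SAMPLE_EVENTS = [
    (4120, "file_create", r"C:\Users\alice\AppData\Local\Temp\component.exe"),
    (4120, "reg_set", r"HKCU\Software\ExampleVendor\Updater"),
    (4120, "file_write", r"C:\Windows\System32\drivers\etc\hosts"),
    (4120, "net_connect", "203.0.113.7:49233"),
    (5300, "file_create", r"C:\Users\alice\AppData\Local\Temp\setup.log"),
    (5300, "window_create", "Setup wizard"),
    (5300, "reg_set", r"HKCU\Software\ExampleApp\InstallDir"),
]
SAMPLE_REPUTATION = {4120: "unknown", 5300: "good"}


@dataclass
class Profile:
    behaviors: set = field(default_factory=set)   # tags seen for this process
    has_ui: bool = False                          # any window ever created?
    changes: list = field(default_factory=list)   # ordered system modifications


def tag(action, detail):
    """Map one raw event to a behavior tag, or None if it is not of interest."""
    d = detail.lower()
    if action == "file_create" and "\\temp\\" in d:
        return "temp_drop"
    if action == "reg_set":
        return "registry_write"
    if action == "file_write" and d.endswith("\\drivers\\etc\\hosts"):
        return "hosts_change"
    if action == "net_connect" and int(d.rsplit(":", 1)[1]) >= HIGH_PORT_MIN:
        return "high_port"
    return None


def build_profiles(events):
    """Accumulate a per-process behavioral profile from the event stream."""
    profiles = {}
    for pid, action, detail in events:
        p = profiles.setdefault(pid, Profile())
        if action == "window_create":
            p.has_ui = True
        t = tag(action, detail)
        if t:
            p.behaviors.add(t)
        if action in MUTATING:
            p.changes.append((action, detail))
    return profiles


def evaluate(profile, reputation, rule=RULE):
    """Return (verdict, rollback list); no single behavior is enough to block."""
    observed = set(profile.behaviors)
    if not profile.has_ui:
        observed.add("no_ui")  # derived: absence of any window event
    if rule["required"] <= observed and reputation in rule["reputations"]:
        return "block_and_rollback", list(reversed(profile.changes))
    return "allow", []


def verdicts(events, reputation):
    """Verdict per pid; a process with no reputation entry counts as unknown."""
    return {pid: evaluate(p, reputation.get(pid, "unknown"))[0]
            for pid, p in build_profiles(events).items()}


if __name__ == "__main__":
    for pid, p in build_profiles(SAMPLE_EVENTS).items():
        print(pid, *evaluate(p, SAMPLE_REPUTATION[pid]))
```

The installer-like process (pid 5300) shares two of the five behaviors with the suspicious one but is allowed, which is the point of combining the profile with reputation instead of alerting on individual actions.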

Automatic Recovery of Malicious Files Using the Sandbox

Real-time behavior-based protection monitors and sandboxes applications, processes, and events as they happen. System changes can be undone to prevent malicious activity.

Monitor applications and processes in real time

SONAR monitors and protects over 1400 aspects of all running applications, DLLs and processes, providing real-time protection as they run.

STAR Intelligence Communication Bus

SONAR protection technology does not work on its own. The engine communicates with other security services using the STAR Intelligence Communication Bus (STAR ICB) protocol. The Network IPS engine connects to the Symantec SONAR engine and then to the Insight Reputation engine. This allows more informative and accurate protection, which almost no other product can provide.

According to Symantec

The Symantec Online Network for Advanced Response (SONAR) feature detects new threats by analyzing file characteristics. It detects malicious code before virus definitions are available in LiveUpdate, providing protection against additional threats.

To use real-time SONAR protection, your computer must be connected to the Internet.

If necessary, you can change the SONAR settings, including advanced mode settings and network drive protection.

To ensure the security of network drives, it is recommended that network drive protection is always enabled.

Enabling Network Drive Protection

    Open the Automatic protection tab, find the SONAR Protection section and move the slider in the row Network drive protection to the On position.

SONAR categorizes threats as more or less certain based on their behavior. By default, SONAR blocks threats with high confidence. For low-certainty threats, you can choose to block all threats or send notifications that allow you to decide whether to block each specific threat. It is enough to resolve the threat once to no longer receive notifications about the detection of similar threats from SONAR.

Setting up advanced SONAR mode

    Open the Automatic protection tab, go to the SONAR Protection section and look for the line Advanced SONAR Mode:

    • If you want to block high-certainty threats and allow low-certainty threats, move the switch to the Off position.

    • If you want to block threats with high confidence and receive notifications of threats with low confidence, move the switch to the Automatic position.

    • If you want to block threats with high confidence and receive notifications for threats with low confidence and few suspicious characteristics, move the switch to the Aggressive position.

      This value corresponds to high sensitivity and may lead to false positives for legitimate files. It is recommended only for experienced users.

By default, SONAR only blocks high-certainty threats. SONAR protection settings can be changed to either block all threats or prompt the user to decide about detected low-confidence threats.

Configuring Automatic Threat Removal

    Open the Automatic protection tab, go to the Advanced SONAR Mode section and find the line Automatic removal of threats:

    • Only undeniable threats.

      To customize how the program behaves when a threat is detected, move the button to the Ask me position.

By default, SONAR blocks threats with high confidence only when the computer is idle. SONAR protection settings can be changed to remove all threats or prompt the user to decide about detected low-confidence threats.

Configuring removal of threats in the absence of a user:

    Open the Automatic protection tab, go to the Advanced SONAR Mode section and find the line Removing threats if I'm not there:

    • If you want to block all threats, move the switch to the Always position.

    • If you only want to block high-certainty threats, move the switch to Only undeniable threats.

    • To ignore threats while you're away, move the switch to the Ignore position.

Using the "Show notifications about SONAR blocks" option, you can enable or disable notifications when threats are blocked by SONAR protection. For example, you can turn off notifications when you watch a movie or play in full screen mode.

Setting the display of SONAR block notifications:

    Open the Automatic protection tab, go to the Advanced SONAR Mode section and find the line Show SONAR block notifications:

    • To receive notifications about all threats blocked by SONAR, move the switch to the Show all position.

    • To disable notifications while keeping the ability to view information about blocked threats in the Security Log, move the switch to the Log only position.

      To open the Security Log, go to the main Norton window, double-click the Security icon, and select History.

Operating systems:

  • Windows XP (32-bit) Service Pack 2 or later
  • Windows Vista (32 or 64 bit)
  • Windows 7 (32 or 64 bit)

Hardware:

  • 300 MHz processor or higher
  • 256 MB RAM (512 MB for Recovery Tool)
  • 300 MB free hard disk space
  • DVD or CD drive (if network connectivity is not available)

Supported email clients:

  • Outlook 2002 and later
  • Outlook Express 6.0 and later
  • Windows Mail and other standard clients (spam filtering only)

Supported Browsers:

  • Microsoft Internet Explorer 6.0 and later (32-bit version only)
  • Mozilla Firefox 3.0 or later

Core technologies of Norton Internet Security 2010:

  • Protection against viruses, rootkits, bots and spyware
  • Norton Safe Web
  • Smart Firewall
  • Protection of personal information
  • Instant updates
  • Network monitoring
  • Parental control
  • Vulnerability Protection
  • Norton Insight Network
  • Norton Download Insight
  • Professional spam protection
  • Norton File Insight
  • Norton Threat Insight
  • SONAR 2 heuristic protection
  • Norton System Insight

Main advantages of Norton Internet Security 2010:

  • Norton Insight Network reputation intelligence technology that improves response time and protection against the latest malware.
  • Prevention of identity theft, detection of viruses, spyware, bots.
  • Predictive SONAR 2 protection technology.
  • Highlighting unsafe websites in search results.
  • Updated network protection Smart Firewall.
  • Norton Insight technologies to reduce the load on the system during operation.

Functionality

Norton Internet Security 2010 has many new features, and the previous ones have been significantly improved. Intelligent protection has been extended with five new components. With Norton Safe Web, unsafe sites are now highlighted in the browser right on the web search results page.

The new Norton IdentitySafe On-the-Go technology is a kind of analogue of password managers, with the only difference that access to passwords and other personal data is possible from any computer where Internet Security is installed. All downloaded files and applications are pre-screened and opened only after they are found safe.

The product has excellent spam protection based on proven technology used by leading manufacturers. The parental control module restricts children's access to unwanted Internet resources. These are all new technologies. The old ones remained, but underwent significant improvements.

The Norton IdentitySafe feature remembers and securely stores personal data entered in the browser and automatically fills out forms on sites if necessary. It integrates into the most common browsers, Firefox and Internet Explorer, and at the same time does not allow malware to intercept the input data.

Built-in vulnerability detection reveals and fixes vulnerabilities in the operating system and applications installed on the computer. If malware prevents the computer from booting normally, the Norton Bootable Recovery Tool helps to deal with it.

Performance has been greatly improved. System resources are used very sparingly. The Norton Insight feature allows you to check only those files that can really pose some kind of danger to the computer and the data stored on it. This saves a lot of scanning time. The amount of RAM used has also been reduced. Downloading, copying, editing files, and installing applications are now even faster. Norton System Insight graphs resource usage, optimizes and keeps your computer running at peak performance.

One of the major technological innovations in Norton Antivirus and Norton Internet Security 2010 is the in-the-cloud reputation technology Norton Insight Network. It connects to Symantec's so-called Global Safety Net and uses its database to detect the latest types of malware.

Norton Internet Security 2010 includes the updated heuristic technology SONAR 2 (Symantec Online Network for Advanced Response, version 2), which monitors and analyzes suspicious program actions on the system.

The new version has also been supplemented with a number of components that provide reputational information about threats and files downloaded from the network:

  • Norton Download Insight warns about dangerous objects even before they are fully loaded.
  • Norton Threat Insight notifies about the detection of threats, provides information about them and how to eliminate them.
  • Norton File Insight displays the source of files and applications, their reliability, and the extent to which they affect the performance of your computer.

It is worth paying attention to the instant pulse update technology, Norton Pulse Updates, which allows you to keep anti-virus databases up to date by downloading small portions of updates every 5-15 minutes.

The product includes Norton Bootable Recovery Tool as an ISO file to be written to a blank CD-R disc. This is an emergency recovery disk that runs before the operating system loads.

There are also additional possibilities. Every month the program generates a report containing information about all the events that occurred on the computer during this period.

Technical support is provided free of charge, including by phone. However, it is available only on weekdays during the daytime.


Testing

Installation

The distribution kit weighs relatively little - 80 MB (30 MB without AV databases). The product was installed on a test machine with a 3 GHz processor and 512 MB of RAM. Operating system - Windows XP SP3.

The interface of the main window is designed in corporate black and yellow colors.

After accepting the license agreement, an automatic installation takes place, during which no questions are asked. However, immediately after installation, the first problems began. At the time of the initial launch, the activation window opened, and a notification about a script error appeared on top of it:

Pressing the "Yes" or "No" buttons turned out to be useless - the error occurred again and again (most likely related to the use of Internet Explorer 6). Then I had to click on the "Next" button several times. In this case, some pages were clearly skipped. The error disappeared, and a form for entering an e-mail address appeared:

Test at work

Finally, the activation is completed successfully and the main window of Norton Internet Security 2010 is displayed on the screen:

On the left side of the Norton Internet Security 2010 window, there are two columns that display the current processor load and how performance is affected by the antivirus complex itself. It was only necessary to move the cursor over the links and buttons of the main window, as the performance indicator went off scale (apparently, this is due to the use of a virtual machine):

After running a quick scan, the system loading indicator in Norton Internet Security 2010 increased in readings:

If you leave the cursor motionless and run a full scan, then the processor is loaded by no more than 10%.

The computer settings in the Norton Internet Security 2010 interface, where you can configure protection against viruses and other threats, looks like this:

The next tab configures computer protection against threats coming from the network:

Next, configure the settings for additional protection when surfing the web. This item is responsible for managing personal data, phishing protection, components of Norton Download Insight, Norton Safe Web, etc.

The "Other Options" tab looks like this:

And the last tab of Norton Internet Security 2010 settings allows you to manage privacy and parental controls:

Parental controls in Norton Internet Security 2010 are not installed automatically during installation. To do this, you need to follow a special link in the product settings (see above).

When opening the Yandex page, the Norton IdentitySafe module was activated - it was proposed to create a new user profile:

The module is responsible for automatic filling of forms on websites. For additional security, you must enter a password, without which this function will be blocked:

The user profile was created without problems, and the already existing autofill data was imported from the browser:

The developers of the interface of Norton Internet Security 2010 used drop-down windows in the architecture of the main window of the program, which is much more convenient than the separate tabs used in antivirus products from other companies:

At the end of a quick scan, spyware cookies were detected in the browser:

Norton Internet Security 2010 removed suspicious files and also offered to delete them automatically afterwards:

The default settings in Norton Internet Security 2010 provide silent operation - the user is not asked numerous questions. This is exactly how an antivirus product should work - quietly and imperceptibly.

After repeated attempts to copy the Trojan to the desktop, a copy error occurred. The antivirus silently did not allow you to perform any actions with it. You could learn about the work done from the security log:

The Vulnerability Scan component in Norton Internet Security 2010 does not analyze the applications installed on the system and does not show which updates need to be installed, without providing the user with real assistance, but rather automatically protects against all currently known errors in the software of numerous manufacturers. This feature window lists all programs known to have vulnerabilities at Symantec.

When everything was ready, a window with a home network map opened:

In the "Internet" section, you can manage your personal data:

For example, set a password for a specific site, which will then be automatically entered into the appropriate form:

In the personal data management settings, it is possible to create a personal user card:

By clicking on the "Performance" link next to the rotary arrow in the main window of Norton Internet Security 2010, there is a spectacular transition to a window with performance graphs (general system load and the impact of protection itself):

The window of the Norton Insight component designed to optimize the operation of the antivirus, which we wrote about at the beginning, looks like this:

The Norton Insight list shows all currently running processes (there is also an option to view all running applications and other options). The lines change their color depending on the rating of a particular application. There are programs that can be completely trusted, and there are those that have less reliability.

After each update, you can additionally open another window and see what exactly was loaded:

It is worth noting the extensive reference guide for the program. Absolutely any question on all components will be answered there without outside help.

Finally, I wanted to show what the Norton Account service looks like.

After authorization on the site, you can go to your personal page indicating the products used, activation codes. On the adjacent tabs, account management and password change. Unfortunately, not a single attempt to log into your account through the Opera browser failed.

Price

As for the price, it is quite acceptable for most users. A subscription to Norton Internet Security 2010 for one and two years costs 1590 and 2290 rubles respectively. For Norton AntiVirus 2010, it is 990 rubles and 1390 rubles for one and two years of subscription, respectively.


Conclusions

Pros:

  • The product copes perfectly with all existing types of computer threats, including unknown ones, with minimal impact on performance.
  • Widespread use of reputational "cloud" technologies, which allow not only to improve the level of protection, but also to reduce the overall load on the system.
  • Updates every 5-15 minutes - previously, the company's products were updated less frequently.
  • SONAR 2's heuristic protection is a significant step in the evolution of this vendor's proactive protection.
  • A significant plus is support for 32- and 64-bit versions of the Windows 7 operating system, which is scheduled for release on October 20th.

Cons:

  • Poor quality translation into Russian. In the help, in the components and on the site, you can easily find phrases like "Blocks phishing websites."
  • Technical support works only during the day and only on weekdays. At the same time, domestic companies often provide it around the clock and seven days a week.
  • The most annoying problems are related to the web service. Activation was successful, but with many errors, despite the use of Internet Explorer 6, which is supported in the system requirements.

Sometimes SONAR.EXE and other EXE system errors can be related to problems in the Windows registry. Several programs can use the SONAR.EXE file, but when those programs are uninstalled or changed, sometimes "orphaned" (invalid) EXE registry entries are left behind.

Basically, this means that while the actual path to the file may have been changed, its incorrect former location is still recorded in the Windows registry. When Windows tries looking up these incorrect file references (file locations on your PC), SONAR.EXE errors can occur. In addition, malware infection may have corrupted the registry entries associated with Guide to Hacking Software Security 2002. Thus, these invalid EXE registry entries need to be repaired to fix the root of the problem.

Manually editing the Windows registry to remove invalid SONAR.EXE keys is not recommended unless you are a PC service professional. Mistakes made while editing the registry can render your PC unusable and cause irreparable damage to your operating system. In fact, even a single comma in the wrong place can prevent your computer from booting up!

Because of this risk, we highly recommend using a trusted registry cleaner such as %%product%% (Developed by Microsoft Gold Certified Partner) to scan and repair any SONAR.EXE-related registry problems. Using a registry cleaner automates the process of finding invalid registry entries, missing file references (like the one causing your SONAR.EXE error), and broken links within the registry. A backup copy is automatically created before each scan, allowing you to undo any changes with a single click and protecting you from possible damage to your computer. The best part is that fixing registry errors can drastically improve system speed and performance.


Warning: Unless you are an advanced PC user, we do NOT recommend manually editing the Windows Registry. Incorrect use of the Registry Editor can lead to serious problems and require you to reinstall Windows. We do not guarantee that problems resulting from misuse of Registry Editor can be resolved. You use the Registry Editor at your own risk.

To manually repair your Windows registry, first you need to create a backup by exporting a portion of the registry related to SONAR.EXE (eg. Guide to Hacking Software Security 2002):

  1. Click the Start button.
  2. Type "command" in the search bar. DO NOT PRESS ENTER YET!
  3. While holding the CTRL-Shift keys on the keyboard, press ENTER.
  4. An access dialog will be displayed.
  5. Click Yes.
  6. A black box opens with a blinking cursor.
  7. Type "regedit" and press ENTER.
  8. In the Registry Editor, select the SONAR.EXE-related key (eg. Guide to Hacking Software Security 2002) you want to back up.
  9. On the File menu, select Export.
  10. In the Save to list, select the folder where you want to save the backup copy of the Guide to Hacking Software Security 2002 key.
  11. In the File name field, enter a name for the backup file, such as "Guide to Hacking Software Security 2002 Backup".
  12. Make sure that Selected branch is selected in the Export range field.
  13. Click Save.
  14. The file will be saved with a .reg extension.
  15. You now have a backup of your SONAR.EXE-related registry entry.

The next steps for manually editing the registry will not be covered in this article, as they are likely to damage your system. If you would like more information on editing the registry manually, please see the links below.
