04.08.2020

SONAR - Behavior-Based Protection. Enabling Network Drive Protection


Millions of users are tricked into running malware that masquerades as video players or antivirus products; these programs do not provide the advertised capabilities but instead infect the user's computer and charge for non-existent functionality.

Drive-by downloads and common web attacks silently infect users who visit popular sites. Some programs install rootkits or inject malicious code into system processes. Modern malware easily bypasses file-based protection, which is no longer sufficient to protect the end user.

Why Behavioral Defense?

In 2010, Symantec discovered over 286 million variants of malware and blocked over 3 billion attacks. With the continued growth of malware and its variants, Symantec saw the need for an innovative approach to prevent malware infections — automatically and silently, no matter what the user was doing or how the virus entered their system. Insight Reputation Technology and Symantec Online Network for Advanced Response (SONAR) behavioral technology from Symantec are two of these approaches.

Behavior-based protection is more cost-effective than file-based heuristics because it can evaluate large numbers of programs, both malicious and benign, at the same time.

Behavior-based protection provides effective and non-invasive protection against zero-day threats. SONAR is a threat protection solution that judges a threat by its behavior, not by its "appearance". SONAR is Symantec's premier behavior-based protection engine: a classification engine powered by artificial intelligence, proprietary behavioral signatures, and policy-based behavioral blocking. All of these components work together to provide industry-leading threat protection.

The main areas of protection that Symantec behavioral technology provides are:

- Targeted attacks, including Advanced Persistent Threats (APT), Trojans, spyware, keyloggers and general zero-day threats;
- Drive-by downloads and web attacks;
- "Social engineering" attacks: FakeAV (fake antiviruses), malicious key generators and codecs;
- Bots and botnets;
- Non-Process and Injected Threats (NPTs);
- Zero-day threats;
- Threats missed by other layers of protection;
- Threats using rootkit techniques.

When is behavioral protection carried out?

Whether the user deliberately launches a malicious application or it attempts to install itself automatically, SONAR blocks the program in real time once it has started and/or tries to inject itself into running processes (NPT technology). Having provided protection against Hydraq/Aurora, Stuxnet and malware such as Tidserv and ZeroAccess, it has established itself as one of the most important endpoint protection technologies.

How does it work? An artificial-intelligence-based classification engine

Symantec has built one of the largest behavioral profile databases in the world, with nearly 1.2 billion application instances. By analyzing the behavior of good and bad files with machine learning methods, Symantec is able to create profiles even for applications that do not yet exist. Relying on nearly 1,400 different behavioral attributes and the rich context that the company receives from other components such as Insight, IPS and the AV engine, the SONAR classifier can quickly detect malicious behavior and act to stop malicious applications before they cause damage. In 2011, over 586 million executable DLLs and applications were analyzed using SONAR technology.

Non-process Based Threat Protection

Modern threats are not always separate executable files. Often they try to hide by injecting themselves into well-known running processes, applications or other components, concealing their malicious activity under the guise of trusted processes (for example, system processes) or trusted applications. For example, when a malicious application executes, it can inject malicious code into running processes such as explorer.exe (the desktop shell process) or iexplore.exe (the Internet Explorer browser), or register malicious components as extensions for such applications. SONAR prevents the execution of code injected into the target process by classifying the source that is trying to inject. It also classifies and, if necessary, stops malicious code from being loaded into the target or trusted process.

Behavioral blocking policy

Drive-by downloads work by exploiting vulnerabilities in browser plugins such as Adobe Reader, Oracle Sun Java and Adobe Flash. Once such a download has exploited a vulnerability, it can use the vulnerable application for its own purposes, for example to launch another application. By creating a behavior blocking policy definition, Symantec can block malicious behaviors such as "Adobe Acrobat must not create other executables" or "This DLL is not allowed to inject into the explorer.exe process", thereby protecting the system. This can be described as policy-based and rule-based behavior blocking. These SONAR policies/definitions are created by the Symantec STAR team; they block automatically and require no management, preventing suspicious behavior from otherwise good applications and protecting users automatically.

Behavioral Policy Enforcement (BPE) signatures

The ability to evolve in response to ever-changing threats is an integral part of SONAR technology, so the protection in Symantec's products can target the threats of tomorrow before that day arrives. When Symantec detects a new family of threats, such as new rootkits, Trojans, FakeAV or other types of malware, it can create new behavioral signatures to detect that family and deliver them with regular updates, so the product code itself does not need to be updated. These are the so-called SONAR Behavioral Policy Enforcement signatures. They can be written, tested and delivered fairly quickly, and they give SONAR the "flexibility" and "adaptability" to respond to some classes of emerging threats while keeping false positives at a very low level.

So how do BPE signatures work?

Consider an application that is launched for execution and does the following:

1) Creates specific components in the TEMP directory
2) Adds its own entries to the registry
3) Modifies the hosts file
4) Has no user interface
5) Opens connections on "high" ports

None of these behaviors is necessarily "bad" on its own, but taken together the behavioral profile is regarded as bad. A STAR analyst creates a rule stating that if a certain sequence of behaviors is observed for an executable with certain Insight Reputation characteristics, the product should stop the process and roll back its changes. SONAR is able to create a virtual sandbox around an infected but legitimate application and thus prevent any malicious actions by the infected application that could harm the user's computer. This is a completely new paradigm for end-user protection: it works from data that shows what the application does, rather than what it looks like.
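The two rule kinds just described, policy-based blocking ("Adobe Acrobat must not create other executables") and a BPE-style behavior profile gated on a reputation score, as an added Python illustration that is not Symantec's code. The behavior names, the 0-100 reputation score standing in for Insight, the process names and the rules are all constructed for the example.

```python
# Added example (not Symantec code): a toy behavior-correlation engine for the two rule kinds above.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Behaviors whose effects the engine knows how to undo (the "roll back the changes" step).
REVERSIBLE = {"write_temp": "delete_file", "registry_autorun": "delete_key",
              "modify_hosts": "restore_file"}

@dataclass(frozen=True)
class Event:
    pid: int
    image: str            # executable image name, e.g. "update.exe" (constructed)
    action: str           # observed behavior, e.g. "modify_hosts" (constructed names)
    target: str = ""      # object touched (path, registry key, port)
    reputation: int = 50  # constructed Insight-like score: 0 unknown .. 100 trusted

@dataclass(frozen=True)
class PolicyRule:          # policy-based blocking: "image must never perform action"
    name: str
    image: str
    forbidden_action: str
    target: Optional[str] = None   # None matches any target

@dataclass(frozen=True)
class ProfileRule:         # BPE-style signature: behaviors seen together + low reputation
    name: str
    required: frozenset
    max_reputation: int

@dataclass
class ProcessProfile:
    image: str
    reputation: int
    behaviors: Set[str] = field(default_factory=set)
    changes: List[Tuple[str, str]] = field(default_factory=list)  # (action, target)

class BehaviorEngine:
    def __init__(self, policies: List[PolicyRule], profiles: List[ProfileRule]):
        self.policies, self.profiles = policies, profiles
        self.processes: Dict[int, ProcessProfile] = {}
        self.verdicts: List[dict] = []

    def observe(self, ev: Event) -> str:
        """Feed one event; returns 'allow', 'block' or 'block+rollback'."""
        prof = self.processes.setdefault(ev.pid, ProcessProfile(ev.image, ev.reputation))
        # 1) A policy rule fires on a single forbidden action, whatever the reputation.
        for p in self.policies:
            if (p.image == ev.image and p.forbidden_action == ev.action
                    and p.target in (None, ev.target)):
                self.verdicts.append({"pid": ev.pid, "rule": p.name, "action": "block"})
                return "block"
        # 2) Otherwise record the behavior, and how to undo it, in the process profile.
        prof.behaviors.add(ev.action)
        if ev.action in REVERSIBLE:
            prof.changes.append((ev.action, ev.target))
        # 3) A profile rule fires only when ALL its behaviors are present AND reputation is low.
        for r in self.profiles:
            if r.required <= prof.behaviors and prof.reputation <= r.max_reputation:
                undo = self.rollback(prof)
                self.verdicts.append({"pid": ev.pid, "rule": r.name,
                                      "action": "block+rollback", "undo": undo})
                return "block+rollback"
        return "allow"

    @staticmethod
    def rollback(prof: ProcessProfile) -> List[str]:
        # Undo the recorded changes newest-first and return the undo actions taken.
        undo = [f"{REVERSIBLE[a]} {t}" for a, t in reversed(prof.changes)]
        prof.changes.clear()
        return undo

def demo() -> dict:
    """Three constructed scenarios: unknown dropper, trusted installer, Acrobat policy hit."""
    engine = BehaviorEngine(
        policies=[PolicyRule("acrobat-no-executables", "AcroRd32.exe", "create_executable")],
        profiles=[ProfileRule("dropper-profile", frozenset(
            ["write_temp", "registry_autorun", "modify_hosts", "no_ui", "listen_high_port"]), 30)])
    steps = [("write_temp", r"C:\Temp\svc.dll"),
             ("registry_autorun", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
             ("modify_hosts", r"C:\Windows\System32\drivers\etc\hosts"),
             ("no_ui", ""), ("listen_high_port", "tcp/49152")]
    low = [engine.observe(Event(1, "update.exe", a, t, 10)) for a, t in steps]     # reputation 10
    high = [engine.observe(Event(2, "installer.exe", a, t, 95)) for a, t in steps] # same acts, trusted
    pdf = engine.observe(Event(3, "AcroRd32.exe", "create_executable", r"C:\Temp\a.exe", 90))
    return {"low": low, "high": high, "pdf": pdf, "verdicts": engine.verdicts}
```

The trusted installer performs exactly the same five actions as the unknown file and is left alone, which is the reputation gate the text describes; the dropper is blocked only on the fifth event, and its file, registry and hosts changes are undone in reverse order.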

Automatic recovery from malicious files using a sandbox

Real-time behavior-based protection monitors and sandboxes applications, processes and events as they happen. System changes can be reversed to prevent malicious activity.

Real-time monitoring of applications and processes

SONAR monitors and protects over 1,400 aspects of all running applications, DLL files and processes, providing real-time protection as they run.

STAR Intelligence Communication Bus

SONAR protection technology does not work in isolation. The engine communicates with other security services using the STAR Intelligence Communication Bus (STAR ICB) protocol. The Network IPS engine connects to the Symantec SONAR engine and then to the Insight Reputation engine. This allows for more informed and accurate protection that virtually no other product can provide.

Based on materials from Symantec

Supported operating systems:

  • Windows XP (32-bit) Service Pack 2 or later
  • Windows Vista (32- or 64-bit)
  • Windows 7 (32- or 64-bit)

Hardware:

  • 300 MHz or faster processor
  • 256 MB of RAM (512 MB for Recovery Tool)
  • 300 MB free hard disk space
  • DVD or CD drive (if there is no network connectivity)

Supported email clients:

  • Outlook 2002 and later
  • Outlook Express 6.0 and later
  • Windows Mail and other standard clients (spam filtering only)

Supported browsers:

  • Microsoft Internet Explorer 6.0 and later (32-bit only)
  • Mozilla Firefox 3.0 or later

Core technologies of Norton Internet Security 2010:

  • Protection against viruses, rootkits, bots and spyware
  • Norton Safe Web
  • Smart Firewall
  • Protection of personal information
  • Instant updates
  • Network monitoring
  • Parental control
  • Vulnerability protection
  • Norton Insight Network
  • Norton Download Insight
  • Professional spam protection
  • Norton File Insight
  • Norton Threat Insight
  • SONAR 2 heuristic protection
  • Norton System Insight

Key benefits of Norton Internet Security 2010:

  • The Norton Insight Network's intelligent reputation technology improves responsiveness and protects against the latest malware.
  • Prevention of identity theft; detection of viruses, spyware and bots.
  • SONAR 2 proactive protection technology.
  • Highlighting of unsafe websites in search results.
  • Updated Smart Firewall network protection.
  • Norton Insight technologies that reduce the load on the system during operation.

Features

Norton Internet Security 2010 has many new features, and the previous ones have been significantly improved. Intelligent protection has gained five new components. Thanks to Norton Safe Web, unsafe sites are now highlighted in the browser right on the web search results page.

The new Norton IdentitySafe On-the-Go technology is a kind of password manager, with the difference that passwords and other personal data can be accessed from any computer where Internet Security is installed. All downloads and applications are checked in advance and open only after they are deemed safe.

The product implements excellent spam protection using proven technology that is used by leading vendors. The parental control module restricts children's access to unwanted Internet resources. These are all new technologies; the old ones remain but have undergone significant improvements.

The Norton IdentitySafe function remembers and securely stores personal data entered in the browser and automatically fills in forms on websites when needed. It integrates into the most common browsers, Firefox and Internet Explorer, and at the same time prevents malware from intercepting the entered data.

Built-in vulnerability detection finds and fixes vulnerabilities in the operating system and in the applications installed on the computer. If malware prevents the computer from booting normally, the Norton Bootable Recovery Tool helps to deal with it.

Performance has been greatly improved, and system resources are used very economically. The Norton Insight function scans only those files that can actually pose a danger to the computer and the data stored on it, which saves a lot of scanning time. The amount of RAM used has also been reduced. Downloading, copying and editing files and installing applications are now even faster. Norton System Insight charts resource utilization and optimizes and maintains maximum computer performance.

One of the major technological innovations in Norton AntiVirus and Norton Internet Security 2010 is the cloud-based reputation technology Norton Insight Network. It connects to the so-called Symantec global security network and uses its database to detect the latest types of malware.

Norton Internet Security 2010 also features the updated heuristic technology SONAR 2 (Symantec Online Network for Advanced Response, version 2), which monitors and analyzes suspicious program activity on the system.

The new release is also supplemented with a number of components that provide reputation information about threats and about files downloaded from the network:

  • Norton Download Insight warns of dangerous objects even before they are fully loaded.
  • Norton Threat Insight notifies about detected threats, provides information about them and how to eliminate them.
  • Norton File Insight displays the source of files and applications, their reliability, and the extent to which they affect computer performance.

Also noteworthy is the Norton Pulse Updates instant-update technology, which keeps the antivirus databases current by downloading small update increments every 5-15 minutes.

The product includes the Norton Bootable Recovery Tool as an ISO file to be burned to a blank CD-R disc. This is a rescue disk that runs before the operating system boots.

There are additional features as well. Every month the program generates a report containing information about all events that occurred on the computer during that period.

Technical support is provided free of charge, including by phone, but only on weekdays during daytime hours.


Testing

Installation

The distribution kit is relatively small: 80 MB (30 MB without the AV databases). The product was installed on a test machine with a 3 GHz processor and 512 MB of RAM running Windows XP SP3.

The interface of the main window is designed in corporate black and yellow colors.

After the license agreement is accepted, installation proceeds automatically and asks no questions. However, the first problems began immediately after installation. On the first launch the activation window opened, and a script error notification appeared on top of it:

Clicking the "Yes" or "No" buttons was useless; the error occurred over and over again (most likely related to the use of Internet Explorer 6). Then I had to click the "Next" button several times, and some pages were clearly skipped in the process. The error disappeared, and a form for entering an e-mail address appeared:

Test in operation

Finally, activation is completed successfully and the main window of Norton Internet Security 2010 is displayed:

On the left side of the Norton Internet Security 2010 window there are two columns that display the current processor load and how much the antivirus suite itself affects performance. As soon as the cursor moved over the links and buttons of the main window, the performance indicator went off the scale (apparently because a virtual machine was used):

After running a quick scan, the system load indicator in Norton Internet Security 2010 rose:

If the cursor is left still and a full scan is started, processor load does not exceed 10%.

The Computer settings in the Norton Internet Security 2010 interface, where protection against viruses and other threats is configured, look like this:

The next tab configures the protection of your computer against threats emanating from the network:

The next tab configures additional protection while surfing the web. It covers personal data management, anti-phishing protection, the Norton Download Insight and Norton Safe Web components, etc.

The Other Options tab looks like this:

The last tab of the Norton Internet Security 2010 settings allows you to manage privacy and parental controls:

Parental Controls in Norton Internet Security 2010 are not installed automatically during installation. To install them, follow the dedicated link in the product settings (see above).

When the Yandex page was opened, the Norton IdentitySafe module activated and offered to create a new user profile:

The module handles automatic form filling on websites. For additional security a password must be entered; without it this function is blocked:

The user profile was created without any problems, and the already existing autofill data was imported from the browser:

The developers of the Norton Internet Security 2010 interface used drop-down panels within the main program window, which is much more convenient than the separate tabs used in other companies' antivirus products:

At the end of the quick scan, spyware cookies were found in the browser:

Norton Internet Security 2010 deleted the suspicious files and also offered to delete such files automatically in the future:

The default settings in Norton Internet Security 2010 are designed for silent operation; the user is not pestered with repeated questions. This is how an antivirus product should work: quietly and unnoticed.

Repeated attempts to copy the trojan to the desktop ended in a copy error. The antivirus silently prevented any action on the file. What it had done could be learned from the security log:

The Vulnerability Scan component in Norton Internet Security 2010 does not analyze the applications installed on the system and does not show which updates need to be installed; the window for this function simply lists all programs with vulnerabilities known to Symantec.

When everything was ready, a window with a home network map opened:

In the "Internet" section, you can manage your personal data:

For example, set a password for a specific site, which will then be automatically substituted into the appropriate form:

In the settings for managing personal data, it is possible to create a personal user card:

Clicking the "Performance" link next to the rotating arrow in the main Norton Internet Security 2010 window produces an eye-catching transition to the window with performance graphs (total system load and the impact of protection):

The window of the Norton Insight component, which optimizes the antivirus's work and which was described at the beginning, looks like this:

All currently running processes are displayed in the Norton Insight list (all running applications and other views are also available). The rows are colored according to the rating of each application: some programs can be fully trusted, others are less reliable.

After each update, you can additionally open another window and see what exactly was downloaded:

The program's extensive help guide is also worth noting: it answers practically any question about every component without outside assistance.

Finally, I would like to show what the Norton Account service looks like.

After logging in on the site, you can open your personal page, which lists the products in use and their activation codes. Adjacent tabs handle account management and password changes. Unfortunately, no attempt to log into the account through the Opera browser was successful.

Price

The price is quite acceptable for most users. A subscription to Norton Internet Security 2010 costs 1590 rubles for one year and 2290 rubles for two years; Norton AntiVirus 2010 costs 990 rubles and 1390 rubles for one and two years, respectively.


Conclusions

Pros:

  • The product copes perfectly with all existing types of computer threats, including unknown ones, with minimal impact on performance.
  • Extensive use of reputation-based "cloud" technologies, which not only improve the level of protection but also reduce the overall load on the system.
  • Updates every 5-15 minutes; earlier the company's products were updated less frequently.
  • SONAR 2 heuristic protection is a significant step in the evolution of this vendor's proactive protection.
  • A significant plus is support for the 32- and 64-bit versions of Windows 7, which is slated for release on October 20.

Cons:

  • The Russian translation is of insufficient quality. Phrases like "Blocks phishing websites" are easy to come across in the help, in components and on the site.
  • Technical support works only during the day and only on weekdays, whereas domestic companies often provide it around the clock, seven days a week.
  • The most annoying problems are related to the web service. Activation succeeded, but with many errors, despite the use of Internet Explorer 6, which the system requirements list as supported.

Sometimes SONAR.EXE errors and other EXE system errors may be related to problems in the Windows registry. Several programs can share the same SONAR.EXE file, but when these programs are uninstalled or changed, orphaned (invalid) EXE registry entries are sometimes left behind.

Basically, this means that while the actual path to the file may have changed, its incorrect former location is still recorded in the Windows registry. When Windows tries to look up these incorrect file references (file locations on your PC), SONAR.EXE errors can occur. In addition, a malware infection may have corrupted the registry entries associated with Guide to Hacking Software Security 2002. These invalid EXE registry entries therefore need to be repaired to fix the root of the problem.

Manually editing the Windows registry to remove invalid SONAR.EXE keys is not recommended unless you are a PC service professional. Mistakes made while editing the registry can cause your PC to malfunction and cause irreparable damage to your operating system. In fact, even a single comma in the wrong place can prevent your computer from booting!

Because of this risk, we highly recommend using a reliable registry cleaning tool such as %% product %% (developed by a Microsoft Gold Certified Partner) to scan and repair any SONAR.EXE-related problems. Using a registry cleaner automates the process of finding invalid registry entries, missing file references (like the one causing your SONAR.EXE error) and broken links within the registry. Before each scan a backup copy is created, which allows you to undo any changes with one click and protects you from possible damage to your computer. The best part is that eliminating registry errors can dramatically improve system speed and performance.


Warning: Unless you are an experienced PC user, we do NOT recommend manually editing the Windows registry. Incorrect use of Registry Editor can lead to serious problems and require Windows to be reinstalled. We do not guarantee that problems resulting from improper use of Registry Editor can be fixed. Your use of the Registry Editor is at your own risk.

Before manually restoring the Windows registry, you need to create a backup by exporting the portion of the registry related to SONAR.EXE (e.g. Guide to Hacking Software Security 2002):

  1. Click the Start button.
  2. Type "command" in the search bar. DO NOT PRESS ENTER YET!
  3. While holding CTRL-Shift on the keyboard, press ENTER.
  4. A permission dialog box will be displayed.
  5. Click Yes.
  6. A black window with a blinking cursor opens.
  7. Type "regedit" and press ENTER.
  8. In the Registry Editor, select the SONAR.EXE-related key (e.g. Guide to Hacking Software Security 2002) that you want to back up.
  9. On the File menu, select Export.
  10. In the Save in list, select the folder where you want to save the Guide to Hacking Software Security 2002 backup key.
  11. In the File name field, type a name for your backup file, such as "Guide to Hacking Software Security 2002 Backup".
  12. Make sure that Selected branch is selected in the Export range box.
  13. Click Save.
  14. The file will be saved with the .reg extension.
  15. You now have a backup of your SONAR.EXE-related registry entry.

The next steps for manually editing the registry will not be described in this article, as they can most likely damage your system. If you would like more information on manually editing the registry, please see the links below.

Symantec Online Network for Advanced Response (SONAR) detects new threats by analyzing file characteristics. It detects malicious code before virus definitions are available in LiveUpdate, providing protection against additional threats.

To use SONAR's real-time protection, your computer must be connected to the Internet.

You can change the SONAR settings as needed, including Advanced Mode and Network Drive Protection settings.

To ensure the security of network drives, it is recommended that network drive protection be always enabled.

Enabling network drive protection

    Open the Automatic Protection tab, find the SONAR Protection section and move the Network Drive Protection slider to the On position.

SONAR classifies threats as having higher or lower confidence based on their behavior. By default, SONAR blocks threats with high confidence. For threats with low confidence, you can choose to block all threats or send notifications so that you can decide whether to block each specific threat. You only need to resolve the threat once to no longer receive notifications of similar threats from SONAR.

Setting up SONAR Advanced Mode

    Open the Automatic Protection tab, go to the SONAR Protection section and find the Advanced SONAR Mode line:

    • To block high-confidence threats and resolve low-confidence threats, move the switch to the Off position.
    • To block high-confidence threats and receive notifications about low-confidence threats, move the switch to the Automatic position.
    • To block high-confidence threats and receive notifications about low-confidence threats with few suspicious characteristics, move the switch to the Aggressive position.

      This setting corresponds to high sensitivity and can cause false positives on valid files. It is recommended for advanced users only.

By default, SONAR only blocks high confidence threats. You can change SONAR's security settings to block all threats or to prompt the user to make low-confidence decisions about detected threats.

Configuring automatic threat removal

    Open the Automatic Protection tab, go to the Advanced SONAR Mode section and find the Automatically remove threats line:

    • To remove only high-confidence threats, move the switch to the Only undoubted threats position.
    • To decide yourself how the application behaves when a threat is detected, move the switch to the Ask me position.

By default, SONAR blocks high-confidence threats only when your computer is not in use. You can modify SONAR's protection settings to remove all threats or prompt the user to make a low-confidence decision regarding detected threats.

Configuring the removal of threats while the user is away:

    Open the Automatic Protection tab, go to the Advanced SONAR Mode section and find the Remove threats if I'm away line:

    • To block all threats, move the switch to the Always position.
    • To block only high-confidence threats, move the switch to the Only undoubted threats position.
    • To ignore threats while you are away, move the switch to the Ignore position.

Use the Show SONAR Block Notifications option to turn notifications on or off when threats are blocked by SONAR protection. For example, you can turn off notifications while watching a movie or playing a game in full screen.

Configuring the display of SONAR block notifications:

    Open the Automatic Protection tab, go to the Advanced SONAR Mode section and find the Show SONAR Block Notifications line:

    • To be notified of every threat that SONAR blocks, move the switch to the Show All position.
    • To disable notifications while keeping the ability to view information about blocked threats in the Security History window, move the switch to the Log only position.

      To open the Security History, go to the main Norton window, double-click the Security icon, and select History.

