SONAR is the abbreviation for Symantec Online Network for Advanced Response. Unlike virus signatures, SONAR examines the behavior of applications to decide whether they are malicious. SONAR is built upon technology Symantec acquired in its late 2005 purchase of WholeSecurity, a developer of behavioral anti-malware and anti-phishing software solutions in the United States.
How it works
An algorithm evaluates hundreds of attributes of the software running on a computer. Various factors are considered before a program is judged malicious, such as whether the program adds a shortcut on the desktop or creates a Windows Add/Remove Programs entry; both of those factors would indicate the program is not malware. The main use of SONAR is to enhance detection of zero-day threats. Symantec claims SONAR can also prevent attackers from leveraging unpatched software vulnerabilities.
Ed Kim, director of product management at Symantec, expressed confidence in SONAR, "We've done extensive testing on emerging threats, and it catches early threats and variants of existing threats."
Symantec already had a behavior analysis security tool for enterprises, known as Critical System Protection. SONAR, on the other hand, is aimed at the consumer antivirus market. It was available as an add-on for Norton AntiVirus 2007 and Norton Internet Security 2007. The Norton 2008 to 2012 product lines include SONAR.
SONAR 2 is part of Norton 2010 and Norton 360 v.4 antivirus software. According to the company, this version leverages data from more sources, including reputation data about a program. SONAR 2 detects security risks more accurately than the previous version.
SONAR 3 came with the Norton 2011 public beta. It is currently available to Norton 2010 customers with legitimate subscriptions through an update, to Norton 2011 customers, and to Norton 360 v.5 public beta users. SONAR 3 is fine-tuned to better detect fake antivirus software, and it is better integrated with the network component. "In SONAR 3 we have further enhanced our integration with the network component in order to classify, convict, and remediate malware on the basis of its malicious network activity. With this feature in place, we will continue to block and remove many new variants of malware that leave their network footprint unchanged." According to Symantec, it now monitors about 400 aspects of each application to determine whether it is safe or harmful.
SONAR 4 was introduced with the 2012 beta versions. The Norton Protection Blog post "What's new in Norton 2012" describes it as follows:
"With 2012 we are introducing SONAR Policy Enforcement – We now have the ability to convict a suspicious process based on a behavioral “profile.” To create these profiles, an analyst looks at the 500+ attributes that SONAR tracks and make a series of associations. For example, let’s say a particular process tried to access the system folder and tried to call home, but does not have any running UI. Also, it downloaded more than 15 files the previous day. Any one of these things alone may not be “bad” but taken as a whole, the behavioral profile is bad. The analyst will therefore make a rule that says if we see this string of behaviors, then we should stop the process from executing. Doing all of this is a big deal--we aren’t just looking at what the process does on your computer, we are also looking at its communication characteristics!
Sonar 4.0 also introduces protection against Non Process Threats (NPTs). As the name suggests, these threats are not active processes by themselves, but they inject themselves into legitimate active processes. SONAR 4.0 technology is able to much more aggressively remove threats on pre-infected machines."
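The behavioral profile in the quoted passage can be read as a conjunction of attributes in which no single attribute convicts on its own. The sketch below is an added example, not Symantec's code or part of the cited blog post; the field names, process names and telemetry values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed telemetry record; field names are hypothetical, not SONAR attributes.
@dataclass(frozen=True)
class ProcessTelemetry:
    name: str
    accessed_system_folder: bool
    outbound_connection: bool      # "tried to call home"
    has_visible_ui: bool
    files_downloaded_prev_day: int

# A profile is a named conjunction of predicates: every one must hold to convict.
PROFILE_HEADLESS_DOWNLOADER = {
    "accessed system folder": lambda p: p.accessed_system_folder,
    "called home": lambda p: p.outbound_connection,
    "no running UI": lambda p: not p.has_visible_ui,
    "more than 15 downloads previous day": lambda p: p.files_downloaded_prev_day > 15,
}

def evaluate(profile, proc):
    """Return (convicted, matched, missed) for one process against one profile."""
    matched = [label for label, pred in profile.items() if pred(proc)]
    missed = [label for label in profile if label not in matched]
    return (not missed, matched, missed)

# Constructed samples: a normal updater, a near miss at the threshold, a full match.
SAMPLES = [
    ProcessTelemetry("updater.exe", True, True, True, 3),
    ProcessTelemetry("backup_agent.exe", True, True, False, 15),
    ProcessTelemetry("svch0st.exe", True, True, False, 22),
]

def convicted_names(samples=SAMPLES, profile=PROFILE_HEADLESS_DOWNLOADER):
    """Names of the processes that match every attribute of the profile."""
    return [p.name for p in samples if evaluate(profile, p)[0]]

if __name__ == "__main__":
    for p in SAMPLES:
        convicted, matched, missed = evaluate(PROFILE_HEADLESS_DOWNLOADER, p)
        verdict = "BLOCK" if convicted else "allow"
        print(f"{p.name:18} {verdict:5} matched={len(matched)}/4 missed={missed}")
```

Returning the missed attributes alongside the verdict shows how close a benign process came to the profile, which is what an analyst needs when tuning a rule against false positives.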