Information Unleashed

Symantec Statement Regarding New York Times Cyber Attack

Created: 30 Jan 2013 • 8 comments
Symantec Corp.
As a follow-up to a story run by the New York Times on Wednesday, Jan. 30, 2013 announcing they had been the target of a cyber attack, Symantec (NASDAQ: SYMC) developed the following statement:
"Advanced attacks like the ones the New York Times described in the following article underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions is not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."

Comments (8)

Serengeti:

A lot of organisations have reservations about enabling SONAR in blocking mode because of the risk of false positives and the challenges in preparing their environments for SONAR. Best practice and guidance from Symantec on how to analyse SONAR logged detections before going into blocking mode, and on how to design policy and processes to ensure reaction to FPs with minimal impact and delay, would be useful. Incidentally, the fact that there has been such a large relative increase in the number of behaviours analysed by SEP 12.1 RU2 compared to 12.1 RU1 is an indication of how SONAR is still evolving. Has this also reduced FPs?

Whilst the vast majority of PEs may not get FP'ed, organisations have significant amounts of critical in-house developed apps that need to be released at rapid turnover (daily, weekly). It is this kind of app that needs to be focussed on in Symantec advice on avoiding and dealing with FPs. Please help us turn SONAR on in blocking mode and start blocking the unknown threats that are getting past AV and IPS! But please do not advise us to submit everything to Symantec for whitelisting - there must be a more refined approach!

Mithun Sanghavi:


I agree. Antivirus software alone is not enough.

Check this Article:

Why AntiVirus is not Enough??

Hope that helps..!!

Mithun Sanghavi
Senior Consultant

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Serengeti:

The article is two years old and refers to the benefits of SEP11 vs SAV10, so not helpful. We are looking for cutting edge to try to offer something to slow the bad guys down . . .

Serengeti:

I would prefer a logical, thought-out written response, rather than URLs, given the importance of the topic and the background provided. The fact is: it is difficult for large global enterprises to apply SONAR in blocking mode without introducing operational and hence financial risk. What are Symantec doing to enable their customers to put in place the main technology that differentiates SEP 12.1 from the rest of the pack? Is there a team specialising in enabling SEP 12.1 technology for large enterprises?

Regarding your link:

How do we distinguish between SONAR (SEP 12.1) and TruScan (SEP11) entries?

abhinav_singh:

Advancements in technology are made in order to prevent advanced threats.

josh_symc:

The #1 protection engine in SEP 11 and 12.1, for efficacy, is the IPS engine. IPS uses highly generic signatures (GEB, or generic exploit blocking) that look at packets in the network stream and catch malware before it is resident on the endpoint. What's more efficient: catching malware before it hits the box, or after :)? That being said, we at Symantec recommend running the whole 12.1 protection stack on an endpoint. There are plenty of articles and best practices, which I will not point out, on the finer aspects of the matter. Suffice to say that not running 12.1 with Insight, or running AV alone without IPS in 11.x or 12.1, is placing the endpoint years back in a malware threat landscape that has changed dramatically.

12.1 adds a number of newer protection and performance features, with the Insight reputational whitelisting ability feeding AV, Download Insight, SONAR, and scanless/scan-on-idle for reducing I/O.

SONAR is the next generation (actually a couple of generations plus) of TruScan: SONAR is now real-time, heuristic and Insight-enabled.

A couple of points: you can read articles and KBs on SONAR and 12.1 best practices, but note that you can run SONAR in log mode and see exactly any FP in your environment before moving to blocking mode. With Insight enabled, SONAR has fewer FPs than TruScan, and being real-time it is more effective.

If we are convicting a file, aka an FP:

1) Run in log mode to have peace of mind and see the FP, if any, with 12.1 SONAR

2) For an FP, make an exception in SEPM

3) Add the FP to this online link

4) There exists a tool, only accessible from Symantec Support, that can be run on a directory (or directories) and send Insight anonymous data on applications/executables to the Insight Cloud to proactively vet your company's endpoints

5) Contact Symantec Support if you desire to track the URL whitelisting submission

SONAR logs are marked as SONAR, which lets you tell SONAR entries from TruScan entries. Take a look at your 12.1 endpoint: Help > View Logs > Proactive Threat Protection > View Logs > Threat Logs. Note the "Logged By" field, which states SONAR in 12.1.

In today's world, not running 12.1 powered by Insight, not running IPS, and just running AV alone, one has opened the attack surface for malware. It is effectively running endpoint security back in the 2006 days, when under 100K unique threats existed...

There exists a large body of documentation, both in the product manuals and online, on how to implement SONAR and how to handle FPs if they are seen, both at the individual level and at the larger company level. My recommendation:

- Log mode initially, till comfortable; if you see threats being caught but logged only, and low FP, then enable blocking mode

- Handle individual FPs via application exceptions on SEPM, and use the submission URL portal above

- If seeing FPs in any number, then contact Symantec Support.

With 12.1 and Insight, we would expect fewer FPs for SONAR than with TruScan and no Insight. And SONAR is a real-time protection feature, which TruScan was not. But please note that IPS is the #1 protection mechanism today.

peter ashley:
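The log-mode review the comment above recommends (run SONAR in log-only mode, separate SONAR from TruScan entries via the "Logged By" field, then decide which detections deserve a SEPM exception before switching on blocking) can be scripted over an exported log. The following is an added example, not Symantec's code or the commenter's: it assumes a CSV export whose column names ("Logged By", "Action", "Application", "Hash", "Computer Name") and sample rows are constructed for the example, and an assumed in-house build path prefix; adapt the column names to your real SEPM export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names, values and the TruScan row are an
# ASSUMPTION for this example, not the real SEPM export layout.
SAMPLE_EXPORT = """\
Event Time,Computer Name,Logged By,Action,Application,Hash
2013-01-30 09:12:01,WS-0101,SONAR,Logged,C:\\Apps\\InHouse\\ledger.exe,aa11
2013-01-30 09:12:07,WS-0102,SONAR,Logged,C:\\Apps\\InHouse\\ledger.exe,aa11
2013-01-30 09:13:22,WS-0117,SONAR,Logged,C:\\Apps\\InHouse\\ledger.exe,aa11
2013-01-30 10:05:40,WS-0055,SONAR,Logged,C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe,bb22
2013-01-30 10:40:03,WS-0078,TruScan,Logged,C:\\Temp\\old.exe,cc33
2013-01-30 11:15:09,WS-0101,SONAR,Quarantined,C:\\Users\\alice\\Downloads\\invoice.exe,dd44
"""

# Assumed location of internally built applications (hypothetical path).
IN_HOUSE_PREFIXES = ["C:\\Apps\\InHouse\\"]


def parse_export(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_in_house(path, prefixes):
    """Case-insensitive prefix match, since Windows paths are not case-sensitive."""
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in prefixes)


def triage(rows, prefixes, host_threshold=2):
    """Group SONAR detections by file hash and classify each group for review.

    Returns a dict with:
      findings        {hash: {application, hosts, actions, category}}
      skipped_truscan number of rows not logged by SONAR (e.g. SEP 11 TruScan)
      would_block     SONAR rows that were only logged, i.e. what blocking
                      mode would have stopped with the current tuning
    """
    groups = defaultdict(lambda: {"application": None, "hosts": set(), "actions": set()})
    skipped = 0
    would_block = 0
    for r in rows:
        if r["Logged By"] != "SONAR":
            skipped += 1          # TruScan or other engines are out of scope here
            continue
        if r["Action"] == "Logged":
            would_block += 1
        g = groups[r["Hash"]]
        g["application"] = r["Application"]
        g["hosts"].add(r["Computer Name"])
        g["actions"].add(r["Action"])

    findings = {}
    for h, g in groups.items():
        # A log-only detection of an in-house binary seen on several hosts is
        # the classic FP pattern worth reviewing for a SEPM application exception.
        if (is_in_house(g["application"], prefixes)
                and g["actions"] == {"Logged"}
                and len(g["hosts"]) >= host_threshold):
            category = "exception_candidate"
        else:
            category = "investigate"   # unknown origin, or already convicted
        findings[h] = {
            "application": g["application"],
            "hosts": sorted(g["hosts"]),
            "actions": sorted(g["actions"]),
            "category": category,
        }
    return {"findings": findings, "skipped_truscan": skipped, "would_block": would_block}


if __name__ == "__main__":
    report = triage(parse_export(SAMPLE_EXPORT), IN_HOUSE_PREFIXES)
    print("non-SONAR rows skipped:", report["skipped_truscan"])
    print("log-only SONAR events blocking mode would stop:", report["would_block"])
    for h, f in report["findings"].items():
        print(f"{h}  {f['category']:20} hosts={len(f['hosts'])}  {f['application']}")
```

The "exception_candidate" bucket is only a review queue: someone still has to confirm the binary came from the internal build system before adding the exception in SEPM, and anything in "investigate" should be resolved before blocking mode is enabled, since those are the events that would start being blocked.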

The following video quickly demos how easily attackers can evade signature-based AV with hacker tools, and how the latest Symantec products detect these threats.
