
SONAR False Positive

Created: 30 Oct 2012 | 11 comments

The issue described below is on all Windows XP SP3 machines and Symantec Endpoint Protection 12.1 RU1.

We have an in-house developed application that was recently changed/upgraded and deployed to about 500 machines.  What is weird is that about 75% of the machines detected the application as an (Unknown) Trojan Worm by SONAR, and the other 25% were fine with the application.  I verified that all 500 have the same policies, definitions, etc.

Is this normal for SONAR to do something like this?


.Brian

I've seen the same issue as well; your best bet is to open a support ticket with Symantec for them to investigate.

You can have your app whitelisted:

Software White-Listing Request

https://submit.symantec.com/whitelist/

You can also add the exception:

Handling and preventing SONAR false positive detections

https://www.symantec.com/business/support/index?pa...

Monitoring SONAR detection results to check for false positives

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Prindte

We created an exception which fixed the issue.  I am just curious as to why SONAR would detect it on some machines and not others.

Support could not answer my question.  Does anyone else know why this happens? 

.Brian

Did support even have an answer?


Prindte

No, support did not have an answer.  They just kept going back to asking about the exception and if that worked.

.Brian

That's unfortunate as I would think they would know or have the means to investigate a level deeper.

My thought was definitions revisions were different or the client whitelist may have not yet been updated on the clients where it was being flagged but from reading your original post, it seems all are uniform.

Aside from that, I'm not really sure and anything else would just be speculation.


Mithun Sanghavi

Hello,

Behavioral detections are based on things like

- file versioning

- digital signatures

- file size

- type of file packing/encoding used

- the age of the file

- what actions the file takes

- and more...

Few Articles on SONAR:

About SONAR

http://www.symantec.com/docs/HOWTO55254

About the files and applications that SONAR detects

http://www.symantec.com/docs/HOWTO55292

Handling and preventing SONAR false positive detections

http://www.symantec.com/docs/HOWTO55273

How Symantec Endpoint Protection uses reputation data to make decisions about files

http://www.symantec.com/docs/HOWTO55275

In case, you want to Whitelist an Application, then check this Article:

Software developer would like to add his/her software to the Symantec White-List.

http://www.symantec.com/docs/TECH132220

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
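The attributes listed above (version resource, signature, size, age, hash) can be read off a build before it goes out to 500 endpoints. The script below is an added example and is not from the thread or from Symantec; it is written for PowerShell 2.0, the version available on the Windows XP SP3 clients in the question, so it computes the hash with .NET rather than Get-FileHash (which needs PowerShell 4.0). The file path is a placeholder.

```powershell
# Added example (not from the original thread): report the file attributes that a
# behavioral/reputation engine weighs, so a build can be sanity-checked before deployment.
# Written against PowerShell 2.0 (Windows XP SP3); path below is a placeholder.
param(
    [string]$Path = "C:\Deploy\InHouseApp.exe"
)

function Get-Sha256Hex([string]$FilePath) {
    # .NET hashing works on PowerShell 2.0, where Get-FileHash does not exist
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "").ToLower()
}

$file = Get-Item -LiteralPath $Path
$sig  = Get-AuthenticodeSignature -FilePath $Path   # available since PowerShell 2.0
$ver  = $file.VersionInfo

$signer = "(none)"
if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

$report = New-Object PSObject -Property @{
    Name            = $file.Name
    SizeBytes       = $file.Length
    AgeHours        = [int]((Get-Date) - $file.LastWriteTime).TotalHours
    FileVersion     = $ver.FileVersion
    ProductVersion  = $ver.ProductVersion
    Company         = $ver.CompanyName
    SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
    Signer          = $signer
    Sha256          = Get-Sha256Hex $Path   # the value a hash-based SEP exception is keyed on
}
$report | Format-List

# Flag the attributes that most commonly make a fresh in-house build look like an
# unknown, unsigned, low-prevalence file.
if ($sig.Status -ne "Valid")  { Write-Warning "Binary is not validly signed (status: $($sig.Status))." }
if (-not $ver.CompanyName)    { Write-Warning "No CompanyName in the version resource." }
if ($report.AgeHours -lt 24)  { Write-Warning "File was built less than a day ago; reputation data will be thin." }
```

Run it once per release on the build output: the SHA-256 it prints is what a hash-based exception has to be updated to on every rebuild, and a SignatureStatus other than Valid is the first thing to fix before asking why the engine treats the file as unknown.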

Prindte

Mithun,

We have already created a hash-based exception.  This application changes fairly often (every 3 months or so), and whitelisting that frequently does not make sense.

I am going to see if our developer can digitally sign the executable that is getting quarantined, or I will try the application monitor tool.

Mithun Sanghavi

Hello,

In your case there are three things you could do:

1) Report a Suspected Erroneous Detection and Fill the Insight Dispute Submission Form by following the steps below:

  • Connect to the website: https://submit.symantec.com/false_positive/
  • Select "When installing an application" OR "While using an application" and click on NEXT
  • Select "Symantec Endpoint Protection 12.x " and click on NEXT
  • Select "SONAR (Behavioral Heuristics Detection)"
  • Click on the Button "Take me to the Insight Dispute Submission Form"
  • Fill all the important Details (* marked in red)

2) Sign your files with Class-3 digital certificates (X.509) from a Certificate Authority if you need to publish software/files.

3) Also participate in white-listing program if needed http://www.symantec.com/docs/TECH132220

Hope that helps!!!

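Option 2 above, signing the build, is the one that survives the quarterly rebuild: a hash exception is tied to one binary, whereas the signature travels with every release from the same signer. The following is an added example, not code from the thread or from Symantec, of signing a release with signtool.exe from the Windows SDK and then verifying the result the way an endpoint would. The signtool path, certificate thumbprint, timestamp server and file path are placeholders.

```powershell
# Added example (not from the original thread): sign a release build and verify the signature.
# All four values below are placeholders to be replaced with the local build environment's.
$SignTool   = "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe"
$Thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"   # code-signing cert in CurrentUser\My
$Timestamp  = "http://timestamp.example.com"               # placeholder timestamp authority URL
$Target     = "C:\Deploy\InHouseApp.exe"

# Sign with the certificate selected by thumbprint and countersign with a timestamp so the
# signature stays valid after the certificate itself expires.
& $SignTool sign /sha1 $Thumbprint /t $Timestamp /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# signtool's own check under the default Authenticode verification policy (/pa)
& $SignTool verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check with the cmdlet available on the clients (PowerShell 2.0 and later)
$sig = Get-AuthenticodeSignature -FilePath $Target
if ($sig.Status -ne "Valid") {
    throw "Authenticode status is $($sig.Status): $($sig.StatusMessage)"
}
"Signed by {0}, certificate valid until {1}" -f $sig.SignerCertificate.Subject,
                                                 $sig.SignerCertificate.NotAfter
```

Two caveats a practitioner would want: the verification must also be run on one of the actual client machines, because a chain that builds on the build server but not on the endpoint (missing intermediate or root, or a hash algorithm the client's CryptoAPI cannot validate) leaves the file effectively unsigned from the engine's point of view; and signing does not by itself remove an existing hash exception, so the per-build exception can be retired only after the signed build has been confirmed clean on a pilot group.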

.Brian

But what about an explanation as to why some clients are flagged and others are not?


Prindte

I will be talking to the person assigned to our case tomorrow.  I will be asking him about it then (again).

Mick2009

Hi Prindte, 

This article may also help:

Insight Deployment Best Practices
http://www.symantec.com/docs/DOC5077

With thanks and best regards,

Mick