
Stateful Application Control for SONAR

Created: 10 Jul 2013 | 2 comments
Kris M
Votes: 2 agree, 0 disagree (+2)

I've been reviewing other security products to address the vulnerabilities that we still have with Endpoint Protection 12.1. Specifically, we still have machines that get infected by malware. I must admit that I am not aware of everything that SONAR does. I see almost nothing logged or quarantined by SONAR. That leads me to believe that some enhancement could be done, similar to the following product.

One of the products with a novel concept is Trusteer Apex. It monitors a small set of applications (Java, Adobe Flash, Acrobat Reader, IE, Firefox, Chrome, Word, Excel, PowerPoint, and Outlook) and compares what it is doing and why it is doing it, creating a context-aware application whitelist. There are only a finite number of actions that each application can legitimately perform. By monitoring the application memory state, it can be determined whether the action is legitimate or malicious or unknown. Allow the known legitimate function and block the malicious/unknown. Send information about the unknown to be reviewed to either be whitelisted or blacklisted. Customers can create their own exceptions through an administrative console.

2 Comments

.Brian

This is a great idea. SONAR only has a couple of options, so it would be nice to get more granular. Although it may fall outside the scope of SEP... but still, I like the idea.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Votes: 0
msauafXOM

If Insight is not also turned on, SONAR just doesn't work if turned on.

They should operate fully independently, and a module to create additional STAR rules should be made available, to develop custom, in-house exceptions.

Disclaimer: all suggestions I may have given to personnel from other companies than my employee do not mean it validates, endorses or is involved at all. My suggestions for such people are merely personal. In other hand, communications to Symantec

Votes: 0