Endpoint Protection

  • 1.  Understanding SONAR (something I would like to do)

    Posted Apr 06, 2016 04:11 PM

    So I'm trying to get a better handle on SONAR as there are some aspects that escape me. I was hoping this community could give me more assistance than the regular channels are.

    I learned About SONAR here:
    https://support.symantec.com/en_US/article.HOWTO80968.html

    Can see the current definition version here:
    https://www.symantec.com/security_response/definitions.jsp

    Can supposedly test it using this (does not work for me):
    https://support.symantec.com/en_US/article.TECH216647.html

    Can supposedly see the logs using this procedure (13 entries from 20K + machines??):
    https://support.symantec.com/en_US/article.HOWTO80749.html

    Logging is enabled in all the requisite places, but I see almost no SONAR logs. Last week we experienced an issue where the SONAR defs dated 03/18/16, but actually released on 03/23/16 (grrrr!), were causing a conflict with one of our encryption applications. Turns out that if we either uninstalled/reinstalled the encryption application, or rolled back the SONAR definitions (engine?) to 03/17/16, the problem of certain MS applications hanging the whole OS went away. And now the 04/01/16 SONAR engine also works without issue (so what the heck changed??).

    Questions:

    Where can I see a history of SONAR releases??
    Why the heck did Symantec have a SONAR Engine release on the 23rd, that was dated the 18th??
    If SONAR was part of the issue, why did I not have HUNDREDS of SONAR log entries? Should I be looking somewhere else for SONAR events?

    I keep hoping that if I understood SONAR better, some of this would make more sense to me...right now I feel like unchecking the SONAR box on my SEPM's and being done with it. #IsItReallyHelpingMe
     



  • 2.  RE: Understanding SONAR (something I would like to do)

    Posted Apr 06, 2016 04:21 PM

    AFAIK there is no Symantec URL (or even SEP log) which shows the releases of each new component engine. It's in the release notes when new versions come out, but that can always change anyway.

    Did anything show in the System log? That usually contains all of the logs from everything going on. It may be something that isn't logged, though; I can't say for sure. Sorta like how there is no log to show if ADC is installed, but you can query the backend DB and it shows up...



  • 3.  RE: Understanding SONAR (something I would like to do)

    Posted Apr 06, 2016 10:17 PM

    Hi Brian,

    As usual you have some good suggestions. While the System log only had the typical SONAR Engine enabled/disabled entries, I really like the idea of attacking the backend DB directly...just in case there are some more useful details to be had. Still bugged about the whole situation, but this helps.

    -Mike



  • 4.  RE: Understanding SONAR (something I would like to do)

    Posted Apr 08, 2016 10:33 AM

    Hi iamadmin,

    Thanks for the post.  Absolutely, positively keep SONAR (aka BASH aka PTP) installed on your machines.  I have become a huge advocate of this line of defense.  New signatures written for SONAR are very effective against any new threats that get past IPS and AV.  Check out https://www.symantec.com/security_response/landing/threats.jsp for recent examples like SONAR.Cryptlocker!g51 etc.

    Socar.exe is definitely working... there may not be a pop-up depending on how you have settings configured, but it will be recorded in the PTP logs.

    [Screenshot: socar_works.png]

    Check your Windows Application Event logs for the Event ID 51 "Security Risk Found!" event entries.

    New engines are released for BASH several times per year. BCS customers can receive notifications in advance. 

    How BCS Customers can Sign Up for Alerts and Notifications
    https://www-secure.symantec.com/connect/articles/how-bcs-customers-can-sign-alerts-and-notifications

    BCS customers can also test out new engines ahead of time through the EAS (Early Adopter System) to make sure that new updates will not cause any conflicts in their environment.

    Check out the Virus Definitions & Security Updates page for details on the latest/current date.  There's no page which records past releases.  Traditional AV signatures and IPS are the only components which offer that Release History.

    Hope this helps!  &: )  Definitely continue to use PTP/BASH/SONAR.  It is also an excellent tool for identifying undetected suspicious executable files and compromised machines.

    Using SEPM Alerts and Reports to Combat a Malware Outbreak
    https://www-secure.symantec.com/connect/articles/using-sepm-alerts-and-reports-combat-malware-outbreak 

    Please keep this thread up-to-date with your progress, or mark it solved if you have received your answer.

    With thanks and best regards,

    Mick
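
The check Mick describes above (look for Event ID 51 "Security Risk Found!" entries in the Windows Application log and pick out the SONAR detections) can be scripted so it runs across the fleet rather than one Event Viewer at a time. The PowerShell below is an added example and is not code from the thread or from Symantec. It assumes the SEP client logs these events under the provider name "Symantec AntiVirus" and that the message body follows the pattern "Security Risk Found!<risk> in File: <path> by: <scan> scan. Action: <action>"; both are assumptions to confirm against a real event on one of your machines before trusting the regex. The sample messages at the bottom are constructed so the parser can be exercised offline.

```powershell
# Added example (not from the thread): pull SEP "Security Risk Found!" events
# (Application log, Event ID 51) and keep only the SONAR detections.
# Assumptions: the SEP client writes these events with provider name
# "Symantec AntiVirus", and the message text follows the pattern
# "Security Risk Found!<risk name> in File: <path> by: <scan> scan. Action: <action>".
# Adjust the provider name and the regex if your events differ.

function ConvertFrom-SepRiskMessage {
    param([Parameter(Mandatory)][string]$Message)

    # The layout captured by this regex is an assumption; tweak it against a real event.
    $pattern = 'Security Risk Found!\s*(?<Risk>[^\r\n]+?)\s+in File:\s*(?<Path>.+?)\s+by:\s*(?<Scan>.+?)\s*scan\.\s*Action:\s*(?<Action>[^\r\n.]+)'
    if ($Message -match $pattern) {
        [pscustomobject]@{
            Risk    = $Matches.Risk.Trim()
            Path    = $Matches.Path.Trim()
            Scan    = $Matches.Scan.Trim()
            Action  = $Matches.Action.Trim()
            # SONAR detections carry a risk name starting with "SONAR." (e.g. SONAR.Heuristic.120)
            IsSonar = ($Matches.Risk.Trim() -like 'SONAR.*')
        }
    }
}

function Get-SepSonarEvents {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Symantec AntiVirus'   # assumption: SEP client provider name
        Id           = 51
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches the filter, so treat that as "no events"
        Write-Warning "No Event ID 51 entries found or log not reachable on $ComputerName : $_"
        return
    }
    foreach ($e in $events) {
        $parsed = ConvertFrom-SepRiskMessage -Message $e.Message
        if ($parsed -and $parsed.IsSonar) {
            $parsed | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $e.TimeCreated -PassThru
        }
    }
}

# Constructed sample messages (not real events) to exercise the parser offline.
$samples = @(
    'Security Risk Found!SONAR.Heuristic.120 in File: C:\Users\mike\Downloads\invoice.exe by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.',
    'Security Risk Found!Trojan.Gen.2 in File: C:\Temp\drop.tmp by: Manual scan. Action: Clean succeeded. Action Description: The file was cleaned successfully.'
)
$samples | ForEach-Object { ConvertFrom-SepRiskMessage -Message $_ } |
    Format-Table Risk, Path, Scan, Action, IsSonar -AutoSize

# Live query against a real host; run it against a machine that showed the
# hang to see whether any SONAR detection lines up with the affected application.
# Get-SepSonarEvents -Days 30 -ComputerName 'WKS-001' |
#     Sort-Object TimeCreated | Format-Table TimeCreated, Risk, Path, Action -AutoSize
```

Running the live query with a 30-day window over the machines that hung would answer the question in the first post directly: if SONAR had quarantined or blocked a component of the encryption product, the ID 51 events would name the file and the action taken, and their absence is itself useful evidence that the conflict happened below the point where a detection is logged.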