Symantec’s File Insight (SONAR) program was recently added to the Norton Antivirus and Norton Internet Security programs.  SONAR automatically deletes or quarantines any program it believes may be malware.  This is a problem for you as a software developer if it decides your program looks like malware.

Symantec provides instructions for how to prevent your program from being quarantined on a particular computer, or how to get it back out of quarantine: http://community.norton.com/t5/Norton-Internet-Security-Norton/SONAR-is-deleting-programs/m-p/192633/highlight/true#M96287.  But that is not going to help you when you are trying to distribute your program to others.  If someone downloads a trial version of your program, and his antivirus program deletes it as malware, he is most likely not going to try to get it back.

Symantec also provides the ability for you to white list your program (described later in this post) as not malicious.  However, it is impractical to white list every test version of your program that you create as you are developing it.

Another solution is to digitally sign your program.  SONAR recognizes signed programs as not malicious.  Unfortunately, code signing certificates are expensive and must be renewed annually.  This may not be an acceptable solution for you either.

So what can you, as a small ISV (Independent Software Vendor), do to prevent SONAR from treating your programs as malware? Fortunately, there are a few steps you can take that are fairly easy to do and may be done for free.

Does Your Program Look Malicious?

I remember the first time I ran a program I was developing on a computer that had Norton Antivirus with SONAR installed.  When I tried running my new program so I could test it, Norton AntiVirus presented a warning window indicating that a security risk was found.  It claimed that the program was behaving suspiciously on my computer and recommended that I block or remove the program.  This took me by surprise because I knew my program would not have been doing anything suspicious.  It then deleted my program before I could do any testing with it.

Why did Norton AntiVirus consider my program to be a security risk?  The details of the warning said fewer than 10 users in the Norton Community have used this file, and the file was released less than 1 week ago. This is the same warning others would get if they try to run my new program on their computer with Norton Antivirus active.

Consider the fact that any new program you create is going to at first have been used by very few members of the Norton Community and not be very old.  How can you get past SONAR with a brand new program?

Wikipedia, http://en.wikipedia.org/wiki/SONAR_%28Symantec%29, has the following in its explanation of how SONAR works:

An algorithm is used to evaluate hundreds of attributes relating to software running on a computer. Various factors are considered before determining that a program is malicious, such as if the program adds a shortcut on the desktop or creates a Windows Add/Remove programs entry. Both of those factors would indicate the program is not malware.

So the first thing you need to do is add a shortcut to your program on the desktop.  During development, when you do not yet have an installer for your program, manually create a shortcut to your program on your desktop.  That seems to be enough to keep SONAR from treating it as malware.  With that manually created shortcut to your program in place, you may continue your development cycle without SONAR deleting your program.

After development is complete, create an installer (a setup program) for your program.  Have the installer automatically create a shortcut on the user’s desktop and create an entry for your program in the Windows Add/Remove program.  This will keep SONAR from automatically deleting your program from computers as long as your program was installed using your installer.

White List the Setup Program

The installer you create for your program is itself another program.  I provide my installer as a downloadable program from my Web site.  Downloading the installer does not create a shortcut to the installer on the desktop, nor does it create the necessary Windows Add/Remove program entries.  Therefore, if someone downloads an installer from my Web site, SONAR deletes it.

This is the one instance where I’ve found that a program should be submitted to Symantec’s white list, https://submit.symantec.com/whitelist/. However, it is only this final version of the installer, not all the prior versions worked on during development, and not the program itself, that must be submitted to the white list.

Conclusion

It is frustrating that SONAR may delete perfectly harmless programs, such as yours.  Your reaction might be to complain about SONAR, decide not to use Norton Antivirus, or simply ignore it.  But that doesn’t mean that people who would want to use your program would do the same.  Whether you like it or not, you have to prepare your program to handle these issues.  Otherwise, a lot of people will not be able to use your program.

You can prevent SONAR from deleting your program by digitally signing it, but then you must pay an annual fee to renew the digital signing certificate every year.  Or you may prevent SONAR from deleting your program at no cost to you by taking the following steps:

  1. Create an installer that puts a shortcut to your program on the desktop and adds an entry for your program in the Windows Add/Remove program.
  2. White list the installer.

These two simple steps will ensure that others may safely download your program and install it on their computer without SONAR deleting it.

No related posts.


About the Author


4 Responses to Is Symantec’s File Insight (SONAR) Deleting Your Programs?

  1. mike t says:

    We have the same issue with Norton 2010 Sonar. It delete program without warning nor does it say anything about Sonar is enabled and will delete program without letting you know. Sonar caused us some headache and lose face with client because it make us look foolish when we know our software run perfectly fine and not malware. We develop custom software that run on desktop and flash/portable drive. Sonar think our software is “BAD” and delete without warming. Norton, “This is not acceptable”. I have done quick search and lots of people upset about Sonar deleting program without warning. It’s troublesome and time consuming to explain to the client that Sonar had a bug and not us.

  2. I’d be happy to help any readers get a code signing certificate — I resell for Comodo and offer quite a discount on their retail prices. http://codesigning.ksoftware.net – please feel free to email me with any questions.

  3. bwross says:

    Thanks, very good information. Struggled with the issue as well. Good to know that a desktop shortcut may prevent program from being deleted, although impractical in some cases and adds to desktop clutter. I can manually exclude them from scan and restore the programs, but unfortunately it’s after the fact.

  4. Bernie Regan says:

    I’ve just had SONAR delete software that was accessed through a desktop shortcut. Perhaps someone in Norton has decided that it’s a loophole they need to fix. Why can’t they credit the people who buy their software with some intelligence – oh dear, maybe I’ve answered my own question.

More Do-It-Yourself Java Games

More Do-It-Yourself Java Games: An Introduction to Java Graphics and Event-Driven Programming is the second book of the Do-It-Yourself Java Games series. You'll learn to create windows and dialogs, to add buttons and input fields, to use images and drawings, and to respond to keyboard input and mouse clicks and drags. You'll create 10 more games including several puzzles, a dice game, a word game, and a card game.

This book assumes you either have an understanding of basic Java programming or you have read the first book, Do-It-Yourself Java Games: An Introduction to Java Computer Programming. Read more.

Do-It-Yourself Java Games

Do-It-Yourself Java Games: An Introduction to Java Computer Programming uses a unique "discovery learning" approach to teach computer programming: learn Java programming techniques more by doing Java programming than by reading about them.

Through extensive use of fill-in blanks, with easy one-click access to answers, you will be guided to write complete programs yourself, starting with the first lesson. You'll create puzzle and game programs like Choose An Adventure, Secret Code, Hangman, Crazy Eights, and many more, and discover how, when, and why Java programs are written the way they are. Read more

Step-by-Step Tutorial

Many of the tips, techniques, and tools discussed in this blog are demonstrated in a detailed step-by-step tutorial in the book, This Little Program Went to Market, by Annette Godtland.

The book takes a computer program through the entire process of creating, deploying and distributing a program, then selling and marketing it (or any other product) on the Internet. Read more.