SONAR is the abbreviation for Symantec Online Network for Advanced Response. Unlike virus signatures, SONAR examines the behavior of applications to decide whether they are malicious. SONAR is built upon technology Symantec acquired in its 2005 purchase of WholeSecurity.

How it works:
An algorithm is used to evaluate hundreds of attributes relating to software running on a computer. Various factors are considered before determining that a program is malicious, such as if the program adds a shortcut on the desktop or creates a Windows Add/Remove programs entry. Both of those factors would indicate the program is not malware. The main use of SONAR is to enhance detection of zero day threats. Symantec claims SONAR can also prevent attackers from leveraging unpatched software vulnerabilities.

Ed Kim, director of product management at Symantec, expressed confidence in SONAR, "We've done extensive testing on emerging threats, and it catches early threats and variants of existing threats."


Background:
Symantec already markets a behavior analysis security tool for enterprises, known as Critical System Protection. On the other hand, SONAR is leveled towards the consumer antivirus market. It will be available as a add-on for Norton AntiVirus 2007 and Norton Internet Security 2007. The Norton 2008 to 2010 line will have SONAR.

SONAR 2:
SONAR 2 is part of Norton 2010 antivirus software. This version leverages data from more sources, including reputation data about a program.

SONAR 2 provides real time proactive protection which is not in the old SONAR 1.

Comparison of SONAR 1 & 2

Sonar 1 provides the advance protection before the traditional virus definitions will be release. Sonar 2 provides the advance, real - time proactive protection before the virus definitions will be release.

The SONAR 2 has the more powerful SONAR because it has now the real - time proactive protection

More Information:
1) Turn off or turn on SONAR Protection
2) SONAR Protection