Endpoint Detection and Response (EDR)

  • 1.  SEDR SONAR signature description

    Posted Jan 26, 2023 07:44 AM
    My customer uses an SEDR 4.7.1 on-prem appliance.

    Some of the incidents were triggered by SONAR with heuristic signatures. For example these signatures:

    But when I click on every signature I am redirected to a general "Risk detected" web page. 

    Does anybody know where to find more details about the SONAR signatures?

    I am aware of the Symantec Security Center, but I cannot find SONAR signatures there.

    thank you 


  • 2.  RE: SEDR SONAR signature description

    Broadcom Employee
    Posted Jan 27, 2023 10:45 AM
    Hi Rudolf,
    These are all behavioural detections driven by the SONAR component of SEP. Symantec has never published the specific details that these behavioural detections trigger against, to reduce the risk of threat actors using this intelligence to modify their behaviour to evade detection.
    Instead, the detection names have a "general focus" naming convention (i.e. SONAR.SuspDir relates to behaviours related to suspicious directory access or manipulation, SONAR.Injetor relates to process injection methods, etc).
    The Incidents that these events trigger have their own Rule Name which provides a description of the nature of the detection, and the Incident details will contain some recommended actions related to the nature of the Incident.
    More importantly, the endpoint activity recorder events, either automatically incorporated in the Incident or, in parallel, available from the Investigate view (process dump or full dump), provide detailed events for all of the activities of the suspicious actors identified by the SONAR detections. This provides visibility of exactly what happened in YOUR environment when these processes executed, rather than what was maybe observed in a threat analyst sandbox or reverse engineering exercise.

  • 3.  RE: SEDR SONAR signature description

    Posted Jan 27, 2023 12:52 PM
    Hi Gavin, 

    thank you for your answer, that makes perfect sense.

    I have asked support the same question. Just for info, here is the answer:

    "Here is the update. Before the Broadcom acquisition, we used to have the "write up" pages available publicly to customers. They contained details of the signatures and behaviour of the malware detected. Broadcom discontinued that service for now, however, there are talks to reintegrate those pages, but for now there is nothing unfortunately.

    For SONAR however, there has always been little or nothing available to the public.

    For instance, regarding your requested events:
    ACM.Untrst-TskReg:  actor = Untrusted Process;  target = Windows Task Scheduler Settings;  MITRE = T1053

    For the rest there is even less data, because they are behavioural signatures and security response will never disclose the algorithm behind what would trigger the detection."
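Gavin's point in reply 2 is that the endpoint activity recorder events, not a signature write-up, show what the actor process actually did, and the support answer above gives the actor/target/MITRE tuple that comes with the detection. The following is an added example of that pivot, not SEDR's own code or API: the event schema (field names such as `type`, `pid`, `ppid`, `target`, `signature`) and every record in `EVENTS` are constructed assumptions for illustration, and the `ACM.Untrst-TskReg`/T1053 values are taken from the thread. It reconstructs the actor's process tree from a detection event and prints a timeline of what that tree touched.

```python
"""Pivot from a SONAR/ACM detection to the actor process's recorded activity.

Added example, not SEDR code. The recorder-style events below are CONSTRUCTED
and the field names are assumptions; they do not reproduce the real SEDR schema.
"""
from collections import Counter, defaultdict

# Constructed sample of endpoint activity recorder-style events (assumed schema).
EVENTS = [
    {"ts": "2023-01-26T07:30:01", "type": "process_start", "pid": 4120, "ppid": 2200,
     "image": r"C:\Users\rudolf\AppData\Local\Temp\update.exe"},
    {"ts": "2023-01-26T07:30:02", "type": "file_write", "pid": 4120,
     "target": r"C:\Users\rudolf\AppData\Roaming\svc\runner.exe"},
    {"ts": "2023-01-26T07:30:03", "type": "registry_set", "pid": 4120,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"ts": "2023-01-26T07:30:04", "type": "process_start", "pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\schtasks.exe"},
    # The detection itself, carrying the actor/target/MITRE tuple from the thread.
    {"ts": "2023-01-26T07:30:04", "type": "detection", "pid": 4120,
     "signature": "ACM.Untrst-TskReg", "actor": "Untrusted Process",
     "target": "Windows Task Scheduler Settings", "mitre": "T1053"},
    # Unrelated activity from a sibling process; must not appear in the pivot.
    {"ts": "2023-01-26T07:30:05", "type": "process_start", "pid": 2300, "ppid": 2200,
     "image": r"C:\Windows\System32\notepad.exe"},
]


def build_children(events):
    """Map parent pid -> set of child pids from process_start events."""
    children = defaultdict(set)
    for e in events:
        if e["type"] == "process_start":
            children[e["ppid"]].add(e["pid"])
    return children


def descendant_pids(events, root_pid):
    """Return root_pid plus every pid spawned (transitively) beneath it."""
    children = build_children(events)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, ()))
    return seen


def find_detection(events, signature):
    """Locate the detection event for a given signature name."""
    for e in events:
        if e["type"] == "detection" and e["signature"] == signature:
            return e
    raise LookupError(f"no detection named {signature!r} in the recorder events")


def activity_for_detection(events, signature):
    """Return (detection, pids in actor's tree, chronological events of that tree)."""
    det = find_detection(events, signature)
    pids = descendant_pids(events, det["pid"])
    timeline = sorted((e for e in events if e["pid"] in pids), key=lambda e: e["ts"])
    return det, pids, timeline


def summarize(timeline):
    """Count event types, e.g. how many file writes or registry changes occurred."""
    return dict(Counter(e["type"] for e in timeline))


def describe(e):
    """One-line rendering of an event for the analyst's timeline."""
    if e["type"] == "process_start":
        return f'start pid={e["pid"]} ppid={e["ppid"]} {e["image"]}'
    if e["type"] == "detection":
        return f'{e["signature"]} actor={e["actor"]} target={e["target"]} mitre={e["mitre"]}'
    return f'{e["type"]} pid={e["pid"]} {e["target"]}'


if __name__ == "__main__":
    det, pids, timeline = activity_for_detection(EVENTS, "ACM.Untrst-TskReg")
    print(f"{det['signature']} ({det['mitre']}): actor pid {det['pid']}, tree {sorted(pids)}")
    for e in timeline:
        print(e["ts"], describe(e))
    print(summarize(timeline))
```

The useful part is the tree walk: the detection names only the actor pid, but the behaviour that matters (the dropped file, the Run key, the child `schtasks.exe`) is spread across the actor and its children, which is the visibility the recorder gives that a generic "Risk detected" page cannot.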