Microsoft’s ‘Project Sonar’ service, which analyzes millions of potential exploit and malware samples in virtual machines, may be available to users outside the company in the not-too-distant future.
Microsoft looks to be gearing up to deliver a new distributed security service running on Azure that will help isolate and destroy malware.
Codenamed “Project Sonar,” the service “dynamically analyzes millions of potential exploit & malware samples in VMs (virtual machines) and collects terabytes of data during that analysis every day,” according to a recent Cloud and Enterprise Group job posting describing the service.
From the job posts about Sonar, it’s not clear to me if Microsoft will allow customers to run Sonar and then amass and analyze the data collected, or if Microsoft will run Sonar and allow users to analyze the data gathered.
A Microsoft spokesperson whom I asked for more details about the service said Microsoft had “nothing to share” about Sonar.
One Sonar job posting said the small but rapidly growing Sonar team needed a web developer “to figure out how to store and search that data in performant manner, build a web-based Analyst Studio to make that data discoverable and actionable by analysts, build data pipelines to get our most interesting data to other Microsoft security systems in near real time, and also build publicly consumable Web APIs and portals for these services.”
Another job posting for the Sonar “malware detonation platform as a service” notes that Microsoft already is using Sonar internally in the Windows App Store and Exchange Online. “We are taking the service to the next level to handle more customers and data at scale,” the second job posting said.
A presentation from Microsoft’s May 2015 Ignite conference, entitled “Deep Dive Into How Microsoft Handles Spam and Advanced Email Threats,” included a slide that showed off a “detonation chamber” (sandbox) that figures in Microsoft’s Exchange Online service.
That component seems to be part of Microsoft’s recently introduced Exchange Online Advanced Threat Protection (ATP) service. ATP uses a “detonation chamber” or sandbox running on Azure VMs to divert potentially dangerous messages, as well as machine learning techniques that “attempt to figure out whether the (message) content is malicious or not,” as Windows IT Pro’s Tony Redmond explained earlier this year.
Azure Chief Technology Officer and Technical Fellow Mark Russinovich also showed a slide that mentioned Sonar in an RSA 2015 conference presentation on malware hunting. (That slide is embedded above in this post.)