A growing number of EdgeRater users have reported that, after an EdgeRater program update, Norton Sonar removes the program and it no longer runs on their computer.

Norton File Insight

The first reports started coming in late last year, and with every update more users reported the problem. Yesterday I was finally able to get to the bottom of it and find both the reason and the solution. Read on…

When this problem occurs

This problem only reproduces on Windows XP machines with Norton Sonar running, and only when an EdgeRater program update is issued, not during the initial installation. It does not reproduce on Windows 7, so if you are running Windows 7 you will not have this issue.

Why this problem occurs

EdgeRater uses a deployment technology from Microsoft called “ClickOnce deployment”, which is an ideal solution for this frequently updated trading tool because it allows updates to be released very quickly and easily. ClickOnce is relatively new and has not yet been widely adopted by software companies. As a result, Norton Sonar is not aware of how this type of update is delivered and flags the update as suspicious regardless of what is in it.

The nitty-gritty reason behind the problem is that ClickOnce updates are run under a Windows service called dfsvc.exe, which creates a sibling folder of the initial program installation and delivers the updated executable to that folder. To Norton Sonar this is the typical pattern of a malicious program – an initial executable (dfsvc.exe) is spawning a new executable (updated_program.exe). The default behavior of Norton Sonar under this condition is to quarantine the spawned executable.

If this happens to you

The first thing to do is not to panic! All EdgeRater updates are guaranteed to come from us. They are signed with a special code-signing certificate which ensures they have not been tampered with. In fact, ClickOnce technology is built around this type of trust relationship and will not allow tampered programs to be installed or updated on your computer.

The second thing to do is to restore the quarantined program using Norton. Here’s how:

Restore Quarantined File using Norton

Norton will always report that there are Very Few Users because the file is an updated file that has just been released. Norton will also always report that the file is ‘Very New’ for that same reason.

Restore from quarantine - second dialog box
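Once the file is restored, and before excluding it from scanning, the signing claim above can be checked on the machine itself. The following PowerShell script is an added example, not part of the original post or of EdgeRater: it lists every copy of the executable in the ClickOnce application cache (the old version and the update in its sibling folder) and checks that each carries a valid Authenticode signature from the same certificate. It assumes the executable itself is Authenticode-signed (ClickOnce signs the deployment manifests; signing the .exe as well is the publisher's choice), and the cache locations and the script name `Check-ClickOnceSignature.ps1` are assumptions.

```powershell
# Check-ClickOnceSignature.ps1 (hypothetical name) - added example.
# Verifies that all ClickOnce copies of a program are validly signed by one
# and the same certificate. Written to run on PowerShell 2.0 (Windows XP).
param([string]$ExeName = 'edgerater.exe')   # file name taken from the article

# Per-user ClickOnce application cache. Windows XP has no LOCALAPPDATA
# variable, so fall back to the XP profile layout (assumed default paths).
if ($env:LOCALAPPDATA) { $root = Join-Path $env:LOCALAPPDATA 'Apps\2.0' }
else                   { $root = Join-Path $env:USERPROFILE 'Local Settings\Apps\2.0' }

# Each update lands in its own sibling folder, so expect one copy per version.
$copies = @(Get-ChildItem -Path $root -Recurse -Filter $ExeName -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer })
if ($copies.Count -eq 0) { Write-Warning "No copy of $ExeName found under $root"; return }

$report = foreach ($file in $copies) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    New-Object PSObject -Property @{
        Folder     = $file.Directory.Name
        Modified   = $file.LastWriteTime
        Status     = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer     = $(if ($cert) { $cert.Subject }    else { '' })
        Thumbprint = $(if ($cert) { $cert.Thumbprint } else { '' })
    }
}
$report | Sort-Object Modified | Format-Table Folder, Modified, Status, Signer -AutoSize

# A copy that is unsigned or fails verification should not be excluded from scanning.
$bad     = @($report | Where-Object { $_.Status -ne 'Valid' })
# The update should be signed by the same certificate as the version it replaced.
# A legitimate certificate renewal also changes the thumbprint; compare Signer then.
$signers = @($report | Where-Object { $_.Thumbprint } |
    ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)

if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) of $($copies.Count) copies are unsigned or fail verification."
} elseif ($signers.Count -gt 1) {
    Write-Warning "Copies are signed by $($signers.Count) different certificates."
} else {
    "All $($copies.Count) copies are validly signed by certificate $($signers[0])."
}
```

Run it as `powershell -ExecutionPolicy Bypass -File .\Check-ClickOnceSignature.ps1`; pass `-ExeName etffinder.exe` for ETF Trading Bandit.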

A Workaround for future updates

Perhaps Norton will one day recognize ClickOnce deployed updates and allow them to go through. They could even check the code-signing certificate to make sure it is from the correct publisher, but this is not at all necessary because ClickOnce does all of this checking anyway. We have contacted Norton to try to get EdgeRater added to their whitelist, but this process appears to take a while. For now, the best workaround to avoid removal by Norton for future EdgeRater updates is to add the program in question (in this case edgerater.exe, or for ETF Trading Bandit it would be etffinder.exe) to the exclusions list in Norton Sonar. Here’s how:

Exclude file from Norton Sonar