Microsoft's Project Sonar: Malware detonation as a service

Microsoft's 'Project Sonar' service, which analyzes millions of potential exploit and malware samples in virtual machines, may be available to users outside the company in the not-too-distant future.
Written by Mary Jo Foley, Senior Contributing Editor

Microsoft looks to be gearing up to deliver a new distributed security service running on Azure that will help isolate and destroy malware.

Codenamed "Project Sonar," the service "dynamically analyzes millions of potential exploit & malware samples in VMs (virtual machines) and collects terabytes of data during that analysis every day," according to a recent Cloud and Enterprise Group job posting describing the service.

From the job posts about Sonar, it's not clear to me if Microsoft will allow customers to run Sonar and then amass and analyze the data collected, or if Microsoft will run Sonar and allow users to analyze the data gathered.

A Microsoft spokesperson whom I asked for more details about the service said Microsoft had "nothing to share" about Sonar.

One Sonar job posting said the small but rapidly growing Sonar team needed a web developer "to figure out how to store and search that data in performant manner, build a web-based Analyst Studio to make that data discoverable and actionable by analysts, build data pipelines to get our most interesting data to other Microsoft security systems in near real time, and also build publicly consumable Web APIs and portals for these services."

Another job posting for the Sonar "malware detonation platform as a service" notes that Microsoft already is using Sonar internally in the Windows App Store and Exchange Online."We are taking the service to the next level to handle more customers and data at scale," the second job posting said.

In a presentation from Microsoft's May 2015 Ignite conference, entitled "Deep Dive Into How Microsoft Handles Spam and Advanced Email Threats," there was a slide that showed off a "detonation chamber" (sandbox) that figures in Microsoft's Exchange Online service.

That component seems to be part of Microsoft's recently introduced Exchange Online Advanced Threat Protection (ATP) service. ATP uses a "detonation chamber" or sandbox running on Azure VMs to divert potentially dangerous messages, as well as machine learning techniques that "attempt to figure out whether the (message) content is malicious or not," as Windows IT Pro's Tony Redmond explained earlier this year.

Azure Chief Technology Officer and Technical Fellow Mark Russinovich also showed a slide that mentioned Sonar in an RSA 2015 conference presentation on malware hunting. (That slide is embedded above in this post.)

"Microsoft's operating system group runs an IE zero-day sandbox detection detonation chamber," according to that slide.

I'm curious how and if Sonar is connected to Microsoft's Cosmos service in some way, especially since expertise in Cosmos or "other No-SQL data stores," is mentioned in one of the Sonar job postings.

Microsoft has used Cosmos internally to process telemetry data; to perform analysis and reporting on large datasets, such as those created via Bing and Office 365; and to curate and perform back-end processing on many kinds of data.Currently, Cosmos is an internal-facing Microsoft service only. Sources have said Microsoft has been working on an external-facing version of Cosmos as a complement to HDInsight, which is Microsoft's Hadoop-on-Azure service.

(Thanks to Ryan Naraine for the pointer to the Sonar job post.)

Editorial standards