Monitoring SONAR detection results to check for false positives

Article:HOWTO55026  |  Created: 2011-06-29  |  Updated: 2011-12-16  |  Article URL http://www.symantec.com/docs/HOWTO55026
Article Type
How To


Subject


Monitoring SONAR detection results to check for false positives

The client collects and uploads SONAR detection results to the management server. The results are saved in the SONAR log. Legacy clients do not support SONAR. Legacy clients collect similar events from TruScan proactive threat scans, however, and include them in the SONAR log.

To determine which processes are legitimate and which are security risks, look at the following columns in the log:

Event

The event type and the action that the client has taken on the process, such as cleaning it or logging it. Look for the following event types:

  • A possible legitimate process is listed as a Potential risk found event.

  • A probable security risk is listed as a Security risk found event.

Application

The process name.

Application type

The type of malware that SONAR or a TruScan proactive threat scan detected.

File/Path

The path name from where the process was launched.

The Event column tells you immediately whether a detected process is a security risk or a possible legitimate process. However, a potential risk that is found may or may not be a legitimate process, and a security risk that is found may or may not be a malicious process. Therefore, you need to look at the Application type and File/Path columns for more information. For example, you might recognize the application name of a legitimate application that a third-party company has developed.

See Creating exceptions from log events in Symantec Endpoint Protection Manager.

To monitor SONAR events

  1. In the console, click Monitors > Logs.

  2. On the Logs tab, in the Log type drop-down list, click SONAR.

  3. Select a time from the Time range list box closest to when you last changed a scan setting.

  4. Click Advanced Settings.

  5. In the Event type drop-down list, select one of the following log events:

    • To view all detected processes, make sure All is selected.

    • To view the processes that have been evaluated as security risks, click Security risk found.

    • To view the processes that have been evaluated and logged as potential risks, click Potential risk found.

  6. Click View Log.

  7. After you identify the legitimate applications and the security risks, create an exception for them in an Exceptions policy.

    You can create the exception directly from the SONAR Logs pane.


Legacy ID



v12184014_v59371754


Article URL http://www.symantec.com/docs/HOWTO55026


Terms of use for this information are found in Legal Notices