As a best practice, when you first start to manage the scans yourself, set the action to Log. With this setting, neither the security risks nor the legitimate processes receive the action that you ultimately want, which is to quarantine or terminate the security risks and to ignore the legitimate processes. Logging first lets you see what the scans would have acted on without disrupting users while you tune the policy.
Create an exception for each false-positive detection. An exception names the process and the action that the scan takes when it detects that process.
When you first adjust the sensitivity level for Trojan horses and worms, set it to 10. At a low sensitivity level the scans detect fewer processes than at a higher level, so fewer legitimate processes are logged as potential risks. After you run at level 10 for a few days and review the log for legitimate applications, raise the level to 20. Over a 60-day to 90-day period, continue raising the level in 10-unit increments until you reach 100. For maximum protection, leave the sensitivity level at 100.
With this gradual break-in approach, the users on the client computers are not overwhelmed with detection notifications as soon as you deploy the client. Instead, you have time to review the increase in detections at each level before you move to the next one.
For keyloggers, start with the sensitivity level set to Low.
As you raise the sensitivity level, the scans detect more processes, both malicious and legitimate, but the proportion of legitimate processes among the detections stays roughly constant. A higher level therefore means more detections of both kinds, not a higher false-positive ratio. The sensitivity level also says nothing about the certainty of an individual detection: a process that is detected at level 10 is not more or less of a threat than one that is first detected at level 90. Review each detection on its own merits rather than ranking detections by the level at which they appeared.
After you change the sensitivity level, use the SONAR log to judge whether the level is too low or too high. If the client reports many legitimate processes as security risks, lower the level, then raise it again after you have created exceptions for those legitimate processes.
After you have added all the exceptions to an Exceptions policy, any new detection is likely to be a genuine security risk. For greater security, change the response action for all processes back to either Quarantine or Terminate. Continue to monitor the SONAR log in case the scan detects and quarantines a new legitimate application; if it does, add an exception for that application.
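The review loop above (log only, triage each logged process, add exceptions for the legitimate ones, raise the level one step only when nothing is left to review, switch to enforcement once the ramp reaches 100) can be scripted against a log export. The following is an added example written for this page, not Symantec code and not the real SEPM export format: the CSV columns, hostnames and paths are constructed, exception matching is by full path because that is what the constructed log records, and `next_sensitivity` and `ready_for_enforcement` are helper names chosen here.

```python
import csv
import io
from collections import Counter

STEP = 10             # the 10-unit increments described above
MAX_SENSITIVITY = 100

# Constructed sample of a SONAR log export taken while the action is Log.
# The column layout is a simplified assumption for this example, not the
# real SEPM export format; hostnames and paths are made up.
SAMPLE_SONAR_LOG = r"""
detected_at,computer,process,risk_type,sensitivity,action
2024-03-01T09:12:00,ws-101,C:\Program Files\Inventory\invagent.exe,Trojan/Worm,10,Logged
2024-03-01T10:40:00,ws-114,C:\Program Files\Inventory\invagent.exe,Trojan/Worm,10,Logged
2024-03-02T08:02:00,ws-101,C:\Users\jdoe\AppData\Local\Temp\svch0st.exe,Trojan/Worm,10,Logged
2024-03-02T11:15:00,ws-120,C:\Tools\Backup\bkpsync.exe,Trojan/Worm,10,Logged
2024-03-03T14:30:00,ws-130,C:\Users\asmith\Downloads\kbhook.exe,Keylogger,Low,Logged
""".strip()

INVAGENT = r"C:\Program Files\Inventory\invagent.exe"
SVCH0ST = r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe"
BKPSYNC = r"C:\Tools\Backup\bkpsync.exe"
KBHOOK = r"C:\Users\asmith\Downloads\kbhook.exe"

# Processes the administrator has already covered with an Exceptions policy
# (constructed). Matching is by full path because the sample log records
# full paths.
EXCEPTIONS = {INVAGENT}


def parse_sonar_log(text):
    """Return the log rows as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, exceptions, confirmed_malicious):
    """Split logged processes into three buckets.

    covered: already excepted (legitimate); pending: still needs a human
    decision; malicious: reviewed and left for the scan to act on later.
    The sensitivity level a process was logged at is deliberately ignored:
    it does not indicate how much of a threat the process is.
    """
    counts = Counter(row["process"] for row in rows)
    covered = {p: n for p, n in counts.items() if p in exceptions}
    malicious = {p: n for p, n in counts.items() if p in confirmed_malicious}
    pending = {p: n for p, n in counts.items()
               if p not in exceptions and p not in confirmed_malicious}
    return covered, pending, malicious


def next_sensitivity(current, pending):
    """Move up one 10-unit step only when every logged process has been reviewed."""
    if pending:
        return current            # hold at the current level and keep reviewing
    return min(current + STEP, MAX_SENSITIVITY)


def ready_for_enforcement(current, pending):
    """True once the ramp has reached 100 with nothing left to review, which is
    when the action can go back from Log to Quarantine or Terminate."""
    return current >= MAX_SENSITIVITY and not pending


if __name__ == "__main__":
    rows = parse_sonar_log(SAMPLE_SONAR_LOG)
    level = 10
    covered, pending, malicious = triage(rows, EXCEPTIONS, set())
    print("covered by exceptions:", covered)
    print("pending review:", pending)
    print("next level:", next_sensitivity(level, pending))   # holds at 10

    # After review: bkpsync.exe is a legitimate backup agent, the other two
    # are not. Add the exception and mark the rest as confirmed malicious.
    covered, pending, malicious = triage(
        rows, EXCEPTIONS | {BKPSYNC}, {SVCH0ST, KBHOOK})
    print("pending after review:", pending)
    print("next level:", next_sensitivity(level, pending))   # 20
```

Run it against each day's export at the current level; the level is only advanced when `pending` is empty, which is the discipline the gradual break-in relies on. Keylogger detections use their own Low setting rather than the numeric scale, so they appear in the triage buckets but the numeric step logic is meant for the Trojan horse and worm level.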