Monitoring SONAR detection results to check for false positives
Article: HOWTO80749 | Created: 2012-10-24 | Updated: 2013-10-07 | Article URL: http://www.symantec.com/docs/HOWTO80749
To determine which processes are legitimate and which are security risks, look at the following columns in the log:
The column tells you immediately whether a detected process is a security risk or a possible legitimate process. However, a potential risk that is found may or may not be a legitimate process, and a security risk that is found may or may not be a malicious process. Therefore, you need to look at the and columns for more information. For example, you might recognize the application name of a legitimate application that a third-party company has developed.
Legacy clients do not support SONAR. Legacy clients collect similar events from TruScan proactive threat scans, however, and include them in the SONAR log.
To monitor SONAR detection results to check for false positives
In the console, click Monitors > Logs.
On the Logs tab, in the Log type drop-down list, click SONAR.
In the Time range list box, select the time closest to when you last changed a scan setting.
Click Advanced Settings.
In the Event type drop-down list, select one of the following log events:
Click View Log.
After you identify the legitimate applications and the security risks, create an exception for them in an Exceptions policy.
You can create the exception directly from the SONAR Logs pane.