Managing SONAR

Article:HOWTO80929  |  Created: 2012-10-24  |  Updated: 2014-09-21  |  Article URL http://www.symantec.com/docs/HOWTO80929
Article Type: How To



SONAR is part of Proactive Threat Protection on your client computers. You manage SONAR settings as part of a Virus and Spyware Protection policy.

You configure SONAR settings for the clients that run Symantec Endpoint Protection version 12.1. SONAR settings also include TruScan proactive threat scan settings for legacy clients. Many of the settings can be locked so that users on client computers cannot change the settings.

Table: Managing SONAR

Task | Description

Learn how SONAR works

Learn how SONAR detects unknown threats. Information about how SONAR works can help you make decisions about using SONAR in your security network.

See About SONAR.

Check that SONAR is enabled

To provide the most complete protection for your client computers, you should enable SONAR. SONAR interoperates with some other Symantec Endpoint Protection features. SONAR requires Auto-Protect.

You can use the Clients tab to check whether Proactive Threat Protection is enabled on your client computers.

Note: Legacy clients do not report Proactive Threat Protection status to Symantec Endpoint Protection Manager.

See Adjusting SONAR settings on your client computers.

Check the default settings for SONAR

SONAR settings are part of a Virus and Spyware Protection policy.

See About the default Virus and Spyware Protection policy scan settings.

Make sure that Insight lookups are enabled

SONAR uses reputation data in addition to heuristics to make detections. If you disable Insight lookups, SONAR makes detections by using heuristics only. The rate of false positives might increase, and the protection that SONAR provides is limited.

You enable or disable Insight Lookups in the Submissions dialog.

See Enabling or disabling client submissions to Symantec Security Response.

Monitor SONAR events to check for false positive detections

You can use the SONAR log to monitor events.

You can also use the SONAR Detection Results report (under Risk Reports) to view information about detections.

See Monitoring SONAR detection results to check for false positives.

See Monitoring endpoint protection.

Adjust SONAR settings

You can change the detection action for some types of threats that SONAR detects. You might want to change the detection action to reduce false positive detections.

You also might want to enable or disable notifications for high or low risk heuristic detections.

See Adjusting SONAR settings on your client computers.

See Handling and preventing SONAR false positive detections.

Prevent SONAR from detecting the applications that you know are safe

SONAR might detect the files or applications that you want to run on your client computers. You can use an Exceptions policy to specify exceptions for the specific files, folders, or applications that you want to allow. For the items that SONAR quarantines, you can create an exception for the quarantined item from the SONAR log.

You also might want to set SONAR actions to log and allow detections. You can use application learning so that Symantec Endpoint Protection learns the legitimate applications on your client computers. After Symantec Endpoint Protection learns the applications that you use in your network, you can change the SONAR action to Quarantine.

Note: If you set the action for high risk detections to log only, you might allow potential threats on your client computers.

See Handling and preventing SONAR false positive detections.

Prevent SONAR from examining some applications

In some cases, an application might become unstable or fail to run when SONAR injects code into the application to examine it. You can create a file, folder, or application exception for the application.

See Creating exceptions for Virus and Spyware scans.

Manage the way SONAR detects the applications that make DNS or host file changes

You can use the SONAR policy settings to globally adjust the way SONAR handles detections of DNS or host file changes. You can use the Exceptions policy to configure exceptions for specific applications.

See Adjusting SONAR settings on your client computers.

See Creating an exception for an application that makes a DNS or host file change.

Manage TruScan proactive threat scans for legacy clients

Symantec Endpoint Protection clients version 12.0 or earlier do not support SONAR; these clients use TruScan proactive threat scans. You can adjust TruScan proactive threat scan settings to change the scan actions, sensitivity, and frequency. You might want to adjust the settings to handle false positive detections on your legacy client computers.

See About adjusting TruScan settings for 11.0 clients.

See Configuring TruScan proactive threat scan settings for 11.0 clients.

Allow clients to submit information about SONAR detections to Symantec

Symantec recommends that you enable submissions on your client computers. The information that clients submit about detections helps Symantec address threats. The information helps Symantec create better heuristics, which results in fewer false positive detections.

See Enabling or disabling client submissions to Symantec Security Response.


Legacy ID: v40139626_v81626096

