Handling and preventing SONAR false positive detections

Article:HOWTO80987  |  Created: 2012-10-24  |  Updated: 2014-09-21  |  Article URL http://www.symantec.com/docs/HOWTO80987
Article Type
How To



SONAR might make false positive detections for certain internal custom applications. Also, if you disable Insight lookups, the number of false positives from SONAR increases.

See Enabling or disabling client submissions to Symantec Security Response.

You can change SONAR settings to mitigate false positive detections in general. You can also create exceptions for a specific file or a specific application that SONAR detects as a false positive.

You can also adjust settings and create exceptions for TruScan proactive threat scans, which run on Symantec Endpoint Protection clients version 12.0 or earlier. See Managing TruScan proactive threat scans for legacy clients.


If you set the action for high risk detections to log only, you might allow potential threats on your client computers.

Table: Handling SONAR false positives



Log SONAR high risk heuristic detections and use application learning

You might want to set the detection action for high risk heuristic detections to Log for a short period of time. Let application learning run for the same period of time. Symantec Endpoint Protection learns the legitimate processes that you run in your network. Some true detections might not be quarantined, however.

See Configuring the management server to collect information about the applications that the client computers run.

After the period of time, you should set the detection action back to Quarantine.


If you use aggressive mode for low risk heuristic detections, you increase the likelihood of false positive detections. Aggressive mode is disabled by default.

See Adjusting SONAR settings on your client computers.

Create exceptions for SONAR to allow safe applications

You can create exceptions for SONAR in the following ways:
