Symantec Endpoint Protection 12.1 SONAR - Proactive Threat Protection or Download Insight False Positive Corrections

Article:TECH168849  |  Created: 2011-09-05  |  Updated: 2014-09-16  |  Article URL
Article Type
Technical Solution


A process was detected as suspicious by SONAR - Proactive Threat Protection (These detections are also referred to as "Behavior Based"), or Download Insight in SEP 12.1. The file was submitted to Security Response and the determination was this was a case of a False Positive (FP) detection. A message to that effect and information regarding corrected definitions were sent. The Proactive Threat Protection definitions in the SEP 12.1 Client Graphical User Interface do not show any updates and may appear to be out of date. 


Until new definitions are available, it is possible to overcome SONAR False Positives through policy.  See Exclusion Guidelines for Symantec Endpoint Protection 12.1 for details. 

Exceptions should be used with caution and only temporarily.  Remove the exclusion once new whitelisting definitions are available.  


In SEP 12.1, SONAR False Positive corrections are done differently than SEP 11.x TruScan/Proactive Threat Scan False Positives.

In SEP 11.x, confirmed False Positives were addressed by releasing updated Proactive Threat Scan Definitions.
In SEP 12.1, Behavior Based Threat scan works with a different definitions and engine set than SEP 11.x. These are updated less frequently than their SEP 11.x counterpart.  However, since SEP 12.1 Behavior Based Threat scan not only uses different definitions and engines than SEP 11, but also has a different underlying architecture, the less frequent updates do not affect confirmed False Positive corrections.
In SEP 12.1 confirmed False Positives are added to the so called IRON Whitelist. This IRON Whitelist gets updated on a daily basis and SEP 12.1 clients can download it as part of the IRON definitions via LiveUpdate. This IRON Whitelist is also used by the Download Insight component.
In the SEP 12.1 Client GUI, this IRON Whitelist containing corrected False Positives can be identified in:
Help> Troubleshooting> Versions.
In the SEP 12.1.2  Client GUI, this IRON Whitelist containing corrected False Positives can be identified in:
Help> Troubleshooting> Versions.
The Moniker {EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758} identifies these definitions, and the Seq Data denotes the definitions data. For example, Seq Data 110904002 means that the IRON Whitelist corresponds to Definitions from September 04, 2011 Revision 2.
On the file system these definitions will be located in \ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\IronWhitelistDefs\20110904.002
The main SEP 12.1 Client GUI may still show Proactive Threat Protection Definitions dated from an earlier date, e.g August 12, 2011 Revision 1, but as explained above, these specific definitions are not necessary to address confirmed False Positives. 
On the SEPM Side, the IRON Whitelist definitions would be contained in:
\Symantec Endpoint Protection Manager\Inetpub\content\{EDBD3BD0-8395-4d4d-BAC9-19DD32EF4758}\110904002\
SEPM will by default download and distribute these definitions as defined in "Content Types to Download" in a Site's LiveUpdate Policy. The Content Type in question is different than the type to select when distributing this to clients. To download the IRON Whitelist definitions select  "TruScan proactive threat scan commercial application list":
Distributing this content is configured in the LiveUpdate Content portion of any LiveUpdate Policy, under Windows Settings> Security Definitions > Reputation Settings.
To verify which revisions are available, check "Select a revision" and click on the Edit button. Symantec recommends using the latest available Revision of the selected Centralized Reputation Settings 12.1, Revocation Data and Symantec Whitelist 12.1 content types.
Finally, to verify which of these definitions were actually downloaded by SEPM, go to Admin> Site> Show LiveUpdate downloads.
The IRON Whitelist is the Symantec Whitelist 12.1 Content Type. The SONAR content types listed are actually 2 different SONAR types. One type is the SONAR component used in SEP 11.x.
These are identified by having "11.0" appended to  their name such as:
"SONAR Scan whitelist Win32 11.0"
"SONAR Scan whitelist Win64 11.0"

Article URL

Terms of use for this information are found in Legal Notices