Hello,
With Symantec Endpoint Protection 12.1, SEP has monitoring for behavior-based anomaly detection.
In SEP 12.1, Behavior Based Threat scan works with a different definitions and engine set than SEP 11.x. These are updated less frequently than their SEP 11.x counterpart. However, since SEP 12.1 Behavior Based Threat scan not only uses different definitions and engines than SEP 11, but also has a different underlying architecture, the less frequent updates do not affect confirmed False Positive corrections.
SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.
SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides an additional level of protection on your client computers and complements your existing Virus and Spyware Protection, intrusion prevention, and firewall protection.
SONAR uses a heuristics system that leverages Symantec's online intelligence network with proactive local monitoring on your client computers to detect emerging threats. SONAR also detects changes or behavior on your client computers that you should monitor.
Check this Article: About SONAR
Regards,