How do I create exception policies based on SONAR logs?

Created: 04 Feb 2014 • Updated: 07 Mar 2014 | 6 comments
This issue has been solved. See solution.

So I have a problem trying to add specific items to the exceptions policy from the SONAR logs. If I check the box and choose Allow Application, it will not allow me to exclude some because they don't actually provide the file or path. As an example, I continuously receive NetBackup Client Service, NetBackup Device Manager, and NetBackup Volume Manager in the logs as being detected by "Forced SONAR threat detected". How do I work these into a safe list so I don't continue to have these show up in my reports?

One other thing I noticed when successfully adding certain exclusions where the SONAR logs do provide the full file path: it looks like they are only being excluded for SEP 11.x clients. Is this true? The majority of my environment is now SEP 12.x, so I would like these exclusions to apply to SEP 12 clients also.

Thanks,

Mike


.Brian

Go into your SONAR logs on the SEPM

From this screen, put a check in the box next to the SONAR risk and under Action set it to "Add folder to Exceptions policy" and click Apply

http://www.symantec.com/docs/HOWTO80919

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
SEP_FMI

OK, I'm sorry, I should have walked through it prior to posting. So the issue is that yes, I can add it to the exceptions list. However, when I review the exceptions list it only shows that it applies to 11.x Client. I want it to apply to All Clients. Is there a way to do this? I'm thinking no since, like I said before, it appears to only do this to items that were logged by name instead of file or path. I have an example attached of what I'm experiencing.

I'm thinking the issue is that when it gets picked up in the SONAR logs it only provides the hash and actually creates the exception based on that instead of the file path. And there is probably some constraint in SEP 12.x which doesn't allow for exclusions based on this criterion. Am I right?

what-i-want-to-exclude.png
.Brian

SONAR is for 12.1 and TruScan is 11.x

What you can do is add an application to monitor. Once it shows up you can then add it as an exception and it should apply to all clients.

Monitoring an application to create an exception for the application

.Brian

Have you gotten this sorted out?
