Hello,
Behavioral detections are based on things like
- file versioning
- digital signatures
- file size
- type of file packing/encoding used
- the age of the file
- what actions the file takes
- and more...
For software developers/authors and Independent Software Vendors (ISVs) the Symantec Software White-List program offers you the opportunity to be added to a white list of known good software maintained by Symantec to reduce the possibility of false positives.
Please note that Symantec offers this service to reduce false positives, but cannot guarantee that false positives will not occur.
Decisions made by Symantec are also subject to change depending on a variety of factors that include but are not limited to alterations in the software, distribution of the software, or vulnerabilities in the software to misuse by the publisher or others. Symantec may also change its classification criteria and policies over time to address the constantly evolving security landscape.
Note: If an application for white-listing is approved it can take a number of weeks for the software in question to be white-listed. The applicant will be notified after the white-listing process for that software is completed. The applicant will be notified if the application is not approved.
https://submit.symantec.com/whitelist/isv/
Few Articles on SONAR:
About SONAR
http://www.symantec.com/docs/HOWTO55254
About the files and applications that SONAR detects
http://www.symantec.com/docs/HOWTO55292
Handling and preventing SONAR false positive detections
http://www.symantec.com/docs/HOWTO55273
Hope that helps!!