
SONAR False Positive

Created: 30 Oct 2012 | 11 comments

The issue described below is on all Windows XP SP3 machines and Symantec Endpoint Protection 12.1 RU1.

We have an in-house developed application that was recently changed/upgraded and deployed to about 500 machines.  What is weird is about 75% of the machines detected the application as a (Unknown) Trojan Worm by SONAR, and the other 25% were fine with the application.  I verified that all 500 have the same policies, definitions, etc.

Is this normal for SONAR to do something like this?


_Brian:

I've seen the same issue as well; your best bet is to open a support ticket with Symantec for them to investigate.

You can have your app whitelisted:

Software White-Listing Request

You can also add the exception:


Handling and preventing SONAR false positive detections

Monitoring SONAR detection results to check for false positives

Prindte:

We created an exception which fixed the issue.  I am just curious as to why SONAR would detect it on some machines and not others.

Support could not answer my question.  Does anyone else know why this happens? 

_Brian:

Did support even have an answer?


Prindte:

No, support did not have an answer.  They just kept going back to asking about the exception and if that worked.

_Brian:

That's unfortunate as I would think they would know or have the means to investigate a level deeper.

My thought was definitions revisions were different or the client whitelist may have not yet been updated on the clients where it was being flagged but from reading your original post, it seems all are uniform.

Aside from that, I'm not really sure and anything else would just be speculation.

Mithun Sanghavi:


Behavioral detections are based on things like

- file versioning

- digital signatures

- file size

- type of file packing/encoding used

- the age of the file

- what actions the file takes

- and more...


Few Articles on SONAR:


About the files and applications that SONAR detects

Handling and preventing SONAR false positive detections

How Symantec Endpoint Protection uses reputation data to make decisions about files


In case, you want to Whitelist an Application, then check this Article:

Software developer would like to add his/her software to the Symantec White-List.


Hope that helps!!

Mithun Sanghavi
Senior Consultant

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Prindte:


We have already created a hash-based exception.  This application changes fairly often (every 3 months or so) and whitelisting that frequently does not make sense.

I am going to see if our developer can digitally sign the executable that is getting quarantined, or I will try the application monitor tool.

Mithun Sanghavi:


In your case, there are three things you could do:

1) Report a Suspected Erroneous Detection and Fill the Insight Dispute Submission Form by following the steps below:

  • Connect to the website:
  • Select "When installing an application" OR " While using an application" and click on NEXT
  • Select "Symantec Endpoint Protection 12.x " and click on NEXT
  • Select "SONAR (Behavioral Heuristics Detection)"
  • Click on the Button "Take me to the Insight Dispute Submission Form"
  • Fill all the important Details (* marked in red)

2) Sign your files with Class-3 digital certificates (X.509) from a Certificate Authority if you need to publish software/files.

3) Also participate in the white-listing program if needed.

Hope that helps!!!

Mithun Sanghavi
Senior Consultant

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
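The two remedies discussed above, a hash-based exception (Prindte's post) and code signing (item 2 here), are worth checking from the admin side before the next deployment. The following is an added example, not code from the thread or from Symantec: a PowerShell script that reports the file hash a hash-based exception would pin (which changes on every rebuild, which is why a quarterly release cadence makes hash exceptions painful) and the Authenticode signature status of the binary, so you can confirm the developer actually signed the build with a certificate that chains to a trusted root before it goes out to 500 machines. It uses .NET hashing directly rather than Get-FileHash so it also runs on PowerShell 2.0 on Windows XP SP3. The parameter name and the exit codes are this example's own choices; which hash algorithm a given SEP version expects for its exception type is not asserted here, so both MD5 and SHA-256 are printed.

```powershell
# Added example (not from the thread): report what an SEP hash exception and a
# reputation/signature check would key on for a freshly built in-house binary.
# Assumes the binary's path is passed as -Path (hypothetical parameter name).
param(
    [Parameter(Mandatory=$true)]
    [string]$Path
)

function Get-FileHashHex {
    param([string]$FilePath, [string]$Algorithm)
    # .NET HashAlgorithm works on PowerShell 2.0 (Windows XP SP3), where Get-FileHash does not exist.
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($FilePath)
    try {
        $bytes = $hasher.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

$file = Get-Item -LiteralPath $Path
$sig  = Get-AuthenticodeSignature -FilePath $file.FullName

# A hash-based exception pins exactly one build; both values change on every rebuild.
$md5    = Get-FileHashHex -FilePath $file.FullName -Algorithm 'MD5'
$sha256 = Get-FileHashHex -FilePath $file.FullName -Algorithm 'SHA256'

Write-Output ("File:    {0}" -f $file.FullName)
Write-Output ("Size:    {0} bytes" -f $file.Length)
Write-Output ("MD5:     {0}" -f $md5)
Write-Output ("SHA256:  {0}" -f $sha256)
Write-Output ("Signed:  {0}" -f $sig.Status)   # Valid, NotSigned, HashMismatch, UnknownError, ...
if ($sig.SignerCertificate) {
    Write-Output ("Signer:  {0}" -f $sig.SignerCertificate.Subject)
    Write-Output ("Expires: {0}" -f $sig.SignerCertificate.NotAfter)
}

# A signature that does not chain to a trusted root (e.g. a self-signed test cert),
# or a binary patched after signing, comes back as something other than 'Valid'.
# A present-but-broken signature does not give you a trusted publisher, so fail loudly.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'; the binary will not benefit from a trusted publisher."
    exit 1
}
exit 0
```

Run it against the build that is about to be deployed (`.\Check-Build.ps1 -Path C:\deploy\app.exe`, file name assumed). If it reports NotSigned, have the developer sign the release with signtool from the Windows SDK (with a timestamp so the signature outlives the certificate) and re-run the check; if it reports Valid but the signer is a self-signed or internal certificate, the signature helps the SEP whitelist request but does not by itself count as a CA-issued publisher identity of the kind item 2 above describes.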

_Brian:

But what about an explanation as to why some clients are flagged and others are not?

Prindte:

I will be talking to the person assigned to our case tomorrow.  I will be asking him about it then (again). 

Mick2009:

Hi Prindte, 

This article may also help:

Insight Deployment Best Practices

With thanks and best regards,