Hello,
Behavioral detections are based on things like
- file versioning
- digital signatures
- file size
- type of file packing/encoding used
- the age of the file
- what actions the file takes
- and more...
Few Articles on SONAR:
About SONAR
http://www.symantec.com/docs/HOWTO55254
About the files and applications that SONAR detects
http://www.symantec.com/docs/HOWTO55292
Handling and preventing SONAR false positive detections
http://www.symantec.com/docs/HOWTO55273
How Symantec Endpoint Protection uses reputation data to make decisions about files
http://www.symantec.com/docs/HOWTO55275
In case, you want to Whitelist an Application, then check this Article:
Software developer would like to add his/her software to the Symantec White-List.
http://www.symantec.com/docs/TECH132220
Hope that helps!!