Video Screencast Help

Update for SONAR definition

Created: 15 Mar 2013 | 8 comments

Dear Support

We have Basic protection for server installed on SEP client, and disable SONAR in Antivirus policy. May we know why client still get the SONAR definition download? Is this function be disabled properly? How to prevent SONAR definition from downloading? Is this related to distribution selection on LUA server ?

Operating Systems:

Comments 8 CommentsJump to latest comment

pete_4u2002's picture

disable it from Liveupdate content from LU policy and verify.

SMLatCST's picture

"Thumbs Up" to the above.  Creating a new LU Content Policy for this group to disable SONAR updates will do the trick.

As an alternative, you could also just remove SONAR from the machines you don't want it on:

Ambesh_444's picture

Yes you can disable from Liveupdate content from LU policy.

Agreed with above both comments..

Thank& Regards,


"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

honey_jack's picture

Agree with Pete and SMLatCST. You can disable it from LU policy.

Thanks & Regard

Honey Jack

If your issue has been solved, please use the "Mark as Solution" for the valid thread.

AjinBabu's picture


From Security Definitions panel lets you select the type of updates that can be installed on Symantec Endpoint Protection clients. Use latest available specifies to install the latest update available from Symantec. Select a revision lets you test an update first before you install it on clients, and also lets you roll back to a previous version if necessary.

The definitions and content types that you select must also be downloaded to the Symantec Endpoint Protection Manager if the management server is the only update provider. You specify what is downloaded to the management server with the local site server property settings for LiveUpdate. Host Integrity templates are only available to download from a LiveUpdate server to Symantec Endpoint Protection Manager and then to clients. Clients cannot download Host Integrity templates directly from a LiveUpdate server.



Mick2009's picture

Hi SymQNA,

I recommend that you enable SONAR unless there is a specific and strong reason not to use it.  There's a lot of added protection in it and the updates are small.  Here's a thread with more info:

SONAR is the technology which helped solve this persistent infection case, for example:

Using SEPM Alerts and Reports to Combat a Malware Outbreak

With thanks and best regards,