Endpoint Protection

  • 1.  Socar not detected by SONAR

    Posted Sep 14, 2015 04:25 AM

    Hello everyone, I am currently testing SONAR with socar.exe. Socar was detected as a risk when executed under any other location besides "C:\Program Files" and "C:\Program Files (x86)". Can anyone help to explain why socar is not detected under "C:\Program Files" and "C:\Program Files (x86)"? Thanks!!



  • 2.  RE: Socar not detected by SONAR

    Posted Sep 14, 2015 01:54 PM

    Do you have some sort of exception in place for those locations that you can confirm?



  • 3.  RE: Socar not detected by SONAR

    Posted Sep 14, 2015 06:25 PM

    It's a new environment; SEPM and the SEP clients were just installed, and there's no exception, as I checked on both the SEPM console and the SEP client. I was using ProcessMonitor to monitor Socar and found that it took the same actions under any location.



  • 4.  RE: Socar not detected by SONAR

    Posted Sep 15, 2015 12:31 AM

    Note that if the "Show alert upon detection" configuration is unchecked, then no on-screen pop-up will be displayed. Check the Proactive Threat Protection logs to see if an event was triggered by socar.exe. The action taken on the socar.exe file (quarantined, log only, and so on) depends on the SEP client's configured policy.



  • 5.  RE: Socar not detected by SONAR

    Posted Sep 15, 2015 03:47 AM

    Thanks Still, I've checked the AV and NTP logs; no event is logged for "C:\Program Files" and "C:\Program Files (x86)". However, for other locations, when I executed socar, a risk was prompted and the event was logged.



  • 6.  RE: Socar not detected by SONAR

    Posted Sep 15, 2015 07:57 AM

    Hi George_Ge,

    Many thanks for the post.  I will look into this and let you know.

    Here are some articles that may help when testing SEP's components in general:

    Download the Socar.exe test file to verify that SONAR works correctly
    Article URL: http://www.symantec.com/docs/TECH216647
     

    How to test SEP 12.1 components for functionality
    https://www-secure.symantec.com/connect/articles/how-test-sep-121-components-functionality

    With thanks and best regards,

    Mick



  • 7.  RE: Socar not detected by SONAR
    Best Answer

    Posted Sep 22, 2015 05:44 AM

    Hi George_Ge,

    Many thanks for your patience.  I have confirmed that this behavior is by design.  The socar.exe tool will not be detected when run in program files folders.  For any other folder a "SONAR.Heuristic.121" event will be triggered when this tool is run.

    Hope this helps!  &: )

    Mick

     



  • 8.  RE: Socar not detected by SONAR

    Posted Sep 22, 2015 09:22 PM

    Thanks Mick, noted. Thanks a lot!



  • 9.  RE: Socar not detected by SONAR

    Posted Sep 23, 2015 08:09 AM

    Glad to help!  &: )