Monitoring Sonar Detection Results To Check For False Positives - Symantec 20032623 - Endpoint Protection Small Business Edition Implementation Manual

198 Managing SONAR

Monitoring SONAR detection results to check for false positives

Monitoring SONAR detection results to check for false
positives
Managing SONAR (continued)
Table 13-1
Task
Monitor SONAR events to check for
false positive detections
Prevent SONAR from detecting the
applications that you know are safe
Allow clients to submit information
about SONAR detections to Symantec
The client collects and uploads SONAR detection results to the management
server. The results are saved in the SONAR log. Legacy clients do not support
SONAR. Legacy clients collect similar events from TruScan proactive threat scans,
however, and include them in the SONAR log.
To determine which processes are legitimate and which are security risks, look
at the following columns in the log:
Description
You can use the SONAR log to monitor events.
You can also view the SONAR Detection Results
report (under Risk Reports) to view information
about detections.
See Monitoring SONAR detection results to check
for false positives" on page 198.
See Monitoring endpoint protection"
SONAR might detect the files or applications that
you want to run on your client computers. You
can use an Exceptions policy to specify exceptions
for the specific folders or applications that you
want to allow. For the items that SONAR
quarantines, you can create an exception for the
quarantined item from the SONAR log.
See Managing exceptions for Symantec Endpoint
Protection Small Business Edition"
Symantec recommends that you enable
submissions on your client computers. The
information that clients submit about detections
helps Symantec address threats. The information
helps Symantec create better heuristics, which
results in fewer false positive detections.
See Enabling or disabling client submissions to
Symantec Security Response"
on page 261.
on page 238.
on page 172.