Symantec 20032623 - Endpoint Protection Small Business Edition Implementation Manual page 199

Implementation guide

Monitoring SONAR detection results to check for false positives

Event: The event type and the action that the client has taken on the process, such as cleaning it or logging it. Look for the following event types:
  - A possible legitimate process is listed as a Potential risk found event.
  - A probable security risk is listed as a Security risk found event.
Application: The process name.
Application type: The type of malware that SONAR or a TruScan proactive threat scan detected.
File/Path: The path name from where the process was launched.

The Event column tells you immediately whether a detected process is a security risk or a possible legitimate process. However, a potential risk that is found may or may not be a legitimate process, and a security risk that is found may or may not be a malicious process. Therefore, you need to look at the Application type and File/Path columns for more information. For example, you might recognize the application name of a legitimate application that a third-party company has developed.

See "Creating exceptions from log events in Symantec Endpoint Protection Manager" on page 249.

To monitor SONAR events

1. In the console, click Monitors > Logs.
2. On the Logs tab, in the Log type drop-down list, click SONAR.
3. Select a time from the Time range list box closest to when you last changed a scan setting.
4. Click Advanced Settings.
5. In the Event type drop-down list, select one of the following log events:
   - To view all detected processes, make sure All is selected.
   - To view the processes that have been evaluated as security risks, click Security risk found.
   - To view the processes that have been evaluated and logged as potential risks, click Potential risk found.