SONAR logs

The SONAR logs contain information about the threats that SONAR detected. To catch unknown viruses and security risks, SONAR detects any behavior that is similar to known risk behavior.
The SONAR quick reports are part of the Risk quick reports. The filter options that you can use to configure the reports are described in the Risk quick reports help.
The table "Additional filter settings for the SONAR logs" describes the additional filter options for the logs.
The table "Action options in the SONAR logs" describes the action options in the logs.
Additional filter settings for the SONAR logs
Option
Description
  • Event type
  • Domain
  • Group
  • Server
  • Computer
  • IP address
  • User
  • Operating system
Action taken
Specifies the action taken that you want to view information about.
You can select one of the following actions:
  • All
  • Access denied
    View the events where the Auto-Protect portion of the client prevented a file from being created.
  • Action invalid
    View the events where the action was invalid. These risks may still be present on the computer.
  • All actions failed
    View the events where all the configured actions failed.
  • Bad
    View events where scan engine failure occurred for an unspecified reason. These risks may still be present on the computer.
  • Cleaned
    View the events where the software cleaned a virus from the computer.
  • Cleaned by deletion
    View the events where the action configured was “clean,” but a file was deleted because that was the only way to clean it. For example, this action is generally needed for Trojan horse programs.
  • Cleaned or macros deleted
    View the events where a macro virus was cleaned from a file either by deletion or some other means. This action applies only to the events that have been received from computers running Symantec AntiVirus 8.x or earlier versions.
  • Deleted or removed
    View the events where the software deleted an object, such as a file or a registry key, to remove a risk.
  • Excluded
    View the events where users chose to exclude a security risk from detection. For example, this action can occur when a user is prompted for permission to terminate a process.
  • Left alone
    View the events where a risk was left alone. This action can occur if the first configured action was Leave alone. This action can also occur if the second configured action was Leave alone and the first configured action was not successful. This action may mean that a risk is active on the computer.
  • No repair available
    View the events where a risk was detected but a repair was not available to fix it.
  • No repair available - Power Eraser recommended for repair
  • Partially repaired
    View the events where Symantec Endpoint Protection cannot completely repair the effects of a virus or security risk.
  • Pending repair or Pending admin action
    View the events where a user still needs to take action to complete the remediation of a risk on a computer. This action may occur if a user hasn’t responded to a prompt to terminate a process.
  • Process terminated
    View the events where a process was terminated.
  • Process termination pending restart
    View the events where a process needs to be terminated, but a restart of the computer is required to complete this action.
  • Quarantined
    View the events where Symantec Endpoint Protection quarantined a virus or a security risk.
  • Restored
  • Suspicious
    View the events where a scan detected a potential risk but has not remediated it. The scan did not remediate the risk either because it cannot or because you configured it to only log detections.
  • Threat blocked - Power Eraser recommended for repair
  • Restart required - Quarantined
  • Restart required - Cleaned
Risk severity
Specifies the severity category of risk that you want to view information about.
Unknown
Unknown risks are the risks that Symantec Security Response has not rated.
Risk level
Specifies the level of the risks that you want to view information about. SONAR categorizes risks as low, medium, or high.
Risk name
Specifies the risk names that you want to view information about.
You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. This field also accepts a comma-separated list as input.
Application
Specifies the names of the applications that you want to view information about.
You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. This field also accepts a comma-separated list as input.
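As an added example (not Symantec's code and not part of the original page), the following Python code applies the wildcard rules described for the Risk name and Application filters to constructed events and keeps only those whose action taken leaves the risk unresolved according to the descriptions above. The field names, the sample events, case-insensitive matching, the match-all behavior of an empty filter, and the grouping of unresolved actions are assumptions of this example.

```python
import re

# Actions whose descriptions above say the risk may remain or was not fully
# remediated. The grouping is this example's assumption, not a product setting.
UNRESOLVED_ACTIONS = {
    "Action invalid", "All actions failed", "Bad", "Left alone",
    "No repair available", "Partially repaired", "Suspicious",
}

def compile_filter(field_value):
    """Turn a comma-separated wildcard list into one compiled regex.

    '?' matches exactly one character and '*' matches any string of
    characters, as the filter description states. All else is literal.
    """
    alternatives = []
    for pattern in field_value.split(","):
        pattern = pattern.strip()
        if not pattern:
            continue
        parts = []
        for ch in pattern:
            parts.append("." if ch == "?" else ".*" if ch == "*" else re.escape(ch))
        alternatives.append("".join(parts))
    if not alternatives:
        return re.compile(r".*", re.S)  # empty filter matches all (assumption)
    # Case-insensitive matching is an assumption of this example.
    return re.compile("(?:%s)" % "|".join(alternatives), re.I | re.S)

def needs_follow_up(events, risk_filter="*", app_filter="*"):
    """Return events that match both filters and have an unresolved action."""
    risk_re, app_re = compile_filter(risk_filter), compile_filter(app_filter)
    return [
        e for e in events
        if risk_re.fullmatch(e["risk_name"])
        and app_re.fullmatch(e["application"])
        and e["action"] in UNRESOLVED_ACTIONS
    ]

# Constructed sample events; field names are hypothetical, not an export schema.
SAMPLE_EVENTS = [
    {"risk_name": "Sample.Behavior.1", "application": "updater.exe", "action": "Left alone"},
    {"risk_name": "Sample.Behavior.1", "application": "setup.exe", "action": "Quarantined"},
    {"risk_name": "Sample.Behavior.22", "application": "tool1.exe", "action": "Suspicious"},
    {"risk_name": "Other.Risk.A", "application": "tool22.exe", "action": "Bad"},
]
```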
The table "Action options in the SONAR logs" describes the exceptions you can add to the Exceptions policy from the log. Select the exception and click Apply.
Action options in the SONAR logs
Option
Description
Add folder to Exceptions policy
Creates a SONAR folder exception for the folder where the file resides. The exception does not automatically apply to subfolders and applies only to SONAR.
Allow application
Creates an application exception with an action of Ignore. The file is identified by its hash. The exception applies to both SONAR and any virus and spyware scan.
Block application
Creates a SONAR application exception with an action of Quarantine. The file is identified by its hash.
Trust Web domain
Creates a trusted web domain exception that applies to the URL from which the file was downloaded. The exception only applies to files that Download Insight detected.