Handling and preventing SONAR false positive detections
SONAR might make false positive detections for certain internal custom applications. Also, if you disable Insight lookups, the number of false positives from SONAR increases. See:
You can change SONAR settings to mitigate false positive detections in general. You can also create exceptions for a specific file or a specific application that SONAR detects as a false positive.
If you set the action for high risk detections to log only, you might allow potential threats on your client computers.
Log SONAR high risk heuristic detections and use application learning
You might want to set detection action for high risk heuristic detections to
Logfor a short period of time. Let application learning run for the same period of time.
Symantec Endpoint Protectionlearns the legitimate processes that you run in your network. Some true detections might not be quarantined, however. See:
After the period of time, you should set the detection action back to
If you use aggressive mode for low risk heuristic detections, you increase the likelihood of false positive detections. Aggressive mode is disabled by default.
For more information, see:
Create exceptions for SONAR to allow safe applications
You can create exceptions for SONAR in the following ways: