Monitoring SONAR detection results to check for false positives

The client collects and uploads SONAR detection results to the management server. The results are saved in the SONAR log.
To determine which processes are legitimate and which are security risks, look at the following columns in the log:
Event
The event type and the action that the client has taken on the process, such as cleaning it or logging it. Look for the following event types:
  • A possible legitimate process is listed as a Potential risk found event.
  • A probable security risk is listed as a Security risk found event.
Application
The process name.
Application type
The type of malware that a SONAR scan detected.
File/Path
The path name from where the process was launched.
The Event column tells you immediately whether SONAR classified a detected process as a security risk or as a possible legitimate process. That classification is not final: a Potential risk found event may or may not be a legitimate process, and a Security risk found event may or may not be a malicious process. Therefore, check the Application type and File/Path columns before you decide. For example, you might recognize the application name and install path of a legitimate application that a third-party company has developed. Confirm the path as well as the name: a familiar process name that runs from an unexpected location, such as a user's temporary or download folder, is not evidence that the process is legitimate.
To monitor SONAR detection results to check for false positives
  1. In the console, click Monitors > Logs.
  2. On the Logs tab, in the Log type drop-down list, click SONAR.
  3. Select a time from the Time range list box closest to when you last changed a scan setting.
  4. Click Additional Settings.
  5. In the Event type drop-down list, select one of the following log events:
    • To view all detected processes, make sure All is selected.
    • To view the processes that have been evaluated as security risks, click Security risk found.
    • To view the processes that have been evaluated and logged as potential risks, click Potential risk found.
  6. Click View Log.
  7. After you identify which detections are legitimate applications and which are genuine security risks, create an exception for them in an Exceptions policy. You can create the exception directly from the SONAR Logs pane.
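The triage that the procedure above describes, applied to an exported log rather than in the console, as an added example that is not part of the product documentation. It assumes a CSV export reduced to the four columns the page names (Event, Application, Application type, File/Path); a real export carries more columns, and the column headers, the sample rows, the trusted vendor directory and the user-writable path markers are all constructed for this example.

```python
import csv
import io

# Constructed sample of a SONAR log export, reduced to the four columns the
# page names. Column headers and every row here are assumptions, not real data.
SAMPLE_LOG = """\
Event,Application,Application type,File/Path
Potential risk found,BackupAgent.exe,Heuristic,C:\\Program Files\\Contoso Backup\\BackupAgent.exe
Security risk found,svchost.exe,Trojan,C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe
Potential risk found,updater.exe,Heuristic,C:\\Users\\bob\\Downloads\\updater.exe
Security risk found,LicenseSvc.exe,Heuristic,C:\\Program Files\\Contoso Backup\\LicenseSvc.exe
"""

# Hypothetical install directories of third-party applications the site has
# already verified as legitimate (compare these with the File/Path column).
TRUSTED_PREFIXES = ("c:\\program files\\contoso backup\\",)

# Path fragments that mark user-writable locations: a process that runs from
# one of these deserves investigation regardless of the event type.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\")


def parse_sonar_log(text):
    """Parse the CSV export into one dict per detection."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_by_event(rows, event_type="All"):
    """Mirror the Event type drop-down: All, Security risk found,
    or Potential risk found."""
    if event_type == "All":
        return list(rows)
    return [row for row in rows if row["Event"] == event_type]


def triage(rows):
    """Sort detections into the buckets an analyst works through.

    The Event column alone is not decisive (a Security risk found event can be
    a legitimate process, a Potential risk found event can be malware), so the
    decision is driven by File/Path, with Application type carried along for
    the analyst to read.
    """
    buckets = {"exception_candidates": [], "investigate": [], "review": []}
    for row in rows:
        path = row["File/Path"].lower()
        in_trusted_dir = path.startswith(TRUSTED_PREFIXES)
        in_user_writable = any(m in path for m in USER_WRITABLE_MARKERS)
        if in_user_writable:
            # Familiar name or not, a process launched from a user-writable
            # folder is not exempted on the strength of its name.
            buckets["investigate"].append(row)
        elif in_trusted_dir:
            buckets["exception_candidates"].append(row)
        else:
            buckets["review"].append(row)
    return buckets


def summarize(buckets):
    """Return the application names per bucket, in log order."""
    return {name: [r["Application"] for r in rows] for name, rows in buckets.items()}


if __name__ == "__main__":
    rows = parse_sonar_log(SAMPLE_LOG)
    print("Security risk found:", [r["Application"] for r in filter_by_event(rows, "Security risk found")])
    for bucket, names in summarize(triage(rows)).items():
        print(f"{bucket}: {names}")
```

The exception decision still belongs to a person: the script only orders the queue. Note that LicenseSvc.exe lands among the exception candidates even though SONAR logged it as Security risk found, because its path is inside a verified vendor directory, while svchost.exe lands in the investigate bucket because a process by that name has no business running from a user's Temp folder.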