Monitoring SONAR detection results to check for false positives
The client collects and uploads SONAR detection results to the management server. The results are saved in the SONAR log.
To determine which detected processes are legitimate and which are security risks, look at the following columns in the log:
- The event type and the action that the client has taken on the process, such as cleaning it or logging it. Look for the event types Security risk found and Potential risk found.
- The process name.
- The type of malware that a SONAR scan detected.
- The path name from where the process was launched.
The Event column tells you immediately whether SONAR classified a detected process as a security risk or as a possible legitimate process. However, that classification is only a starting point: a potential risk may or may not be a legitimate process, and a security risk may or may not be a malicious process. Therefore, you also need to look at the process name and File/Path columns for more information. For example, you might recognize the application name of a legitimate application that a third-party company has developed, and you might notice that a process with a familiar name was launched from an unexpected path.
- To monitor SONAR detection results to check for false positives
- In the console, click Monitors > Logs.
- On the Logs tab, in the Log type drop-down list, click SONAR.
- Select a time from the Time range list box closest to when you last changed a scan setting.
- Click Additional Settings.
- In the Event type drop-down list, select one of the following log events:
- To view all detected processes, make sure All is selected.
- To view the processes that have been evaluated as security risks, click Security risk found.
- To view the processes that have been evaluated and logged as potential risks, click Potential risk found.
- Click View Log.
- After you identify the legitimate applications and the security risks, create an exception for them in an Exceptions policy. You can create the exception directly from the SONAR Logs pane. Scope each exception to the specific application and path that you verified; an exception that is broader than necessary suppresses SONAR for every process it matches.
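The triage described above can also be done offline against an exported copy of the log. The following Python script is an added example, not part of the original documentation or of the product: it parses a constructed SONAR-style export, groups detections by event type, application name and path, and sorts them into exception candidates and entries that still need review. The column headers, the trusted-path list and the list of Windows system binary names are assumptions for illustration; the real console export may use different headers, and the trusted paths must come from your own software inventory.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names are assumed for this example;
# they mirror the columns the documentation describes, not necessarily the
# exact headers that the console writes when you export the log.
SAMPLE_LOG = """\
Event Type,Action,Application Name,Risk Type,File/Path
Security risk found,Quarantined,updater.exe,Heuristic,C:\\Users\\Public\\Downloads\\updater.exe
Potential risk found,Logged,AcmeBackup.exe,Heuristic,C:\\Program Files\\Acme Software\\AcmeBackup.exe
Potential risk found,Logged,AcmeBackup.exe,Heuristic,C:\\Program Files\\Acme Software\\AcmeBackup.exe
Security risk found,Quarantined,svchost.exe,Heuristic,C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe
Potential risk found,Logged,setup.exe,Heuristic,C:\\Users\\bob\\Downloads\\setup.exe
"""

# Install paths of third-party software you have verified as legitimate.
# Assumption for the example: populate this from your own inventory.
TRUSTED_PREFIXES = (
    "c:\\program files\\acme software\\",
)

# Names of Windows system binaries that should only run from the Windows
# directory. A process with one of these names launched from elsewhere is
# worth a closer look regardless of the event type. (Assumed short list.)
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe"}
WINDOWS_DIR_PREFIX = "c:\\windows\\"


def parse_sonar_log(text):
    """Parse a CSV export into a list of row dictionaries keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_trusted_path(path):
    """True if the launch path sits under a verified vendor directory."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def looks_like_masquerade(app, path):
    """True if a system binary name was launched from outside C:\\Windows."""
    return app.lower() in SYSTEM_BINARY_NAMES and not path.lower().startswith(WINDOWS_DIR_PREFIX)


def triage(rows):
    """Group detections by (event type, application, path) and assign a verdict.

    Verdicts:
      exception-candidate              launched from a verified vendor path
      review-masquerading-system-name  system binary name from an unexpected path
      review-security-risk             SONAR called it a security risk; confirm it
      review-potential-risk            SONAR logged it as a potential risk; confirm it
    """
    counts = defaultdict(int)
    for r in rows:
        counts[(r["Event Type"], r["Application Name"], r["File/Path"])] += 1

    results = []
    for (event, app, path), n in sorted(counts.items()):
        if looks_like_masquerade(app, path):
            verdict = "review-masquerading-system-name"
        elif is_trusted_path(path):
            verdict = "exception-candidate"
        elif event == "Security risk found":
            verdict = "review-security-risk"
        else:
            verdict = "review-potential-risk"
        results.append({"event": event, "app": app, "path": path, "count": n, "verdict": verdict})
    return results


def exception_candidates(results):
    """Return the exact paths that are ready to be added to an Exceptions policy."""
    return [r["path"] for r in results if r["verdict"] == "exception-candidate"]


if __name__ == "__main__":
    for r in triage(parse_sonar_log(SAMPLE_LOG)):
        print(f'{r["verdict"]:32} x{r["count"]} {r["event"]:22} {r["app"]:16} {r["path"]}')
```

Entries that land in the exception-candidate bucket correspond to the legitimate third-party applications the documentation tells you to look for; everything else stays in a review bucket until a person confirms it, because the Event column alone does not settle whether a process is malicious.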