About high-intensity detection

Symantec Protection Engine decouples the notion of monitoring from that of blocking through high-intensity detection (HID). SPE now performs detections at a certain level and blocking at a different level. To use the high-intensity detection feature, you must configure the Monitoring Level setting in the antimalware policy. The high-intensity detection feature ensures that you do not disruptively block any new files without understanding their behavior, risk, and so on. It also enables you to retain maximum visibility on the new detected files.
The Monitoring Level setting has four different settings from Known Bad (Level 0: Less intensive) to High (Level 3: Highly intensive). The Monitoring Level setting lets you control the logging for suspicious detections through the aggression levels or intensity of the threat detection technologies in the product.
When Symantec Protection Engine detects a file as a threat, it also identifies the detection level at which the threat is detected. The detection level determines the intensity for detecting and acting on the infected file. This information about the detection level is logged in Symantec Protection Engine logs. When a threat is detected at a level which is equal to or less than a configured Detection Level, SPE reports the threat and takes configured action on the file.
When a threat is detected at a level which is in between the Detection Level and the Monitoring Level, the file is reported as suspicious and logged without taking any action on the file. You can use logging details to figure out what types of detections the policy makes at a certain monitoring level before you start to block at that level. The false positive rate goes up the higher you move the slider. You can also create exclusions for suspicious files that you know are safe.
For example, if the Detection Level (Blocking level) is set to "2" and the Monitoring level (Suspicious level) is set to "3":
  • All files being detected with Detection Level up to "2" will be blocked.
  • All files with the Detection Level higher than the configured Detection Level, but less than or equal to the Monitoring Level, will be logged as "Suspicious threat". No action is taken on such files. Make sure you always configure the Monitoring Level higher than or equal to the Detection Level.
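The level comparison above, together with a preview of which suspicious files would start being blocked if the Detection Level were raised, as an added example that is not Symantec code and does not read SPE's log format. The function names, the (file, level) event tuples and the "unreported" outcome for levels above the Monitoring Level are assumptions made for this illustration.

```python
LEVELS = range(0, 4)  # Level 0 (Known Bad) .. Level 3 (High), as on this page


def validate_policy(detection_level, monitoring_level):
    """Reject settings the page warns against."""
    if detection_level not in LEVELS or monitoring_level not in LEVELS:
        raise ValueError("levels must be between 0 and 3")
    if monitoring_level < detection_level:
        raise ValueError("Monitoring Level must be >= Detection Level")


def classify(threat_level, detection_level, monitoring_level):
    """Outcome for one detection under the configured levels."""
    validate_policy(detection_level, monitoring_level)
    if threat_level <= detection_level:
        return "blocked"       # reported, configured action is taken
    if threat_level <= monitoring_level:
        return "suspicious"    # logged only, no action on the file
    return "unreported"        # assumption: the page does not describe this case


def preview_raise(events, detection_level, monitoring_level, exclusions=frozenset()):
    """Map each higher candidate Detection Level to the files that are
    suspicious today and would be blocked at that candidate level."""
    validate_policy(detection_level, monitoring_level)
    preview = {}
    for candidate in range(detection_level + 1, monitoring_level + 1):
        preview[candidate] = sorted({
            name for name, level in events
            if name not in exclusions  # files already known to be safe
            and classify(level, detection_level, monitoring_level) == "suspicious"
            and classify(level, candidate, monitoring_level) == "blocked"
        })
    return preview


# Constructed sample detections: (file name, level at which it was detected).
EVENTS = [("invoice.docm", 0), ("setup.exe", 2), ("tool.exe", 3),
          ("report.pdf", 3), ("build-agent.exe", 3)]

if __name__ == "__main__":
    for name, level in EVENTS:
        print(name, level, classify(level, 2, 3))
    print(preview_raise(EVENTS, 2, 3, exclusions={"build-agent.exe"}))
```
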