SONAR - Proactive Threat Protection or Download Insight False Positive Corrections

Article ID: 154991


Updated On:

Products

Endpoint Protection

Issue/Introduction

A process was detected as suspicious by SONAR - Proactive Threat Protection (these detections are also referred to as "Behavior Based") or by Download Insight in Endpoint Protection. The file was submitted to Security Response, and the determination was that this was a case of a False Positive (FP) detection. A message to that effect, together with information regarding corrected definitions, was sent. However, the Proactive Threat Protection definitions shown in the SEP Client Graphical User Interface do not show any update and may appear to be out of date.

Resolution

Until new definitions are available, SONAR False Positives can be overcome through policy exceptions. See Exclusion Guidelines for Symantec Endpoint Protection for details.

Exceptions should be used with caution and only temporarily. Remove the exclusion once new whitelisting definitions are available.
 
In SEP, confirmed False Positives are added to the Revocation list. This whitelist is updated on a daily basis, and SEP clients download it as part of the Revocation definitions via LiveUpdate. The same whitelist is also used by the Download Insight component.
 
In the SEP Client GUI, this IRON Whitelist containing corrected False Positives can be identified under:
Help > Troubleshooting > Versions.
 
 
SEPM downloads and distributes these definitions by default.
 
Distribution of this content is configured in the LiveUpdate Content portion of any LiveUpdate Policy, under Windows Settings > Security Definitions > Reputation Settings.
 
To verify which revisions are available, check "Select a revision" and click the Edit button. Symantec recommends using the latest available revision of the selected Reputation Settings content.
 
 
Finally, to verify which of these definitions were actually downloaded by SEPM, go to Admin > Site > Show LiveUpdate downloads.