You can change SONAR settings to mitigate false positive detections in general. You can also create exceptions for a specific file or a specific application that SONAR detects as a false positive.
If you set the action for high risk detections to log only, you might allow potential threats on your client computers.
Table: Handling SONAR false positives
Log SONAR high risk heuristic detections and use application learning
You might want to set detection action for high risk heuristic detections to Log for a short period of time. Let application learning run for the same period of time. Symantec Endpoint Protection learns the legitimate processes that you run in your network. Some true detections might not be quarantined, however.
Create exceptions for SONAR to allow safe applications
You can create exceptions for SONAR in the following ways:
Use the SONAR log to create an exception for an application that was detected and quarantined
You can create an exception from the SONAR log for false positive detections. If the item is quarantined, Symantec Endpoint Protection restores the item after it rescans the item in the Quarantine. Items in the Quarantine are rescanned after the client receives updated definitions.