About analyzing the process behaviors that occurred on endpoints
Last Updated September 25, 2018
Symantec Endpoint Protection uses Symantec Online Network for Advanced Response (SONAR) technology to submit process behaviors and to remediate them. However, Symantec Endpoint Protection itself gives you no visibility into what those SONAR submissions contain. When you integrate Symantec Advanced Threat Protection (ATP) 2.0.2 or later with Symantec Endpoint Protection, ATP exposes the details of the SONAR submissions.
ATP presents SONAR submission information per endpoint/file pair (that is, a specific file making system changes on a specific endpoint). The information is only available when Symantec Endpoint Protection has actually made a SONAR submission for that pair, and what appears in ATP Manager is limited to what ATP can extract from that submission.
A process is created when a file is executed; ATP represents the process as the group of system changes it made. Those system changes are the process's behaviors. For each behavior, ATP also provides the dynamic file attributes that are associated with the system change. These attributes are called dynamic because the behaviors that are detected on one endpoint may differ from the behaviors that the same file produces on a different endpoint. Examples of process behaviors include: modifications to system policies; modifications to firewall policies; creating registry key paths.
Examples of dynamic file attributes include: SHA256; registry value data; process's parent.
Process behaviors and their dynamic file attributes appear on the Process Behavior details page. This page is only available when a file has run as a process on a managed endpoint. You can navigate to this page in the following ways:
From the Endpoint details page:
A Behavior option appears in the Malicious Files row for the file that was involved in the process.
By contrast, static file attributes are properties of the file itself: they do not change regardless of the endpoint on which the file appears. Examples of static file attributes include: the number of strings in a file's resource; the file imports only Kernel32 functions; the file has an embedded PE file.
Static file attributes appear on the File details page on the Attributes tab. The Attributes tab only appears when static file attributes are available.
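The following script is an added illustration of the static/dynamic split described above; it is example code, not part of the Symantec documentation and not ATP's own logic. Two static attributes (the SHA256 and whether the file carries an embedded PE) are derived from the file bytes alone, so they come out identical no matter which endpoint reported the file, while the parent process, behavior types and registry value data are read from per-endpoint submission records and can differ. The sample file bytes, the submission records, the endpoint names and every field name are constructed for the example; the real SONAR submission format is not documented on this page and is not reproduced here.

```python
import hashlib
import struct


def _minimal_pe(pad: int) -> bytes:
    """Build the smallest byte layout the detector below treats as a PE image:
    a 0x40-byte DOS header whose e_lfanew (at offset 0x3C) points at 'PE\\0\\0'.
    Constructed for the example; it is not a loadable executable."""
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    pe_signature = b"PE\x00\x00" + b"\x00" * 20  # signature plus a zeroed COFF stub
    return dos_header + pe_signature + b"\x00" * pad


# Constructed sample: a PE whose tail contains a second PE (an embedded PE).
SAMPLE_FILE = _minimal_pe(8) + _minimal_pe(4)


def find_pe_headers(data: bytes) -> list:
    """Return the offset of every 'MZ' header whose e_lfanew points at a valid
    PE signature inside the buffer. Offset 0 is the file's own header; any
    other offset is an embedded PE."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        lfanew_at = pos + 0x3C
        if lfanew_at + 4 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, lfanew_at)[0]
            sig_at = pos + e_lfanew
            # Bounds-check before slicing: a truncated or hostile file can carry
            # an e_lfanew that points far past the end of the buffer.
            if (e_lfanew >= 0x40 and sig_at + 4 <= len(data)
                    and data[sig_at:sig_at + 4] == b"PE\x00\x00"):
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def static_attributes(data: bytes) -> dict:
    """Attributes computed from the bytes alone; the same on every endpoint."""
    headers = find_pe_headers(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": bool(headers) and headers[0] == 0,
        "has_embedded_pe": any(off > 0 for off in headers),
    }


# Constructed SONAR-style submission records for the same file from two endpoints.
# Field names are assumptions for this example, not ATP's schema.
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()
SUBMISSIONS = [
    {
        "endpoint": "WS-01",
        "sha256": SAMPLE_SHA256,
        "parent_process": "explorer.exe",
        "behaviors": [
            {"type": "registry_key_create", "key": r"HKLM\SOFTWARE\Example\Run", "value_data": None},
            {"type": "firewall_policy_modify", "key": None, "value_data": "allow in:any"},
        ],
    },
    {
        "endpoint": "WS-02",
        "sha256": SAMPLE_SHA256,
        "parent_process": "cmd.exe",
        "behaviors": [
            {"type": "registry_key_create", "key": r"HKCU\Software\Example",
             "value_data": r"C:\Users\Public\a.exe"},
        ],
    },
]


def dynamic_attributes(submissions: list, sha256: str) -> dict:
    """Per-endpoint view of one file. Parent process, behavior types and
    registry value data can all differ between endpoints, which is why the
    page calls them dynamic."""
    view = {}
    for sub in submissions:
        if sub["sha256"] != sha256:
            continue
        view[sub["endpoint"]] = {
            "parent_process": sub["parent_process"],
            "behavior_types": sorted({b["type"] for b in sub["behaviors"]}),
            "registry_value_data": sorted(
                b["value_data"] for b in sub["behaviors"] if b["key"] and b["value_data"]),
        }
    return view


def varies_across_endpoints(view: dict, attribute: str) -> bool:
    """True when the named dynamic attribute is not identical on every endpoint."""
    return len({repr(v[attribute]) for v in view.values()}) > 1


if __name__ == "__main__":
    print("static:", static_attributes(SAMPLE_FILE))
    per_endpoint = dynamic_attributes(SUBMISSIONS, SAMPLE_SHA256)
    for name, attrs in per_endpoint.items():
        print(name, attrs)
    for attr in ("parent_process", "behavior_types", "registry_value_data"):
        print(attr, "varies:", varies_across_endpoints(per_endpoint, attr))
```

The embedded-PE check deliberately walks every `MZ` occurrence and validates `e_lfanew` against the buffer length rather than trusting the header, because a file submitted for analysis is exactly the kind of input that may carry a malformed header.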