When reviewing the Incidents that Symantec Endpoint Detection and Response (SEDR) is creating, you notice they include Events from Endpoint clients for files you have added to the Allow list. You may also see Sandbox submissions for these files in the Actions menu.

The ATP/SEDR SHA2 Allow list only applies to Network detections and Endpoint Insight queries. It does not preclude these files from being correlated along with other events into an Incident, matching known threat feeds, or being submitted to the configured Sandbox.

If you need to ignore all Endpoint detections for this file, you will need to create a Recorder Rule specifying 'Do Not Record' under the Recorder Policies.

If you need to create an exception for a Safe application from SONAR, see this Help page for further details:

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/managing-sonar-v40139626-d47e6/handling-and-preventing-sonar-false-positive-detec-v45103447-d47e151.html