This article describes how to download the Socar.exe test file to verify that the SONAR component of Proactive Threat Protection (PTP) works correctly.
Symantec created Socar.exe to test whether SONAR works on a computer. If SONAR is running, Socar.exe triggers a Proactive Threat Protection event. If Socar.exe does not trigger an event, SONAR is not running correctly. Symantec Endpoint Protection detects Socar.exe as a SONAR.Heuristic risk (SONAR.Heuristic.xxx).
To use Socar.exe, ensure that the Symantec Endpoint Protection client has an active internet connection and that Download Insight is installed, enabled, and functioning. Download the socar.zip file from this article's Download Files section, extract all contents using the password "symantec", and then double-click Socar.exe.
Note that if "Show alert upon detection" is unchecked, no on-screen pop-up is displayed. Check the Proactive Threat Protection logs to see whether Socar.exe triggered an event. The action taken on the Socar.exe file (quarantined, log only, and so on) depends on the Symantec Endpoint Protection client's configured policy. As with other detections, an Event ID 51 "Security Risk Found!" event entry appears in the Windows Application Event log.
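The event log check described above can be scripted so that the test gives a clear pass or fail even when the pop-up is disabled. The following PowerShell is an added example, not Symantec's own tooling; the 30-minute lookback window and matching on the file name are assumptions chosen for illustration.

```powershell
# Added example: confirm that running Socar.exe produced Event ID 51
# in the Windows Application event log.
# Assumptions (not from the article): 30-minute lookback, match on file name.
param(
    [int]$LookbackMinutes = 30,
    [string]$TestFileName = 'Socar.exe'
)

$filter = @{
    LogName   = 'Application'
    Id        = 51
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$hits = foreach ($e in $events) {
    # Message can be empty if the provider's message resources are unavailable,
    # so the raw event properties are searched as well.
    $text = @($e.Message) + @($e.Properties | ForEach-Object { [string]$_.Value })
    if (($text -join "`n") -match [regex]::Escape($TestFileName)) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Provider    = $e.ProviderName
            Summary     = (($text -join ' ') -replace '\s+', ' ').Trim()
        }
    }
}

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-List
    Write-Output "PASS: Event ID 51 recorded for $TestFileName; SONAR raised a detection."
} else {
    Write-Output "FAIL: no Event ID 51 mentioning $TestFileName in the last $LookbackMinutes minutes."
    Write-Output "Check the Proactive Threat Protection logs and that SONAR and Download Insight are enabled."
    exit 1
}
```

Event ID 51 is not unique to one product, so the script matches on the test file name and prints the provider name of each hit for confirmation.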