This article describes how to download the Socar.exe test file to verify that the SONAR component of Proactive Threat Protection (PTP) works correctly.

About Socar.exe

Symantec created Socar.exe to test whether SONAR works on a computer. If SONAR is running, Socar.exe triggers a Proactive Threat Protection event. If Socar.exe does not trigger an event, SONAR is not running correctly.

As of May 16th 2022, Symantec Endpoint Protection detects Socar.exe as SONAR.Socar!gen1 on Endpoint Protection clients running SONAR engine 12.4 or greater.  Detections on Endpoint Protection clients with SONAR engine 12.3 and earlier will be detected as SONAR.Heuristic.xxx.

Using Socar.exe

To use Socar.exe, Download the socar.zip file from this article's Download Files section, extract all contents using the password "symantec", and then double-click Socar.exe.

Note that if Show alert upon detection is unchecked, then no on-screen pop-up will be displayed.  Check the Proactive Threat Protection logs to see if socar.exe triggered an event. The action taken to the socar.exe file (quarantined, log only, and so on) depends on the Symantec Endpoint Protection client's configured policy. As with other detections, an Event ID 51 "Security Risk Found!" event entry appears in the Windows Application Event logs.

NOTE: Socar.exe will not be convicted by SONAR unless Download Insight (Reputation) is enabled.