How to test Suspicious Behavior Detection (SONAR) in Endpoint for Mac version 14.3 RU1


Article ID: 205109


Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection version 14.3 RU1 (Release Update 1) introduces "Suspicious Behavior Detection" in the macOS client. The feature is also referred to as SONAR, BASH, or BPE (Behavioral Protection Engine), and it is part of the SEP Virus and Spyware Protection settings. Nothing in the local Mac client user interface indicates whether it is On or Off. The only On/Off toggle for this setting is in the AV policy on the Endpoint Protection Manager, under Mac Settings > Auto-Protect and SONAR.

Environment

14.3 RU1
macOS 10.15 or newer

Resolution

To verify on the Mac agent that the feature is working, an administrator can use the attached testBASH shell script.

  1. Copy the testbash.zip file to the Mac and uncompress it.

  2. Open a terminal window and change to the directory containing testbash.sh, e.g. "cd ~/Desktop" or "cd ~/Downloads".

  3. Execute the following commands to create a renamed copy, give it execute permissions, and run it:
    cp testbash.sh "{9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}_Socar.sh"
    chmod a+x "{9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}_Socar.sh"
    "./{9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}_Socar.sh"

    On macOS 10.15 or newer you will see the following notice; it can be ignored, and the script still runs.
    The default interactive shell is now zsh.
    To update your account to use zsh, please run `chsh -s /bin/zsh`.
    For more details, please visit https://support.apple.com/kb/HT208050.

    You should shortly receive something like the following message:
    {9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}_Socar-3.2$ ./{9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}_Socar.sh: line 4:  2739 Killed: 9
    ~/Desktop/{9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}_Socar


The "Killed: 9" message means the behavioral engine interrupted the script and stopped it from running.
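The steps above can be wrapped in a small script so the outcome is read from the exit status instead of eyeballed in the terminal. This is an added example, not part of the article or the attached testbash.zip: it assumes testbash.sh has already been extracted into the current directory, and that when the renamed copy is killed by SONAR its last command fails with SIGKILL, which bash reports as exit status 128+9 = 137. If testbash.sh is missing (for example when trying the wrapper offline), a constructed stand-in that simply exits 0 is written in its place, so the wrapper then reports "ran" rather than "blocked". The sonar_verdict function and the run_sonar_test wrapper are names chosen for this example.

```shell
#!/bin/bash
# Added example (not from the article or from Symantec): runs the SONAR
# test file the way the manual steps do and reports the result.
# Assumes testbash.sh from the article's attachment is in the current
# directory. Without it, a constructed stand-in is created (exit 0) so the
# wrapper can be exercised offline; that stand-in is NOT the test file.

TEST_NAME="{9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}_Socar.sh"

# Map the exit status of the test run to a verdict. Bash reports a process
# ended by signal N as 128+N, so a SIGKILL (9) from the behavioral engine
# shows up as 137, matching the "Killed: 9" line in the article.
sonar_verdict() {
  case "$1" in
    0)   echo "ran" ;;        # completed normally: no behavioral block
    137) echo "blocked" ;;    # Killed: 9, the expected SONAR outcome
    *)   echo "other:$1" ;;   # any other status: investigate manually
  esac
}

# Perform steps 1-3 of the article (copy, chmod, run) and print a verdict.
# Also reports ",quarantined" when the renamed copy is gone afterwards,
# which matches the "File was Quarantined" status in Security History.
run_sonar_test() {
  if [ ! -f testbash.sh ]; then
    # Constructed stand-in for offline use only.
    printf '#!/bin/bash\nexit 0\n' > testbash.sh
  fi
  cp testbash.sh "$TEST_NAME"
  chmod a+x "$TEST_NAME"

  # Run inside an if so a non-zero status is captured even under set -e.
  if "./$TEST_NAME"; then
    status=0
  else
    status=$?
  fi

  verdict=$(sonar_verdict "$status")
  if [ ! -e "$TEST_NAME" ]; then
    verdict="$verdict,quarantined"
  fi
  echo "$verdict"
}

# Usage: run from the directory containing testbash.sh.
# On a client with Suspicious Behavior Detection enabled, expect "blocked"
# (possibly "blocked,quarantined"); "ran" means the engine did not act.
# run_sonar_test
```

The exit status mapping is the part worth keeping: a status of 137 from the test run is the same fact as the "Killed: 9" line, only machine-readable, and it pairs with the Scan Source / Status fields in Security History as a second, independent confirmation.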

You can then see the risk event action shown in the client interface under:
Advanced > Activity > Security History > Threat Detections:

Scan Source: Behavioral Analysis
File: {9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}_Socar
Status: File was Quarantined
Infection Name: SONAR.Socar!g1

Attachments

1607982588351__testbash.zip