How to test Suspicious Behavior Detection (SONAR) in Endpoint for Mac version 14.3 RU1



Article ID: 205109


Updated On:


Endpoint Protection


Symantec Endpoint Protection version 14.3 RU1 (Release Update 1) introduces "Suspicious Behavior Detection" in the macOS client. The feature is also referred to as SONAR, BASH, or BPE (Behavioral Protection Engine), and it is part of the SEP Virus and Spyware Protection settings. Nothing in the local Mac client user interface shows whether the feature is On or Off. The only On/Off indicator for this setting is in the AV policy in the Endpoint Protection Manager, under Mac Settings > Auto-Protect and SONAR.


14.3 RU1
macOS 10.15 or newer


To verify on the Mac agent that the feature is working, an administrator can use the attached testBASH shell script.

  1. Copy the file to the Mac and uncompress it.

  2. Open a terminal window and change to the directory containing the uncompressed script, e.g. "cd ~/Desktop" or "cd ~/Downloads"

  3. Execute the following commands to create a renamed copy, give it execute permissions, and run it:
    cp "{9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}"
    chmod a+x "{9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}"

    On macOS 10.15 or newer you will receive the following warning; it can be ignored, and the script still runs.
    The default interactive shell is now zsh.
    To update your account to use zsh, please run `chsh -s /bin/zsh`.
    For more details, please visit

    You should shortly receive something like the following message:
    {9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}_Socar-3.2$ ./{9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9} line 4:  2739 Killed: 9

The "Killed" message means that Suspicious Behavior Detection interrupted the script and stopped it from running.
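The check above can be scripted when it has to be repeated on many Macs. The following POSIX shell wrapper is an added example and is not part of this article or of the attached testBASH script; it assumes the path to the renamed copy of the script is passed as its only argument, and that the "Killed: 9" message is the shell reporting SIGKILL, which a parent shell sees as exit status 137 (128 + 9).

```shell
#!/bin/sh
# Added example, not part of the Broadcom article or the attached testBASH script.
# Runs the renamed test script and interprets how it ended, so the SONAR check can
# be scripted across many Macs. Assumption: the "Killed: 9" line in the article is
# the shell reporting SIGKILL, which a parent shell sees as exit status 137 (128+9).

# Map an exit status to a verdict. Prints the verdict and returns
# 0 = behavioural engine stopped the script, 1 = it ran unhindered, 2 = unclear.
classify_exit() {
    case "$1" in
        137) echo "DETECTED";      return 0 ;;  # 128 + 9: killed by SIGKILL
        0)   echo "NOT_DETECTED";  return 1 ;;  # completed normally: no intervention
        *)   echo "OTHER:$1";      return 2 ;;  # e.g. 126/127: permission or path problem
    esac
}

# Run the test script (as the article does with ./<name>) and classify the result.
# $1 is the path to the renamed copy of the script.
run_sonar_test() {
    script=$1
    [ -f "$script" ] || { echo "OTHER:missing"; return 2; }
    [ -x "$script" ] || chmod a+x "$script"       # same as step 3 of the article
    status=0
    "$script" >/dev/null 2>&1 || status=$?        # '||' keeps 'set -e' callers alive
    classify_exit "$status"
}

# Usage: sh check_sonar.sh ./"{9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}"
# (check_sonar.sh is a hypothetical name for this file.)
if [ $# -eq 1 ]; then
    run_sonar_test "$1"
fi
```

A NOT_DETECTED verdict means the test script ran to completion, so the policy setting under Mac Settings > Auto-Protect and SONAR should be checked before trusting the client.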

You can then see the risk event action shown in the client interface under:
Advanced > Activity > Security History > Threat Detections:

Scan Source: Behavioral Analysis
File: {9D5D7AC3-63CE-4046-B8E9-DCC75181A0D9}_Socar
Status: File was Quarantined
Infection Name: SONAR.Socar!g1

Attachments