Why are SONAR.SuspCL!g1 detections being recorded for routine Windows processes?


Article ID: 235345


Updated On:

Products

Endpoint Security Complete

Issue/Introduction

  • Incidents are being created for routine Windows processes in Symantec Endpoint Security Complete (SESC).
  • The threat name shown on the incident is SONAR.SuspCL!g1.

 

Environment

SESC Agent - Release: 14.3 RU4

Cause

SONAR.SuspCL fires on process A when process A attempts to launch process B and process B's command line itself triggers a command-line detection. The detection is therefore attributed to the parent (often a legitimate Windows process such as a shell or service host), not to the child whose command line matched.

In the past, certain silent command-line detections (matches intended only for telemetry, which never raise an alert on their own) were enough to trigger SuspCL on the parent. That is why these false positives were encountered on routine Windows processes.
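The parent/child escalation described above, modelled as an added example (not Symantec or SESC code) so that the false-positive mechanism is concrete. The rule names, the "silent" flag, the event line format and the sample log are all constructed for this illustration; how the product actually represents silent detections is not described on this page. `suspcl_old` reproduces the pre-fix behaviour, where any child command-line match, silent or not, flags the parent; `suspcl_fixed` models the corrected behaviour as only escalating on alert-grade matches.

```python
"""Toy model of a SuspCL-style escalation: a detection on the child's command
line is attributed to the parent that launched it.  Added illustration only;
rules, flags and the log format are assumptions, not product internals."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CmdLineRule:
    name: str       # hypothetical rule name
    pattern: str    # regex applied to the child's command line
    silent: bool    # True = telemetry-only match that should never raise an alert


# Constructed rules.  The silent one stands in for the kind of low-confidence,
# telemetry-only command-line match that used to bubble up to SuspCL.
RULES = [
    CmdLineRule("CL.EncodedPS",
                r"powershell(\.exe)?\s+.*-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}",
                silent=False),
    CmdLineRule("CL.Telemetry.Rundll32", r"^rundll32(\.exe)?\s", silent=True),
]


@dataclass(frozen=True)
class LaunchEvent:
    parent: str     # image name of the launching process (process A)
    child: str      # image name of the launched process (process B)
    cmdline: str    # full command line of process B


# Constructed event format: parent=<img> child=<img> cmdline="<text>"
EVENT_RE = re.compile(r'parent=(\S+)\s+child=(\S+)\s+cmdline="(.*)"')


def parse_event(line):
    m = EVENT_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return LaunchEvent(*m.groups())


def match_rules(cmdline):
    """All command-line rules (silent or not) that match the child's command line."""
    return [r for r in RULES if re.search(r.pattern, cmdline, re.IGNORECASE)]


def suspcl_old(event):
    """Pre-fix behaviour: any match on the child's command line flags the parent,
    even a silent, telemetry-only one.  This is the false-positive path."""
    return bool(match_rules(event.cmdline))


def suspcl_fixed(event):
    """Post-fix behaviour (assumed model): only an alert-grade, non-silent match
    on the child's command line escalates to SuspCL on the parent."""
    return any(not r.silent for r in match_rules(event.cmdline))


# Constructed sample log: a benign rundll32 launch from Explorer, an encoded
# PowerShell launch from Word, and an unremarkable notepad launch.
SAMPLE_LOG = """\
parent=explorer.exe child=rundll32.exe cmdline="rundll32.exe shell32.dll,Control_RunDLL"
parent=winword.exe child=powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
parent=svchost.exe child=notepad.exe cmdline="notepad.exe C:\\Users\\user\\notes.txt"
"""


def triage(log_text, detector):
    """Return the parent images a detector would flag over the given log text."""
    return [ev.parent for ev in map(parse_event, log_text.splitlines()) if detector(ev)]


if __name__ == "__main__":
    print("old  :", triage(SAMPLE_LOG, suspcl_old))     # explorer.exe is a false positive
    print("fixed:", triage(SAMPLE_LOG, suspcl_fixed))   # only winword.exe remains
```

Note that in both versions the flagged name is the parent, which is why the incident on a real console shows a routine process like explorer.exe rather than the child whose command line matched; when triaging a SuspCL incident, look at the child's command line, not the parent's.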

Resolution

A fix for this issue was included in the refresh of the cloud console (ICDm, also referred to as CDM or the SESC Cloud Console) deployed on February 16, 2022.

SuspCL detections are now analyzed further before an incident is raised, so that a silent command-line match on the child process no longer produces a false positive on the parent.