Disabling SONAR in Symantec Endpoint Protection 14.3 RU5 and later

Article ID: 257992


Products

Endpoint Protection

Issue/Introduction

SONAR settings have been simplified in version 14.3 RU5. As part of these changes, the "Enable SONAR" button has been removed from the Symantec Endpoint Protection Manager (SEPM) console. SONAR is now enabled by default.

 

Environment

SEPM 14.3 RU5 and later

Resolution

In case of an emergency, it is still possible to disable SONAR. Broadcom does not recommend manually disabling SONAR unless there is an emergency need to do so.

To update this setting, the admin has to manually edit the profile.xml for the SEPM Group(s) where SONAR is to be disabled, then import the updated profile.xml file directly into the agent using the SMC command line or the Policy Profile > Import button in the client's Help > Troubleshooting… dialog box.


In the SEPM, go to Clients, then select the SEPM Group where you want to disable SONAR. In the upper right corner of the SEPM Group view, note the first four characters of the Policy serial number. Open File Explorer and navigate to the :\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent directory. Look for the directory whose name starts with the same four characters as the SEPM Group Serial Number.

Open that directory and pick up the profile.xml file. Edit the file and locate the line that starts with "<BASHBPESettings". Change Enabled="1" to Enabled="0" as shown below:


<BASHBPESettings ApplyModeHighConfidenceAction="ADMIN" ApplyModeLowConfidenceAction="ADMIN" Enabled="0"


In the same file, edit the <SerialNumber> line by changing the last three digits of the Serial Number to a three-digit number that is higher than the current number:


Example: 


Current:
<SerialNumber>5028-08/15/xxxx 09:00:15 895</SerialNumber>


After changing last three digits to a higher number:
<SerialNumber>5028-08/15/xxxx 09:00:15 995</SerialNumber>

Save the profile.xml file with the changes, then import the updated profile.xml file directly into the agent using the SMC command line (at the client, run "smc -importconfig profile.xml"), or through the SEP client interface Policy Profile > Import button located in the client's Help > Troubleshooting… dialog box.


Once the SEP client has checked into the SEPM with the modified profile.xml file, check the Clients > SEPM Group > Clients tab. Select the SEP device you imported the updated profile.xml file into and verify that the View: Protection technology shows: SONAR Status – Disabled by Policy.

 

RESULT:

Note: Once the emergency need to disable SONAR has passed, update the "Virus and Spyware Protection" policy for the SEPM Group that the device is a member of. Once the client checks back into the SEPM, it will get the updated policy and should once again reflect that SONAR is "Enabled".
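
A pre-import check for the manual edit described in the Resolution steps, as an added PowerShell example (not Broadcom code): it compares the untouched profile.xml with the edited copy line by line and accepts only the two changes this article makes. The function name Test-SonarProfileEdit is hypothetical, and the sample input is constructed from the two lines shown in this article.

```powershell
# Added example, not Broadcom code. Accepts an edited profile.xml only if it differs
# from the original in the BASHBPESettings Enabled flag and a raised serial suffix.
function Test-SonarProfileEdit {
    param([string[]]$Original, [string[]]$Edited)

    $problems  = [System.Collections.Generic.List[string]]::new()
    $sonar     = $null
    $raised    = $false
    $serialRx  = '^(\s*<SerialNumber>.*\D)(\d{3})(</SerialNumber>\s*)$'
    $enabledRx = '(?<=\s)Enabled="[01]"'

    if ($Original.Count -ne $Edited.Count) {
        $problems.Add("line count changed: $($Original.Count) -> $($Edited.Count)")
    } else {
        for ($i = 0; $i -lt $Original.Count; $i++) {
            $old = $Original[$i]; $new = $Edited[$i]
            if ($old -ceq $new) { continue }
            $o = [regex]::Match($old, $serialRx)
            $n = [regex]::Match($new, $serialRx)
            $bothBash = $old.TrimStart().StartsWith('<BASHBPESettings') -and
                        $new.TrimStart().StartsWith('<BASHBPESettings')
            if ($bothBash -and (($old -creplace $enabledRx, '') -ceq ($new -creplace $enabledRx, ''))) {
                # Only the Enabled value differs on the SONAR settings line.
                $sonar = [regex]::Match($new, $enabledRx).Value
            } elseif ($o.Success -and $n.Success -and ($o.Groups[1].Value -ceq $n.Groups[1].Value)) {
                # Same serial prefix; the three-digit suffix must be higher than before.
                if ([int]$n.Groups[2].Value -gt [int]$o.Groups[2].Value) { $raised = $true }
                else { $problems.Add("line $($i + 1): serial suffix was not raised") }
            } else {
                $problems.Add("line $($i + 1): unexpected change")
            }
        }
    }
    if ($sonar -and -not $raised) { $problems.Add('Enabled changed but SerialNumber was not raised') }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); SonarSetting = $sonar; Problems = $problems }
}

# Constructed sample built from the two lines shown in the article (the second line is
# truncated there as well). For real files pass (Get-Content <path>) for each copy.
$original = @(
    '<SerialNumber>5028-08/15/xxxx 09:00:15 895</SerialNumber>',
    '<BASHBPESettings ApplyModeHighConfidenceAction="ADMIN" ApplyModeLowConfidenceAction="ADMIN" Enabled="1"'
)
$edited = @(
    '<SerialNumber>5028-08/15/xxxx 09:00:15 995</SerialNumber>',
    '<BASHBPESettings ApplyModeHighConfidenceAction="ADMIN" ApplyModeLowConfidenceAction="ADMIN" Enabled="0"'
)
Test-SonarProfileEdit -Original $original -Edited $edited | Format-List
```

Run it against a copy taken before editing and the file about to be imported; any entry in Problems means the edit touched more than the two lines this article changes.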