SONAR - Proactive Threat Protection or Download Insight False Positive Corrections
search cancel

SONAR - Proactive Threat Protection or Download Insight False Positive Corrections


Article ID: 154991


Updated On:


Endpoint Protection


A process was detected as suspicious by SONAR - Proactive Threat Protection (These detections are also referred to as "Behavior Based"), or Download Insight in Endpoint Protection. The file was submtted to Security Response and the determination was this was a case of a False Positive (FP) detection. A message to that effect and information regarding corrected definitions were sent. The Proactive Threat Protection definitions in the SEP Client Graphical User Interface do not show any updates and may appear to be out of date. 


Until new definitions are available, it is possible to overcome SONAR False Positives through policy.  See Exclusion Guidelines for Symantec Endpoint Protection for details. 

Exceptions should be used with caution and only temporarily.  Remove the exclusion once new whitelisting definitions are available.  
In SEP confirmed False Positives are added to the Revocation list. This whitelist gets updated on a daily basis and SEP clients can download it as part of the Revocation definitions via LiveUpdate. This whitelist is also used by the Download Insight component.
In the SEP Client GUI, this IRON Whitelist containing corrected False Positives can be identified in:
Help> Troubleshooting> Versions.
SEPM will by default download and distribute these definitions.
Distributing this content is configured in the LiveUpdate Content portion of any LiveUpdate Policy, under Windows Settings> Security Definitions > Reputation Settings.
To verify which revisions are available, check "Select a revision" and click on the Edit button. Symantec recommends using the latest available Revision of the selected Reputation Settings content.
Finally, to verify which of these definitions were actually downloaded by SEPM, go to Admin> Site> Show LiveUpdate downloads.