I want to clarify SONAR. I know that SONAR works on executable files.
For SONAR detection, I have a question: does the SONAR risk level correspond to High risk detection in Scan Details or Suspicious Behavior Detection, or not?
How are sensitivity and Detection Score calculated?
SONAR has the following dependencies:
Download Protection must be installed.
Auto-Protect must be enabled.
If Auto-Protect is disabled, SONAR loses some detection functionality and appears to malfunction on the client. SONAR can detect heuristic threats, however, even if Auto-Protect is disabled.
Insight lookups must be enabled.
Without Insight lookups, SONAR can run but cannot make detections. In some rare cases, SONAR can make detections without Insight lookups. If Symantec Endpoint Protection has previously cached reputation information about particular files, SONAR might use the cached information.
Insight Lookup uses the latest definitions from the cloud and the Insight reputation database to make decisions about files. If you disable Insight lookups, Insight Lookup uses the latest definitions only to make decisions about files.
Insight Lookup also uses the Automatically trust any file downloaded from an intranet website option.
NOTE: Insight Lookup uses the configured Insight Lookup slider level value to evaluate the files that were downloaded from a supported portal. If the files were not downloaded from a supported portal, then Insight Lookup detects them only if they have the worst reputation (similar to level 1).
Check these Articles:
Adjusting SONAR settings on your client computers
This is proprietary information within Symantec. They have algorithms in place to do this and it isn't something released publicly. The only setting you can change within the policy is to set the detection level for High and Low risks, but there is no info to say what is considered high or low.
As I said this info isn't public.
Perhaps support can shed more light on it.
What is available:
About the files and applications that SONAR detects
Handling and preventing SONAR false positive detections
I understand, but I want to know some more details about this.