I've been reviewing other security products to address the vulnerabilities that we still have with Endpoint Protection 12.1. Specifically, we still have machines that get infected by malware. I must admit that I am not aware of everything that SONAR does. I see almost nothing logged or quarantined by SONAR. That leads me to believe that some enhancement could be done, similar to the following product.
One of the products with a novel concept is Trusteer Apex. It monitors a small set of applications (Java, Adobe Flash, Acrobat Reader, IE, Firefox, Chrome, Word, Excel, PowerPoint, and Outlook) and compares what it is doing and why it is doing it, by creating a context-aware application whitelist. There are only a finite number of actions that each application can legitimately perform. By monitoring the application memory state, it can be determined whether the action is legitimate or malicious or unknown. Allow the known legitimate function and block the malicious/unknown. Send information about the unknown to be reviewed to either be whitelisted or blacklisted. Customers can create their own exceptions through an administrative console.