Hi,
SONAR is a real-time protection that detects potentially malicious applications when they run on your computers. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.
SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides an additional level of protection on your client computers and complement your existing Virus and Spyware Protection, intrusion prevention, and firewall protection.
Legacy clients do not support SONAR; however, legacy clients use TruScan proactive threat scans to provide protection against zero-day threats. TruScan proactive threat scans run periodically rather than in real time.
Go through the following helpful articles:
About SONAR
http://www.symantec.com/business/support/index?page=content&id=HOWTO55254
Managing SONAR
http://www.symantec.com/business/support/index?page=content&id=HOWTO55215
Adjusting SONAR settings on your client computers
http://www.symantec.com/docs/HOWTO55258
Handling and preventing SONAR false positive detections
http://www.symantec.com/docs/HOWTO55273