
Does "Move threat to Folder" -- not actually work?

So, my On-Access Scanning preferences (with Sophos 8.0.10) are set to:

When a threat is found:  Deny access and move threat

Move threat to folder:  <various folder locations tested>

If I download eicar.com from:  

http://www.eicar.org/85-0-Download.html

The file is downloaded. Sophos flags this in the Quarantine Manager.

But the file is still in its default download location (I've tried various locations as well...).

Am I missing what *should* be happening with the "move threat" option with malware downloaded with a web browser? Or is this something that is not actually working?



  • Hi maser,

    The "move on threat detected" feature does work, except for situations where the threat has a cleanup action associated with it (e.g. it could be cleaned up, if you've configured the product that way). This is the reason you won't see "move" working as you predicted for all possible threats.

    Eicar is a threat which has a cleanup action associated with it, so if you were using that to test, then that's probably the right answer.

    This isn't very intuitive, and it's something we'll be revising at some point in the future. BTW, if you did an on-demand scan of the same threat with the same configuration, the log will give an explanation (even if it's not intuitive). Unfortunately the on-access scanner is too silent about it.

    The product is expecting that most people want threats to be covered by a cleanup action, which is typically preferable anyway, as it will secure the system against further infection.

    I'm interested to hear more about your use case for the "move" action. We've actually been discussing whether we want to remove it from the product in a future version.
