How to Stop the End point and Security Client from scanning

There are some times that I need to disable Sophos Endpoint from scanning when I do installation of network software. However, when I disable the on-access scanning, Web Scanning and Sophos Live Protection, it still manages to flag and quarantine files.

How do you stop Sophos from Scanning in order to install software?

Just wondering,

Rodeoboy

:19841


This thread was automatically locked due to age.
  • Hi,

    What is being detected exactly, suspicious behaviour detections?  If you know some of the files to be genuine you can authorise them under the Authorization Manager.

    If performance is horrendous, which it shouldn't be given adequate resources, you could always look to exclude remote files under on-access exclusions.  This would be safer than disabling scanning completely.


    Regards,

    Jak 

    :19843
  • Well, the last problem I had was trying to do a scan with Combofix because one of the computers was acting funny and my Cisco professor suggested using Combofix.  So when I went to scan the drive with it, Sophos quarantined 2 files it was trying to use to scan with.  Then it went haywire on reboot - I had to do a restore to get it back.

    I know in the past while trying to patch our Netware server system, Sophos quarantined a file and it jacked up the patch and I had to backrev the server software and do it again with a computer that did not have Sophos installed on it.

    Normally I leave Sophos running during installs but when patching an OS or something related to the OS that I think will mess up the system I turn it off.

    Rodeoboy

    :19905
  • Hello Rodeoboy,

    As Jak said, the details of the detection are always important. Rather than trying to find all the knobs and switches needed to completely turn off scanning, "unwanted" detections should be dealt with case-by-case. This does not necessarily mean item-by-item though. Thus if certain activity is known to trigger suspicious behaviour detections, you could simply turn it off while performing this task. If OTOH a certain "suspicious" file is regularly used but doesn't change often, it's better to authorize it.

    False positives (detected by on-access) can also be sent in as samples - I have done this a number of times. Depending on the nature (and prevalence) of these files modified identities might be issued to avoid future detection.

    As to Combofix - running more than one "Anti" software at the same time is a little bit like independently employing two security firms to watch over your estate. Chances are good rather sooner than later they are at each other's throats ;-).

    Christian

    :19955