
Preventing Sophos potential false positive

I wanted to get some ideas on how we can prevent a potential issue like the one recently discovered with McAfee's false positive.

I will list below what I am doing and would like to get feedback on what others are doing. 

1)  I have multiple groups within the Sophos console containing pilot and production machines.

2)  I have multiple policies that I keep in sync except for AV version.

3)  I keep the pilot machines on the "recommended" setting in the policy.

4)  The production machines stay 1 version behind (which at this time is 9.0.5 VDL4.52) for at least 1 week.

5)  If nothing happens to my pilot machines, nothing is reported in the news, and there is nothing posted in this user community, I roll out the latest version to production.

Can anybody post their processes or comment on my processes?

Thanks

  • While I don't have the 20 years of experience that QC does, I agree that it's less hassle and risk (overall) to keep everything up to date.  Even in your worst-case scenario where Sophos goes down the same route as McAfee and can't tell the difference between the genuine svchost.exe and a virus, you still leave your systems open by trying to prevent this.

    For example, say you set Sophos to alert only.  While in the hypothetical situation above this will allow you to verify that svchost.exe is not a virus and resolve the issue, between these times you'd have all the real viruses spreading across your systems infecting everything they come into contact with.

    While 'alert only' may be taking things a bit too far and delaying updates may seem a better option, remember that any allowances you make for false positives will also apply to genuine positives.  This of course depends on your situation, but in my experience rescuing a system in safe mode once in a blue moon is a lot easier than rescuing hundreds of systems from a virus infection every two days.
