
Best practice for On-Access scan settings

Hello,

I know by default that the On-Access scan settings for Viruses/spyware is set to "Deny access only" but I wanted to get a feel for what others are doing and why?

We are using the default setting for On-Access and then in our weekly scan schedule we set the Automatically clean up.  But it seems that when machines are offline during the weekly scan schedule that they are never getting cleaned unless we manually clean them from the console during the day.

Thoughts about why we should not just set the On-Access scan to automatically clean?

Does anybody know what the defaults are for other AV products?

  • But it seems that when machines are offline during the weekly scan schedule that they are never getting cleaned unless we manually clean them from the console during the day.

    Right, that's exactly the problem everybody faces. Unless you implement a forced Scheduled Scan using WOL it will always be a manual job to clean the PC from malware. And this involves having luck that the PC is in use the minute you look at it....

    I personally have the On-Access scanner delete viruses. Scheduled scans are set to clean up and delete viruses _and_ adware, and in especially nasty malware cases I also delete suspicious files. No exceptions. If the OS ecosystem or apps get corrupted due to suspicious-file false positives, the machine has to be re-imaged by my technicians. HIPS is running in Alert only mode.

  • I also implement a "take no prisoners" approach when it comes to viruses on users' PCs - anything detected by Sophos is deleted instantly without warning.  Servers are a bit more lenient in that they're set to quarantine only - that way if something goes horribly wrong it's easier to recover from... plus they're switched on constantly so manual cleanup of anything dodgy is a lot easier.  My reasons for this are that we have a lot of flash drives being plugged into our machines that have been to far-out corners of the world and come back riddled with all kinds of garbage.  Any softer approach results in people trying to disable or somehow bypass Sophos (a few have local admin rights).

    I've got suspicious files set to 'alert only' as we have a lot of bespoke applications in use here, and quite a lot of them weren't really designed with any common sense or a corporate situation in mind :robotwink:

  • If it is a known virus/spyware, then again here, it's a no-nonsense outlook. We want it to clean up immediately! We are in the same boat that things may not be cleaned for weeks on end otherwise.

    If it's suspicious files, then I leave them on the station, but block them. I then go in and submit a sample to Sophos.

    Ideally I'd like any suspiciously behaving files to be moved to my local C: on my admin station, but have so far struggled with implementing that.

    I can't see why you wouldn't automatically clean, as typically you should have a backup of any files that become infected, so you can roll back on those, and leaving a virus on the computer may lead to it floating around the system (if some policies aren't up to date or Sophos services aren't running correctly on a station).

  • The only reason I can think of not to immediately delete an infected file would be the outlook.pst :) That's why I have this excluded.

  • That's a very good thought actually. We don't have any immediate backup for e-mails. We cannot retrieve anything from the specific day if it was deleted by Sophos due to infection.

    I may well just implement that here! Cheers! :smileyvery-happy:

  • RRR wrote:

    The only reason I can think of not to immediately delete an infected file would be the outlook.pst :) That's why I have this excluded.


    Curious why you put in an exclusion for a .PST file when Sophos does not appear to scan files with .PST extensions by default?  (Bring up the Sophos GUI on a system -> Configure anti-virus and HIPS -> On-access scanning -> Extensions tab)

  • Which version is this?

    I've just checked SAV (7.6.19) on my computer, but nothing in the exclusions list. Perhaps it was added to the default policies after installation, so appears to be default?

  • Lestat said it's not in the File type extensions to be scanned list and therefore an exclusion is not necessary.

    Christian

  • Ah! Yes, an oversight on my part. No, it's not set to scan .pst files by default here either :smileyhappy:

  • We had to put exclusions in for OST and PST because what we were seeing is that Sophos will not "Scan" them by default.

    Support explained the scanning process (AV version 9) to us as follows:

    1)  Sophos first checks whether the file's extension has been added by us to the exclusion list; if so it skips it, if not...

    2)  Sophos then checks the file's size; if over 4GB it logs an error in the application event log; if not over 4 GB then

    3)  Sophos will check against the file extensions that it should not scan by default.

    Ever since we added the PST and OST exclusions we no longer see the errors on machines with larger than 4GB files.

    So even though Sophos does not "scan" these files by default, it looks like it still touches the file and checks its size.  This is what we were seeing with PST and OST files.

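To make the check order described in that support explanation concrete, here is an added Python model of it (not Sophos code; the default not-scanned extension list and the 4 GB threshold are assumed from this thread only) that also walks a folder and lists the files that would land on the error-logging path, which is what an admin chasing those event-log errors wants to know:

```python
import os
from enum import Enum

# Size threshold quoted in the thread; assumed to mean 4 GiB.
FOUR_GB = 4 * 1024 ** 3

# Constructed list: only the two extensions the thread says are not
# scanned by default. The real default list is longer.
DEFAULT_NOT_SCANNED = {".pst", ".ost"}


class Outcome(Enum):
    SKIPPED_EXCLUDED = "skipped: admin exclusion matched"
    LOGGED_TOO_LARGE = "error logged: file over 4 GB"
    SKIPPED_NOT_DEFAULT = "skipped: extension not scanned by default"
    SCANNED = "scanned"


def _norm_ext(value):
    """Accept '*.pst', '.pst' or 'pst' and return '.pst'."""
    value = value.strip().lower().lstrip("*")
    return value if value.startswith(".") else "." + value


def decide(path, size, admin_exclusions):
    """Apply the three checks in the order the thread describes."""
    ext = os.path.splitext(path)[1].lower()
    if ext in {_norm_ext(e) for e in admin_exclusions}:
        return Outcome.SKIPPED_EXCLUDED          # check 1: admin exclusion
    if size > FOUR_GB:
        return Outcome.LOGGED_TOO_LARGE          # check 2: size, before ext
    if ext in DEFAULT_NOT_SCANNED:
        return Outcome.SKIPPED_NOT_DEFAULT       # check 3: default ext list
    return Outcome.SCANNED


def find_error_candidates(root, admin_exclusions=()):
    """Return files under root that would hit the >4 GB error path."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(p)
            except OSError:
                continue                         # unreadable; skip it
            if decide(p, size, admin_exclusions) is Outcome.LOGGED_TOO_LARGE:
                hits.append(p)
    return hits
```

Running `find_error_candidates(r"C:\Users", ["*.pst", "*.ost"])` on a profile share shows that once the exclusion is present, large mailbox files no longer reach the size check, which matches the poster's observation.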