
Why Quarantine and how do I make it stop?

Apparently I asked this in the wrong group. Hopefully this is the right one.

Hey Guys, so I've JUST started taking over Sophos management at my university and I'm still trying to find my feet. For the meantime, I wonder if I can ask a couple of questions. This is for what is showing as Sophos Endpoint Security and Control 10.3 and the corresponding Sophos Enterprise Console 5.2.2.

1) Why does Sophos ONLY quarantine now and not clean infections and Spyware? I find a lot of products are doing this and it's frustrating. I want things gone, not just put aside.

2) Since yesterday I've been getting a notice that something has been found and moved to quarantine. Is there a way for it to only tell me once or to set it so it only pops up once an hour instead of every few seconds?

I truly find Sophos to be vastly over complicated so if there's any place I can go to get things explained or shown in much simpler terms I'd be very grateful.

  • Hello dwilson,

    I've JUST started taking over Sophos management

    climbed the ladder, eh? :smileyhappy:

    Why does Sophos ONLY quarantine now

    You've asked almost the same question in March. Now, first of all, the recommended (and therefore default) settings haven't changed for quite some time but versions up to 9.7 had different settings. If your university upgraded from a pre-5.x SEC version and the policies weren't amended then your settings will not be state-of-the-art. An upgrade adds items (with appropriate defaults) to the policies as necessary but doesn't change the values of existing items.

    So, automatic cleanup is available, recommended, and the default. Keep in mind that it's not always possible and for certain threat types not available. Thus please check your policies.

    Note: Sophos' quarantine is simply a list of detections which have not (yet) (successfully) been dealt with. Files are neither moved nor gelded, thus if you turn off on-access you are not protected from them.

    Since yesterday I've been getting a notice that something has been found

    likely it didn't exist before (but it might as well be the updated detection, it seems to be rather new) and you should deal with it accordingly. An alert should, well, alert you that an attempt has been made to access a (potential) threat - it wouldn't be wise to suppress the alerts, be it for a certain time or count.

    I truly find Sophos to be vastly over complicated

    Perhaps it seems so because it doesn't work the way you expect it to do? It's definitely not vastly over, if complicated at all. Feel free to ask (please start separate threads for different topics, SEC has its own board).

    Christian

  • Thanks for the response Christian. And yes you're right, I probably just find it complicated because it's not working the way I want AND I'm not totally familiar with it yet. I'm also just overwhelmed by all the different "Products".

    So, from what I gather, it sounds like we need to reconfigure how our detections are handled overall. The guy I'm taking over from described things as getting quarantined and then cleaned once a week, but your description sounds like a list is just being made but cleaning never actually happens until manually initiated.

    As for the alerts issue, yeah, I'm not looking to completely eliminate the alerts, just to have it so that it's not popping up a notice every 1-3 seconds non-stop all day long... Seriously, before one message has finished fading away it's coming back up again. Massively annoying and intrusive.

    Anyway, thanks again. Bye for now.

  • Hello dwilson,

    quarantined and then cleaned once a week [...] manually initiated

    not necessarily manually - if you open an Anti-Virus and HIPS Policy there's a pane titled Scheduled scanning in the lower half. Should be fairly obvious what it's for and that's what the guy probably meant. As said, up to 9.7 automatic cleanup wasn't the recommended default although it hasn't actually been very dangerous. The drawback of a scheduled scan is that it's missed when the endpoint is switched off at the scheduled time.

    popping up a notice every 1-3 seconds

    you shouldn't take this lightly. SAV intercepts (depending on your settings) open, close and rename operations. Now why would a legitimate and clean application repeatedly perform (and apparently retry) these? It's not AV with its alerts which is intrusive but the process trying to access the file(s). Is it always the same file which is flagged? Some Adware and PUA can have pretty nasty consequences (especially the type delivering all kinds of offers and ads - just the other day I had an endpoint which contracted ransomware in this way).

    Again with the Anti-Virus and HIPS Policy, button Authorization ... you can authorize (i.e. whitelist) certain applications - though you should do so only if you are sure that this is safe (and there's actually a need to run this application).

    Christian

  • Thanks for the info Christian. While it was the same file constantly popping up I assumed it was Sophos just being very insistent that I deal with it. I didn't consider it was reporting every instance of the same thing performing a different attack or access attempt.

    I'll take a look at that Policy stuff.

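Christian's point above is that a notice every 1-3 seconds is not the console being insistent; it is one process repeatedly retrying access to the same flagged file, and the question to answer is "is it always the same file, and which process is touching it?" before deciding whether to authorize or remove anything. The script below is an added example, not code from the thread or from Sophos: it groups on-access alerts by (file, process) and flags bursts so the repeat offender stands out. The alert line format, paths, process names and threat names are all constructed for the example; a real product's alert log has its own layout and the regular expression would need adapting.

```python
"""Aggregate repeated on-access alerts by file and process.

Added example (not from the thread, not Sophos code). The log format below is
constructed for illustration; real products emit alerts in their own layout.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one process retrying a flagged file every 2-3 seconds,
# plus a single unrelated detection. All paths and names are hypothetical.
SAMPLE_ALERTS = """\
2014-06-10 09:12:01 ALERT file="C:\\Temp\\offers.dll" threat="Example PUA" process="C:\\Toolbar\\tbhost.exe"
2014-06-10 09:12:03 ALERT file="C:\\Temp\\offers.dll" threat="Example PUA" process="C:\\Toolbar\\tbhost.exe"
2014-06-10 09:12:06 ALERT file="C:\\Temp\\offers.dll" threat="Example PUA" process="C:\\Toolbar\\tbhost.exe"
2014-06-10 09:12:08 ALERT file="C:\\Temp\\offers.dll" threat="Example PUA" process="C:\\Toolbar\\tbhost.exe"
2014-06-10 09:12:11 ALERT file="C:\\Temp\\offers.dll" threat="Example PUA" process="C:\\Toolbar\\tbhost.exe"
2014-06-10 09:12:13 ALERT file="C:\\Temp\\offers.dll" threat="Example PUA" process="C:\\Toolbar\\tbhost.exe"
2014-06-10 10:40:27 ALERT file="C:\\Downloads\\setup.exe" threat="Example Adware" process="C:\\Windows\\explorer.exe"
"""

# Matches the constructed line layout above (hypothetical, not a vendor format).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ALERT '
    r'file="(?P<file>[^"]*)" threat="(?P<threat>[^"]*)" process="(?P<process>[^"]*)"$'
)


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                "file": m.group("file"),
                "threat": m.group("threat"),
                "process": m.group("process"),
            })
    return events


def max_in_window(stamps, window_seconds):
    """Largest number of timestamps falling inside any window_seconds-wide interval."""
    stamps = sorted(stamps)
    best, start = 0, 0
    for end in range(len(stamps)):
        while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(events, burst_threshold=5, window_seconds=60):
    """Group alerts by (file, process) and flag bursts.

    A group is a burst when at least burst_threshold alerts fall within
    window_seconds: the same process keeps retrying the same flagged file,
    which is the situation the thread describes (a notice every 1-3 seconds).
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["file"], e["process"])].append(e["ts"])
    summary = {}
    for key, stamps in groups.items():
        peak = max_in_window(stamps, window_seconds)
        summary[key] = {
            "count": len(stamps),
            "peak_per_window": peak,
            "burst": peak >= burst_threshold,
        }
    return summary


def repeat_offenders(summary):
    """(file, process) pairs whose alerts form a burst, most alerts first."""
    return sorted(
        (k for k, v in summary.items() if v["burst"]),
        key=lambda k: -summary[k]["count"],
    )


if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_ALERTS))
    for (path, proc), v in s.items():
        tag = "BURST: inspect the process, do not mute the alert" if v["burst"] else "single"
        print(f"{v['count']:3d} alerts  {path}  via {proc}  [{tag}]")
```

Run it on an exported alert log after adapting LINE_RE to the real layout. A burst entry tells you which process to look at; as the thread says, the right response is to deal with that process (or, only when you are sure it is safe and needed, authorize it in the Anti-Virus and HIPS Policy), not to rate-limit the notices.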