Why Quarantine and how do I make it stop?

Apparently I asked this in the wrong group. Hopefully this is the right one.

Hey Guys, so I've JUST started taking over Sophos management at my university and I'm still trying to find my feet. For the meantime, I wonder if I can ask a couple of questions. This is for what is showing as Sophos Endpoint Security and Control 10.3 and the corresponding Sophos Enterprise Console 5.2.2.

1) Why does Sophos ONLY quarantine now and not clean infections and Spyware? I find a lot of products are doing this and it's frustrating. I want things gone, not just put aside.

2) Since yesterday I've been getting a notice that something has been found and moved to quarantine. Is there a way for it to only tell me once or to set it so it only pops up once an hour instead of every few seconds?

I truly find Sophos to be vastly over complicated so if there's any place I can go to get things explained or shown in much simpler terms I'd be very grateful.

This thread was automatically locked due to age.

  • Hello dwilson,

    I've JUST started taking over Sophos management

    climbed the ladder, eh? :smileyhappy:

    Why does Sophos ONLY quarantine now

    You've asked almost the same question in March. Now, first of all, the recommended (and therefore default) settings haven't changed for quite some time but versions up to 9.7 had different settings. If your university upgraded from a pre-5.x SEC version and the policies weren't amended then your settings will not be state-of-the-art. An upgrade adds items (with appropriate defaults) to the policies as necessary but doesn't change the values of existing items.

    So, automatic cleanup is available, recommended, and the default. Keep in mind that it's not always possible and for certain threat types not available. Thus please check your policies.

    Note: Sophos' quarantine is simply a list of detections which have not (yet) (successfully) been dealt with. Files are neither moved nor gelded thus if you turn off on-access you are not protected from them.

    Since yesterday I've been getting a notice that something has been found

    likely it didn't exist before (but it might as well be the updated detection, it seems to be rather new) and you should deal with it accordingly. An alert should, well, alert you that an attempt has been made to access a (potential) threat - it wouldn't be wise to suppress the alerts, be it for a certain time or count.

    I truly find Sophos to be vastly over complicated

    Perhaps it seems so because it doesn't work the way you expect it to do? It's definitely not vastly over, if complicated at all. Feel free to ask (please start separate threads for different topics, SEC has its own board).

    Christian
