This discussion has been locked.

Why Quarantine and how do I make it stop?

Apparently I asked this in the wrong group. Hopefully this is the right one.

Hey Guys, so I've JUST started taking over Sophos management at my university and I'm still trying to find my feet. For the meantime, I wonder if I can ask a couple of questions. This is for what is showing as Sophos Endpoint Security and Control 10.3 and the corresponding Sophos Enterprise Console 5.2.2.

1) Why does Sophos ONLY quarantine now and not clean infections and Spyware? I find a lot of products are doing this and it's frustrating. I want things gone, not just put aside.

2) Since yesterday I've been getting a notice that something has been found and moved to quarantine. Is there a way for it to only tell me once or to set it so it only pops up once an hour instead of every few seconds?

I truly find Sophos to be vastly overcomplicated, so if there's any place I can go to get things explained or shown in much simpler terms I'd be very grateful.

  • Hello dwilson,

    quarantined and then cleaned once a week [...] manually initiated

    not necessarily manually - if you open an Anti-Virus and HIPS Policy there's a pane titled Scheduled scanning in the lower half. Should be fairly obvious what it's for and that's what the guy probably meant. As said, up to 9.7 automatic cleanup wasn't the recommended default although it hasn't actually been very dangerous. The drawback of a scheduled scan is that it's missed when the endpoint is switched off at the scheduled time.

    popping up a notice every 1-3 seconds

    you shouldn't take this lightly. SAV intercepts (depending on your settings) open, close and rename operations. Now why would a legitimate and clean application repeatedly perform (and apparently retry) these? It's not AV with its alerts which is intrusive but the process trying to access the file(s). Is it always the same file which is flagged? Some Adware and PUA can have pretty nasty consequences (especially the type delivering all kinds of offers and ads - just the other day I had an endpoint which contracted ransomware in this way).

    Again with the Anti-Virus and HIPS Policy, button Authorization ... you can authorize (i.e. whitelist) certain applications - though you should do so only if you are sure that this is safe (and there's actually a need to run this application).

    Christian
