
Allowing users to add scanning exclusions?

We are running Sophos Anti-Virus 9.1.8 for Mac, on OS 10.9.5.  We are looking for a way to set up a policy to allow our more advanced users to manipulate items in the quarantine, and I really have 2 main questions:

1.) Is it possible for a user to release something from the quarantine?  The least restrictive option I can find in the policy GUI is "deny access only", which still prevents the user from marking the item as safe.

2.) Is it possible to allow users to create their own custom exclusions?  We have found that this works if the user has the Tamper Protection password, but we'd prefer not to give them that as it would also allow them to stop the service completely or uninstall it.

Has anyone run into a situation like this or have any suggestions for best practice around this?

:55475


This thread was automatically locked due to age.
  • Hello tsachen,

    [users may ] create their own custom exclusions ... Tamper Protection [enabled]

    IMO this is (more than) somewhat contradictory - as you can effectively exclude everything so you might as well permit them to disable or uninstall the software.

    marking the item as safe

    Well, Macs don't (yet) scan for Adware and PUAs or feature Application Control where Authorization would apply thus marking the item as safe is not available and they'd have to be excluded. More important - rating a detected item as safe would be second-guessing the Labs - if you're sure your users can rightly do so they must be more than more, they must be pretty advanced :smileytongue:. Seriously - there'll always be false positives but the proper way to deal with them is to submit them to the Labs (and I wouldn't even temporarily exclude an item before it's confirmed as being clean).

    Do you also allow some of your Windows users to mark an item as safe? If not, what makes Mac users different?  

    Christian 

    :55489
  • Thanks for your reply, that helps confirm that what we are trying to do isn't available currently.

    As for the why, the teams in question are white hat hackers, pentesters, and malware researchers.  There are plenty of hacking-related tools that can be used for legitimate purposes but Sophos flags as dangerous or suspicious (i.e., Metasploit, etc...).  We were looking to keep the machines still protected at a basic level while allowing the users to un-quarantine false positives, or, in some cases, samples that need to be researched.

    :55504
  • Hello tsachen,

    white hat hackers, pentesters, and malware researchers

    then why bother with tamper protection? What's the rationale? 

    Christian

    :55508
  • Because while you can have a written policy that tells users, "do not uninstall or disable antivirus", it carries more weight from an audit perspective if you have technical controls over it.

    :55532
  • Hello tsachen,

    sorry for the rant ... now if you'd only mentioned audit perspective :smileyfrustrated: in your first post :smileywink:

    Christian 

    :55557