
Log Only, disable automatic cleanup

Hi,

I'm in the process of deploying sophos endpoint through the Enterprise Console, and I want to be able to set on-access detections and scheduled scans to just log and not clean up or deny access to files at all. The reasoning behind this is that I'm about to roll out to live servers, but I want to make absolutely sure that I didn't miss an exception before I turn on full functionality.

However, there doesn't appear to be a setting for this. Is there a workaround or a setting that I missed?

Thanks,

Jason



  • Hello Jason,

    I want to make absolutely sure that I didn't miss an exception

    this sounds like you are fearing that "something" will be detected in vital areas and your servers are at risk unless you set some exceptions. Won't belabour the pros and cons of precautionary exceptions/exclusions, but (assuming your systems are clean) you shouldn't have any detections at all - thus the settings won't matter. They only come into play when

    • you have custom software which for whatever reason triggers a detection - unless you are absolutely sure that this code can't be subverted you shouldn't exclude it from scanning; instead the necessary steps should be taken so that it comes out clean
    • Temporary data or an application's output triggers a detection - this is unlikely though not impossible but should anyway be investigated (with the help of Support/Labs)
    • a detection identity is issued which incorrectly considers a legitimate component as malware (false positive) - you can't test this (as the FP does not yet exist) and you don't need to test this (as the outcome is clear); the only solution is to exclude everything "vital" but then you might as well completely forgo scanning
    • you have a valid detection - for a pre-execution detection you wouldn't want your AV to just sit back, allow the malware to run and let it do its work

    If OTOH you are worried about the performance impact of scanning then the cleanup settings won't, as noted above, make any difference.

    So - there isn't a "do nothing" setting for basic On-Access scanning and HIPS/malicious behaviour. It wouldn't make sense and therefore block is the minimum action.

    In contrast, block doesn't exist for an on-demand scan - there is no open request which could be blocked, and if you look at the policies the corresponding action is - surprise! - called Log only. Thus you can safely deploy SESC with a policy where On-Access is turned off and schedule a scan with Automatic cleanup turned off and Log only as the alternate action. Of course this wouldn't help you to assess a potential performance impact. It would assure you though that there is nothing the On-Access scanner would block once it's turned on.

    HTH

    Christian

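One way to work through the results of such a Log-only scheduled scan before On-Access is switched on, as an added example that is not part of the original thread and not Sophos Enterprise Console functionality: sort each logged detection into the buckets Christian lists (custom application code, temporary/output data, everything else) and count how many hosts report the same path and detection, so that a component detected identically on every server (a false-positive candidate to raise with Support/Labs) is not confused with a one-off hit on a single box. The log lines are constructed in a hypothetical tab-separated export format (host, path, detection name); no real SESC log format or console API is assumed, and the application and temp roots are example values.

```python
"""
Triage of "Log only" scan results before enabling On-Access scanning.

Added example; not part of the original thread and not Sophos code.
The records below are constructed in a hypothetical tab-separated format
(hostname, path, detection name). They are not real SESC output.
"""
from collections import defaultdict

# Constructed sample: same billing binary flagged on two servers,
# one temp file on one server, one test file in a user profile.
SAMPLE_LOG = """\
SRV01\tC:\\Apps\\Billing\\bin\\billing.exe\tGeneric/Packer-A
SRV01\tC:\\Apps\\Billing\\bin\\helper.dll\tGeneric/Packer-A
SRV02\tC:\\Apps\\Billing\\bin\\billing.exe\tGeneric/Packer-A
SRV02\tC:\\Windows\\Temp\\tmp1234.tmp\tMal/Generic-S
SRV03\tC:\\Users\\admin\\Downloads\\eicar.com\tEICAR-AV-Test
"""

# Example roots; in practice these come from your deployment inventory.
APP_ROOTS = ("C:\\Apps\\",)
TEMP_ROOTS = ("C:\\Windows\\Temp\\", "C:\\Temp\\")


def parse_log(text):
    """Parse the constructed export into (host, path, detection) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, path, detection = line.split("\t")
        records.append((host, path, detection))
    return records


def _under(path, roots):
    """Case-insensitive prefix match, as Windows paths are case-insensitive."""
    p = path.lower()
    return any(p.startswith(r.lower()) for r in roots)


def classify(records, app_roots=APP_ROOTS, temp_roots=TEMP_ROOTS):
    """Sort detections into the three buckets from the thread.

    custom_app:  under a known application root -> investigate, submit to
                 Labs if you believe it is a false positive; do not exclude
                 blindly.
    temp_output: under a temp directory -> investigate what wrote it.
    other:       treat as a real detection until proven otherwise.
    """
    buckets = {"custom_app": [], "temp_output": [], "other": []}
    for rec in records:
        _, path, _ = rec
        if _under(path, app_roots):
            buckets["custom_app"].append(rec)
        elif _under(path, temp_roots):
            buckets["temp_output"].append(rec)
        else:
            buckets["other"].append(rec)
    return buckets


def hosts_per_detection(records):
    """Map (path, detection) -> number of distinct hosts reporting it.

    A deployed component flagged on every host looks like a false positive
    on that component; a hit on a single host deserves a closer look.
    """
    hosts = defaultdict(set)
    for host, path, detection in records:
        hosts[(path, detection)].add(host)
    return {key: len(h) for key, h in hosts.items()}


def report(text=SAMPLE_LOG):
    """Print a short triage summary for the constructed sample."""
    records = parse_log(text)
    buckets = classify(records)
    counts = hosts_per_detection(records)
    for name, recs in buckets.items():
        print(f"== {name}: {len(recs)} detection(s)")
        for host, path, detection in recs:
            n = counts[(path, detection)]
            print(f"  {host}\t{path}\t{detection}\t(seen on {n} host(s))")
    return buckets, counts


if __name__ == "__main__":
    report()
```

Nothing here decides an exclusion for you; it only tells you which logged hits would have been blocked under On-Access and which ones recur across the estate, which is the information needed before raising a false positive with Support or deciding that a detection is genuine.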
  • Very helpful post! Thank you! Answers my question perfectly.

    I'm mainly trying to avoid a false positive on some applications. It's happened once before, and while Sophos had it resolved within the week, I had to re-deploy a couple applications.
