This discussion has been locked.

Allow user to scan and clean threats from USB stick

A user needs to scan and clean up threats found on USB sticks that belong to students. Adding the user to the SophosPowerUsers local group does not seem to work, nor does adding the user to the SophosAdministrators group. When I say doesn't work, the perform action button is greyed out when the box is checked next to the threat that needs attention.

USB stick is inserted, Sophos detects threat Mal/Conficker-A

E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

TIA



  • Hello dluneau,

    The supposed issue with QM (and user rights) first:

    the perform action button is greyed out when box is checked

    Which actions are listed in the Available actions column? If there are none, then Perform action won't become active. Note that the user must close/reopen the GUI for the group membership to become effective. The Current user rights can be checked by clicking the View product information link on the left.

    Or is the issue specifically with the Mal/Conficker-A detection?

    USB stick is inserted, Sophos detects threat Mal/Conficker-A

    Usually the Conficker-infected USB sticks contain the worm (detected as Mal/Conficker-A) and an autorun.inf to start it automatically. Depending on the autorun settings and how the drive is accessed first, the autorun.inf will be detected as Mal/ConfInf-A and subsequently the worm in <drive:>\RECYCLER\. If the stick is writable, the threats are dealt with according to the Cleanup settings - Automatic cleanup normally results in both items being cleaned/removed (no action by the user required) after some time (10+ seconds).

    Thus the first question is: what does the AV policy specify? Second, why are these sticks scanned/cleaned, i.e. how and where - on which computer - has the threat been detected?

    While to a sufficiently protected computer known detected items don't pose a genuine risk, it's advisable to use a dedicated sheep-dip, perhaps with sufficiently "aggressive" settings to deal with the items mostly automatically.

    Christian

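An added example, not part of the reply above and not Sophos tooling: a read-only triage pass a sheep-dip station could run over a mounted stick to report the two items the reply describes, an autorun.inf launch entry and files under RECYCLER. The function names, the tags and the rule that a genuine per-user recycle folder is named like an account SID (S-1-5-21-...) are assumptions of this sketch, and the sample layout is constructed from the path in the question using inert text files.

```python
import re
from pathlib import Path

# autorun.inf keys that launch a program (matched case-insensitively).
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)
# Per-user recycle folders are named after account SIDs (S-1-5-21-...-RID).
USER_SID = re.compile(r"^S-1-5-21(-\d+){4}$")

def autorun_targets(root):
    """Launch commands found in <root>/autorun.inf, tolerating junk bytes."""
    inf = next((p for p in Path(root).iterdir()
                if p.is_file() and p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    text = inf.read_bytes().decode("latin-1")  # never raises on padding bytes
    return [m.group(2) for m in map(LAUNCH_KEY.match, text.splitlines()) if m]

def triage(root):
    """Sorted (tag, detail) findings for the drive mounted at root."""
    findings = []
    for cmd in autorun_targets(root):
        hit = re.search(r"recycle[rd]", cmd, re.I)
        findings.append(("autorun-into-recycler" if hit else "autorun-launch", cmd))
    for d in Path(root).iterdir():
        if not (d.is_dir() and d.name.lower() in ("recycler", "recycled")):
            continue
        for f in (p for p in d.rglob("*") if p.is_file()):
            parts = f.relative_to(d).parts
            real = len(parts) > 1 and USER_SID.match(parts[0])
            tag = "file-in-recycler" if real else "file-in-odd-recycler-folder"
            findings.append((tag, f.relative_to(root).as_posix()))
    return sorted(findings)

def build_sample(root):
    """Constructed, inert layout mirroring the path quoted in the thread."""
    sid = "S-5-3-42-2819952290-8240758988-879315005-3665"  # from the post
    folder = Path(root) / "RECYCLER" / sid
    folder.mkdir(parents=True)
    (folder / "jwgkvsq.vmx").write_text("inert placeholder, not malware")
    junk = b"\x8f\x03padding\xff\n"  # constructed junk lines around the key
    line = f"open=RECYCLER\\{sid}\\jwgkvsq.vmx\n".encode()
    (Path(root) / "autorun.inf").write_bytes(junk + b"[autorun]\n" + line + junk)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for tag, detail in triage(tmp):
            print(tag, detail)
```

The script only reads the drive; cleanup stays with the AV policy's Cleanup settings as described in the reply.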