
Safe files flagged and deleted

Hi, I am having a problem with Sophos automatically deleting some of my files without any prompt or warning. The most common ones are .dlls in Steam games that I have, but some are for non-Steam games as well. I've tried going into application control and marking the entire folder as "ignore", and manually adding in each file to the known suspicious files list, saying that they are approved, but they keep getting deleted after some time. Sometimes they get deleted as soon as I launch the program, sometimes I can play for hours before it closes my game and deletes the file, and sometimes I can be finished, close the game and come back to it the next day only to find that the files were deleted overnight.

I have had no problems with Sophos before and am really happy with it, but this is getting ridiculous.


Is there a sure-fire way to tell Sophos to just ignore a specific file or folder without turning off On-Access Scanning? I really hesitate to do that, but it's keeping me from enjoying the games I want to play.



This thread was automatically locked due to age.
  • Hello DMW004,

    going into application control and marking the entire folder as "ignore"

    all that can be configured for application control on the endpoint (provided you have sufficient rights) is to globally enable or disable it. Furthermore, on SEC one can select which applications should be controlled and choose to either block or merely detect (and report) them. Application control never deletes any files.

    manually adding in each file to the known suspicious files list

    You can add a file to the Authorization manager's list using New entry ... only if it doesn't already trigger a detection. You can authorize Buffer overflow and Suspicious behavior "in advance" but you can't do so for Suspicious files (as they are scanned when you try to add them to the list) without triggering a detection. Anyway, what is added is not just a name or a location but the file's fingerprint - if the file changes even slightly it is not considered the same and thus the authorization will not apply.

    automatically deleting

    Only for certain detections automatic cleanup will delete the file. In addition the AV policy can request deletion of malware if cleanup fails or is unavailable and deletion of suspicious files (note this is not the recommended setting though). Suspicious behavior never results in deletion.

    Having said this, it's not best practice to assume these files are safe just because they belong to popular and allegedly innocuous games. The major question though is whether this is a stand-alone or a managed install. In the latter case all these changes will cause a policy non-compliance alert to be sent (and might be overridden at any time).

    Anyway, your site's Sophos administrator (unless it's you) should be the point of contact for this.

    Christian

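The reply's point that an authorization is bound to the file's fingerprint rather than to its name or location, as an added example (not from the thread and not Sophos code). It assumes SHA-256 as a stand-in for the product's unspecified fingerprint; `authorize`, `audit` and the sample DLL names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents (assumed stand-in for the product's fingerprint)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def authorize(folder: Path, pattern: str = "*.dll") -> dict:
    """Record relative path -> fingerprint for every matching file."""
    return {p.relative_to(folder).as_posix(): fingerprint(p)
            for p in sorted(folder.rglob(pattern))}

def audit(folder: Path, authorized: dict, pattern: str = "*.dll") -> dict:
    """Compare the folder against the recorded list.
    'changed' = same path, different content, so the old authorization no longer applies."""
    result = {"authorized": [], "changed": [], "unlisted": [], "missing": []}
    seen = set()
    for p in sorted(folder.rglob(pattern)):
        name = p.relative_to(folder).as_posix()
        seen.add(name)
        if name not in authorized:
            result["unlisted"].append(name)
        elif authorized[name] == fingerprint(p):
            result["authorized"].append(name)
        else:
            result["changed"].append(name)
    result["missing"] = sorted(set(authorized) - seen)
    return result

def demo() -> dict:
    """Constructed sample files: authorize three, then alter, add and remove one each."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        (folder / "engine.dll").write_bytes(b"constructed sample, build 1")
        (folder / "audio.dll").write_bytes(b"constructed sample, audio")
        (folder / "net.dll").write_bytes(b"constructed sample, net")
        authorized = authorize(folder)
        # Same name and location, one character of content differs.
        (folder / "engine.dll").write_bytes(b"constructed sample, build 2")
        (folder / "overlay.dll").write_bytes(b"constructed sample, new file")
        (folder / "net.dll").unlink()
        return audit(folder, authorized)

if __name__ == "__main__":
    print(demo())
```

Files reported as `changed` are the ones whose earlier authorization has silently stopped applying and would need to be reviewed and authorized again.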