
Dealing with acceptable risks and false positives

Hello

Endpoint Security and Data Control.

One of the things I think is lacking when Sophos detects a threat is the option to ask the user if they want to ignore it.

The On-access scanning options for Anti-Virus policies in the Enterprise Console do not include 'Ask me what to do'.

I live in dread of a time that Sophos might detect a false positive and quarantine it (I don't delete at all), and it turns out to be a vital system file.

Admittedly, this has not happened to me yet. However, after reading one of the threads that appeared in the Endpoint Security and Data Control forum, I feel the option to ignore is something that should be considered in future releases.

The AV software I use on my home computer never automatically quarantines/deletes anything and always displays a list of any detections and asks what should be done with them. This gives the user time to check the detections and determine if they are false positives etc.

Any opinions on this?

  • False positives are always a cause of concern, and vendors of course struggle to avoid them while at the same time trying to detect zero-day threats.

    An enterprise computer is not your home computer. You - as enterprise administrator - decide on the various options depending on your requirements and environment. If you have ever dealt with a significant outbreak you don't think twice about permitting your users to "accept" a threat (I once had a case where a user turned off scanning three times within two weeks - and subsequently had to bring his computer in for disinfection - because "the attachment might have contained important information").

    Now it might be that an important file is falsely indicated (and that's why one doesn't use "delete" in quiet times) - but better safe than sorry. The upcoming release will contain a new feature which further reduces the risk of false positives.

    On your (home) computer you can use whatever settings you want. And if you get an alert the OS is still working and thus you can take whatever action you see fit.

    Christian

  • Hi, Christian

    Yes, I do agree with that. While I was typing I was thinking that I would not like to trust my users with that level of responsibility.

    However, I would still like to see the option present. For example, one of the groups in the Enterprise Console exists for our Windows domain controllers. These have a different set of exclusions to the domain clients and have scheduled scans set to run at different times as well as other differing policy configurations for data control etc.

    The domain controllers are only accessed by one other person (rarely) and myself. If a false positive is detected, I do not want any AV dealing with it without giving the option to ignore it.

    So, although I would not like to allow my users the option to ignore a detection, Network Administrators are qualified to troubleshoot/investigate detections.

  • Hello Blood,

    The domain controllers are only accessed by one other person (rarely) and myself. If a false positive is detected, I do not want any AV dealing with it without giving the option to ignore it.

    If no one is logged on when the item is detected there are basically two options: ignore or block. As waiting for a decision can only mean blocking while waiting, blocking has to be acceptable - and this option is available now. If you are logged on you can immediately deal with it using quarantine manager - it won't pull the rug out from under you.

    Christian

  • Hi, Christian

    Thanks again for discussing this.

    With regards to your point about blocking - that's just it, I would prefer that nothing was blocked. If a detection is made I want the file/process to be left free until a domain administrator is available to check it out. If a file is quarantined or access to it is denied it can potentially affect a computer's performance. This is not such a problem for a client, but it can be a serious issue for a domain controller.

    As for ignore - there is no option to ignore a detection in Endpoint Security and Data Control that I can see. The only options are to clean up, deny access, deny access and quarantine, or delete.

    Regards

    Mark

  • Hello Mark,

    There's always the option of limiting on-access scanning (that's what we're talking about) to certain areas. You could exclude the entire system drive - as you don't want detection to interfere, the result is the same. Of course you'd lose alerting, but then it'd be too late anyway (it might save you from continuing embarrassing activity by the server, but this may not be your primary problem).

    If the servers are patched, if they operate behind a firewall, if your clients are also up to date and protected, and if you don't use them as workstations, the risk of turning off on-access checking for the system volume is very low.

    Ignore is the hypothetical alternative option to blocking while waiting.

    Christian

  • Hi, Christian

    Thanks again for your reply.

    All the 'ifs' are ticked, but I wouldn't take that route - I'm not brave enough, and Murphy's law would kick in and kapow!

    I don't have any problem with my present Sophos setup. It is configured not to clean up files, and to deny access only. Alerting is instant and I receive all email alerts at home as well as at work, so I would know pretty quickly if anything had been detected.

    I just suggested it as a consideration for the general wish-list. If others feel that it is not needed I am happy to go with the flow. Because I have not had a detection on any of our servers I have no experience of what would happen.

    Thanks for your thoughts on this. I appreciate you taking the time to respond.

    Regards

    Mark
