Dealing with acceptable risks and false positives

Hello

Endpoint Security and Data Control.

One of the things I think is lacking when Sophos detects a threat is the option to ask the user if they want to ignore it.

The On-access scanning options for Anti-Virus policies in the Enterprise Console do not include 'Ask me what to do'.

I live in dread of a time that Sophos might detect a false positive and quarantine it (I don't delete at all), and it turns out to be a vital system file.

Admittedly, this has not happened to me yet. However, after reading one of the threads that appeared in the Endpoint Security and Data Control, I feel the option to ignore is something that should be considered in future releases.

The AV software I use on my home computer never automatically quarantines/deletes anything and always displays a list of any detections and asks what should be done with them. This gives the user time to check the detections and determine if they are false positives etc.

Any opinions on this?

  • False positives are always a cause of concern, and vendors of course struggle to avoid them while at the same time trying to detect zero-day threats.

    An enterprise computer is not your home computer. You - as enterprise administrator - decide on the various options depending on your requirements and environment. If you have ever dealt with a significant outbreak, you don't think twice about permitting your users to "accept" a threat (I once had a case where a user turned off scanning three times within two weeks - and subsequently had to bring his computer in for disinfection - because "the attachment might have contained important information").

    Now it might be that an important file is falsely indicated (and that's why one doesn't use "delete" in quiet times) - but better safe than sorry. The upcoming release will contain a new feature which further reduces the risk of false positives.

    On your (home) computer you can use whatever settings you want. And if you get an alert the OS is still working and thus you can take whatever action you see fit.

    Christian
