Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 19 subscribers
  • Views 14761 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Dealing with acceptable risks and false positives

Blood

Hello

Endpoint Security and Data Control.

One of the things I think is lacking when Sophos detects a threat is the option to ask the user if they want to ignore it.

The On-access scanning options for Anti-Virus policies in the Enterprise Console do not include 'Ask me what to do'.

I live in dread of a time that Sophos might detect a false positive and quarantine it (I don't delete at all), and it turns out to be a vital system file.

Admittedly, this has not happened to me yet. However, after reading one of the threads that appeared in the Endpoint Security and Data Control  I feel the option to ignore is something that should be considered in future releases.

The AV software I use on my home computer never automatically quarantines/deletes anything and always displays a list of any detections and asks what should be done with them. This gives the user time to check the detections and determine if they are false positives etc.

Any opinions on this?

:2087


This thread was automatically locked due to age.
Parents
  • 0

    Hi, Christian

    Yes, I do agree with that. While I was typing I was thinking that I would not like to trust my users with that level of responsibility.

    However, I would still like to see the option present. For example, one of the groups in the Enterprise Console exists for our Windows domain controllers. These have a different set of exclusions to the domain clients and have scheduled scans set to run at different times as well as other differing policy configurations for data control etc.

    The domain controllers are only accessed by one other person (rarely) and myself. If a false positive is detected, I do not want any AV dealing with it without giving the option to ignore it.

    So, although I would not like to allow my users the option to ignore a detection, Network Administrators are qualified to troubleshoot/investigate detections.

    :2092
Reply
  • 0

    Hi, Christian

    Yes, I do agree with that. While I was typing I was thinking that I would not like to trust my users with that level of responsibility.

    However, I would still like to see the option present. For example, one of the groups in the Enterprise Console exists for our Windows domain controllers. These have a different set of exclusions to the domain clients and have scheduled scans set to run at different times as well as other differing policy configurations for data control etc.

    The domain controllers are only accessed by one other person (rarely) and myself. If a false positive is detected, I do not want any AV dealing with it without giving the option to ignore it.

    So, although I would not like to allow my users the option to ignore a detection, Network Administrators are qualified to troubleshoot/investigate detections.

    :2092
Children
No Data
Unfiltered HTML