Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 19 subscribers
  • Views 14746 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Dealing with acceptable risks and false positives

Blood

Hello

Endpoint Security and Data Control.

One of the things I think is lacking when Sophos detects a threat is the option to ask the user if they want to ignore it.

The On-access scanning options for Anti-Virus policies in the Enterprise Console do not include 'Ask me what to do'.

I live in dread of a time that Sophos might detect a false positive and quarantine it (I don't delete at all), and it turns out to be a vital system file.

Admittedly, this has not happened to me yet. However, after reading one of the threads that appeared in the Endpoint Security and Data Control  I feel the option to ignore is something that should be considered in future releases.

The AV software I use on my home computer never automatically quarantines/deletes anything and always displays a list of any detections and asks what should be done with them. This gives the user time to check the detections and determine if they are false positives etc.

Any opinions on this?

:2087


This thread was automatically locked due to age.
Parents
  • 0

    Hello Blood,

    The domain controllers are only accessed by one other person (rarely) and myself. If a false positive is detected, I do not want any AV dealing with it without giving the option to ignore it.

    If no one is logged on when the item is detected there are basically two options: ignore or block. As wait for a decision can only mean block while waiting block has to be acceptable - and this option is available now. If you are logged on you can immediately deal with it using quarantine manager - it won't pull the rug out from under you.

    Christian

    :2094
Reply
  • 0

    Hello Blood,

    The domain controllers are only accessed by one other person (rarely) and myself. If a false positive is detected, I do not want any AV dealing with it without giving the option to ignore it.

    If no one is logged on when the item is detected there are basically two options: ignore or block. As wait for a decision can only mean block while waiting block has to be acceptable - and this option is available now. If you are logged on you can immediately deal with it using quarantine manager - it won't pull the rug out from under you.

    Christian

    :2094
Children
No Data
Unfiltered HTML