Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 19 subscribers
  • Views 14748 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Dealing with acceptable risks and false positives

Blood

Hello

Endpoint Security and Data Control.

One of the things I think is lacking when Sophos detects a threat is the option to ask the user if they want to ignore it.

The On-access scanning options for Anti-Virus policies in the Enterprise Console do not include 'Ask me what to do'.

I live in dread of a time that Sophos might detect a false positive and quarantine it (I don't delete at all), and it turns out to be a vital system file.

Admittedly, this has not happened to me yet. However, after reading one of the threads that appeared in the Endpoint Security and Data Control  I feel the option to ignore is something that should be considered in future releases.

The AV software I use on my home computer never automatically quarantines/deletes anything and always displays a list of any detections and asks what should be done with them. This gives the user time to check the detections and determine if they are false positives etc.

Any opinions on this?

:2087


This thread was automatically locked due to age.
Parents
  • 0

    Hi, Christian

    Thanks again for discussing this.

    With regards to your point about blocking - that's just it, I would prefer that nothing was blocked. If a detection is made I want the file/process to be left free until a domain administrator is available to check it out. If a file is quarantined or access to it is denied it can potentially affect a computer's performance. This is not such a problem for a client, but it can be a serious issue for a domain controller.

    As for ignore - there is no option to ignore a detection in Endpoint Security and Data Control that I can see. The only options are to clean-up, deny access, deny access and quarantine, or delete.

    Regards

    Mark

    :2096
Reply
  • 0

    Hi, Christian

    Thanks again for discussing this.

    With regards to your point about blocking - that's just it, I would prefer that nothing was blocked. If a detection is made I want the file/process to be left free until a domain administrator is available to check it out. If a file is quarantined or access to it is denied it can potentially affect a computer's performance. This is not such a problem for a client, but it can be a serious issue for a domain controller.

    As for ignore - there is no option to ignore a detection in Endpoint Security and Data Control that I can see. The only options are to clean-up, deny access, deny access and quarantine, or delete.

    Regards

    Mark

    :2096
Children
No Data
Unfiltered HTML