Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 19 subscribers
  • Views 14746 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Dealing with acceptable risks and false positives

Blood

Hello

Endpoint Security and Data Control.

One of the things I think is lacking when Sophos detects a threat is the option to ask the user if they want to ignore it.

The On-access scanning options for Anti-Virus policies in the Enterprise Console do not include 'Ask me what to do'.

I live in dread of a time that Sophos might detect a false positive and quarantine it (I don't delete at all), and it turns out to be a vital system file.

Admittedly, this has not happened to me yet. However, after reading one of the threads that appeared in the Endpoint Security and Data Control  I feel the option to ignore is something that should be considered in future releases.

The AV software I use on my home computer never automatically quarantines/deletes anything and always displays a list of any detections and asks what should be done with them. This gives the user time to check the detections and determine if they are false positives etc.

Any opinions on this?

:2087


This thread was automatically locked due to age.
Parents
  • 0

    Hello Mark,

    there's always the option of limiting on-access scanning (that's what we're talking about) to certain areas. You could exclude the entire system drive - as you don't want detection to interfere the result is the same. Of course you'd lose alerting but then it'd be too late anyway (it might save you from continuing embarrassing activity by the server but this may not be your primary problem). 

    If the servers are patched, if they operate behind a firewall, if your clients are also up to date and protected and if you don't use them as workstation the risk of turning off on-access checking for the system volume is very low.

    Ignore is the hypothetical alternative option to blocking while waiting.

    Christian

    :2102
Reply
  • 0

    Hello Mark,

    there's always the option of limiting on-access scanning (that's what we're talking about) to certain areas. You could exclude the entire system drive - as you don't want detection to interfere the result is the same. Of course you'd lose alerting but then it'd be too late anyway (it might save you from continuing embarrassing activity by the server but this may not be your primary problem). 

    If the servers are patched, if they operate behind a firewall, if your clients are also up to date and protected and if you don't use them as workstation the risk of turning off on-access checking for the system volume is very low.

    Ignore is the hypothetical alternative option to blocking while waiting.

    Christian

    :2102
Children
No Data
Unfiltered HTML