This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is there really no more quarantine manager in the new version?

I recently upgraded my home mac to the new version of Sophos AV with the web based management console and when I ran a scan it picked up a few files that are expected false positives.   There appears to no longer be a quarantine manager and from what I can find in other posts seem to imply that there is no quarantine anymore, the product just permanently deletes the file - is this correct?    If so - can I upgrade my home computer to a business version to get the quarantine function back or is this gone from all of Sophos mac AV products?

 

I really like Sophos for my Macs but if there is no more quarantine then I can't use a product that just deletes files all willy-nilly.   If the quarantine really is gone then this is going to be a royal pain because it got the files on the local backup disk too and now I have to wait to restore these files until I can go pickup my offsite drive.     Thanks for any information you can provide!



This thread was automatically locked due to age.
Parents
  • Hello Jason Warren,

    sorry for the late reply, still catching up.
    Furthermore I'm neither a Home user nor a Mac specialist but perhaps I can give at least a partial answer. Home's concept is that one user centrally manages up to ten devices, his/her own and those of the "family" - more or less protecting them from themselves. And possibly they anyway don't have the knowledge/rights to deal with the threat so the QM wouldn't be of much use anyway.

    just permanently deletes the file
    whether a file is deleted or not doesn't depend on the presence or absence of the QM but on the AV settings. Can't say what's available in Home, I assume it's the recommended automatically cleanup failing this delete (but please note that it's not done in all cases - it doesn't just delete files all willy-nilly).
    As said, it's not a matter of QM. expected false positives should either be excluded but the better option to have them assessed (and the detection amended if necessary). Guess it's still possible to submit samples without entering a license ID. delete applies only to files which are very likely harmful - so what has been picked up as what (Mal/..., Troj/...)? Any anyway even with a "non-destructive" policy these files would get blocked and thus effectively be unusable. Again not a Home-specific problem, this applies to a business version as well - but maybe what you want is the ability to temporarily turn off scanning via the GUI.

    Christian       

Reply
  • Hello Jason Warren,

    sorry for the late reply, still catching up.
    Furthermore I'm neither a Home user nor a Mac specialist but perhaps I can give at least a partial answer. Home's concept is that one user centrally manages up to ten devices, his/her own and those of the "family" - more or less protecting them from themselves. And possibly they anyway don't have the knowledge/rights to deal with the threat so the QM wouldn't be of much use anyway.

    just permanently deletes the file
    whether a file is deleted or not doesn't depend on the presence or absence of the QM but on the AV settings. Can't say what's available in Home, I assume it's the recommended automatically cleanup failing this delete (but please note that it's not done in all cases - it doesn't just delete files all willy-nilly).
    As said, it's not a matter of QM. expected false positives should either be excluded but the better option to have them assessed (and the detection amended if necessary). Guess it's still possible to submit samples without entering a license ID. delete applies only to files which are very likely harmful - so what has been picked up as what (Mal/..., Troj/...)? Any anyway even with a "non-destructive" policy these files would get blocked and thus effectively be unusable. Again not a Home-specific problem, this applies to a business version as well - but maybe what you want is the ability to temporarily turn off scanning via the GUI.

    Christian       

Children
  • " And possibly they anyway don't have the knowledge/rights to deal with the threat so the QM wouldn't be of much use anyway."

    The central user and users of machine he/she manages may not have the knowledge to deal with the threat until more research is done on the threat.  So the conservative approach is to have the threat quarantined.

     

    So please re-consider the quarantine feature in Sophos Home.

    Thanks in advance,

    Patrick

  • Hello Patrick,

    [I'm not Sophos, BTW]
    until more research is done
    what would that more research be, could you describe the work flow you have in mind starting with the threat getting quarantined? When and based on what information would the central admin decide on what to do with the threat?

    If I understand you correctly it's not actually the Quarantine Manager that you want back but the ability to only block a threat instead of automatic cleanup kicking in, correct? From your posts in the "false positives" threat I conjecture that you're mainly worried about tools (or "tools") and their potential removal classified as PUA (there is, AFAIK, a separate setting anyway). Also please keep in mind that tech-savvy users likely aren't the intended audience for Home.

    Christian

  • I used to travel a lot for work and learned to have at least 2 of everything :) .  I typically download system utilities from the source or well known established sites.  So when I get a flag on a file as a threat by an antivirus/anti-malware utility here is my workflow. It's a "trust, but verify" approach and you don't need to be a tech savvy user to use it:

    - Identify directory location and file name as reported my the antivirus/anti-malware utility

    - Put it in quarantine or temporarily ignore until further research /evaluation.  If it's a windows system file I tend to temporarily ignore, i still want a working system for evaluation. A few months ago there was a false positive on a windows system file by an established antivirus vendor which affected systems.

    - Use MULTIPLE tools from another vendor to research/evaluate the threat: a) run an on-demand scanner on the computer such as Malwarebytes or from other established security vendors; b) submit file to one of these services which runs the file through at a minimum at least 19 scanners: VirusTotal.com (now owned by Google) ; metadefender.com ; virscan.org ; virusscan.jotti.org

    - Make an informed decision whether to consider a false positive by the utility which identified it as a threat.  I can decide to set an exception and roll back the file, OR delete.

    So based on my workflow i would prefer some sort of mechanism to temporary suspend deletion so I can further evaluate.  Having some sort of quarantine is the conservative way to go.

     

    Before trying out Sophos Home, my computer is running real time scanners from Webroot and Malwarebytes Pro for over 5 years keeping my system clean.  Sophos identified a few files that have been on there for a long time and I no longer cared for so I wanted to see what Sophos would do to "fix" it.  It identified and old version of a system information utility I no longer use but I've kept called System Information for Windows by Gabriel Topala.  I know I've run this version through VirusTotal in the past. Sophos also identified a file "awc.exe" in an Acer directory which is my laptop manufacturer. It appears to be related to an Acer Welcome Center screen.  This awc.exe file has never been flagged on prior deep scans or real time scans in the past from other security vendors. 

    I also use various Nirsoft utilities which sometimes are flagged as PUA. I see that Sophos has application categories for Nirsoft utilities.  I expected this so I set an exception.

    Even though Sophos Home is not intended for tech savvy users, doesn't having a central admin give that person a role in further evaluation on threats? They have the authority to set exceptions now.  Knowing which file to set an exception to implies the central admin knew the nature of that file either before the fact or after further evaluation.

    Patrick

  • Hello Patrick,

    you don't need to be a tech savvy user
    reading your workflow ... please do tell this to a non-tech-savvy user ... LOL ... [;)]
    Seriously, I agree with you to a certain extent, I've noticed - naw, can't say for sure, it seems that some PUAs are automatically dealt with (which in turn is reasonable for quite a lot but ...). BTW, some of the famous Sysinternals utilities are also PUAs.
    IMO (and from my experience even though it's from years ago) it's more a culture clash - it took me some time to get used to Sophos but their approach makes sense (this is not to say that I totally agree with them, or even in large part).

    Christian