Is there really no more quarantine manager in the new version?

Hello Jason Warren,

sorry for the late reply, still catching up.
Furthermore I'm neither a Home user nor a Mac specialist but perhaps I can give at least a partial answer. Home's concept is that one user centrally manages up to ten devices, his/her own and those of the "family" - more or less protecting them from themselves. And possibly they anyway don't have the knowledge/rights to deal with the threat so the QM wouldn't be of much use anyway.

just permanently deletes the file
whether a file is deleted or not doesn't depend on the presence or absence of the QM but on the AV settings. Can't say what's available in Home, I assume it's the recommended automatically cleanup failing this delete (but please note that it's not done in all cases - it doesn't just delete files all willy-nilly).
As said, it's not a matter of QM. expected false positives should either be excluded but the better option to have them assessed (and the detection amended if necessary). Guess it's still possible to submit samples without entering a license ID. delete applies only to files which are very likely harmful - so what has been picked up as what (Mal/..., Troj/...)? Any anyway even with a "non-destructive" policy these files would get blocked and thus effectively be unusable. Again not a Home-specific problem, this applies to a business version as well - but maybe what you want is the ability to temporarily turn off scanning via the GUI.

Christian       

" And possibly they anyway don't have the knowledge/rights to deal with the threat so the QM wouldn't be of much use anyway."

The central user and users of machine he/she manages may not have the knowledge to deal with the threat until more research is done on the threat.  So the conservative approach is to have the threat quarantined.

So please re-consider the quarantine feature in Sophos Home.

Thanks in advance,

Patrick

Hello Patrick,

[I'm not Sophos, BTW]
until more research is done
what would that more research be, could you describe the work flow you have in mind starting with the threat getting quarantined? When and based on what information would the central admin decide on what to do with the threat?

If I understand you correctly it's not actually the Quarantine Manager that you want back but the ability to only block a threat instead of automatic cleanup kicking in, correct? From your posts in the "false positives" threat I conjecture that you're mainly worried about tools (or "tools") and their potential removal classified as PUA (there is, AFAIK, a separate setting anyway). Also please keep in mind that tech-savvy users likely aren't the intended audience for Home.

Christian

I used to travel a lot for work and learned to have at least 2 of everything :) .  I typically download system utilities from the source or well known established sites.  So when I get a flag on a file as a threat by an antivirus/anti-malware utility here is my workflow. It's a "trust, but verify" approach and you don't need to be a tech savvy user to use it:

- Identify directory location and file name as reported my the antivirus/anti-malware utility

- Put it in quarantine or temporarily ignore until further research /evaluation.  If it's a windows system file I tend to temporarily ignore, i still want a working system for evaluation. A few months ago there was a false positive on a windows system file by an established antivirus vendor which affected systems.

- Use MULTIPLE tools from another vendor to research/evaluate the threat: a) run an on-demand scanner on the computer such as Malwarebytes or from other established security vendors; b) submit file to one of these services which runs the file through at a minimum at least 19 scanners: VirusTotal.com (now owned by Google) ; metadefender.com ; virscan.org ; virusscan.jotti.org

- Make an informed decision whether to consider a false positive by the utility which identified it as a threat.  I can decide to set an exception and roll back the file, OR delete.

So based on my workflow i would prefer some sort of mechanism to temporary suspend deletion so I can further evaluate.  Having some sort of quarantine is the conservative way to go.

Before trying out Sophos Home, my computer is running real time scanners from Webroot and Malwarebytes Pro for over 5 years keeping my system clean.  Sophos identified a few files that have been on there for a long time and I no longer cared for so I wanted to see what Sophos would do to "fix" it.  It identified and old version of a system information utility I no longer use but I've kept called System Information for Windows by Gabriel Topala.  I know I've run this version through VirusTotal in the past. Sophos also identified a file "awc.exe" in an Acer directory which is my laptop manufacturer. It appears to be related to an Acer Welcome Center screen.  This awc.exe file has never been flagged on prior deep scans or real time scans in the past from other security vendors. 

I also use various Nirsoft utilities which sometimes are flagged as PUA. I see that Sophos has application categories for Nirsoft utilities.  I expected this so I set an exception.

Even though Sophos Home is not intended for tech savvy users, doesn't having a central admin give that person a role in further evaluation on threats? They have the authority to set exceptions now.  Knowing which file to set an exception to implies the central admin knew the nature of that file either before the fact or after further evaluation.

Patrick

Hello Patrick,

you don't need to be a tech savvy user
reading your workflow ... please do tell this to a non-tech-savvy user ... LOL ... [;)]
Seriously, I agree with you to a certain extent, I've noticed - naw, can't say for sure, it seems that some PUAs are automatically dealt with (which in turn is reasonable for quite a lot but ...). BTW, some of the famous Sysinternals utilities are also PUAs.
IMO (and from my experience even though it's from years ago) it's more a culture clash - it took me some time to get used to Sophos but their approach makes sense (this is not to say that I totally agree with them, or even in large part).

Christian

Hello Patrick,

you don't need to be a tech savvy user
reading your workflow ... please do tell this to a non-tech-savvy user ... LOL ... [;)]
Seriously, I agree with you to a certain extent, I've noticed - naw, can't say for sure, it seems that some PUAs are automatically dealt with (which in turn is reasonable for quite a lot but ...). BTW, some of the famous Sysinternals utilities are also PUAs.
IMO (and from my experience even though it's from years ago) it's more a culture clash - it took me some time to get used to Sophos but their approach makes sense (this is not to say that I totally agree with them, or even in large part).

Christian