Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 14 subscribers
  • Views 13984 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Ability to clean up PUA; or lack thereof

Greg Saunders

I've recently enabled scheduled scanning (deep scanning) from within Sophos Central, which has returned quite a few PUAs. Of the ~25 that appeared, I had the ability to select (maybe) 6 and choose the option to 'Clean PUA'. Doesn't  mean it would be successful of course, but I could monitor them on the Events page to see whether Sophos was able to perform the clean operation. The remainder of the PUAs don't offer the option to clean it up from within the console. I can only authorize it - which I don't want to do - or mark it as resolved - which I also don't want to do. Doesn't seem to matter what type of PUA it is, as some 'OpenCandy' ones (as an example) I can clean remotely and some I cannot.

 

Sophos indicates that the clean up option might not appear if the PUA was found on a network share because of lack-of-access issues; however, these PUAs all reside locally on C:

 

I have a case open with Sophos, but response time isn't exactly the greatest. Can anyone explain why the majority of the PUAs I'm seeing aren't able to be cleaned remotely? 



This thread was automatically locked due to age.
Parents
  • 0

    Hello Greg Saunders,

    there are many reasons that cleanup is not available or fails.
    Some PUAs are stand-alone, cleanly installed, have no dependencies and thus it's possible to reliably remove them. Others are "bundled" with legitimate applications, integrated with them ("download experience enhancers" and the like in freely available software), or even rooted in the system. Or they are found as parts of complex archives. It might not be possible to assess the side-effects of remote removal. Please note that a certain PUA is not necessarily a specific application, as you can see from the analysis of OpenCandy.
    A "something" displaying ads or opening an "offers" page with the default browser could be compiled into a program, built into the (legitimate) .exe, loaded from a(n "alternate") DLL, or its own module. Even with actual threats remote cleanup isn't always performed because of potential "collateral damage" - more so with border cases and software that is not outright malicious (but there are cases where PUAs made it into the Mal/ or Troj/ categories). Last but not least the effort necessary for a reliable cleanup routine might simply be unjustifiable.

    Christian

  • 0 in reply to QC

    Hi Christian,

     

    Thanks for responding to the thread; much appreciated. A lot of good information in your post as well; definitely much more than I've been able to attain on my own thus far.

     

    While I understand what you're saying, it still would have been nice to have the option to remotely (attempt to) clean all PUAs. As I mentioned in my original post, I fully realize that even when choosing this option it doesn't necessarily mean the PUA is successfully cleaned. Monitoring or follow up is required afterwards to confirm what exactly happened (or didn't happen). We have 3 sites in total; 2 of which are in different geographic locations that make travel not feasible. Certainly not for anything Sophos related of course. We also don't have dedicated boots-on-the-ground there either. Being able to remotely administer these endpoints is key to securing our environment rather than relying on user intervention, who, in many cases, are responsible for the PUA detection in the first place.

     

    Ultimately, if the option to at least attempt cleaning it remotely isn't present, does that render on-site or local presence as a requirement to mitigate the issue? I realize that might be a rhetorical question...

     

    Greg

  • 0 in reply to Greg Saunders

    Hello Greg,

    the decision whether cleanup can (reasonably) be attempted is made by the scanner during detection based on the detection identity (i.e. whether the instructions leading to the detection have an associated cleanup routine) and the circumstances (i.e. whether the location is R/O or the threat "buried" deep inside a file).
    As PUAs aren't threats working on sophisticated cleanup routines isn't "economical" (just an assumption, I'm not Sophos).

    As for remote management - there was a short questionnaire that IIRC included among other things remote management and asset management. Perhaps they didn't get enough votes but apparently the decision was made not to interfere with the endpoints or extend management beyond the existing features (e.g. transfer of the endpoint's logs, directly controlling at least Sophos services).

    to mitigate the issue
    if protection settings can not be changed on the endpoints the issue is actually just the alert - the PUA is blocked (if the settings request it) regardless of how often a user attempts to run it. Admittedly annoying but no threat. Keep in mind, if a user wants to run some PUA and it's deleted instead of just blocked he will simply try to download it again. And part of Sophos' culture is promoting education and awareness training for the users instead of fighting against them.

    Christian

Reply
  • 0 in reply to Greg Saunders

    Hello Greg,

    the decision whether cleanup can (reasonably) be attempted is made by the scanner during detection based on the detection identity (i.e. whether the instructions leading to the detection have an associated cleanup routine) and the circumstances (i.e. whether the location is R/O or the threat "buried" deep inside a file).
    As PUAs aren't threats working on sophisticated cleanup routines isn't "economical" (just an assumption, I'm not Sophos).

    As for remote management - there was a short questionnaire that IIRC included among other things remote management and asset management. Perhaps they didn't get enough votes but apparently the decision was made not to interfere with the endpoints or extend management beyond the existing features (e.g. transfer of the endpoint's logs, directly controlling at least Sophos services).

    to mitigate the issue
    if protection settings can not be changed on the endpoints the issue is actually just the alert - the PUA is blocked (if the settings request it) regardless of how often a user attempts to run it. Admittedly annoying but no threat. Keep in mind, if a user wants to run some PUA and it's deleted instead of just blocked he will simply try to download it again. And part of Sophos' culture is promoting education and awareness training for the users instead of fighting against them.

    Christian

Children
Unfiltered HTML