As part of an ongoing process, SophosLabs have been increasing the number of Windows system configuration options that are reset to default in the event of malware detection.
Note: This article does not apply to Sophos Cloud products.
Applies to the following Sophos products and versions: Sophos Endpoint Security, Sophos Endpoint Security and Control
Successive versions of Windows have added security configuration options, a number of which are enabled by default. These settings are a barrier to malware authors, and it is increasingly common for malware, on execution, to alter them, leaving the system less secure against a further attack. Malware also often disables key tools and functionality (such as Task Manager and Registry Editor) to make it harder for the user to remediate the threat manually.
SophosLabs continues to expand the set of Windows system configuration options that are reset to their defaults when malware is detected. This reset happens only when cleanup is enabled. Its purpose is to return the system to a more secure and usable state once the malware cleanup action is complete.
Cleanup is performed when malware is detected during an on-access or on-demand scan. Automatic cleanup can be configured on or off (the default for new installs of SAV version 10 and above is on). Cleanup is not performed when malware is detected by Web Protection; in that case the malware is generally blocked instead.
The Windows system configuration options that are returned to default during cleanup are the same whatever type of malware is cleaned up. This means that options which were intentionally set to comply with your corporate IT policy may be changed back to the Windows default settings. Once cleanup has completed, you may wish to return those options to policy-compliant settings; when doing so, take into account the security risk each change carries.
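The following PowerShell script is an added example; it is not part of the Sophos article and is not a Sophos tool. It snapshots a set of Windows configuration values before cleanup (or on a known-good reference machine) and reports which ones changed afterwards, so that settings applied under corporate policy can be re-applied deliberately rather than rediscovered. The value list in it is an illustrative selection of well-known settings that malware commonly tampers with (the Task Manager and Registry Editor lockouts, UAC, Explorer's hidden-file and file-extension display); it is an assumption for the example, not the list of options SophosLabs resets.

```powershell
# Added example (not from the Sophos article): snapshot a set of Windows
# configuration values before cleanup and diff them afterwards.
# The value list is illustrative and is NOT the SophosLabs reset list.
# Run it in the context of the affected user, since several values live in HKCU.
$Settings = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden' }
)

function Get-SettingSnapshot {
    # Returns a hashtable of "key\value" -> current data for every entry in $Settings.
    $snapshot = @{}
    foreach ($s in $Settings) {
        $key  = "$($s.Path)\$($s.Name)"
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        # A missing key or value is recorded as $null, so "absent" vs "present"
        # shows up as a difference in its own right.
        $snapshot[$key] = if ($null -ne $item) { $item.($s.Name) } else { $null }
    }
    return $snapshot
}

function Compare-SettingSnapshot {
    # Emits one object per setting whose data differs between the two snapshots.
    param([hashtable]$Before, [hashtable]$After)
    foreach ($key in $Before.Keys) {
        # Compare as strings so $null, Int32 and Int64 (from JSON) compare sanely.
        if ("$($Before[$key])" -ne "$($After[$key])") {
            [pscustomobject]@{ Setting = $key; Before = $Before[$key]; After = $After[$key] }
        }
    }
}

# Usage: before cleanup (or on a reference machine), save a baseline ...
#   ConvertTo-Json (Get-SettingSnapshot) | Set-Content baseline.json
# ... and after cleanup, load it and report what changed:
#   $before = @{}
#   (Get-Content baseline.json | ConvertFrom-Json).PSObject.Properties |
#       ForEach-Object { $before[$_.Name] = $_.Value }
#   Compare-SettingSnapshot -Before $before -After (Get-SettingSnapshot) | Format-Table -AutoSize
```

Review each reported difference before reverting it: a value that cleanup returned to the Windows default may have been set by the malware rather than by policy, and re-applying it would undo part of the remediation.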
The following is a list of configuration options which may be reset to default during cleanup. These changes are continually reviewed by both SophosLabs and Global Support Services for their relevance in malware remediation and to minimize potentially adverse impact on customers. Where possible we have provided a link to further Microsoft information.