"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
Sophos Anti-Virus for Windows 2000+, version 6.0 and above, provides protection from a wide range of common adware and potentially unwanted applications (PUAs). This includes detection of PUAs and the cleanup of files, registry entries and in-memory processes.
Note that PUA scanning is not available for Windows NT/95/98/Me computers.
PUA is a term used to describe applications that, while not malicious, are generally considered unsuitable for business networks. The major PUA classifications are adware, dialer, non-malicious spyware, remote administration tool and hacking tool. However, certain applications that can fall into the PUA category might be considered useful by some users.
Sophos recommends deploying PUA protection in stages across your network. This will allow you the opportunity to assess the threat posed to your system, decide on appropriate action, and reduce the likelihood of disruption to users.
This article outlines a system for a phased deployment of PUA protection. However, it is intended to complement the user manual and online help provided with your console, and should not be seen as a replacement for product documentation.
Applies to the following Sophos product(s) and version(s): Enterprise Console 4.7.0, Enterprise Console 5.0.0, Sophos Enterprise Manager 4.7.0.
Note: Sophos Technical Support cannot advise you on whether to remove or authorize an application.
PUA detection must be enabled for both on-access and scheduled scans.
Scheduled scanning - you can use a scheduled scan to enable PUA scanning and to set up automatic cleanup. Removal of PUAs can either be carried out from your console, or you can configure a scheduled scan to remove them. Note that an affected computer may need a reboot for the complete removal of certain PUAs.
On-access scanning - on-access scanning can provide protection against PUAs by intercepting files as they are accessed, but it does not provide cleanup. Some applications 'monitor' files and attempt to access them frequently; if on-access scanning is enabled, each such access is detected and generates an alert on the affected computer and in your console.
Note: If you enable on-access scanning for PUAs from the outset (rather than following the phased deployment described here), users may see a large number of PUA alerts on their computers. This can cause concern if they have not previously seen PUA warnings, and could generate numerous calls to your company's IT support staff. Therefore on-access scanning for PUAs should only be enabled as the final stage of a phased deployment, after you have scanned your network and removed all unwanted software.
The following defaults exist:
Any potentially unwanted applications that are detected will be listed in Quarantine manager.
Before you start, ensure that you are familiar with the procedures for setting up and using groups and policies, including how to apply policies to selected groups. Detailed procedural steps for these routine operations are not given in this article. They can be found in the relevant sections of your console Help or other documentation.
Plan and create a group structure suitable for a phased deployment. You must decide what is a manageable size for the groups you create, so that you can easily process scanning and cleanup arrangements during this initial deployment.
Groups can be divided into sub-groups and a specific PUA policy can be applied to each group or subgroup. Users should be assigned to each group on the basis of their individual requirements. For example, if certain users want to keep a specified PUA on their computer, these users should all be placed in one group.
Create one or more PUA policies to satisfy the requirements of each of the groups you have created. These policies may include setting up scheduled scans and creating authorized lists.
Plan out when you will apply the policies to given groups. Arrange to do this in phases, working with just a few groups at a time.
If you have large groups, you may want to break them down into smaller groups, sharing the same policy, but applying the policy at different times. This spreads the scanning over a period of time and allows you sufficient time to view the results of the scan on that group, and to implement your chosen policy of cleanup and/or authorization.
If the cleanup process
Repeat the procedures in the previous two sections (Deployment, and Authorization and cleanup) with your second and subsequent groups, until all the computers on your network have had an initial scan followed by authorization or cleanup.
After you have completed the deployment of PUA scanning to all the computers on your network, the status of your network with regard to PUAs should be as follows:
You must now implement a policy to ensure that your network is kept clear of PUAs. It is recommended that a scheduled scan with PUA scanning enabled is run on all computers once per day.
Automatic cleanup of PUAs is available for a scheduled scan, but controlling the cleaning in Enterprise Console is recommended.
Sophos recommends that you now enable PUA scanning for on-access scanning. If a PUA is detected, by default the user of the infected computer will receive an alert. The alert will also be displayed in Enterprise Console.