When Sophos Anti-Virus finds a suspicious file or program, it can only indicate that the file or behavior may be a threat. You must look at the file to determine whether you want it blocked, or whether you will authorize it. In some cases it may turn out to be a clean and legitimate file, and blocking it can prevent legitimate software from running correctly; in others, it may be unidentified malware. This article provides a decision-making process for deciding what action to take when you get an alert.
If software was being installed or updated and the reported item looks like it is related to this action, the alert may be an unwanted detection triggered by the install/update process.
Legitimate programs could include installers, scheduled updating programs and other update tools, and other programs that alter the registry, processes, or program and data files.
To avoid this happening again, we advise that you configure Suspicious Behaviour Monitoring to 'alert only' mode for the duration of software installations/updates. If you have software that often updates itself, add this to the list of authorized programs instead. See Sophos Anti-Virus for Windows 2000+: authorizing suspicious items for instructions.
Has it been there for years? If not, how did it get there? If you know the history of the file, there is less chance of it being a genuine threat.
Consult the Sophos website to read a description of the suspicious item. Is the behavior reasonable for the item reported? If an otherwise legitimate file starts to behave suspiciously it could be an indication that malware has infected the machine.
The same behavior alert being reported every second or two is a good indication of a possible malware infection — even if the reported item is believed to be legitimate!
Is the file in the Internet cache folder? If so, have you recently downloaded any files? Did you download them from a reputable website? If the reported item is in the Internet cache folder and you have not knowingly downloaded any files, there is a greater chance of it being a genuine threat.
See knowledgebase articles on Submitting samples of suspicious files to Sophos and Collecting samples blocked by on-access scanning for help on collecting and forwarding files to Sophos labs.
In some cases, Sophos may provide an update to the detection of the application that you have queried, in others it may not be appropriate. However, you have the flexibility at all times to either authorize or block any application, as is appropriate to the needs of your business.
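As an added example (not part of the Sophos article), the questions above turned into a small Python triage routine run over constructed alert records. The Internet cache folder names, the "five hits no more than two seconds apart" threshold and the alert record layout are assumptions, not Sophos' own formats.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Alert:
    """One Suspicious Behaviour Monitoring alert (constructed record, not Sophos' log format)."""
    time: datetime
    path: str       # the reported item
    behaviour: str  # behaviour description shown in the alert

# Folder markers for the Windows Internet cache (assumed; adjust to the Windows version in use).
INTERNET_CACHE_MARKERS = ("\\temporary internet files\\", "\\inetcache\\")

def repeats_rapidly(alerts: Iterable[Alert], min_hits: int = 5,
                    max_gap: timedelta = timedelta(seconds=2)) -> bool:
    """True when the same alert fires every second or two: the 'possible infection' signal."""
    times = sorted(a.time for a in alerts)
    if len(times) < min_hits:
        return False
    return all(later - earlier <= max_gap for earlier, later in zip(times, times[1:]))

def in_internet_cache(path: str) -> bool:
    return any(marker in path.lower() for marker in INTERNET_CACHE_MARKERS)

def triage(alerts: List[Alert], installing: bool, known_history: bool,
           knowingly_downloaded: bool) -> Tuple[str, str]:
    """Walk the article's questions from strongest to weakest signal; return (action, reason)."""
    if repeats_rapidly(alerts):
        return "block; collect sample and submit to Sophos", "same alert repeating every second or two"
    if in_internet_cache(alerts[0].path) and not knowingly_downloaded:
        return "block; collect sample and submit to Sophos", "item in Internet cache, no known download"
    if installing:
        return "authorize for the install; use 'alert only' mode during installs", "alert coincided with install/update"
    if known_history:
        return "likely legitimate; authorize if behaviour matches Sophos description", "file history is known"
    return "keep blocked; submit sample before authorizing", "file history unknown"

# Constructed sample alerts (not real detections).
T0 = datetime(2024, 1, 1, 9, 0, 0)
NOISY = [Alert(T0 + timedelta(seconds=i), r"C:\Users\jo\AppData\Local\Temp\upd.exe",
               "modifies registry run key") for i in range(8)]
CACHE_HIT = [Alert(T0, r"C:\Users\jo\AppData\Local\Microsoft\Windows\INetCache\IE\K1\setup.exe",
                   "drops executable")]
INSTALLER = [Alert(T0, r"C:\Program Files\Vendor\updater.exe", "modifies registry")]
```

Call `triage(sample, installing=..., known_history=..., knowingly_downloaded=...)` with the answers from your own investigation; the repetition check outranks every other answer, matching the article's warning about alerts that recur every second or two.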