When Sophos Anti-Virus finds a suspicious file or program, it can only indicate that the file or behavior may be a threat. Look into the file to determine whether it needs to be blocked or authorized. In some cases it may turn out to be a clean and legitimate file, and blocking it can prevent legitimate software from running correctly; in others, it may be unidentified malware.
This knowledge base article provides a decision-making process for deciding what action to take when you get an alert.
The following sections are covered:
If software was being installed or updated and the reported item looks like it is related to this action, then the alert may be an unwanted detection triggered by the install/update process.
Legitimate programs could include installers, scheduled updating programs and other update tools, and other programs that alter the registry, processes, or program and data files.
To avoid this happening again, Sophos advises configuring Suspicious Behaviour Monitoring to alert-only mode for the duration of software installations/updates. If the software updates often, add it to the list of authorized programs instead.
Has it been there for years? If not, how did it get there? If you know the history of the file then there is less chance of it being a genuine threat.
Consult the Sophos website to read a description of the suspicious item. Is the behavior reasonable for the item reported? If an otherwise legitimate file starts to behave suspiciously, then it could be an indication that malware has infected the machine.
The same behavior alert being reported every second or two is a good indication of a possible malware infection — even if the reported item is believed to be legitimate!
Is the file in the internet cache folder? If so, have you recently downloaded any files? Did you download from a reputable website? If the reported item is in the internet cache folder and you have not knowingly downloaded any files then there is a greater chance of it being a genuine threat.
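As an added illustration (not part of the Sophos article), the checks above encoded as triage logic over a few constructed alert records; the log line format, behaviour names, paths, cache-folder markers and repeat thresholds are all assumptions, not Sophos formats:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not Sophos's real log format): "<ISO timestamp> <behaviour> <path>".
SAMPLE_ALERTS = """\
2024-03-01T10:00:00 registry-modification C:\\Program Files\\Vendor\\update.exe
2024-03-01T10:00:01 registry-modification C:\\Program Files\\Vendor\\update.exe
2024-03-01T10:00:03 registry-modification C:\\Program Files\\Vendor\\update.exe
2024-03-01T10:00:04 registry-modification C:\\Program Files\\Vendor\\update.exe
2024-03-01T10:05:00 process-injection C:\\Users\\bob\\AppData\\Local\\Microsoft\\Windows\\INetCache\\tmp7f.exe
2024-03-01T11:00:00 file-modification C:\\Program Files\\Backup\\agent.exe
"""

CACHE_MARKERS = ("inetcache", "temporary internet files")  # assumed browser-cache folder names


def parse_alerts(text):
    """Parse one alert per line into (timestamp, behaviour, path) tuples."""
    alerts = []
    for line in text.splitlines():
        ts, behaviour, path = line.split(" ", 2)
        alerts.append((datetime.fromisoformat(ts), behaviour, path))
    return alerts


def triage(alerts, install_window=None, known_files=(), repeat_gap=timedelta(seconds=2), min_repeats=3):
    """Map each (behaviour, path) pair to a recommended next step, applying the article's checks in order.

    install_window: optional (start_iso, end_iso) during which software was knowingly installed/updated.
    known_files: paths whose history you already know.
    """
    window = tuple(datetime.fromisoformat(t) for t in install_window) if install_window else None
    by_item = defaultdict(list)
    for ts, behaviour, path in alerts:
        by_item[(behaviour, path)].append(ts)
    verdicts = {}
    for (behaviour, path), stamps in by_item.items():
        stamps.sort()
        # Number of consecutive alerts arriving within repeat_gap of the previous one.
        rapid = sum(1 for a, b in zip(stamps, stamps[1:]) if b - a <= repeat_gap)
        if rapid >= min_repeats - 1:
            verdicts[(behaviour, path)] = "investigate: same alert repeating every second or two"
        elif any(m in path.lower() for m in CACHE_MARKERS):
            verdicts[(behaviour, path)] = "investigate: item is in the internet cache folder"
        elif window and all(window[0] <= t <= window[1] for t in stamps):
            verdicts[(behaviour, path)] = "likely install/update activity: review, then authorize if legitimate"
        elif path in known_files:
            verdicts[(behaviour, path)] = "known file: check whether the behaviour is reasonable for it"
        else:
            verdicts[(behaviour, path)] = "unknown history: establish where the file came from before deciding"
    return verdicts
```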
In some cases Sophos may provide an update to the detection of the application you have queried; in others it may not be appropriate. However, you always have the flexibility to either authorize or block any application, as appropriate to the needs of your business.