We recommend using the default scan settings in your Anti-Virus and HIPS policies, as they represent the best balance between protecting your network against threats and overall system performance. However, if performance weren't an issue, we would recommend that you switch on all settings to ensure the best protection. There may be other reasons why you would adjust the default settings.
Whenever you consider changing the default settings, use the following guide to understand what effect your changes would make on both system performance and your protection against threats.
Note: For instructions on how to set up a scheduled scan see article 120722.
In this article: Scheduled scan settings | Configure scanning and cleanup settings | Extensions and exclusions
For on-access scan settings, please see Anti-Virus and HIPS settings guide (on-access scans).
Days: M, T, W, Th, F
Time: This setting uses the 24-hour clock.
When you enable this setting, it adds the common archive file formats to the list of extensions that are checked by the on-access scanner.
We don't recommend that you scan inside archive files during your weekly scans because it will add a significant amount of time to the scan. We recommend instead that you use on-access scans (on-read and on-write) to protect your network (without scanning inside archive files): any components of an unpacked archive that may be malware will be blocked by the on-read and on-write scanners when accessed.
If you would like to scan all archives on a few computers using a scheduled scan, we recommend that you set up an extra scan and add only the archive extensions to the list of extensions to be scanned (and ensure that scan all files is switched off). This will allow you to scan the archive files while making it as short a scan as possible.
Also be sure to set up a regular scheduled scan for those computers that scans the executable and other infectable file extensions.
Scan for Macintosh viruses
Scan system memory
If you enable Scan system memory, on-access scanning detects malware hiding in system memory (kernel memory).
System memory scanning reads from and writes to areas of memory in response to requests from the virus engine.
Run scan at lower priority
This option is only available on Windows Vista SP2 platforms and above. It will cause on-demand scans to take longer to complete.
Scan for Root kits
Allows automatic scanning for root kits.
Potentially Unwanted Applications (PUAs) are applications like PC surveillance software and joke applications. SophosLabs includes detection for known PUAs in the threat detection data that's included in your Endpoint Security and Control updates.
We recommend that you first authorize legitimate applications, such as administration tools, by performing a scheduled scan of your network and identifying the legitimate applications and authorizing them in Enterprise Console. Then, we advise switching on on-access scanning to block unauthorized applications in the future. For more detailed instructions, see the Administrator's rollout guide for potentially unwanted application (PUA) protection.
Note that you will have to run a scheduled scan to clean up any PUAs that are found by the on-access scanner, so we recommend keeping this setting enabled.
The Labs review their PUA definitions periodically to ensure that new programs that have malicious or unethical intent can be blocked from your network.
Suspicious files are files that contain code that is commonly used in malware. Because there is no way for an anti-virus scanner to know the context of a file (for instance, to know that a file written by one of your software engineers is safe), we report on all possible suspicious files. This may lead to a few unwanted detections, but we feel that it's important to highlight all potentially dangerous files so that a human can then provide the context for them.
This setting is enabled by default, as we recommend that you first authorize legitimate files, such as those written by your employees. Do this by performing a scheduled scan of your network and identifying the legitimate files and authorizing them in Enterprise Console, and then switch on on-access scanning to detect suspicious files in the future. Once on-access scans are switched on, you can either switch this setting off in your scheduled scans, or leave it on for maximum protection.
For more information about HIPS, please see the following knowledgebase article: http://www.sophos.com/support/knowledgebase/article/48765.html
Obviously, you may want to set this to automatically clean up any malware that is found, but we've left it to you to decide: you may have your own procedures for cleaning up malware, so we wouldn't want to perform actions without your express consent. For instance, you may prefer to leave detected items in quarantine until you can deal with them.
When the anti-virus scanner automatically cleans up items that contain a virus or spyware, it will delete any items that are purely malware and it will try to disinfect any items that have been infected. These disinfected files should be considered permanently damaged, as the virus scanner cannot know what the file contained before it was damaged: it can only clean out the code that was injected by the virus.
The default ‘Deny access only’ means that the virus scanner will ask you what to do before continuing. As long as you have the on-access scanner enabled, any item found in a scan will be blocked until you tell the virus scanner what to do.
The other options ‘Delete’ and ‘Deny access and move’ could be used in special circumstances, such as when Sophos Technical Support are helping you clean up malware on your network.
We don’t recommend that you allow the virus scanner to automatically delete infected files, as sometimes legitimate files can be detected. If you do enable this setting, you should check the logs regularly to ensure that you haven’t deleted any important files.
The default ‘Deny access only’ means that the virus scanner will ask you what to do before continuing. As long as you have the on-access scanner enabled, any item found in a scan will be blocked until you tell the virus scanner what to do. We recommend using the Deny access only setting, as that way you can authorize any legitimate programs from Enterprise Console.
It is recommended that you scan all files during a weekly scan. If you enable this setting, the other options in this section do not need to be enabled.
If you want to scan extra file types, you can add those file type extensions to the list of file types to be scanned using the Add button.
As files with no extension could be malware, you should always enable on-access detection.
No exclusion options are set by default.
The exclusions for this part are for files, folders and drives. Generally it's best not to exclude anything when running a full scan, to ensure that all your files, folders and drives are checked once a week.