
Removable Media Scanning on insertion?

Hello,

I've looked through the forums and only really see the same two posts about this from 5 years ago.

Has this functionality been added to Sophos? I'm not finding it in the Management Console and am hoping that there is a way to do this now.

I look forward to your reply,

Thanks
Ryan



  • Hello Ryan,

    there are several of these requests (also newer ones) here and in ideas (here's one with a Declined response) as well.
    I'm often asking (can't remember that I ever got an answer) what the purpose of such a feature would be. If there's any immediate threat On-Access will catch it before the scan can even commence. If not - with today's storage sizes the device is perhaps ejected before the scan can complete. Or should the device be locked until the scan has finished?

    Christian

  • Hi Ryan Bell,

    The auto scan feature for removable media is not available as of now. As explained by  the real-time scan would be in place to protect you against the active threats in the drive. Also, in a production environment, a scan that commences every time someone connects an external drive would delay the use of the drive (the more data it contains, the longer it would take to complete the scan).

    However, you can vote for the feature request External device Auto Scan.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Hello,

    Thank you both for your replies. They have helped determine that we will use an alternative strategy to mitigate risk.

    Much appreciated

    Ryan

  • Hello Ryan,

    what risks are you thinking about? The automatic scan isn't more sensitive than On-Access scanning thus I don't see any advantage, i.e. additional protection, for everyday use.

    Christian

  • Hello Christian,

    Mainly the inherent risks that are associated with USBs. If we were able to have on-insertion capabilities to be able to scan for autorun.infs and other potential threats and allow the USBs to be read only, then it could potentially be a viable option. As that doesn't seem the case (minus the read only), we're better off continuing to block the capability altogether.

  • Hello Ryan,

    autorun.inf is (as the other files potentially called by it) opened by standard means and thus subject to an on-access scan (apart from that autorun should be disabled anyway). As said, an automatic scan wouldn't be able to detect more than on-access. And consider the case that the threat couldn't be cleaned - unless the device is blocked until the scan finishes (this might be a serious impact on usability, there are already TByte devices) and is subsequently disabled the endpoint wouldn't be protected without on-access scanning being active. And, BTW, there's an automatic boot sector scan upon insertion to alert you of harmful bootable devices. Furthermore, that a device is R/W doesn't pose a threat (this is a consideration in conjunction with data leakage).

    IMO the desire for such an automatic scan is a relic of ancient times, the age of floppy discs, INT13h, and someone or somecompany who said isn't it cool that it runs on its own and all you have to do is slot it in?

    Christian