
Is It Working?

Installed trial (endpoint/central) on Win7 x64 platform.  Suspended Norton Security indefinitely.

2 "policy violations blocked" were noted within the first 30 minutes of install, but checking the status over the last 2 weeks, there have been no further detections.  Furthermore, I cannot tell what the policy violations were; it tells me there were two, but I cannot figure out where to find out what was flagged and/or what was done.

I expected the threat/violation counts to increase, as this is supposed to be more thorough than Norton (signature based), but there were no changes to the threat/violation detection counts.  So, I reactivated Norton to see if it found anything that Sophos might have missed, and it proceeded to start flagging and quarantining every file on the HDD, starting with the oldest and working forward.  Sadly, I didn't notice this at first; I discovered just about 5 GB of data had been removed when I checked back an hour later.

I deactivated Norton again (to stop the purge), of course, but now I'm at a loss: did Norton quarantine these because Sophos let something through, or did Sophos somehow corrupt Norton and it simply went crazy?  Since I could not determine what went wrong, I uninstalled Sophos and reinstalled Norton (no further quarantining occurred).

I'd expected the threat counts to increase because Norton was supposed to be ignoring the "under the radar" threats which endpoint protection was supposed to catch.  I did not expect there to be zero threats at all.  The configuration (Sophos Central) site is a complete mess: unless you know Sophos at a programmer (developer) level, there is no way to tell what anything on it does or where to go to check/update settings, and, therefore, no way to know if you've configured it correctly (which could be why I'm not getting threat capture notices).  The reports are worthless, as they evidently only show a device total and none of the individual detection details.  NOTE: I installed Sophos endpoint and simply accepted the default configuration; I did not customize any settings.

So, my question is: how do I test to see if Sophos is doing anything?  Unless I can prove to myself this software is doing something, I cannot risk using it if it is in fact not.  What would a "normal" threat detection count be on, say, a weekly or monthly basis?  Zero just doesn't seem right.

Well, the EICAR tests worked.  The final (4th) file did download, but it was blocked when file access was attempted.  Each of the 4 upticked the Malware count in the dashboard.

When I try to access http://sophostest.com/eicar/index.html I do not get a Sophos error; I get a "connection was reset" error in the browser.  And no threat counts increase on the dashboard.  Don't know if that's the expected result, but ...

http://sophostest.com/malware/index.html was blocked by Sophos as malicious, both in the OS notification pop-up and on the website notification page (and the dashboard count upticked).

However, all 4 of the files at http://sophostest.com/reputation/index.html downloaded with no errors, and running them didn't cause any visible issues, errors or warnings.  The dashboard, however, displayed 4 "controlled items".  What on earth does that mean?  I can't find anything online about what a "controlled item" is, as the Sophos knowledgebase is just about worthless without a search, and there isn't a user manual, or not one that I can find.  If "controlled" means quarantined, then why could I access them at all?

So, it appears that it is working; I'm just invisible enough that no-one has tried to break into my system.  I think I might be insulted.
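The EICAR checks in the reply above can be done locally, without a browser or the sophostest.com pages, by writing the standard EICAR test string to disk and seeing what the on-access scanner does with it. The script below is an added example and is not from this thread, from Sophos, or from any Sophos documentation. It assumes it is run in PowerShell on the endpoint under test (it uses only .NET calls so it also works on the PowerShell 2.0 that ships with Windows 7); the file name eicar-test.com under $env:TEMP is an arbitrary choice. The EICAR string is a harmless, industry-standard detection test, not malware, and scanners only recognise it when it is the first 68 bytes of the file, which is why the script writes raw ASCII bytes rather than using Set-Content. The outcome (write refused, file quarantined or deleted, or read refused) depends on the product's policy; any of the three shows that on-access scanning is active, while a file that stays readable shows it is not.

```powershell
# Added example, not code from the thread or from Sophos.
# Writes the EICAR test string to a file and reports how the on-access scanner reacts.
# Assumption: run locally on the endpoint being tested; file name is arbitrary.

$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'eicar-test.com'   # hypothetical file name

# Raw ASCII, no BOM, no trailing newline: the test string must be the first 68 bytes.
$bytes = [System.Text.Encoding]::ASCII.GetBytes($eicar)

try {
    [System.IO.File]::WriteAllBytes($path, $bytes)
    Write-Host "Wrote $($bytes.Length) bytes to $path"
} catch {
    # Some products refuse the write itself; that already proves the scanner is active.
    Write-Host "Result: write blocked ($($_.Exception.Message)); on-access scanning is active."
    return
}

# Give the on-access scanner a few seconds, then see whether the file survived.
Start-Sleep -Seconds 5

if (-not (Test-Path $path)) {
    Write-Host 'Result: file removed (quarantined or deleted); on-access scanning is active.'
    return
}

try {
    $readBack = [System.IO.File]::ReadAllBytes($path)
    if ($readBack.Length -eq $bytes.Length) {
        Write-Host 'Result: file still present and readable; no on-access detection occurred.'
    } else {
        Write-Host "Result: file present but altered ($($readBack.Length) bytes); check the product's quarantine log."
    }
} catch {
    # Access denied on read is the behaviour the reply above saw for the 4th EICAR file.
    Write-Host "Result: read blocked ($($_.Exception.Message)); on-access scanning is active."
}

# Clean up if the file survived.
if (Test-Path $path) { Remove-Item $path -Force -ErrorAction SilentlyContinue }
```

Run it, then compare the printed result with the dashboard: a blocked write, removed file or blocked read should each add one detection to the malware count, which is the same kind of evidence the downloaded EICAR files gave in the reply above. If the file stays readable and the count does not move, the scanner is not watching that path, which is worth checking before concluding anything from a zero count.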