Fairly new to Sophos Enterprise Management Console, and I have a few questions regarding the console, policies, and some more.
1. How does Sophos differentiate between Suspicious files and Suspicious behavior?
Are they both heuristically determined? If so, how are they technically different? Really the question is: which one of these two could possibly have fewer false positives and be preferred over the other for result efficiency purposes?
2. Default Policy vs Custom Policy: If both policies (differently configured) are enforced on a group, which policy overrides?
3. What does HIPS' "Detect buffer overflow" do? By its name, one can infer that it detects overflow attempts, but is there a use case or an example that clarifies its function? 'Detect suspicious behavior' is another option under HIPS settings; if it's behavior based, couldn't they both be bundled together? The goal is to determine whether there's an advantage in enabling this feature.
4. Under the 'Anti-virus and HIPS policy' column, we have some systems that 'Differ from policy'. What causes this, and how can the appropriate policies be re-enforced on them?
5. Under the 'On-access' column, several systems are marked as 'Inactive'. The services seem to be running fine on them. What makes On-access inactive? Does it happen when someone disables on-access scanning? I tried reproducing that, but did not see any difference in my test machine's On-access status.
6. What do 'other errors' signify? Under Anti-virus and HIPS -> View/Edit Policy -> Messaging.
I tried to include a PDF with screenshots of the console, but didn't see an option to upload/attach documents within the forum.
Thanks in advance for any help/suggestions/advice.