
Sophos Endpoint considering my software that I am currently compiling to be a PUA

I am developing a website in ASP.NET Core 2.2 using Visual Studio 2017. When I compile the site, Sophos Endpoint steps in and deletes the file I just created, calling it a potential PUA.

Why would Sophos Endpoint think that I don't want my own code?  How could my own program, that I just wrote, be considered "unwanted"?  No, it is not a PUA, nor a virus.

Is there any way to permanently fix Sophos Endpoint so freshly compiled code isn't considered a PUA?

No, I don't want to bother IT about this...AGAIN.  It needs to be fixed, and that's on you.

How can we make this happen so it won't ever be any issue again?



This thread was automatically locked due to age.
  • Hello there, 

    You can allow this PUA on your device by adding an exclusion for it so that it is not detected again. You may refer to this documentation for the steps. If your device is managed by your IT team, then you need to reach out to them as well, as they are the ones who can perform these steps.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

  • It needs to be part of the base code.  If a user creates a dll, it is a fundamentally different act than installing one.  It must be handled by the AV in a completely different way.  

    This should have been a deal killer for any code you wrote.  If I create a DLL, it's not a virus. Period.  It should not be treated as one.

    How do we change Sophos' design philosophy to reflect this?

  • Hello Jim Oliver,

    First of all, this sounds like Intercept X and not the on-premise version. Intercept X is part of Central; its name implies a centralized concept. You can't make permanent adjustments without bothering IT. Consequently, "unwanted" is as seen from central administration, not an individual user.

    Even considering a "personal" AV, your assessment and assumptions are at least partially wrong.
    "my own code" - how should AV know that you is really you and that your code is indeed your code?
    "If I create a DLL, it's not a virus" - how do you know? There's more than one way to sneak rogue code into a project. Consequently, freshly compiled code is not necessarily clean.
    "If a user creates a dll, it is a fundamentally different act than installing one" - apart from the inaccuracy that you don't install a DLL but at best register it, where's the fundamental difference? Or do you mean running code from the DLL?
    "a user creates" - already outlined above, (more or less "classic") AV can't tell who or what creates a file, nor can it ascertain the intent of the creation.

    There's nothing that needs to be fixed, at least not on the AV's side - it has to be wary. You might want to read Sophos Central: Investigate and resolve a potential false positive or incorrect detection.

    Christian