
acknowledgements, what actually happens?

I found the Sophos Enterprise Console to be less than stellar when it comes to reporting. So when a cleanup times out and I've performed a full scan via the console on a PC, I can't really be certain whether the PC is cleaned. So what happens if I then acknowledge the alert? Does that mean that the virus is reported as safe, and thereby free to execute? Or does it simply acknowledge the alert, until the local Sophos agent re-reports it as a virus?

I would assume the latter is the case, but I'd like to be certain about that.

Sophos Enterprise console (version: 4.0.0.2362)

cheers,

Ritch

  • Hi Ritch,

    You are correct in your assumption that acknowledging the alert simply clears the message from the console, it does not authorise the item, or clean it up.  If the threat is re-detected on the endpoint, you will see the alert message again.

    Regards,

    Stephen.

  • Good morning,

    I am having exactly the same issue - and it is raising similar concerns.

    Picture the following scenario (which is what I am going through)

    1) Sophos, reports that a Virus/Spyware item has been found in a file on one of my servers

    2) I have email alerting which tells me this

    3) I log in to the Sophos Server and go to Resolve Alerts and Errors for that server

    4) The item says not cleanable, I can only click Acknowledge

    Now, from other posts/articles I have read (including this one), clicking Acknowledge simply removes the alert from view. It doesn't clean the virus out and the file is redetected at some point in the future.

    So what does this mean? Why can't I clean the files? Why didn't Sophos clean/quarantine/delete the files? (My policy says to Delete any files that the automatic cleanup can't deal with.) This doesn't make any sense?

    Can someone clear up the confusion for me because at the moment I have the belief that virus files are on my server, sophos has found them, but the only thing I'm allowed to do is ignore them......

    Thanks in advance

  • Hello gratwick50,

    So what does this mean? Why can't I clean the files? Why didn't Sophos clean/quarantine/delete the files? (My policy says to Delete any files that the automatic cleanup can't deal with.) This doesn't make any sense?

    I wouldn't choose Delete if cleanup fails for a server (unless you are prepared to deal with the consequences).

    Now, why doesn't it delete? "Jokes", for example, are (no longer) cleanable. Files might be locked and therefore can neither be cleaned nor deleted, or they might have been blocked by scan on write. For some items a full scan might be required (usually you are told). For others simple deletion might have unwanted side-effects.

    You should check the Anti-Virus log if there are any details and/or errors. Also view the threat's (BTW: could you give an example?) description and look at the Action tab. The Quarantine Manager is a tool but not the "final authority".

    Christian

  • Fair point about the deleting of files - I'll have a look at the other options.

    I understand all of your statements completely. But I don't think the main point has been addressed which I don't think I made clear.

    Why does Sophos only give me the opportunity to ignore the alert? Why isn't there a button that says 'Delete', or 'Quarantine'?

    Also, it's worth pointing out that all these alerts come from a scheduled scan. Most of them appear to be malware found in temp files or people's profiles.

  • Hi,

    I think clean-up is only offered if the identity that detects the malware has a cleanup routine defined.  In some instances a full scan is required to dispose of the threat but this would be apparent in the message and in such a case the threat would have a clean-up routine.

    An acknowledge action only really sets the threat as outstanding = 0 in the threats table in the database, it is then moved to the threatsarchive table later.  This really just serves to get it out of the way in the computer list view and move it to the history section in the computer details page.

    What threats are being found on the machines with only an acknowledge action?  It could be that it's an old piece of malware for which a clean-up routine wasn't created or that a clean-up routine can't be performed easily or safely.

    Jak 

  • But I don't think the main point has been addressed which I don't think I made clear

    Re-reading your post I see that I didn't read it carefully enough. You're talking about SEC here and not the client.

    Why isn't there a button that says 'Delete', or 'Quarantine'?

    The item (if it still exists) is in quarantine. And - to avoid misconceptions - if it has been detected it will be again, quarantine or not. What might be the case is that a threat is detected in the image for an already running process (which has it locked) - because the IDE was published after the process had started or because it was excluded from on-access scanning. Another possibility is threats which were not detected when they were first scanned (e.g. the common IFrame and JS junk) but also failed to do any damage. A later scan will pick them up if they still reside in a TEMP or cache directory. Again - without any concrete examples of the threats found this discussion is more an academic exercise. Dealing with threats is best understood when talking about specific cases.

    Perhaps contrary to your expectation the immediate action is only either block access to the object or none (i.e. just raise an alert) - whether on-access or on-demand/scheduled. A "special team" is "sent out" for further action. This includes applying a cleanup routine or scanning for related items. The team might fail, or it might fail to report back properly, or it might not report back at all. This is where we carbon-based entities step in. If deletion has failed it is either because the file no longer exists or it couldn't be deleted (even) by the LOCAL SYSTEM account. Whatever you do from SEC it will likely fail for the same reason.

    If you acknowledge a threat from SEC you just say - if it comes back later I'll deal with it then. It doesn't authorize something, it doesn't exclude an item from being scanned. If it has been blocked when it has been detected, it will be blocked again. If it has been permitted, it will be permitted again. If it has been found by a scheduled scan, the next will also find it.

    All feedback appreciated

    Christian

    I have a similar issue with how Sophos works, and I just want to make sure I understand what has been stated in this thread...

    We're using Sophos Enterprise, and have about 8k machines protected with it (latest version, etc etc...)  We currently have about a thousand machines with quarantined items.  My Sophos admins tell me we cannot clean them from the console, and my users tell me they can't delete the quarantined items.

    We force a full scan every week, and the quarantined items remain.  Our users are not local administrators, and it seems to take a local administrator to clean the quarantined items.

    This does not seem cost effective to me.  I don't care about quarantined items, and certainly don't want to spend the $60 or so it costs to have a technician go out and clean the quarantined items.

    What are we doing wrong?  Where can I suggest my Sophos guys look to fix this?

    Thanks,

    I found that the vast majority of detections occur in users' temp or Temporary Internet Files. I added a shutdown script that clears the temp and Temporary Internet Files from all profiles on the PC at shutdown. The next time SavMain.exe executes, the Console is updated to show that the detected/quarantined file is gone.

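A shutdown script of the kind the previous post describes, written here as an added example (it is not the poster's own script and not Sophos code). It assumes a Vista-or-later profile layout under the registry's ProfilesDirectory, that it runs as SYSTEM from a Group Policy shutdown script, and a log path of my own choosing.

```powershell
# Added example, not the poster's script: empty the temp and Temporary Internet Files
# directories of every local profile at shutdown, so items SAV has quarantined in those
# locations are gone before the next scan reports back to SEC.
# Assumptions: Vista-or-later profile layout (<profile>\AppData\Local\...), run as SYSTEM
# via a Group Policy shutdown script; the log file location is an assumption.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$LogFile = Join-Path $env:SystemRoot 'Temp\profile-temp-cleanup.log'

# Per-profile relative paths holding temp files and the IE cache (old and new names)
$RelativeTargets = @(
    'AppData\Local\Temp',
    'AppData\Local\Microsoft\Windows\Temporary Internet Files',
    'AppData\Local\Microsoft\Windows\INetCache'
)

# Read the profiles directory from the registry rather than assuming C:\Users
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$ProfilesDir = (Get-ItemProperty -Path $ProfileList -Name ProfilesDirectory).ProfilesDirectory

foreach ($Profile in Get-ChildItem -Path $ProfilesDir -Directory) {
    foreach ($Relative in $RelativeTargets) {
        $Target = Join-Path $Profile.FullName $Relative
        if (-not (Test-Path -LiteralPath $Target)) { continue }

        # -Force includes hidden/system files, which is where the IE cache lives.
        # Files still locked by a running process are skipped and counted, not forced.
        $Removed = 0; $Skipped = 0
        Get-ChildItem -LiteralPath $Target -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove')) {
                    try   { Remove-Item -LiteralPath $_.FullName -Force -ErrorAction Stop; $Removed++ }
                    catch { $Skipped++ }
                }
            }
        "$(Get-Date -Format s) $Target removed=$Removed skipped=$Skipped" |
            Add-Content -Path $LogFile
    }
}
```

Run it once with `-WhatIf` to see what would be removed before assigning it as a shutdown script; the skipped count in the log shows which cache directories still hold locked files.
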
  • Hello,

    There is no simple answer, as it depends, among other things, on the threats found. Although a thousand machines out of 8k might have accumulated over time, the number is IMO way too high. I think there is room for improvement.

    It's always a good idea to look up the threat's analysis and the suggested actions by following the link from the Computer details or entering the name on the Security analyses page. Most of the time you'll be referred to the general instructions for removing certain kinds of threats. The console gives you only so much information and it is advisable that your admins have access to the Anti-Virus logs (SAV.txt) on the clients.

    Let's start with the "pathological cases" where visiting the client is required:

    "Proactive" detection is not perfect so as yet unknown threats could slip in and it might even be necessary to boot from an external drive or at least boot into safe mode to get rid of it (of course once an IDE has been issued) or use a custom tool (especially when a rootkit is involved). These cases are rare and shouldn't give you one out of eight.

    Now to the normal situation:

    Machines with quarantined items - to make sure, these are clients with outstanding alerts in SEC, right? You get a persistent alert when a detected threat is not cleaned up or deleted because:

    1. the on-access or scan settings do not specify automatic cleanup and/or deletion
    2. cleanup requires a full scan
    3. cleanup failed
    4. the particular threat type can't be cleaned

    If you (1) don't use automatic cleanup many of the threats will be shown as cleanable and you just initiate cleanup from the console. Certain types and some adware or PUA will not be cleanable (for example generically detected threats or in case of the latter when an uninstall is needed - if users don't have the rights to install software you shouldn't see most of these). In case of on-access detection acknowledge the un-cleanable threats and run a full system scan - whatever has "disappeared" in the meantime (e.g. from a temp directory) will be removed also from quarantine, still existing threats will again trigger an alert and some of the threats might now also be cleanable. If there are still items remaining move the client temporarily to a group with "aggressive" cleanup settings and either wait for the threats to be cleaned/deleted upon access or schedule a scan.

    (2) is self-evident

    (3) In this case try to determine the reason. As on-access runs with the user's rights, cleanup will fail if he has only read access. A scheduled scan will remove the threat; also accessing the file remotely with sufficient rights will trigger successful cleanup. Or - the file might no longer exist (often the case with temp or cache directories), in which case you simply acknowledge the alert. The file might be locked (I have seen such cases with "new" (i.e. undetected or partially detected) FakeAV where the running process locks the file) but is often deleted when the client is rebooted (provided that a "matching" IDE is already available). If you detect something "unknown" (whether by observation or through generic detection) please send in a sample (and try to include everything which might be related and looks fishy).

    Locks can also occur with files in the cache (e.g. Content.IE5) - usually you can safely acknowledge them.

    (4) Files exhibiting suspicious behavior are a special case. If they are legitimate you authorize them in SEC. The corresponding alerts will be removed once the clients apply the new policy and report back to the console. If you are not sure about the nature of the item, send in a sample. In case it is clean it might get "whitelisted"; in case it is malicious an IDE will be issued - if neither, you'll either authorize it or simply acknowledge the alert.

    With some experimentation your Sophos admins might be able to bring it down to a few dozen remaining "cases" or less - but as I said, it depends.

    HTH

    Christian
