acknowledgements, what actually happens?

I found the Sophos Enterprise Console to be less than stellar when it comes to reporting. So when a cleanup times out and I've performed a full scan via the console on a PC, I can't really be certain whether the PC is cleaned. So what happens if I then acknowledge the alert? Does that mean that the virus is reported as safe, and thereby free to execute? Or does it simply acknowledge the alert until the local Sophos agent re-reports it as a virus?

I would assume the latter is the case, but I'd like to be certain about that.

Sophos Enterprise console (version: 4.0.0.2362)

cheers,

Ritch

  • But I don't think the main point has been addressed which I don't think I made clear

    Re-reading your post I see that I didn't read it carefully enough. You're talking about SEC here and not the client.

    Why isn't there a button that says 'Delete', or 'Quarantine'?

    The item (if it still exists) is in quarantine. And - to avoid misconceptions - if it has been detected it will be again, quarantine or not. What might be the case is that a threat is detected in the image of an already running process (which has it locked) - because the IDE was published after the process had started, or because it was excluded from on-access scanning. Another possibility is threats which were not detected when they were first scanned (e.g. the common IFrame and JS junk) but also failed to do any damage. A later scan will pick them up if they still reside in a TEMP or cache directory. Again - without any concrete examples of the threats found, this discussion is more an academic exercise. Dealing with threats is best understood when talking about specific cases.

    Perhaps contrary to your expectation, the immediate action is only either to block access to the object or none (i.e. just raise an alert) - whether on-access or on-demand/scheduled. A "special team" is "sent out" for further action. This includes applying a cleanup routine or scanning for related items. The team might fail, or it might fail to report back properly, or it might not report back at all. This is where we carbon-based entities step in. If deletion has failed it is either because the file no longer exists or because it couldn't be deleted (even) by the LOCAL SYSTEM account. Whatever you do from SEC will likely fail for the same reason.

    If you acknowledge a threat from SEC you just say - if it comes back later I'll deal with it then. It doesn't authorize something, it doesn't exclude an item from being scanned. If it has been blocked when it has been detected, it will be blocked again. If it has been permitted, it will be permitted again. If it has been found by a scheduled scan, the next will also find it.

    All feedback appreciated

    Christian

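The distinction the reply draws - acknowledging an alert is console-side bookkeeping, while only a deliberate exclusion or a successful cleanup stops the next scan from raising it again - is easy to get wrong when reading a console. The following Python model is an added example written for this page; it is not Sophos code and not part of the thread. The signature patterns, the file path, the `Endpoint`/`Console` classes and the locked-file behaviour are all constructed to mirror what the reply describes (a locked image cannot be deleted, an acknowledged alert is re-raised by the next scan, an excluded path is never scanned), not taken from the product.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample "identities": threat name -> byte pattern the scanner matches.
# These are illustrative, not real Sophos IDE content.
SIGNATURES = {
    "Troj/Iframe-Gen": b'<iframe src="http://evil.invalid"',
    "Mal/JSRedir-A": b"document.location='http://evil.invalid'",
}

@dataclass
class Alert:
    host: str
    path: str
    threat: str
    acknowledged: bool = False  # console-side flag only

@dataclass
class Endpoint:
    """Hypothetical endpoint: a file map plus the two things that change scan outcomes."""
    host: str
    files: dict[str, bytes]
    locked: set[str] = field(default_factory=set)    # held open by a running process
    excluded: set[str] = field(default_factory=set)  # excluded from scanning by policy

    def scan(self) -> list[tuple[str, str]]:
        """Every matching, non-excluded file is reported on every scan."""
        hits = []
        for path, content in self.files.items():
            if path in self.excluded:
                continue
            for threat, pattern in SIGNATURES.items():
                if pattern in content:
                    hits.append((path, threat))
        return hits

    def cleanup(self, path: str) -> bool:
        """Deletion fails if the file is already gone or locked by a process."""
        if path not in self.files or path in self.locked:
            return False
        del self.files[path]
        return True

class Console:
    """Hypothetical management console: stores alerts, never touches scan policy."""
    def __init__(self) -> None:
        self.alerts: list[Alert] = []

    def run_scan(self, ep: Endpoint) -> list[Alert]:
        raised = [Alert(ep.host, p, t) for p, t in ep.scan()]
        self.alerts.extend(raised)
        return raised

    def open_alerts(self) -> list[Alert]:
        return [a for a in self.alerts if not a.acknowledged]

    def acknowledge(self, alert: Alert) -> None:
        # Clears the alert from view. Does not authorize, exclude or clean anything.
        alert.acknowledged = True

def walkthrough() -> dict[str, object]:
    """Constructed scenario: a cached page with an injected iframe, locked by a browser."""
    path = r"C:\Temp\cache\page.htm"
    ep = Endpoint("PC01", {path: b"<html>" + SIGNATURES["Troj/Iframe-Gen"] + b"></iframe></html>"})
    ep.locked.add(path)
    con = Console()
    out: dict[str, object] = {}

    con.run_scan(ep)
    out["open_after_first_scan"] = len(con.open_alerts())     # 1
    out["cleanup_while_locked"] = ep.cleanup(path)           # False: file is locked
    con.acknowledge(con.open_alerts()[0])
    out["open_after_ack"] = len(con.open_alerts())            # 0: hidden, not resolved
    con.run_scan(ep)
    out["open_after_rescan"] = len(con.open_alerts())         # 1: same file, fresh alert

    ep.locked.discard(path)                                   # process exited / reboot
    out["cleanup_after_unlock"] = ep.cleanup(path)            # True
    con.acknowledge(con.open_alerts()[0])
    con.run_scan(ep)
    out["open_after_cleanup_rescan"] = len(con.open_alerts())  # 0: nothing left to find

    # Contrast: an exclusion is the only thing that silences a still-present file.
    ep.files[path] = SIGNATURES["Mal/JSRedir-A"]
    ep.excluded.add(path)
    out["hits_when_excluded"] = len(ep.scan())                # 0: never scanned
    return out

if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The point of the model is the middle of `walkthrough()`: acknowledging drops the open-alert count to zero, and the very next scan puts it back to one because the object and the detection are unchanged. Only removing the file (once nothing locks it) or excluding the path changes what the scanner reports, and an exclusion is a policy decision you should make knowingly, not a side effect of clearing the console.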