
What is Auto Cleanup

We are currently running endpoint security 9.5 and are slowly modifying it to suit our environment.

Can someone explain the pros and cons for enabling auto cleanup under "On-Access scan settings"?  Are there any cons?

Thanks in advance.

Jason.

  • Hello Jason,

    to quote from Version 9.7 (and lower) Anti-Virus and HIPS settings: guide to on-access settings: Obviously, you may want to set this to automatically clean up any malware that is found, but we've left it to you to decide [...] When the on-access scanner automatically cleans up items that contain a virus or spyware, it will delete any items that are purely malware and it will try to disinfect any items that have been infected. These disinfected files should be considered permanently damaged, as the virus scanner cannot know what the file contained before it was damaged: it can only clean out the code that was injected by the virus.

    This has been reformulated in Recommended on-access scanning settings for 10.x: In Endpoint 10 the setting 'Automatically clean up items that contain a virus/spyware' for on-access scanning is enabled by default.  Having this option enabled means there is less administrative work in dealing with malware reported to the console [...]

    I've found it to be quite safe as the few false positives were all generic detections for which no automatic cleanup will be attempted. Please note that there's also the 'If you do not use automatic cleanup, or if automatic cleanup is not possible' setting which affects the final outcome. This should be left at 'Deny access only'.

    There's an extra set of options if you also scan for suspicious files as they are never cleaned up automatically.

    Christian

  • QC, thanks for taking time to respond.  It is appreciated.

    It is great to hear from someone obviously experienced with Sophos to indicate it is safe.  (Due to hands-on experience over time rather than guessing.)

    I am very wary to apply anything in production without being very sure the results won't be disastrous.

    Can you elaborate as to what clean-up actually does?  My understanding is that clean-up tries to actually clean the issues within the file.  Is that the case?  And yes, my plan was to use the Deny Access Only, but good to hear.

  • Hello munta,

    "I am very wary to apply anything in production without being very sure the results won't be disastrous"

    well, I won't hide the fact that there's always a slight chance of false positives (guess every vendor could tell a story or two) - and in the worst case it could cripple a computer (it has happened). If the false positive results in a vital system file being deleted, the machines nevertheless usually continue to run; only a subsequent reboot will fail (that's why most AV products don't kill running processes). As long as the machines run you can remediate the problem. Of course if this happens overnight when you wake up your machines to apply updates and reboot them ... OTOH, the last time something like this happened, it didn't make big headlines. As many software updates can cause similar issues, you should be prepared anyway.

    Thus if you are very wary, just run with Deny access only for some time. Or maybe use this setting on one part of your network and automatic cleanup on the other to have a comparison. As they say: YMMV :smileywink:

    Some words on scanning for suspicious files and behaviour monitoring: Although it has a higher risk of false positives, it is very useful for dealing with new or changing threats like FakeAV.  Malicious and suspicious behaviour always results in at most blocking, and for suspicious files you'd just use Deny access only (there were two or three times when we switched to Delete for the administration's network as some (otherwise reputable) sites frequently accessed by our users obviously had been poisoned with links to FakeAV).

    What Clean-up does depends on the nature of the threat: Malicious files are deleted; if necessary the clean-up hunts for related files and changes to the environment (e.g. registry and start-up items). Note that this is not a total clean-up (e.g. when the original values of registry keys are not known no action is taken; keys which have no effective function once an executable is deleted are sometimes left). In case of changed files (PE infectors, macro viruses) clean-up tries to revert the changes and removes the injected code from the executable or document.

    I hope all this is of some use

    Christian

  • It is of use and always appreciated. :-)