
Preventing Sophos potential false positive

I wanted to get some ideas on how we can prevent a potential issue like that recently discovered with McAfee's false positive.

I will list below what I am doing and would like to get feedback on what others are doing. 

1)  I have multiple groups within the Sophos console containing pilot and production machines. 

2) I have multiple policies that I keep in sync except for AV version.

3)  I keep the pilot machines on the "recommended" setting in the policy. 

4) The production machines stay 1 version behind, which at this time is 9.0.5 VDL4.52, for at least 1 week.

5) If nothing happens to my pilot machines, nothing is reported in the news, and there is nothing posted in this user community, I roll out the latest version to production.

Can anybody post their processes or comment on my processes?

thanks



  • Hi Everyone,

    When I went to Sophos 4 years ago I planned for false positives by using Sophos' quarantine in place settings in the AV policy. This has helped in many cases, the largest of which was last year's Dec 2009 IDE release from Sophos that flagged 1,000s of pdfs as viruses across our enterprise. This was resolved within 2 hours without a need to restore or move the pdfs back to their original places.

    The above solution would not have prevented the McAfee issue since their false positive took down systems. But it would have helped in restoring systems faster because the files would have still been in their original locations. (There may have even been a way to work around the problems but thankfully we have not seen first hand.)

    We are still on the EM Library but use Recommended and Previous versions:

    We use previous version on Servers and labs to reduce engine change issues from occurring to areas we can control. There is a 2 week delay used before moving the previous version up to the recommended fixed version.

    The recommended version is used across all other systems, which allows us a chance to see if issues will occur. There have been a few times the engine version change has crashed our NetWare servers or caused issues with our Windows servers, but overall things are pretty good.

    I hope this helps.

    Thanks,

    VCU

    :4712
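The staged rollout both posts describe (pilot group on the recommended version, production one version behind, promotion only after a soak period with no pilot incidents, news items or community reports) can be written down as an explicit gate so the decision is repeatable rather than remembered. The script below is an added example, not code from the thread or from Sophos; the version-string format it parses is the "9.0.5 VDL4.52" form quoted in the original post, and all group names, dates and incident text are constructed for illustration. The soak period defaults to the original poster's 1 week and can be set to VCU's 2 weeks.

```python
"""Staged AV update rollout gate (added example, not from the Sophos thread).

Models the process described in the thread: pilot machines run the
"recommended" version, production stays one version behind and is promoted
only after a soak period with no incidents. Version strings, dates and
incident text below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Assumed format, taken from the post: "<engine> VDL<virus data version>",
# e.g. "9.0.5 VDL4.52" -> engine (9, 0, 5) and virus data (4, 52).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)\s+VDL(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Split an engine/VDL string into comparable integer tuples."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    engine = tuple(int(p) for p in m.group(1).split("."))
    vdl = tuple(int(p) for p in m.group(2).split("."))
    return engine, vdl


@dataclass
class RolloutState:
    pilot_version: str
    production_version: str
    pilot_since: date                  # day the pilot group received pilot_version
    soak_days: int = 7                 # OP: 1 week; VCU's reply: 2 weeks
    pilot_incidents: list[str] = field(default_factory=list)   # detections/crashes on pilot
    external_reports: list[str] = field(default_factory=list)  # news or community reports


def promotion_decision(state: RolloutState, today: date) -> tuple[bool, str]:
    """Return (promote, reason).

    Production is promoted to the pilot version only when pilot is actually
    ahead, the soak period has elapsed, and no incident or report is open.
    Each check is a separate, explainable reason so the gate can be logged.
    """
    pilot = parse_version(state.pilot_version)
    prod = parse_version(state.production_version)
    if pilot <= prod:
        return False, "production already at or ahead of pilot version"
    elapsed = (today - state.pilot_since).days
    if elapsed < state.soak_days:
        return False, f"soak period not over: {elapsed} of {state.soak_days} days"
    if state.pilot_incidents:
        return False, "pilot incidents open: " + "; ".join(state.pilot_incidents)
    if state.external_reports:
        return False, "external reports open: " + "; ".join(state.external_reports)
    return True, f"promote production {state.production_version} -> {state.pilot_version}"


def demo_decisions() -> list[tuple[bool, str]]:
    """Run the gate over constructed scenarios (hypothetical versions/dates)."""
    clean = RolloutState("9.0.6 VDL4.53", "9.0.5 VDL4.52", date(2010, 4, 20))
    results = [
        promotion_decision(clean, date(2010, 4, 24)),   # too early
        promotion_decision(clean, date(2010, 4, 27)),   # soak done, nothing seen
    ]
    flagged = RolloutState("9.0.6 VDL4.53", "9.0.5 VDL4.52", date(2010, 4, 20),
                           pilot_incidents=["pdf files quarantined on 3 pilot hosts"])
    results.append(promotion_decision(flagged, date(2010, 4, 27)))   # held back
    same = RolloutState("9.0.5 VDL4.52", "9.0.5 VDL4.52", date(2010, 4, 20))
    results.append(promotion_decision(same, date(2010, 5, 1)))       # nothing to do
    return results


if __name__ == "__main__":
    for promote, reason in demo_decisions():
        print("PROMOTE" if promote else "HOLD   ", reason)
```

Feeding the gate from real data means populating `pilot_incidents` from the console's detection or quarantine events for the pilot group and `external_reports` from whatever feed the team watches; the point of keeping the version comparison and the soak check separate is that a held rollout always carries a reason that can be reviewed.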