
Can only clean up quarantine items if user has local admin rights

Hello

My test user is in the local "SophosPowerUser" group but does not have local admin rights on the computer.

If Sophos detects malware, I only see the option to "Authorize" the threat.

But why? Sophos tells me I should have more rights if I am in this group.

Why can't I clean up this threat if I am a member of the "SophosPowerUser" group?

Sophos Groups
The installation of Sophos Anti-Virus includes the creation of the following Sophos Groups:

  • SophosUser - can use Sophos applications (for example) to run Sophos Anti-Virus
  • SophosPowerUser - as SophosUser, with cleanup privileges
  • SophosAdministrator - have complete, and unrestricted privileges to make changes to the configuration of applications

The only way I see the "clean up" option is to put the user in the "SophosAdministrator" group and the local "Administrators" group.

It is not even enough if I add the user to the "SophosAdministrator" group.

I don't understand this logic.

Can someone please explain it to me?

Kind regards,

Daniel



  • Hello Daniel,

    Sophos does not elevate a user's rights. Thus a user who doesn't have write access to an infected file can't request cleanup/delete even as member of the SophosAdministrator group.

    Christian

  • Hello Christian

    But the infected file is located in the Appdata folder of the user.

    The user has write access to the folder where the file is located.

    Is that the normal behaviour in this case as well?

    Can only a user with local admin rights clean up infected files?

    Kind regards,

    Daniel

  • Hello Daniel,

    thin ice, thin ice. Assuming On-Access detection here. The state in QM and the console (and whether an item ends up in QM) depends on a number of things, first and foremost the settings (automatic cleanup and alternate action). Cleanup is also not a simple "scrub this file"; it might involve an additional scan of parts of the filesystem and the registry and affect other items as well. I have not investigated whether it makes a difference if the on-access policy just blocks the file (and subsequently it's under QM's control) or the cleanup instructions require that cleanup has to be initiated by an administrator.
    If the On-Access policy specifies Automatic cleanup and the item is not cleaned up but Cleanable for an administrator then the cleanup could potentially affect items outside the user's "reach". To rephrase, if On-Access can deal with a detection it usually requires an administrator to make the "final decision".

    IMO Power User is a concept (by Microsoft) which never really took off. It's there in Sophos because it's there in Windows. AD restricts local administrators anyway. A Power User may install programs - for all users, but this is not the point anyway. Most applications nowadays have "mobile" incarnations, so users use whatever they wish - whether a Power User has installed it or not.

    So - do you indeed have Power Users who should be able to cleanup/delete quarantined items in lieu of Administrators? To rephrase once more: If with appropriate cleanup settings an item can't be dealt with immediately in the user's context then it requires an administrator.

    Christian
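Christian's answer comes down to two checks that anyone hitting this can run themselves: which of the Sophos-created local groups the account is actually in, and whether the file's DACL grants that account (or one of its groups) write or delete rights. The script below is an added diagnostic for this thread, not Sophos code, and uses only built-in Windows cmdlets. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, an elevated prompt (Get-LocalGroupMember needs one), and that `$Path` is the file shown in Quarantine Manager; the account name and the EICAR-style file path in the usage lines are placeholders, and the group names are the ones listed in the question.

```powershell
# Added diagnostic (not Sophos code): report Sophos group membership for an
# account and the write/delete ACEs on a detected file for that account and
# the groups it belongs to. Group names come from the thread above.

function Get-SophosGroupMembership {
    param([Parameter(Mandatory)][string]$Account)   # 'daniel' or 'DOMAIN\daniel'

    # Resolve to a SID so 'user' and 'DOMAIN\user' compare the same way.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    foreach ($g in 'SophosUser', 'SophosPowerUser', 'SophosAdministrator', 'Administrators') {
        $isMember = $false
        try {
            $isMember = [bool](Get-LocalGroupMember -Group $g -ErrorAction Stop |
                               Where-Object { $_.SID -eq $sid })
        } catch {
            # Group does not exist on this machine; report as not a member.
        }
        [pscustomobject]@{ Account = $Account; Group = $g; Member = $isMember }
    }
}

function Get-FileWriteGrants {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string[]]$Identities)

    # Read the DACL instead of attempting a test write: opening a detected file
    # for write access would itself be intercepted by on-access scanning.
    $acl   = Get-Acl -LiteralPath $Path
    $wants = [System.Security.AccessControl.FileSystemRights]'Write, Delete'

    # Translate the identities of interest to SIDs; skip names that don't resolve.
    $sids = foreach ($id in $Identities) {
        try {
            (New-Object System.Security.Principal.NTAccount($id)).Translate(
                [System.Security.Principal.SecurityIdentifier])
        } catch { }
    }

    foreach ($ace in $acl.Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sids -notcontains $aceSid) { continue }
        [pscustomobject]@{
            Identity            = $ace.IdentityReference.Value
            Type                = $ace.AccessControlType          # Allow or Deny
            Rights              = $ace.FileSystemRights
            GrantsWriteOrDelete = (($ace.FileSystemRights -band $wants) -ne 0)
        }
    }
}

# Usage (placeholder values): the account from the question and a detected
# file in that user's AppData folder.
$account    = 'daniel'
$file       = "C:\Users\daniel\AppData\Local\Temp\eicar.com"
$membership = Get-SophosGroupMembership -Account $account
$membership | Format-Table -AutoSize

# Check the DACL for the account itself plus every group it was found in.
$identities = @($account) + @($membership | Where-Object Member | Select-Object -ExpandProperty Group)
Get-FileWriteGrants -Path $file -Identities $identities | Format-Table -AutoSize
```

Two caveats when reading the output. The DACL check only lists ACEs granted directly to the named identities; it does not compute full effective access (nested groups, Deny ordering), so `whoami /groups` run as the user is still the authoritative view of the token. And, as the reply above says, a file in AppData showing an Allow ACE for the user only proves the user can write that one file; it says nothing about the other filesystem and registry locations a cleanup may have to touch.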

  • Even I faced the same issue, as I was not able to delete the quarantined file even though I am an admin on my laptop. I stopped the Sophos Agent and Anti-Virus services to delete the file.

  • Hello Christian

    Okay, thanks for helping me figure it out.

    I assume you are right and we have to live with that.

    I first thought the Sophos console runs as a system service user (with admin rights) and that the user, if he has permission (SophosPowerUser), can clean up infected files that way.

    Daniel