
Is anyone actually enabling Automatic Cleanup in their policies?

In V9.7 it was recommended to deny access only, not cleanup automatically, in your On-Access Scan settings. In 10, that was changed and it is now recommended to set it to cleanup automatically. In case you weren't a Sophos customer in 2012, the Shh/Updater-B false positive incident turned into a NIGHTMARE for anyone who had automatic cleanup enabled. Basically, lots of legit files got deleted all over the place. Read through the comments in that link if you weren't around for it. I'm not knocking the incident, every A/V vendor has probably had a bad false positive incident. But at the time, you were far better off if you didn't have automatic cleanup enabled. The fact that that was the official policy recommendation seems to me like Sophos' biggest saving grace in that incident. So I feel like Sophos is kind of saying "Hey we know that one time was a total disaster, but it shouldn't happen again, so go ahead and turn this on now." I mean, so far so good, that was 5 1/2 years ago. But I don't personally see what has fundamentally changed that makes it prudent to now use automatic cleanup when it's the only thing that saves you in a false positive scenario, regardless of who the vendor is. Just seems like an accident waiting to happen. Am I just being paranoid?



  • Hello Ben_1234,

    "a NIGHTMARE for anyone who had automatic cleanup enabled"
    this is not correct. Shh/Updater-B did not trigger automatic cleanup. Been around, we did have automatic cleanup enabled. As the article says it was the alternate action that wreaked havoc when set to Delete or Move. Can't remember that there was ever a recommendation to change it from the default Deny access only for normal operation but admittedly there also was no explicit recommendation (as there's now in How to configure automatic cleanup) and no warning of the potential consequences of changing it.
    It was night here when the bad IDE was released. When I came in in the morning I found hundreds of endpoints with alerts ... took me 10 minutes to get a coffee, search for and find the knowledgebase article, and set the required exclusions. Then I had only to watch as by and by the endpoints recovered. There was a not insignificant number of endpoints though that did not - even though they had complied with the AV policy before (therefore delete or move was not set) and after (the AutoUpdate components should have been released) I did set the exclusions. Some local admins had already dealt with the assumed attack in a rush, deleting all reported files with the help of the Quarantine Manager. Even three or four servers suffered this fate.

    "what has fundamentally changed"
    quite a lot but most of it under the hood. And at least system files are better protected from protection [forgive the bad pun]. Cleanup is sometimes more than just expurgating or deleting the one file. And with some threats a prompt reaction can be beneficial.  
    Apart from this, if there's a false positive on a critical system file it doesn't really matter whether it's blocked, cleaned, or deleted. The machine will go belly up, likely during startup, and that's it then.

    Christian

  • Hi Christian,

    OK, I see now I had that wrong.  Our experience was pretty much like yours but I misunderstood why.  We didn't have automatic cleanup turned on, but our alternate action was set to Deny access only, so that's what saved us, not having automatic cleanup disabled.  Kind of hard to get an explanation of what automatic cleanup actually does from the documentation, about the only thing I seem to find is another post of yours.  I thought for the most part it deleted files / registry keys it identified, which is why I've been leery of it, but it sounds like it's a little more intelligent than that.  Still a little scary to me that it could one day try to expurgate something that's critical in the environment (third party stuff), but not protected from modification like a system file.  But it sounds like it should be pretty safe.  Is there no official documentation on the details of what automatic cleanup does in different scenarios, or am I just not finding it?

  • Hello Ben_1234,

    I'm not aware of any documentation. Might not be of much help anyway as all that can be said is that care is taken that a) an automatic cleanup routine is associated with a detection only when it's safe and b) the routine itself is safe.
    As for third party stuff: It's a question of the actual impact and how hard it is to recover from a deletion.

    Christian   

  • Yeah, that's kind of what I thought, but it would be nice to see at least that much.  It's pretty rare we even have a detection for this to be relevant, lots of other layers before the endpoint, but I'm getting tired of the policy evaluation tool nagging me that I'm not running recommended settings.  So I'll stop being an old lady about it and turn it on.  Thanks for the replies and setting me straight on the whole thing.

    Ben