
Sophos Enterprise Console 5.2.0 - Anti-Virus and HIPS Policy

Hello,

I am taking over management duties for our Sophos Endpoint product. We are currently using the Enterprise Console version 5.2.0.x. I am reviewing the current setup for our workstations and I want to get a feeling for this current setup. Suggestions are also welcome. Currently the default AV plan is as follows:

Enable On-Access Scanning is checked. Under Configure..., "Check files on Read" and "Scan System Memory" are checked. There are no checks in Rename, Write, Scan for Adware and PUAs, or Suspicious files. On the Cleanup tab, "Deny access only" is selected.

However, there is a scheduled scan that runs each day and scans for adware, suspicious files, and rootkits. I am guessing this is done since it is not enabled in the general on-access policy. Does this sound sufficient for user workstations?

Thanks,

Hello IT_Ninja,

as far as "reasonable" settings are concerned, the AV version is of primary interest, not SEC's (as the settings apply to the Endpoint software). The SEC version only determines the default settings (and potentially the ability to change the settings for new features in the endpoint product).

Please see the articles for the Recommended settings, (linked from it) the Default Anti-virus and HIPS policy and settings, and the Overview for Adware and PUA. A daily scheduled scan is IMO overkill; run the scan less frequently - if you think your exposure is high, consider more aggressive on-access settings. "Deny access only" is fine as the alternate action, but not using automatic cleanup will result in significantly more alerts sent to SEC and their corollary routine chores.

Whatever your settings - you should be prepared for the occasional malware slipping through.

Christian