
Is there a way to block users from manually running Scans on client machines?

We have disabled everything we can on the policy, but right-click scan is still an option for end users. The concern is that they could go into Configure Anti-Virus and HIPS, go into the clean-up settings and potentially delete system files on a scan.



    Hello ChristopherGross,

    First of all, cleanup/delete is only performed on items which are definitely malicious. Thus the risk would exist only in the very rare case of a false positive on a system file.

    A scan and any potential action are performed in the user's security context. I've created a directory and put the EICAR test file and another file into it. Security of the folder and its contents was set to Read for the general user. As that user I created a scan, selecting Automatic cleanup and Delete. Here's the result:
    20160825 075158    Scan 'New scan' started.
    20160825 075219    File "C:\__XXX__\eicar.com" belongs to virus/spyware 'EICAR-AV-Test'.
    20160825 075225    Removal of File "C:\__XXX__\eicar.com" has been deferred.
    20160825 075225    An error occurred that caused the scan 'New scan' to stop prematurely. Some items may not have been scanned.
    20160825 075225    Scan 'New scan' aborted.
    20160825 075225    Summary of results for scan 'New scan':
                       Items scanned: 5
                       Errors: 1
                       Items quarantined: 1
                       Items dealt with: 0

    While the file is listed in the QM, the user can't perform any action on it, as SavMain.exe never elevates a user's privileges w.r.t. the OS. Thus, even if the user is a member of the SophosAdministrator group, cleanup/delete will fail:
    20160825 075330    Scan 'New scan' started.
    20160825 075355    File "C:\__XXX__\eicar.com" belongs to virus/spyware 'EICAR-AV-Test'.
    20160825 075402    Removal of File "C:\__XXX__\eicar.com" has been deferred.
    20160825 075402    An error occurred that caused the scan 'New scan' to stop prematurely. Some items may not have been scanned.
    20160825 075402    Scan 'New scan' aborted.
    20160825 075402    Summary of results for scan 'New scan':
                       Items scanned: 5
                       Errors: 1
                       Items quarantined: 1
                       Items dealt with: 0

    Finally, the results if the user (again only a SophosUser) has Write access:
    20160825 075458    Scan 'New scan' started.
    20160825 075512    File "C:\__XXX__\eicar.com" belongs to virus/spyware 'EICAR-AV-Test'.
    20160825 075516    File "C:\__XXX__\eicar.com" has been cleaned up.
    20160825 075516    Virus/spyware 'EICAR-AV-Test' has been removed.
    20160825 075516    Scan 'New scan' completed.
    20160825 075516    Summary of results for scan 'New scan':
                       Items scanned: 5
                       Errors: 0
                       Items quarantined: 0
                       Items dealt with: 1

    Users should have the option to perform on-demand and right-click scans and to configure them; even if you took cleanup/delete away, they could still delete the file from Explorer. Note that a SophosUser can't clean up/delete from the QM.

    Christian
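The following script is an added example, not part of the original thread and not Sophos code; it rebuilds the test fixture Christian describes so that the "Read only" runs (removal deferred) and the "Write" run (file cleaned up) can be repeated on your own endpoint. Assumptions that are mine, not the thread's: the script runs in an elevated PowerShell; a local standard account exists for the test (the name `scantest` is a placeholder); `C:\__XXX__` is taken from the log excerpts; Administrators and SYSTEM are given full control so the fixture can be removed afterwards. Sophos is not driven from the script: the on-demand scan is still started from the Sophos UI while logged on as the test user.

```powershell
<#
 Added example (not from the original thread). Builds a folder holding the EICAR
 test file plus a harmless file, gives a test user either ReadAndExecute or Modify
 on it, and then checks, as that user, whether the file can be deleted at all.
 Whatever that check shows is also what an on-demand scan started by that user
 can do, because the scan runs with the user's own token.
#>
param(
    [string]$Folder   = 'C:\__XXX__',                  # folder name from the log excerpts
    [string]$TestUser = "$env:COMPUTERNAME\scantest",  # assumed local standard account
    # 'ReadAndExecute' reproduces the two "Removal ... deferred" runs,
    # 'Modify' reproduces the run in which the file was cleaned up.
    [ValidateSet('ReadAndExecute', 'Modify')]
    [string]$UserRights = 'ReadAndExecute'
)

$ErrorActionPreference = 'Stop'

# EICAR test string, assembled from two literals so this script is not itself
# detected; the file written below is the standard 68-byte test file.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'

function New-ScanTestFolder {
    param([string]$Path, [string]$User, [string]$Rights, [string]$Content)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Raw ASCII without a BOM: with a BOM or UTF-16 it is no longer the EICAR test file.
    [System.IO.File]::WriteAllText((Join-Path $Path 'eicar.com'), $Content, [System.Text.Encoding]::ASCII)
    [System.IO.File]::WriteAllText((Join-Path $Path 'clean.txt'), 'harmless second file', [System.Text.Encoding]::ASCII)

    # Stop inheriting from C:\ (inherited ACEs are dropped), clear any explicit ACEs,
    # then set exactly three rules that propagate to the files inside the folder.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($pair in @(
            @('BUILTIN\Administrators', 'FullControl'),
            @('NT AUTHORITY\SYSTEM',    'FullControl'),
            @($User,                    $Rights))) {
        $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                          -ArgumentList $pair[0], $pair[1], $inherit, $none, 'Allow'
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DeleteAsUser {
    param([string]$File, [pscredential]$Credential)
    # Spawn a non-elevated powershell.exe under the test user's token and try to
    # delete the file. Exit code 0 means deleted, 5 means access was denied.
    $cmd = "try { Remove-Item -LiteralPath '$File' -Force -ErrorAction Stop; exit 0 } catch { exit 5 }"
    $encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($cmd))
    $p = Start-Process -FilePath 'powershell.exe' -Credential $Credential -WorkingDirectory 'C:\' `
                       -ArgumentList '-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded `
                       -PassThru -Wait -WindowStyle Hidden
    return ($p.ExitCode -eq 0)
}

New-ScanTestFolder -Path $Folder -User $TestUser -Rights $UserRights -Content $eicar

# Show the resulting DACL; with the default the test user has no Write or Delete anywhere.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

$cred   = Get-Credential -UserName $TestUser -Message 'Password of the test account'
$target = Join-Path $Folder 'eicar.com'
if (Test-DeleteAsUser -File $target -Credential $cred) {
    Write-Host "$TestUser could delete $target -> an on-demand scan run by this user will clean it up."
    # Put the file back so the scan run still has something to find.
    [System.IO.File]::WriteAllText($target, $eicar, [System.Text.Encoding]::ASCII)
} else {
    Write-Host "Delete denied for $TestUser -> expect 'Removal ... has been deferred' in that user's scan log."
}
```

Run it once with the default rights and once with `-UserRights Modify`, then start the on-demand scan from the Sophos UI as the test user and compare the scan log with the excerpts above. Two caveats: the delete check uses the account's own token, so it says nothing about what an elevated process could do; and an on-access scanner will normally intercept `eicar.com` the moment it is written, so the folder has to be excluded from on-access scanning (or on-access scanning paused) for the on-demand test to have anything to find.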