We have disables everything we can on the policy, but right-click scan is still an option for end users.The concern is that they could go into configure Anti-virus and HIPs, go into the clean-up settings and potentially delete system files on a scan.
Hello ChristopherGross,
first of all, cleanup/delete is only performed on items which are definitely malicious. Thus the risk would exist only in the very rare case of a false positive on a system file.
A scan and any potential action are performed in the user's security context. I've created a directory and put the EICAR test file and another into it. Security of the folder and its contents was set to Read for the general user. As user I've created a scan selecting Automatic cleanup and Delete. Here's the result:20160825 075158 Scan 'New scan' started.
20160825 075219 File "C:\__XXX__\eicar.com" belongs to virus/spyware 'EICAR-AV-Test'.
20160825 075225 Removal of File "C:\__XXX__\eicar.com" has been deferred.
20160825 075225 An error occurred that caused the scan 'New scan' to stop prematurely. Some items may not have been scanned.
20160825 075225 Scan 'New scan' aborted.
20160825 075225 Summary of results for scan 'New scan':
Items scanned: 5
Errors: 1
Items quarantined: 1
Items dealt with: 0
While the file is listed in the QM the user can't perform any action on it as SavMain.exe never elevates a user's privileges w.r.t. the OS, thus even if the user is a member of the SophosAdministrator group cleanup/delete will fail:20160825 075330 Scan 'New scan' started.
20160825 075355 File "C:\__XXX__\eicar.com" belongs to virus/spyware 'EICAR-AV-Test'.
20160825 075402 Removal of File "C:\__XXX__\eicar.com" has been deferred.
20160825 075402 An error occurred that caused the scan 'New scan' to stop prematurely. Some items may not have been scanned.
20160825 075402 Scan 'New scan' aborted.
20160825 075402 Summary of results for scan 'New scan':
Items scanned: 5
Errors: 1
Items quarantined: 1
Items dealt with: 0
Finally the results if the user (again only SophosUser) has Write access:20160825 075458 Scan 'New scan' started.
20160825 075512 File "C:\__XXX__\eicar.com" belongs to virus/spyware 'EICAR-AV-Test'.
20160825 075516 File "C:\__XXX__\eicar.com" has been cleaned up.
20160825 075516 Virus/spyware 'EICAR-AV-Test' has been removed.
20160825 075516 Scan 'New scan' completed.
20160825 075516 Summary of results for scan 'New scan':
Items scanned: 5
Errors: 0
Items quarantined: 0
Items dealt with: 1
Users should have the option the perform on-demand and right-click scans and configure them - even if you'd take cleanup/delete away they could still delete the file from Explorer. Note that a SophosUser can't cleanup/delete from QM.
Christian
Hello ChristopherGross,
first of all, cleanup/delete is only performed on items which are definitely malicious. Thus the risk would exist only in the very rare case of a false positive on a system file.
A scan and any potential action are performed in the user's security context. I've created a directory and put the EICAR test file and another into it. Security of the folder and its contents was set to Read for the general user. As user I've created a scan selecting Automatic cleanup and Delete. Here's the result:20160825 075158 Scan 'New scan' started.
20160825 075219 File "C:\__XXX__\eicar.com" belongs to virus/spyware 'EICAR-AV-Test'.
20160825 075225 Removal of File "C:\__XXX__\eicar.com" has been deferred.
20160825 075225 An error occurred that caused the scan 'New scan' to stop prematurely. Some items may not have been scanned.
20160825 075225 Scan 'New scan' aborted.
20160825 075225 Summary of results for scan 'New scan':
Items scanned: 5
Errors: 1
Items quarantined: 1
Items dealt with: 0
While the file is listed in the QM the user can't perform any action on it as SavMain.exe never elevates a user's privileges w.r.t. the OS, thus even if the user is a member of the SophosAdministrator group cleanup/delete will fail:20160825 075330 Scan 'New scan' started.
20160825 075355 File "C:\__XXX__\eicar.com" belongs to virus/spyware 'EICAR-AV-Test'.
20160825 075402 Removal of File "C:\__XXX__\eicar.com" has been deferred.
20160825 075402 An error occurred that caused the scan 'New scan' to stop prematurely. Some items may not have been scanned.
20160825 075402 Scan 'New scan' aborted.
20160825 075402 Summary of results for scan 'New scan':
Items scanned: 5
Errors: 1
Items quarantined: 1
Items dealt with: 0
Finally the results if the user (again only SophosUser) has Write access:20160825 075458 Scan 'New scan' started.
20160825 075512 File "C:\__XXX__\eicar.com" belongs to virus/spyware 'EICAR-AV-Test'.
20160825 075516 File "C:\__XXX__\eicar.com" has been cleaned up.
20160825 075516 Virus/spyware 'EICAR-AV-Test' has been removed.
20160825 075516 Scan 'New scan' completed.
20160825 075516 Summary of results for scan 'New scan':
Items scanned: 5
Errors: 0
Items quarantined: 0
Items dealt with: 1
Users should have the option the perform on-demand and right-click scans and configure them - even if you'd take cleanup/delete away they could still delete the file from Explorer. Note that a SophosUser can't cleanup/delete from QM.
Christian
