
Sophos Values \ Status - Can anyone explain what they mean \ their definition ?

Good Morning Sophos Community


Thank you for your time looking at my question, I am new to this community and relatively new to Sophos.

We as a business are currently running "Sophos Endpoint Security and Control" on about 2000 laptops \ Desktops.

I am to produce reports for Quarterly management meetings on what has been detected by Sophos and how the software dealt with what it found.

Is there a document anywhere which can clearly explain the thinking behind the classifications ?


1- Action Taken = "Cleaned Up", "Blocked", "None", "Acknowledged", "Authorized", "Cleared from the end point QM", "No longer Present"

2- Status = "Resolved", "Cleanable", "Threat Type Not Cleanable"


If I go to this meeting then these categories will create more questions: "What does "No longer Present" mean?"

As long as I can explain what each category means then that will be fine.


If anyone can help point me to a document or explain I would be very grateful.

Many Thanks

D

  • Hello D,

    I'm not sure whether I've moved this to the correct group as I'm using SESC but I never came across Cleared from the end point QM (but maybe you haven't quoted the exact message).

    One should be careful when interpreting the terms as the actual meaning is not always independent of the context. In addition to the doc Karlos mentioned some details:
    Cleaned Up means that the offending file has been cleaned (i.e. sanitized or deleted) and potential additional actions have been performed (like modified registry values set to the default). Sometimes it's partially removed, e.g. when processes (might) have loaded a malicious DLL and complete cleanup requires them to be restarted.
    Blocked is the "minimum" action when a threat has been detected on a file open. Access to the file is denied. A scan might also be performed on close-write; a block is not possible in this case so the initial action is None. None is also seen with scheduled scans as there's nothing to block.
    No longer Present means that a threat has been detected, a subsequent cleanup (whether automatic or requested) didn't find the file though. E.g. a file might have meanwhile been deleted from a cache.
    Acknowledged means that the alert has been cleared - until recently it was just that, with CryptoGuard (ransomware protection) it also unblocks the process.
    When a user (local admin) clears an alert from QM you'll see Removed from quarantine list. Under certain circumstances the cleanup routine might do it and the user displayed is SYSTEM (as far as I could see the threat is no longer present).

    I hope this isn't confusing. I assume there are several reasons why it is not as clear as one might wish - architecture of the Sophos software (Endpoint and Management) which should give consistent results (regardless of endpoint, management, and platform versions) as far as this is possible, changes in the OS architecture that result in new engine strategies that can't completely and unambiguously be represented in the existing architecture, last but not least that complex results would rather obscure the big picture than give more insight.

    Christian

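One way to turn these terms into the plain-language buckets a quarterly report needs, written here as an added example (not Sophos tooling and not code from anyone in the thread). The CSV column names and sample rows are constructed, and the mapping rules are one reading of the explanation above: Blocked and None only stop or record access, so they are still open unless the status says otherwise.

```python
import csv
import io
from collections import Counter

# Constructed sample export (not real Sophos data); column names are assumed.
SAMPLE_CSV = """computer,threat,action_taken,status
LAPTOP-01,Troj/Example-A,Cleaned Up,Resolved
LAPTOP-02,Troj/Example-A,Blocked,Cleanable
DESKTOP-03,Mal/Example-B,None,Threat Type Not Cleanable
LAPTOP-04,Troj/Example-A,No longer Present,Resolved
DESKTOP-05,Mal/Example-B,Acknowledged,Resolved
LAPTOP-06,Troj/Example-C,Removed from quarantine list,Resolved
"""


def outcome(action: str, status: str) -> str:
    """Map an (action_taken, status) pair to a reporting bucket.

    Rules follow the explanation in the thread (assumed interpretation):
    'Blocked' only denies access and 'None' means nothing was blocked
    (close-write or scheduled scan), so both remain open until the
    status shows the threat was resolved.
    """
    action, status = action.strip(), status.strip()
    if action in ("Cleaned Up", "No longer Present"):
        return "remediated"
    if action in ("Acknowledged", "Removed from quarantine list"):
        # Alert cleared by a person; the file was not necessarily cleaned.
        return "closed by an administrator"
    if action in ("Blocked", "None"):
        if status == "Threat Type Not Cleanable":
            return "needs manual investigation"
        if status == "Cleanable":
            return "cleanup still pending"
        return "resolved after initial " + action.lower()
    # A value with no rule is surfaced, not silently folded into another bucket.
    return "unclassified"


def summarise(csv_text: str) -> dict:
    """Count detections per reporting bucket from a CSV export."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[outcome(row["action_taken"], row["status"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for bucket, n in sorted(summarise(SAMPLE_CSV).items()):
        print(f"{bucket:30s} {n}")
```

The "unclassified" bucket is the useful part for a management report: any new label Sophos introduces shows up as a count to investigate rather than disappearing into a wrong category.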
  • Thanks v much Christian

    I need to have the meanings for a non tech audience who are going to ask me what "Acknowledged" actually means etc.

    Thanks for taking the time to answer my question so clearly.

    I really appreciate your time with this.

    Thanks again

    David