Enterprise Console: managing console alerts after install or upgrade

When you first install Enterprise Console version 3 or above, you may see alerts in the console. These could be virus alerts, or alerts for potentially unwanted applications (PUAs) or suspicious files. They are generated as workstations run files that Sophos Anti-Virus identifies as potential threats.

Note: PUA and suspicious behavior alerts will only be generated by computers running Sophos Anti-Virus for Windows 2000+.

What to do

Deal with any existing threats before enabling new features.

1. Dealing with existing threats

You should deal with any alerts for viruses, Trojans, worms or spyware first. See Enterprise Console: removing viruses for details.

If you did not enable scanning for PUAs and adware when upgrading from Enterprise Console version 1, see the PUA rollout guide.

2. Enabling alert only mode on upgraded networks

Fresh installations of Enterprise Console detect programs showing suspicious behavior but do not yet block them (alert only mode).

If you have upgraded from an earlier version, alert only mode is not switched on for you, so enable it now.

  1. If necessary, open Enterprise Console.
  2. In the Enterprise Console Policies pane, double-click 'Anti-virus and HIPS'.
  3. Double-click your policy.
  4. Click 'HIPS runtime behavior'.
  5. Select the following check boxes:
    • Detect suspicious behavior
    • Detect buffer overflows
    • Alert only
  6. Click 'OK' to close the dialog boxes and save your changes.

3. Monitoring programs showing suspicious behavior

Leave your computers running in alert only mode for at least a week.

  1. If you get a very large number of alerts, identify which programs are generating most of them and deal with those programs first. Then continue monitoring.
  2. Once you have a good understanding of which programs are involved, authorize those that your organization needs. Authorizing a program stops it being reported, so confirm that each one is legitimate software you recognize before you authorize it.
  3. Monitor alerts for a further period to check that enabling blocking will not disrupt your network.

You can enable blocking once you are satisfied that this will cause no disruption.

For more details, see Sophos Anti-Virus for Windows 2000+: deciding whether to allow or block a file.
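The triage described in the steps above (ranking the programs that generate most of the alerts, then deciding which ones to consider authorizing) can be done over an exported alert list. The script below is an added example and is not code from this article, from Enterprise Console or from Sophos. The CSV layout, computer names, program paths and detection labels are constructed placeholders, not the console's real export format, and the "user-writable location" check is a heuristic of this example, not a verdict on the file. Authorizing a program is still done in the console; the script only tells you where to look first.

```python
"""Triage suspicious-behavior alerts gathered while running in alert only mode.

Added example, not part of the Sophos article. The CSV below is a constructed,
hypothetical export (computer, program, detection); Enterprise Console's real
export format may differ.
"""
import csv
import io
from collections import defaultdict

# Constructed sample alerts (placeholder hosts, paths and detection labels).
SAMPLE_ALERTS = r"""computer,program,detection
WS001,C:\Program Files\AcmeERP\erp.exe,Behavior-1
WS002,C:\Program Files\AcmeERP\erp.exe,Behavior-1
WS003,C:\Program Files\AcmeERP\erp.exe,Behavior-1
WS004,C:\Program Files\AcmeERP\erp.exe,Behavior-1
WS001,C:\Program Files\AcmeERP\erp.exe,Behavior-2
WS005,C:\Windows\system32\backupagent.exe,Behavior-1
WS006,C:\Windows\system32\backupagent.exe,Behavior-1
WS007,C:\Users\jsmith\AppData\Local\Temp\svch0st.exe,Behavior-2
WS007,C:\Users\jsmith\AppData\Local\Temp\svch0st.exe,Behavior-2
WS007,C:\Users\jsmith\AppData\Local\Temp\svch0st.exe,Behavior-2
"""

# Heuristic path markers: programs running from these locations deserve a
# closer look before anyone considers authorizing them (assumption of this example).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\")


def parse_alerts(text):
    """Parse the CSV export into a list of {computer, program, detection} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(alerts):
    """Per-program statistics, sorted by alert count (descending, then by name).

    Each row carries the alert count, the number of distinct computers that
    reported it, the detection labels seen, the share of all alerts, and the
    cumulative share down the ranked list.
    """
    per_program = defaultdict(lambda: {"alerts": 0, "computers": set(), "detections": set()})
    for alert in alerts:
        entry = per_program[alert["program"]]
        entry["alerts"] += 1
        entry["computers"].add(alert["computer"])
        entry["detections"].add(alert["detection"])

    total = len(alerts)
    ranked = sorted(per_program.items(), key=lambda kv: (-kv[1]["alerts"], kv[0]))
    rows, cumulative = [], 0.0
    for program, entry in ranked:
        share = entry["alerts"] / total
        cumulative += share
        rows.append({
            "program": program,
            "alerts": entry["alerts"],
            "computers": len(entry["computers"]),
            "detections": sorted(entry["detections"]),
            "share": share,
            "cumulative": cumulative,
        })
    return rows


def top_offenders(summary, share=0.8):
    """Smallest prefix of the ranked list accounting for at least `share` of alerts.

    These are the programs to deal with first: handling them removes most of
    the noise so the remaining alerts can be read individually.
    """
    chosen = []
    for row in summary:
        chosen.append(row["program"])
        if row["cumulative"] >= share - 1e-9:
            break
    return chosen


def classify(row, min_hosts=3):
    """Heuristic triage label for one summary row (an assumption of this example).

    A program seen on many computers is usually deployed business software and
    is a candidate for authorization once its publisher has been verified; one
    running from a user-writable location is investigated before anything else.
    """
    path = row["program"].lower()
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        return "investigate: runs from a user-writable location"
    if row["computers"] >= min_hosts:
        return "candidate to authorize: widely deployed, verify publisher first"
    return "review: seen on few computers"


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_ALERTS))
    print("Programs to deal with first:", top_offenders(summary))
    for row in summary:
        print(f"{row['alerts']:3d} alerts on {row['computers']} host(s) "
              f"({row['cumulative']:.0%} cumulative) {row['program']}")
        print("     ", ", ".join(row["detections"]), "->", classify(row))
```

Run it on the constructed data and the ERP client, seen on four hosts, comes out as the widely deployed candidate, while the executable in a user's Temp folder is flagged for investigation even though it produced fewer alerts than the ERP client. The point is that alert volume alone does not decide what to authorize; spread across computers and where the file lives matter as much.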

4. Enabling on-access scanning for suspicious files

On-access scanning for suspicious files blocks those files from running and sends a report to the console. Only enable it once you are confident that useful software will not be blocked and that the console will not be flooded with alerts.

  1. If necessary, open Enterprise Console.
  2. In the Enterprise Console Policies pane, double-click 'Anti-virus and HIPS'.
  3. Double-click your policy.
  4. If on-access scanning for viruses is not already selected, select 'Enable on-access scanning'.
  5. Click 'On-access scanning'.
  6. In the 'On-access scan settings' dialog box, select 'Scan for suspicious files (HIPS)'.
  7. Click 'OK' in each dialog box to save your changes.

You can deal with the files reported using 'Cleanup', or a scheduled scan.

5. Setting automatic cleanup for scheduled scans

You can keep your network free of suspicious files by setting up scheduled scans that detect and remove them.

Note:

To set up a scheduled scan, do as follows.

  1. If necessary, open Enterprise Console.
  2. In the Enterprise Console Policies pane, double-click 'Anti-virus and HIPS'.
  3. Double-click your policy.
  4. In the 'Scheduled scanning' section, click 'Add'.
  5. Give the scan a name, and select a time for it to run.
    If you want to enable automatic removal, also do the following:
    • Click 'Configure'.
    • In the 'Scanning and cleanup settings' dialog box for your new scan, select the 'Cleanup' tab.
    • In the 'Suspicious files' section, select 'Delete' or one of the 'Move...' options.
  6. Click 'OK' in each dialog box to save your scan.

Related articles:

If you need more information or guidance, then please contact technical support.