Sophos Anti-Virus for Windows 2000+, version 6.0 and above, provides protection from a wide range of common adware and potentially unwanted applications (PUAs). This includes detection of PUAs and the cleanup of files, registry entries and in-memory processes.
Note that PUA scanning is not available for Windows NT/95/98/Me computers.
PUA is a term used to describe applications that, while not malicious, are generally considered unsuitable for business networks. The major PUA classifications are adware, dialer, non-malicious spyware, remote administration tool and hacking tool. However, certain applications that can fall into the PUA category might be considered useful by some users.
Sophos recommends deploying PUA protection in stages across your network. This will allow you the opportunity to assess the threat posed to your system, decide on appropriate action, and reduce the likelihood of disruption to users.
This article outlines a system for a phased deployment of PUA protection. However, it is intended to complement the user manual and online help provided with your console, and should not be seen as a replacement for product documentation.
Known to apply to the following Sophos product(s) and version(s)
Sophos Enterprise Manager 4.7.0
Enterprise Console 5.0.0
Enterprise Console 4.7.0
- Detection and removal of PUAs is configured in the Sophos Anti-Virus policy under the 'Policies' panel in the console. You can configure an existing or a new anti-virus policy as described in your console Help or other documentation.
- If you have not previously scanned your computers for PUAs and then removed them, it is very likely that you will find PUAs on your network. In some cases, a large number of these applications may be installed. Deploying scanning in stages will allow you to more easily deal with any PUAs detected.
- It is advisable to only enable on-access scanning for PUAs as the final step of a phased deployment such as that described here.
- Enabling PUA scanning and implementing cleanup on your network can have the following impact on network users:
- Users who have PUAs that they consider desirable may notice that applications have been removed from their computers without their consent.
- To complete the removal of an unwanted PUA, users may need to restart their computers.
- You must familiarize yourself with your organization's policy regarding PUAs and whether it is acceptable for some of these applications to be running on users' computers.
- Descriptions of PUAs are given on the Sophos website. Your company may want to use the information provided there, to help decide whether to authorize a given PUA or to remove it.
- If your organization allows some PUAs to be on the network, you will need to configure your policies so that the specified PUAs are 'authorized'. This means that they are excluded from scanning and cleanup.
- If your organization does not allow these applications, you can regularly scan and clean your network without the need to authorize any of these PUAs.
Note: Sophos Technical Support cannot advise you on whether to remove or authorize an application.
- By carefully setting up and managing groups and policies, you can customize PUA scanning and cleanup to suit the requirements of a variety of users on your network. For example, for some users, you may want to detect and remove all PUAs, while for others you may want to authorize specified PUAs for their use, and remove others. You can achieve this by grouping together all users with similar requirements, and then applying an appropriate policy to each group.
PUA detection and cleanup
PUA detection must be enabled for both on-access and scheduled scans.
Scheduled scanning - you can use a scheduled scan to enable PUA scanning and to set up automatic cleanup. Removal of PUAs can either be carried out from your console, or you can configure a scheduled scan to remove them. Note that an affected computer may need a reboot for the complete removal of certain PUAs.
On-access scanning - on-access scanning can provide protection against PUAs by intercepting files as they are accessed, but it does not provide cleanup. Some applications 'monitor' files and attempt to access them frequently. If you have on-access scanning enabled, it detects each access and displays alerts on the affected computer and also alerts your console.
If you initially enable on-access scanning for PUAs (rather than following the phased deployment described here), users may see a number of PUA alerts on their computers. This can cause concern if they have not previously seen PUA warnings, and could potentially generate numerous support calls to your company's IT support staff.
Therefore, on-access scanning for PUAs should only be enabled as the final stage of a phased deployment process, after you have scanned your network and removed all unwanted software.
The following defaults exist:
- If you are installing Sophos Anti-Virus on a network that does not have an earlier version of Sophos Anti-Virus installed, PUA scanning is enabled by default for scheduled scans.
- If your network was previously upgraded from Sophos Anti-Virus version 5 or below, or Sophos Enterprise Console version 1.0, detection for PUAs may not be enabled for any scans.
- Detection for PUAs is not enabled in on-access scan settings.
Any potentially unwanted applications that are detected will be listed in Quarantine manager.
Setting up a phased deployment
Before you start, ensure that you are familiar with the procedures for setting up and using groups and policies, including how to apply policies to selected groups. Detailed procedural steps for these routine operations are not given in this article. They can be found in the relevant sections of your console Help or other documentation.
What to do
- Create group structure
- Create PUA policies
- Create a deployment plan
- Authorization and cleanup
- Completing deployment
1. Create group structure
Plan and create a group structure suitable for a phased deployment. You must decide what is a manageable size for the groups you create, so that you can easily process scanning and cleanup arrangements during this initial deployment.
Groups can be divided into sub-groups and a specific PUA policy can be applied to each group or sub-group. Users should be assigned to each group on the basis of their individual requirements. For example, if certain users want to keep a specified PUA on their computer, these users should all be placed in one group.
2. Create PUA policies
Create one or more PUA policies to satisfy the requirements of each of the groups you have created. These policies may include setting up scheduled scans and creating authorized lists.
- Open an existing anti-virus policy, or create a new one, in order to configure the required anti-virus policy.
- In the 'Scheduled scanning' panel, either create a new scan or choose to edit an existing one. Ensure that the time you choose to run the scheduled scans fits in with the overall deployment plan you create.
- Under 'Configure...' on the Scanning tab, in the 'Scan files for' panel, select 'Adware and PUAs'. Click OK.
3. Create a deployment plan
Plan out when you will apply the policies to given groups. Arrange to do this in phases, working with just a few groups at a time.
If you have large groups, you may want to break them down into smaller groups, sharing the same policy, but applying the policy at different times. This spreads the scanning over a period of time and allows you sufficient time to view the results of the scan on that group, and to implement your chosen policy of cleanup and/or authorization.
- In accordance with your plan of deployment, apply the first of your policies to the first of your groups. The scan will run as scheduled. It may take some time to complete.
- In the console, double-click the computers in the group to display the 'Computer details' window.
- Check the date and time against the 'Last Scheduled scan completed' status (available from the computer details dialog or the 'Anti-Virus Details' tab in the main console view), to ensure it has run correctly.
- Following the scan, the console displays the current status of each computer. If a PUA has been detected, an alert is displayed in the 'Outstanding Alerts' section. This lists when the PUA was first detected, its name, and the application type.
- Threats are listed hierarchically. A virus threat will override a PUA threat. It is advisable to clean up virus threats before PUAs. Refer to the section on cleaning computers in your console manual and the knowledgebase article 'Sophos Anti-Virus: removing viruses on the local computer' for guidance on cleanup for viruses.
4. Authorization and cleanup
- After the scheduled scan has finished on all the computers in the group, open the policy you applied to that group. In the 'Anti-Virus and HIPS Policy' dialog box, click the 'Authorization...' button and select the 'Adware and PUAs' tab.
- In the 'Authorization Manager' dialog box, all the PUAs that were detected by the scan are displayed in the 'Known adware and PUAs' list. When subsequent scans detect additional PUAs, they are added to this list. You should view this list even if you are planning to protect against all PUAs. It may contain applications that you do not regard as PUAs, or it may contain applications about which you need more information before deciding on how to handle them.
- From here you can select any PUAs you want to authorize and move them to the 'Authorized adware and PUAs' list. When you authorize an application, all computers in the group which have that policy applied can run the application without any restrictions (i.e. it will not be detected or removed).
- To clean up the remaining unwanted applications right-click an individual computer or group of computers and select 'Resolve Alerts and Errors...'.
- From the 'Alerts' tab you can filter the results from the 'Show:' dropdown menu for just 'Adware and PUAs'.
- Select the items you want to clean up and select 'Cleanup'. Any items you want to ignore can be cleared with the 'Acknowledge' button. Threats are listed by computer and application. If desired, the 'Select all' option may be chosen.
- From here you can see that once you have taken an action against a PUA that was listed in the 'Outstanding Alerts' section, it is moved to the 'History' section of the 'Computer details' window. An updated status is shown and the action that was taken is listed against each named PUA.
If the cleanup process
- requires a reboot to complete, a 'Restart the computer' alert is displayed in the 'Computer details' section of Enterprise Console.
- is not available for a particular threat, or the cleanup attempt failed, the threat will continue to be listed in the 'Outstanding alerts' section in the 'Computer details' screen. In this case, refer to the PUA analysis pages on the Sophos website, for more information on removal of a specific unwanted application.
5. Completing deployment
Repeat the procedures in the previous two sections, 'Create a deployment plan' and 'Authorization and cleanup', with your second and subsequent groups, until all the computers on your network have had an initial scan and authorization or cleanup.
After you have completed the deployment of PUA scanning to all the computers on your network, the status of your network with regard to PUAs should be as follows:
- all the computers on your network have been scanned;
- all PUAs detected are listed in 'Known applications';
- where necessary, you have authorized selected PUAs so that they are excluded from future scans;
- all unwanted PUAs have been cleaned from your network.
You must now implement a policy to ensure that your network is kept clear of PUAs. It is recommended that a scheduled scan with PUA scanning enabled is run on all computers once per day.
Automatic cleanup of PUAs is available for a scheduled scan, but controlling the cleaning in Enterprise Console is recommended.
Sophos recommends that you now enable PUA scanning for on-access scanning. If a PUA is detected, by default the user of the infected computer will receive an alert. The alert will also be displayed in Enterprise Console.