The 'alert only' behavioral rule in Sophos Anti-Virus for Windows 2000+, version 7 and above, warns of files that are suspected to be malicious. However, because the identification has not been confirmed by a precise identity, the files are not automatically prevented from running or automatically deleted.
Note: This only happens in 'alert only' mode. In all other modes, suspicious files will be blocked.
What to do
Alert only mode
- If you believe the file to be legitimate, or are not sure, please send us a sample.
- To remove files detected by alert only rules, do as follows:
  - Open Sophos Anti-Virus.
  - Open Quarantine Manager.
  - Select the item in question.
  - Delete or authorize it.
Alert only mode can be deselected as follows:
- Open the Anti-Virus and HIPS policy.
- Click the HIPS Runtime Behaviour button.
- Deselect the ‘Alert Only’ check box.
This will block the execution of any application exhibiting suspicious behaviour that has not been authorized.
The 'alert only' rules scan all intercepted files. If a rule triggers against a file, an entry is added to Quarantine Manager, but the file is allowed to continue running.