At the heart of the SophosLabs ethos is the concept of "Best Protection". Best Protection does not simply mean detecting all possible threats. It also encompasses the view that false positives and unwanted detections should be minimized in order to ensure that the management overhead from running Sophos products is kept low.
Applies to the following Sophos product(s) and version(s)
Sophos Web Appliance
Sophos Endpoint Security and Control
Sophos Email Appliance
Before releasing new virus identity (IDE) files (containing the identities of new malicious or suspicious files and HIPS rules), SophosLabs runs them across our False Positive collection. This collection contains over 1 terabyte of clean files and is used to judge whether identities are likely to raise false positives. This allows us to minimize the number of false positives and unwanted detections you encounter when using the latest virus identity (IDE) files with Sophos Anti-Virus.
However, different scan options in Sophos Anti-Virus have different inherent levels of false positives or unwanted detections:
Malware detection - All scheduled and on-demand scans in Sophos Anti-Virus detect malware if it is present on the computer. False positive malware detections are very rare. When Sophos Anti-Virus detects a malware file (identity names with the prefix W32/, Troj/, Mal/, etc.), you should treat it as a real threat unless you are absolutely sure that the file is safe.
If you know that the file detected is not malware, please submit the file to SophosLabs (see below for details). Sophos will then analyse the situation and quickly update the identity or, in some cases, issue a "clean identity" so that it is no longer recognised as a threat.
Suspicious File Detection - Sophos Anti-Virus' Suspicious File Detection examines the characteristics of a file before it executes. The program flags the file as "Suspicious" (prefix Sus/) if it contains a combination of characteristics commonly, but not exclusively, found in malware. Such files are correctly described as "suspicious", so when a clean file is flagged as suspicious we call this an "unwanted detection" rather than a "false positive". We aim to minimize unwanted detections, and in the majority of cases a "suspicious file" will be malicious. However, you should expect to see unwanted detections on occasion. If you are unsure whether a "suspicious file" is clean or malicious, see the guidance in article 23949.
Any unwanted detections should be submitted to SophosLabs. These submissions are used to improve the detection provided, although we do not guarantee to update a suspicious file identity in this situation as we have to balance the risk of unwanted detections against the benefit of detecting more zero-day threats.
HIPS Runtime Behavior Analysis - Covering two different technologies, Buffer Overflow Protection and Suspicious Behavior Detection, this scan option examines the behavior of files as they execute and looks for behavior that is common in malware. Runtime Behavior Analysis is effective at preventing a significant proportion of zero-day threats; however, you should expect to see unwanted detections on occasion.
SophosLabs attempts to minimize unwanted detections; therefore, Sophos Anti-Virus only alerts on behavior that is commonly exhibited by malware. Because legitimate software can exhibit some of the same behavior, the default setting for HIPS Runtime Behavior Analysis is "alert only" rather than "block". We recommend spending a period of time monitoring these alerts and authorizing legitimate applications and processes before switching to blocking all suspicious behavior.
Any unwanted detections should be submitted to SophosLabs. These submissions are used to improve the HIPS rules used by Sophos Anti-Virus, although we do not guarantee to update them as we have to balance the risk of unwanted detections against the benefit of detecting more zero-day threats.
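The monitoring period recommended above produces a pile of "alert only" events that have to be sorted into applications worth authorizing and processes worth keeping under watch before the setting is changed to "block". The script below is an added example of one way to do that triage; it is not Sophos code, and the pipe-delimited alert line format, the rule names and the host threshold it uses are constructed for the example rather than taken from any Sophos log or console export.

```python
# Added example (not Sophos code): triaging HIPS "alert only" events collected
# during a monitoring period, before Runtime Behavior Analysis is set to "block".
#
# Constructed line format for this example (NOT a real Sophos export format):
#   <timestamp>|<host>|<HIPS rule>|<process path>
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample alerts, as if exported at the end of a two-week watch.
# Rule names and paths are illustrative only.
SAMPLE_ALERT_LINES = r"""
2024-01-08T09:12:41Z|WS-0101|HIPS/RegMod-002|C:\Program Files\Acme Backup\agent.exe
2024-01-08T09:13:02Z|WS-0102|HIPS/RegMod-002|C:\Program Files\Acme Backup\agent.exe
2024-01-08T09:13:40Z|WS-0103|HIPS/RegMod-002|C:\Program Files\Acme Backup\agent.exe
2024-01-08T10:02:15Z|WS-0104|HIPS/RegMod-002|C:\Program Files\Acme Backup\agent.exe
2024-01-09T08:30:00Z|WS-0101|HIPS/RegMod-002|C:\Program Files\Acme Backup\agent.exe
2024-01-08T14:20:11Z|WS-0110|HIPS/ProcMod-003|C:\Program Files (x86)\Contoso CRM\crm.exe
2024-01-09T23:41:17Z|WS-0133|HIPS/ProcInj-001|C:\Users\jdoe\AppData\Local\Temp\svchost.exe
2024-01-09T23:41:19Z|WS-0133|HIPS/RegMod-002|C:\Users\jdoe\AppData\Local\Temp\svchost.exe
this line is deliberately malformed
""".strip().splitlines()

# Directories normally writable only by administrators/installers (assumption
# for this example; adjust to the estate). A path here is a hint, not proof.
TRUSTED_DIRS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Windows\\")

Record = Tuple[str, str, str, str]   # (timestamp, host, rule, process path)
Key = Tuple[str, str]                # (rule, lower-cased process path)


def parse_alerts(lines: List[str]) -> List[Record]:
    """Parse constructed alert lines; malformed lines are skipped, not fatal."""
    records: List[Record] = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 4 or not all(parts):
            continue
        ts, host, rule, proc = parts
        records.append((ts, host, rule, proc))
    return records


def hosts_per_pair(records: List[Record]) -> Dict[Key, FrozenSet[str]]:
    """Group alerts by (rule, process) and collect the distinct hosts that raised them.
    Repeat alerts from the same host count once: breadth across hosts, not volume."""
    seen: Dict[Key, set] = defaultdict(set)
    for _ts, host, rule, proc in records:
        seen[(rule, proc.lower())].add(host)
    return {k: frozenset(v) for k, v in seen.items()}


def is_trusted_path(proc: str) -> bool:
    """True if the process lives under one of TRUSTED_DIRS (case-insensitive)."""
    p = proc.lower()
    return any(p.startswith(d.lower()) for d in TRUSTED_DIRS)


def triage(records: List[Record], min_hosts: int = 3):
    """Split (rule, process) pairs into authorization candidates and items to investigate.

    A pair is only a candidate for authorization if it fired on at least
    min_hosts distinct hosts AND the process sits under an admin-controlled
    directory. Everything else stays on the investigation list and keeps
    alerting (or, once the switch is made, being blocked). The candidate list
    is for a human to confirm (e.g. check the file's publisher signature and
    that it is an application the organisation actually deploys) before any
    authorization is configured; a path under Program Files alone is not proof.
    """
    candidates, investigate = [], []
    for (rule, proc), hosts in sorted(hosts_per_pair(records).items()):
        entry = {"rule": rule, "process": proc, "hosts": len(hosts)}
        if len(hosts) >= min_hosts and is_trusted_path(proc):
            candidates.append(entry)
        else:
            investigate.append(entry)
    return candidates, investigate


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERT_LINES)
    cands, inv = triage(recs)
    print("Candidates to review for authorization:")
    for e in cands:
        print(f"  {e['rule']:20} hosts={e['hosts']:3}  {e['process']}")
    print("Keep investigating / leave alerting:")
    for e in inv:
        print(f"  {e['rule']:20} hosts={e['hosts']:3}  {e['process']}")
```

On the sample data, the backup agent that triggered the same rule on four machines from a Program Files path comes out as the only authorization candidate, while the single-host CRM alert and the executable masquerading as svchost.exe in a user's Temp directory stay on the investigation list. The host threshold is the knob to tune: set it relative to how many machines ran the application during the monitoring period, and keep in mind that anything you authorize is also exempted from blocking once the setting is changed.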
Submitting suspicious files, unwanted detections and false positives
Please use the following form to send samples to SophosLabs. On the second page, you will be asked to enter the reason for submitting the sample (e.g. false positive) along with any further information such as the identity/HIPS rule alerted on: http://www.sophos.com/support/samples/.
For instructions for collecting samples blocked by on-access scanning see article 17327.