Enterprise Console: configuring on-access scanning

From the Enterprise Console, you can configure on-access scanning for computers on your network so they will report and deal with virus infections. Settings are configured by group.

You can also configure on-access scanning behaviour locally on individual computers. Full details can be found in the Sophos Anti-Virus help.

By default, on-access scanning is installed and enabled on all computers. The default configuration for on-access scanning

• enables on-read scanning
• scans at 'Normal' level
• uses the default file extensions list
• does not either disinfect or delete files.

These settings can be changed.

Note: If you do not want on-access scanning to run on some servers (e.g. Microsoft Exchange servers), set up a group of such servers.

What to do

Editing your on-access scanning settings on Enterprise Console version 3

1. In the Policies pane, double-click the Anti-virus and HIPS policy that you want to edit.
2. If necessary, select 'Enable on-access scanning'.
3. Click 'On-access'.
4. Once you have finished editing your Anti-virus and HIPS policy, apply it to the appropriate groups.

The 'On-access scan settings' options are displayed in tabbed pages.

On-access scanning behavior

These options are available in the Scanning tab.

• On read
  To check files when they are opened, select 'On read'. This option should be used on all workstations and most other computers.
• On write
  To check files when they are written to a computer, either by that computer, or by another computer, select 'On write'. This option should be used where there is any danger of something spreading across shares in the network.
• On rename
  Where necessary, use this in conjunction with 'On write' scanning.

Disinfecting and removing files

These options are available for selection in the Cleanup tab. No confirmation is asked for before any of these actions is taken.

• Automatic disinfection
  Select 'Automatic disinfection' to implement on-access disinfection of macro viruses, and boot sector viruses on floppy disks, for Windows 95/98/Me/NT/2000/XP/2003 and Mac OS X computers. This will also disinfect some executable (program) file viruses on Windows NT/2000/XP/2003 computers. For Windows 95/98/Me, use a scheduled scan to disinfect executable files.
  If you regularly use on-access disinfection, you should check the logs for your computers and ensure that you are aware of any potential side-effects caused by the viruses that have been removed.
• Other actions against infected files
  You should usually use the 'Do nothing' option, as in some circumstances 'Remove' might delete a (multiply infected) file that could have been disinfected. These options are not available for Windows 95/98/Me.
  • During a worm outbreak, using 'Remove' in conjuction with 'On write' can prevent the worm spreading futher across network shares.
  • If infected files are moved, they can no longer be started by the operating system. However, you can still recover them and disinfect them. Some viruses will replace any of their files that have been deleted (e.g. W32/Sober-B).

Extensions and exclusions

For information on configuring the Extensions and Exclusions tabbed pages, see the Enterprise Console user manual.