Sophos Anti-Virus for Windows 2000+: deciding whether to allow or block a file
The suspicious file and behaviour detection features in Sophos Anti-Virus for Windows 2000+ only indicate that a file or behaviour may be a threat; in some cases it will turn out to be a clean, legitimate file. You must examine the file and decide whether to block it or to authorize it.
How you reach this decision will depend on the particular software that has been identified and on your company's policy. For example, some installation programs and scheduled updating programs may trigger suspicious behaviour detection.
- Legitimate installers and similar programs will need to be authorized.
- Send programs about which you are unsure to SophosLabs.
What to do
You will need to make your own decisions as to whether to authorize or block a program. These are guidelines as to how to go about it, not instructions on what to decide.
1. Screening for legitimate programs
To check your programs, do as follows:
- Open Enterprise Console.
- Look for suspicious behaviour alerts.
- Right-click the computer in question.
- Select Properties.
- Scroll down the details list and see what program is causing the alert.
- Check the program and the folder it runs from (for example its publisher and version information, whether its digital signature is valid, and whether the location is one a legitimate copy would be installed in) to find out if it is a known legitimate program.
Legitimate programs could include installers, scheduled updating programs and other update tools, and other programs that alter the registry, processes, or program and data files.
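The following PowerShell function is an added example of the "check the program and its folder" step; it is not part of the Sophos article and not Sophos code. It assumes you run it from an administrator's workstation with PowerShell 4.0 or later (for Get-FileHash), either on the reporting computer or against a copy of the flagged file, and that C:\Admin\known-good-sha256.txt is a hypothetical allowlist of SHA-256 hashes that you maintain yourself. It gathers the facts an administrator would weigh (publisher, version information, Authenticode signature status, hash, and what else lives in the same folder) and suggests a course of action; the decision to authorize or block remains yours, as the article says.

```powershell
# Added example, not from the Sophos article. Gathers the evidence an
# administrator needs before deciding to authorize or block a program that
# triggered a suspicious behaviour alert.
# Assumes PowerShell 4.0+ (Get-FileHash). The known-good hash file is a
# hypothetical allowlist you maintain: one SHA-256 per line, '#' for comments.
function Test-FlaggedProgram {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # Hypothetical allowlist path; absent file means an empty list.
        [string]$KnownGoodHashFile = 'C:\Admin\known-good-sha256.txt'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    $ver  = $item.VersionInfo

    # Load the allowlist (upper-case hex, blank lines and comments ignored).
    $knownGood = @()
    if (Test-Path -LiteralPath $KnownGoodHashFile -PathType Leaf) {
        $knownGood = Get-Content -LiteralPath $KnownGoodHashFile |
            ForEach-Object { $_.Trim().ToUpperInvariant() } |
            Where-Object { $_ -and -not $_.StartsWith('#') }
    }

    $publisher = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.Subject
    } else {
        '(unsigned)'
    }

    # Count other executables in the same folder: a lone .exe in a temp or
    # profile directory reads differently from one beside a vendor's binaries.
    $siblingExes = @(Get-ChildItem -LiteralPath $item.DirectoryName -Filter *.exe `
        -ErrorAction SilentlyContinue).Count

    # Suggested handling only; the administrator makes the final call.
    $suggestion = if ($knownGood -contains $hash) {
        'AUTHORIZE: hash is on your known-good list'
    } elseif ($sig.Status -eq 'Valid') {
        'REVIEW: validly signed; authorize if the publisher is one you trust'
    } else {
        'HOLD: unsigned or invalid signature; submit to SophosLabs before authorizing'
    }

    [pscustomobject]@{
        Path         = $item.FullName
        Folder       = $item.DirectoryName
        SiblingExes  = $siblingExes
        SizeBytes    = $item.Length
        LastWritten  = $item.LastWriteTime
        Company      = $ver.CompanyName
        Product      = $ver.ProductName
        FileVersion  = $ver.FileVersion
        SHA256       = $hash
        Signature    = $sig.Status
        Publisher    = $publisher
        Suggestion   = $suggestion
    }
}

# Usage: run against the program named in the alert. notepad.exe is used here
# only so the example runs on any Windows machine.
Test-FlaggedProgram -Path (Join-Path $env:SystemRoot 'notepad.exe') | Format-List
```

A valid signature only tells you who signed the file, not that it is harmless, so the REVIEW branch still requires you to recognise the publisher; record the SHA256 of anything you authorize in the allowlist so that the same build is not re-investigated on the next alert.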
Authorizing programs:
- If you need to run an installer only once, temporarily set HIPS to alert-only mode, run the installer, then fully enable HIPS again. While HIPS is in alert-only mode, suspicious behaviour is reported but not blocked for all programs, not just the installer, so keep this window as short as possible.
- If you need to allow a program to regularly upgrade itself, authorize it.
2. Forwarding files to SophosLabs
You can forward a file to SophosLabs:
- if you are unsure about its safety, and require advice on whether it is safe to authorize.
- if an application is identified which you believe is fairly widely used, and you feel that the level of detection is too sensitive.
See the knowledgebase articles Submitting samples of suspicious files to Sophos and Collecting samples blocked by on-access scanning for help on collecting and forwarding files to SophosLabs.
In some cases Sophos may provide an update to the detection of the application that you have queried; in others this may not be appropriate. However, you always have the flexibility to either authorize or block any application, as is appropriate to the needs of your business.
If you need more information or guidance, then please contact technical support.
- Article ID: 25472
- Created: 21 May 2007
- Last updated: 13 Jun 2008
