Recommended settings for Anti-Virus and HIPS

  • Article ID: 114345
  • Rating:
  • Rated 4.1 out of 6 by 34 customers
  • Updated: 22 Mar 2016

The recommended Anti-Virus and HIPS settings, which are also set as the default for a new policy in a fresh installation of the console, are configured to provide best protection as recommended by SophosLabs.

In normal use, Sophos recommends you run Anti-Virus and HIPS with the default settings. If additional on-access scanning is enabled, more system resources may be consumed, which could increase CPU usage when starting up.

Applies to the following Sophos product(s) and version(s)
Sophos Endpoint Security and Control 10.0
Enterprise Console


Sophos Anti-Virus and HIPS recommended settings

| Feature | Recommended Setting | Guide |
|---|---|---|
| On-access scanning | Enabled | How to enable Sophos On-access Scanning; How to configure Sophos On-access Scanning |
| Check files on - Read | Enabled | |
| Check files on - Rename | Enabled | |
| Check files on - Write | Enabled | |
| Adware and PUAs | Enabled | |
| Scan inside archive files | Disabled | |
| Scan system memory | Enabled | |
| Scan only executable and other vulnerable files | Enabled | How to configure Sophos On-access Extensions |
| Automatically clean up items that contain a virus/spyware | Enabled | How to configure automatic cleanup for on-access scanning |
| If cleanup is not possible - Deny access only | Enabled | |
| Web Protection | | |
| Block access to malicious websites | On | How to configure Web Protection |
| Download scanning | As on-access scanning | |
| Behavior Monitoring | | |
| Behavior Monitoring | Enabled | How to enable Behavior Monitoring (HIPS); How to configure Behavior Monitoring (HIPS) |
| Detect malicious behavior | Enabled | |
| Detect malicious traffic | Enabled | |
| Detect suspicious behavior | Enabled | |
| Alert only, do not block suspicious behavior | Enabled | |
| Detect buffer overflows | Enabled | |
| Alert only, do not block | Disabled | |
| Live Protection | | |
| Live Protection | Enabled | How to configure Live Protection |
| Automatically send sample files to Sophos | Enabled | |
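As an added example (not Sophos code, and not the Policy Evaluation Tool), the following audits a policy against the recommended settings in the table above. The policy is a plain dict in a constructed key format, since no export format is assumed; it also encodes the dependency the article notes later, that 'Detect malicious behavior' is the parent option and disabling it switches HIPS off completely.

```python
# Added example: compare an Anti-Virus and HIPS policy (constructed dict format,
# not a Sophos export) against the article's recommended settings.

RECOMMENDED = {
    "on_access_scanning": True,
    "check_on_read": True,
    "check_on_rename": True,
    "check_on_write": True,
    "adware_and_puas": True,
    "scan_inside_archives": False,
    "scan_system_memory": True,
    "scan_only_executables": True,
    "auto_cleanup": True,
    "deny_access_if_cleanup_fails": True,
    "block_malicious_websites": True,
    "behavior_monitoring": True,
    "detect_malicious_behavior": True,
    "detect_malicious_traffic": True,
    "detect_suspicious_behavior": True,
    "suspicious_alert_only": True,
    "detect_buffer_overflows": True,
    "buffer_overflow_alert_only": False,
    "live_protection": True,
    "send_samples": True,
}


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy matches the recommendations."""
    findings = []
    for key, want in RECOMMENDED.items():
        have = policy.get(key)
        if have is None:
            findings.append(f"{key}: not set (recommended {want})")
        elif have != want:
            findings.append(f"{key}: {have} (recommended {want})")
    # Dependency from the article: the parent option switches HIPS off completely,
    # so the child detections are reported as ineffective rather than merely mismatched.
    if policy.get("behavior_monitoring") and not policy.get("detect_malicious_behavior"):
        findings.append("detect_malicious_behavior is off: HIPS is switched off completely, "
                        "so suspicious behavior and buffer overflow detection have no effect")
    return findings


if __name__ == "__main__":
    # Constructed sample policy: archives scanned on access, HIPS parent option disabled.
    sample = dict(RECOMMENDED, scan_inside_archives=True, detect_malicious_behavior=False)
    for line in audit_policy(sample):
        print(line)
```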

Important: Please refer to Knowledgebase article Default Anti-virus and HIPS policy and settings for full details of our latest recommended protection settings. These are set by default for all fresh installs.  


TIP: You can use the Policy Evaluation Tool (PET) to check if your existing Anti-Virus and HIPS policies are using recommended settings or not. For more information see article: Sophos Enterprise Console - Sophos Policy Evaluation Tool


Related information


The information below is provided to explain the main settings.

On-read scanning

This should be switched on in practically all circumstances. On-access scanning provides virus checking for your workstations. All files that are opened by the computer are checked before they are run.

On-write scanning

On-write scanning is useful when tracking the source of infection on your network, or if infected files are being written from over the internet. Files written to your hard drive by your computer, or another computer, will be checked when they are created. This will prevent a virus from spreading infected files over all open shares on your network.

On-write scanning is particularly useful in tracing a virus that is spreading across network shares, but you should also check the use of file sharing on your network, particularly the security of administrative shares.

On-rename scanning

On-rename scanning can be useful in similar circumstances to on-write scanning, except that the file involved will have been written as if it were a non-executable file, then renamed to make it executable. You should use on-rename scanning in the same circumstances as on-write scanning.

On-access scanning of archived files

On-access scanning of archived files consumes a lot of memory. If on-access scanning of archived files is in use, every time such a file is viewed in Windows Explorer the contents of that file will be fully checked. If the file is a self-extracting archive, the self-extractor component will be checked with the default on-access scanning settings. So checking the whole file, every time, with on-access scanning is unnecessary.

The increased memory and CPU usage caused by scanning archived files is wasted if the file is not then accessed. You should not need to use on-access scanning of archives on a workstation.

  • If you need to check an archive before opening it, use a right-click scan. The contents of the file will be checked by on-access scanning anyway, before you run them.
  • If you need to check a group of archived files, place them all in the same folder and right-click scan that folder.
  • If you need to check archived files on a file server, use a scheduled scan.

On-access scanning of archived files could be useful where a server is checking files before forwarding them to client workstations, e.g. as part of through traffic. It should not be part of a standard network setup.

On-access scanning for potentially unwanted applications

Potentially unwanted applications (PUAs) are programs whose use should be carefully managed. Some of them (e.g. network access tools or instant messaging clients) may be useful to certain workers. If such a program is already in use on your network, and it is then added by Sophos to the list of potentially unwanted applications, it will be blocked immediately.

Use scheduled scans to manage PUAs in an office environment. You can then decide which applications to allow, and which ones to block, without disrupting activity on your network.

Scanning 'All files'

An 'All files' scan should be used to check that all components of a virus have been removed after disinfection, but it is not necessary in general use.

The standard 'Executables only' scan checks all files with executable file extensions (e.g. '.DOC', '.EXE', '.LNK', '.PIF'). It also quickly checks the structure of all files, and scans them if their format is that of an executable file.

  • If you want to scan extra file types, you can add those file type extensions to the list of executables scanned.
  • If you feel safer making an occasional check of all files on your computer, set up a weekly scheduled scan at a quiet time (e.g. Sunday afternoon).
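The two-stage logic just described, extension list first and then file structure, as an added example (not Sophos code). It uses the four example extensions from the article and checks for the PE, OLE2 compound document and Windows shortcut headers, so an executable saved under a harmless name, or written as a non-executable and renamed later, is still selected for scanning.

```python
# Added example: select files for an 'Executables only' scan by extension or by structure.
import os
import struct

# Example extensions from the article; a real list would be longer.
EXECUTABLE_EXTENSIONS = {".doc", ".exe", ".lnk", ".pif"}

PE_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound document header (.DOC)
# Shell link header: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def looks_executable(data: bytes) -> bool:
    """Structural check: does the content have the layout of an executable-type file?"""
    if data.startswith(PE_MAGIC) and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the PE signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE
    return data.startswith(OLE2_MAGIC) or data.startswith(LNK_HEADER)


def should_scan(name: str, data: bytes) -> bool:
    """Extension list first, then structure, as the 'Executables only' scan does."""
    ext = os.path.splitext(name)[1].lower()
    return ext in EXECUTABLE_EXTENSIONS or looks_executable(data)


def make_minimal_pe() -> bytes:
    """Constructed sample: a DOS header whose e_lfanew points at a PE signature."""
    header = bytearray(0x40)
    header[:2] = PE_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIGNATURE + b"\0" * 20


if __name__ == "__main__":
    # A PE written under a non-executable name is still selected by its structure.
    print(should_scan("setup.tmp", make_minimal_pe()))   # True
    print(should_scan("report.txt", b"plain text"))       # False
```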

When scanning all files on a computer, bear in mind:

  • An 'all files' scan can take considerably longer than an executables only scan.
  • You should rarely, if ever, need to remove a non-executable file.
  • Take care when removing files with an 'all files' scan. You might remove mailboxes with one infected email in them, or archive files containing only one infected file among many others.

Automatically clean up items that contain a virus/spyware

In Endpoint 10 the setting 'Automatically clean up items that contain a virus/spyware' for on-access scanning is enabled by default. Having this option enabled means less administrative work in dealing with malware reported to the console. It also means you will not see items alerted in the Dashboard and/or against the client computer's name in the console, because the malware has already been dealt with. The alert history and reporting will still include all malware detection events.

We strongly recommend that you leave the follow up action as 'Deny access only'.

Detect malicious behavior

'Detect malicious behavior' has to be enabled for HIPS protection and is the parent option to 'Detect suspicious behavior'. Disabling it switches HIPS off completely. We recommend you keep this option checked.

Detect suspicious behavior

Suspicious behavior detection finds items that behave like malware; they can be authorized if you recognize the file/program. By default the option is enabled, but the pass-through option 'Alert only' means the files will not be blocked.

If you are upgrading to Endpoint 10 and would like to know more about how your settings are migrated please see article 114528.

Detect buffer overflows

Buffer overflow attacks can be a risk. However, as with suspicious behavior, if you recognize the file/process that is running, you can authorize the item.

Live Protection

Sophos Live Protection improves detection of new malware without the risk of unwanted detections. This is achieved by doing an instant lookup against the very latest known malware. When new malware is identified, Sophos can send out updates within seconds. In order to get this high level of protection, you should retain the default setting of 'Enabled'.

For more information, see article 110921.

Further best protection settings in version 10.0

The following best protection settings have also been included in version 10.0.

  • Automatic cleanup for scheduled scan detections.

If you need further information or assistance, please contact technical support.
