Sophos Anti-Virus for Windows: best practice for using HIPS runtime analysis

  • Article ID: 50160
  • Updated: 05 Sep 2011

Before using HIPS runtime behavior analysis for the first time, pre-authorize the legitimate programs and files that are already on your network.

Legitimate programs may include installers and update tools. Legitimate files may include spreadsheets with macros enabled and other files that are commonly used to spread malware.

Introduce HIPS runtime behavior analysis to your existing software.

When using HIPS runtime behavior analysis for the first time, it is important to run it in the Alert Only configuration for a few weeks in order to identify any software that may be causing unwanted detections on your network. During this period, investigate every HIPS alert so that you can distinguish unwanted detections from genuine threats that may be present on company computers. For more information, please see: Sophos Anti-Virus: "false positives" and "unwanted detections".

For further information on managing HIPS alerts, please see: Sophos Anti-Virus: managing the detection of suspicious files and behavior.

When you are confident that all alerts have been addressed, turn the Alert Only configuration off so that processes are automatically blocked from performing suspicious behavior.

Have a small group of test machines for software installations.

Identify a small number of low-risk machines on your network and use them as a test bed for introducing new software to your network. When you need to deploy new software, configure HIPS runtime behavior analysis on these machines to the Alert Only setting and deploy the software to those machines first. If any alerts are encountered, investigate them; if they prove to be unwanted detections, consider authorising the associated components for use via the Sophos console. This way, when you come to deploy the software to the rest of the network, there should be no further alerts and you will not need to change your protection policy for the majority of your company computers.

Be cautious when downloading.

Whenever possible, download package installers so that they can be inspected and run locally, instead of running them directly from the internet browser. Download links may not point to the files that you expect.

Be clear about in-house software development.

When developing in-house software, be as clear as possible about the origins of the applications. Include well-formed resource information wherever possible, and avoid using packing software commonly associated with malware.

If you need more information or guidance, then please contact technical support.
