Version 9.7 (and lower) Anti-Virus and HIPS settings: guide to on-access settings

  • Article ID: 63923
  • Rating:
  • 13 customers rated this article 4.4 out of 6
  • Updated: 04 Apr 2016

We recommend using the default scan settings in your Anti-Virus and HIPS policies, as they represent the best balance between protecting your network against threats and overall system performance. However, if performance weren't an issue, we would recommend that you switch on all settings to ensure the best protection. There may be other reasons why you would adjust the default settings.

Whenever you consider changing the default settings, use the following guide to understand what effect your changes would make on both system performance and your protection against threats.

Known to apply to the following Sophos product(s) and version(s)
Sophos Endpoint Security and Control 9.7

In this article, On-access settings:
Scanning tab | Extensions tab | Windows/Mac/Linux exclusions tabs | Cleanup tab | HIPS runtime behavior settings | Messaging settings | Web Scanning settings

For Scheduled scan settings, please see Anti-Virus and HIPS settings guide (scheduled scans).


These settings are configured in Enterprise Console, Anti-Virus and HIPS policy.

On-access scan settings

Setting name Default Comments
Enable on-access scanning Enabled We recommend that you always use on-access scanning. As you will see in the explanation of the on-access scan settings below, this feature is crucial to identifying and eliminating most modern threats before they can be executed on your system.

On-access scanning button

Scanning tab

Setting name Default Comments
Scan inside archive files (not recommended) Disabled

When you enable this setting, it adds the common archive file formats to the list of extensions that are checked by the on-access scanner.

We have disabled this setting because it is not usually necessary to perform on-access scans of archive files. If you use the default on-access scan settings that we have developed, any of the files within the archive will be scanned the moment they are opened or executed. Because scanning the archive itself is a memory-intensive process, and given that most archive files within an organisation are free from malware (they should be filtered out at the gateway by a product such as the Sophos Web Security and Control appliance), we feel that devoting extra processor time to archive scans is not worth the delays experienced by end-users on the endpoint.

Of course if you have many users connecting their personal USB flash drives and other removable media to your network, or you have a specific business need, you may consider switching this setting on for a subset of your users.

As an alternative to on-access scanning of archives, we suggest that you consider either:

  • instructing your users to always right-click archive files and select 'Scan with Sophos Anti-Virus' to scan them before opening them. That way, only archives that you want to open will be scanned when accessed. To check a group of archives, place them in a single folder and right-click the folder to scan it.
  • setting up a scheduled scan for archive files only. Because this scan will unpack each file, scan the contents and then pack it up again, it will take a long time to complete. This scan should run at a time of day when the computer will be switched on, but the scan won't interfere with the end-user's work. To create the scan, set up a new scheduled scan and add only the extensions that you want to scan to the list of extensions.

Archive and compressed files are decompressed to the following locations, where the Sophos Anti-Virus on-access scanner checks their contents:

In Windows it is as follows:

  • Windows operating systems, except Vista, C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Temp\d5ab0000.$$$
  • Windows Vista, C:\Program Data\Sophos\All Users\Application Data\Sophos\Sophos Anti-Virus\Temp\d5ab0000.$$$

In UNIX it is the /tmp file. The location of this can be changed by setting the SAV_TMP variable. e.g. export SAV_TMP to another directory.

Scan for Macintosh viruses

Disabled If you have Macs on your network, or you regularly exchange files that may be opened and edited in a Mac environment, you should enable this setting.

Scan system memory


If you enable Scan system memory, on-access will run hourly background scans of system memory. It allows us to detect malware hiding in system memory (kernel memory).

System Memory scanning reads/writes to and from areas of memory in response to requests from the virus engine. 

Scan for adware/PUA Disabled

Potentially Unwanted Applications (PUAs) are applications like PC surveillance software and joke applications. SophosLabs include detection for known PUAs in the threat detection data that's included in your Endpoint Security and Control updates.

This setting is disabled by default, as we recommend that you first authorize legitimate applications, such as administration tools. Do this by performing a scheduled scan of your network and identifying the legitimate applications and authorizing them, and then switch on on-access scanning to block unauthorized applications in the future. For more detailed instructions, see the Administrator's rollout guide for potentially unwanted application (PUA) protection.

If you enable this setting without first setting up exclusions, your network may be flooded with alerts about PUA detections. You can work through the alerts that are generated and set up exclusions in Enterprise Console to clear them up. However, this may take some time. Note that you will have to run a scheduled scan to clean up any PUAs that are found.

The Labs review their PUA definitions periodically to ensure that new programs that have malicious or unethical intent can be blocked from your network. You can suggest new PUA at:

Scan for suspicious files (HIPS) Disabled

Suspicious files are files that contain code that is commonly used in malware. Because there is no way for an anti-virus scanner to know the context of a file (for instance, to know that file that's written by one of your software engineers is safe), we report on all possible suspicious files. This may lead to a few unwanted detections, but we feel that it's important to highlight all potentially dangerous files so that a human can then provide the context for them.

This setting is disabled by default, as we recommend that you first authorize legitimate files, such as those written by your employees. Do this by performing a scheduled scan of your network and identifying the legitimate files and authorizing them in Enterprise Console, and then switch on on-access scanning to detect suspicious files in the future.

For more information about HIPS, please see the following knowledgebase article: 48765

On access scanning:
On read

We recommend that you always use this setting when on-access scanning is switched on. On-read scanning ensures that any files that are accessed are scanned before being opened or used.

On access scanning:
On write
Disabled This setting is disabled by default because it can affect system performance. However, this is a very useful setting, especially on file servers, where there are many more writes than reads. If you can. we recommend enabling this setting to provide more protection than on-read scanning alone.
On access scanning:
On rename

On rename is useful in at least two (uncommon) situations.

The first is for detecting malicious files. When a malicious file is installed on your computer, it may have an extension that doesn't exist, such as .abc. When it is set to execute, the file may be renamed to .exe. Also, malware may write a file to a location and then save it to another location with a new name. This action is a 'rename' and would not be picked up by the on-read or on-write scans.

The second situation where on-rename scans are useful is for scanning downloaded files. Some browsers download a file with a temporary name that is not in the default extension list and later rename to the correct name when the download is complete. Thus a downloaded .exe might not be scanned even if on-write scanning is enabled.

Therefore, if you have reason to suspect that you have a malware infection on your network, you might want to switch this setting on in your policies temporarily.

Allow access to drives with infected boot sectors Disabled This setting is used to allow access to an infected bootable removable medium or device, such as a bootable disc, floppy disk, USB flash drive, etc. It should be used under the guidance of Sophos Technical Support only.


Extensions tab

Setting name Default Comments
Scan all files Disabled

As the other on-access scan settings prevent attack from file types that are known to be used to infect computers (including file types you can define yourself), it is advisable to keep the default setting (disabled) under most circumstances.

Scanning uninfectable files in the computer when they are accessed could have significant performance impacts. For example, many applications use their own file formats for temp files. When each of these items is accessed, it would be scanned. So a program that already takes a lot of memory, such as photo editing suites or financial software, will take even longer to process as the on-access scanner scans each of the temp files it is using. Even for regular network and computer activities, the performance delays introduced by this setting are not worth the very slim possibility that the on-access scanner would detect a malicious file that wasn't included in the list of executables that are scanned by default.

However, during (or directly after) a malware attack, you will want to ensure that all components of a virus have been removed after disinfection. This should normally be done under the instruction of Sophos Technical Support.

Of course, if you feel safer knowing that your virus scanner checks all files, we suggest that you schedule a weekly scan of all files instead. Just be sure to schedule it for a time when you rarely use your computer (such as Sunday afternoon).

Scan executable and infectable files Enabled

We recommend that you always enable this setting. When enabled, this scan will check all files with executable file extensions (eg. '.EXE', '.BAT', '.PIF') or files that have the possibility of being infected (eg. '.DOC', '.CHM', '.PDF'). It also quickly checks the structure of all files, and scans them if their format is that of an executable file.

If you want to scan extra file types, you can add those file type extensions to the list of file types to be scanned using the Add button.

Scan files with no extension Enabled As files with no extension could be malware, you should always enable on-access detection.

Windows exclusions tab

We recommend that you don't set any exclusions as many files are susceptible to being infected by malware. However, there are some applications that may behave unexpectedly in conjunction with the on-access scanner, such as Microsoft Exchange/Citrix servers. If you experience problems with an application when using the on-access scanner in Endpoint Security and Control, please contact the software vendor for more information about which files to exclude from scanning.

Setting name Default Comments
Exclude remote files Disabled As the number of network storage worms increases, we recommend always keeping this option disabled (which ensures that remote files are scanned when they are accessed) to protect your network.

Mac and Linux exclusions tabs

These exclusions apply to networks that include any mix of operating systems.


Cleanup tab

Setting name Default Comments
Automatically clean up items that contain a virus/spyware Disabled

Obviously, you may want to set this to automatically clean up any malware that is found, but we've left it to you to decide: you may have your own procedures for cleaning up malware, so we wouldn't want to perform actions without your express consent. For instance, you may prefer to leave detected items in quarantine until you can deal with them.

When the on-access scanner automatically cleans up items that contain a virus or spyware, it will delete any items that are purely malware and it will try to disinfect any items that have been infected. These disinfected files should be considered permanently damaged, as the virus scanner cannot know what the file contained before it was damaged: it can only clean out the code that was injected by the virus.

Option if cleanup is not possible Deny access only

The default ‘Deny access only’ means that the virus scanner will ask you what to do before continuing. Any item it has found will stay blocked until you tell the virus scanner what to do.

The other options ‘Delete’ and ‘Deny access and move’ could be used in special circumstances (such as when Sophos Technical Support advises you to select this option).

We don’t recommend that you allow the virus scanner to automatically delete infected files, as sometimes legitimate files can be detected. If you do enable this setting, you should check the logs regularly to ensure that you haven’t deleted any important files.

Suspicious files - default action Deny access only The default ‘Deny access only’ means that the virus scanner will ask you what to do before continuing. Any items it has found will be blocked until you tell the virus scanner what to do.


HIPS Runtime Behavior settings

Setting name Default Comments
Detect suspicious behavior Enabled

This setting detects file operations as they are running. If it believes the concurrent or sets of operations that are currently running to be a threat, it will either alert you (if alert only is selected) or block the operation (if 'alert only' is disabled) .

We recommend that you use this setting in alert only mode at first and authorize any applications that are triggering unwanted detections. When you are familiar with the sorts of applications that are triggering the alerts and are confident that you've authorized the approved applications on your network, we recommend switching off 'alert only'.

Detect buffer overflow Enabled

This setting protects your computer from buffer overflow attack, and we recommend that you keep it enabled. It is crucial for detecting (and blocking, if 'alert only' is switched off) new malware from infecting your systems.

Because buffer overflows are not desirable in any circumstance, you should contact any software vendor whose application triggers a buffer overflow which you know is not malware. You should only authorize these applications if they are critical to your organization. If you encounter any suspicious buffer overflow, please contact Sophos Technical Support for help identifying and eliminating threats.

Alert only Enabled

Detecting suspicious behavior should take priority when you deploy a new Anti-Virus policy, as this alert only setting is shared with buffer overflow detection, which should be blocking possible attacks very soon after the policy is deployed. Therefore, once you have approved the legitimate programs that may be exhibiting suspicious behavior on your network, we recommend that you switch off 'alert only' without delay.


Messaging settings

We have enabled desktop messaging by default, but we have not enabled any other type of messaging. We recommend that you set up the messaging type of your choice before deploying your anti-virus and HIPS policies.

Setting name Default Comments
Enable desktop messaging Enabled

Whether or not you want to alert the end user on your computers is your choice.

This setting pops up a message on the endpoint stating what's been detected, where and how it's been dealt with. You can add your own message to be used for any event that you choose to alert the user to.

We recommend keeping this setting enabled so that the end user can contact your helpdesk in case there is a detection on their computer. You may want to add a custom message to communicate your organization's policy.

Authorization settings

This button opens a dialog that allows you to authorize the Adware and PUAs, Suspicious Files, applications exhibiting Suspicious Behavior and Buffer Overflow that have been discovered using Scheduled scans and HIPS alert only mode.

There are no pre-authorized applications or files in your anti-virus and HIPS policies.

Web scanning tab

Web content scanning scans websites for malicious content before your browser loads the page. When a web-based attack is discovered within the main web page or within a sub-element of it, the original content is blocked and replaced with a safe report page. A desktop message is generated for each piece of malicious content that is blocked. The malicious code is prevented from executing, so no clean up is necessary.

By default, the web scanning setting is set to the same as the on-access scanner. So, if on-access scanning is enabled in the policy, the web content scanning feature will also be enabled. You can set this to either be on all the time or off all the time as well.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent