When Sophos Anti-Virus finds a suspicious file or program, it can only indicate that the file or behavior may be a threat. You must look at the file to determine whether you want it blocked, or whether you will authorize it. In some cases it may turn out to be a clean and legitimate file, and blocking it can prevent legitimate software from running correctly; in others, it may be unidentified malware. This article provides a decision-making process for deciding what action to take when you get an alert.
- What task was being performed at the time of the alert and what is the reported item?
If software was being installed or updated and the reported item looks like it is related to this action, the alert may be an unwanted detection triggered by the install/update process.
Legitimate programs could include installers, scheduled updating programs and other update tools, and other programs that alter the registry, processes, or program and data files.
To avoid this happening again, we advise that you configure Suspicious Behaviour Monitoring to 'alert only' mode for the duration of software installations/updates. If you have software that often updates itself, add this to the list of authorized programs instead. See Sophos Anti-Virus for Windows 2000+: authorizing suspicious items for instructions.
- Is the reported file new to the computer/network?
Has it been there for years? If not, how did it get there? If you know the history of the file, there is less chance of it being a genuine threat.
- What behavior is the suspicious item showing?
Consult the Sophos website to read a description of the suspicious item. Is the behavior reasonable for the item reported? If an otherwise legitimate file starts to behave suspiciously it could be an indication that malware has infected the machine.
- How many alerts have you seen for that file, and how frequently are they occurring?
The same behavior alert being reported every second or two is a good indication of a possible malware infection — even if the reported item is believed to be legitimate!
- What is the path to the reported item?
Is the file in the Internet cache folder? If so, have you recently downloaded any files? Did you download from a reputable website? If the reported item is in the Internet cache folder and you have not knowingly downloaded any files, there is a greater chance of it being a genuine threat.
- If, after reading this guide, you decide that the item is legitimate, authorize it. If an application is identified which you believe is fairly widely used, and you feel that the level of detection is too sensitive, please submit the file to SophosLabs and ask to have the application reviewed.
- If you decide that the item is suspicious and you are reluctant to authorize it, send it to SophosLabs for analysis.
See the knowledgebase articles Submitting samples of suspicious files to Sophos and Collecting samples blocked by on-access scanning for help on collecting and forwarding files to SophosLabs.
In some cases, Sophos may provide an update to the detection of the application that you have queried, in others it may not be appropriate. However, you have the flexibility at all times to either authorize or block any application, as is appropriate to the needs of your business.
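The questions above can be turned into a repeatable first-pass triage when many alerts arrive at once. The following is an added example written for this article, not a Sophos tool or any part of its product API: it groups constructed alert records by reported item and applies the article's criteria (raised during an install, file new to the machine, located in the Internet cache without a known download, and the same alert repeating every second or two). The record layout, the `KNOWN_HISTORY` and `KNOWN_DOWNLOADS` sets, and the scoring weights are this example's own assumptions; the final decision to authorize or block still rests with the administrator.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts; the field names are this example's assumption,
# not the layout of any Sophos log.
SAMPLE_ALERTS = [
    # An installer touching the registry once while setup is running.
    {"time": "2023-01-10T09:00:00", "path": r"C:\Temp\setup.exe",
     "behavior": "registry modification", "install_in_progress": True},
    # An unknown file in the Internet cache raising the same alert every second.
    *[{"time": f"2023-01-10T09:05:{s:02d}",
       "path": r"C:\Users\a\AppData\Local\Microsoft\Windows\INetCache\IE\x1.exe",
       "behavior": "process injection", "install_in_progress": False}
      for s in range(10)],
    # A long-known updater behaving as expected, a single alert.
    {"time": "2023-01-10T09:10:00", "path": r"C:\Program Files\Vendor\updater.exe",
     "behavior": "file modification", "install_in_progress": False},
    # A newly appeared program with one alert and no other indicators.
    {"time": "2023-01-10T09:12:00", "path": r"C:\Program Files\NewTool\tool.exe",
     "behavior": "file modification", "install_in_progress": False},
]

# Files whose history the administrator already knows (constructed).
KNOWN_HISTORY = {r"C:\Program Files\Vendor\updater.exe", r"C:\Temp\setup.exe"}
# Downloads the user acknowledges making (constructed; empty means none).
KNOWN_DOWNLOADS = set()

# Folder name fragments that mark the browser's Internet cache (assumed).
CACHE_MARKERS = ("\\inetcache\\", "\\temporary internet files\\")


def is_in_internet_cache(path):
    """True if the path lies under a known Internet cache folder."""
    lowered = path.lower()
    return any(marker in lowered for marker in CACHE_MARKERS)


def median_interval_seconds(times):
    """Median gap between consecutive ISO timestamps; None if fewer than two."""
    if len(times) < 2:
        return None
    stamps = sorted(datetime.fromisoformat(t) for t in times)
    gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
    return gaps[len(gaps) // 2]


def triage(alerts, known_history, known_downloads):
    """Score each reported item against the article's questions.

    Returns {path: (score, verdict, reasons)}. Higher scores mean more
    indicators of a genuine threat; the weights are illustrative.
    """
    by_path = defaultdict(list)
    for alert in alerts:
        by_path[alert["path"]].append(alert)

    results = {}
    for path, items in by_path.items():
        score, reasons = 0, []
        # Alerts raised only while software was being installed or updated
        # are often unwanted detections of the install process itself.
        if all(a["install_in_progress"] for a in items):
            score -= 2
            reasons.append("raised during an install/update")
        # A file with no known history on the machine deserves more scrutiny.
        if path not in known_history:
            score += 1
            reasons.append("file is new to the computer")
        # Internet cache location with no acknowledged download.
        if is_in_internet_cache(path) and path not in known_downloads:
            score += 2
            reasons.append("in Internet cache, not knowingly downloaded")
        # The same alert every second or two points to a possible infection,
        # even when the reported item is believed to be legitimate.
        gap = median_interval_seconds([a["time"] for a in items])
        if len(items) >= 5 and gap is not None and gap <= 2:
            score += 3
            reasons.append(f"{len(items)} identical alerts about {gap:.0f}s apart")

        if score >= 3:
            verdict = "keep blocked, send to SophosLabs"
        elif score <= 0:
            verdict = "likely legitimate, authorize"
        else:
            verdict = "review manually"
        results[path] = (score, verdict, reasons)
    return results


if __name__ == "__main__":
    for path, (score, verdict, reasons) in triage(
            SAMPLE_ALERTS, KNOWN_HISTORY, KNOWN_DOWNLOADS).items():
        print(f"{score:>2} {verdict:<32} {path}")
        for reason in reasons:
            print(f"      - {reason}")
```

The "review manually" band exists on purpose: a single alert about an unfamiliar file carries one indicator, which is exactly the case where the article asks you to read the behavior description on the Sophos website before deciding. Repeated alerts from a trusted path still score high, matching the article's warning that frequency matters even for items believed legitimate.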