In normal use you should run Sophos Anti-Virus for Windows 2000+ with the default settings. The more items you check, particularly with on-access scanning, the more system resources will be taken up by scanning. This could, for example, cause high CPU usage when starting up.
Applies to the following Sophos product(s) and version(s):
Sophos Endpoint Security and Control 9.7
Note: For recommended on-access settings for Endpoint 10 please see article 114345.
The default scanning settings are:
- on-read scanning 'on'
- on-write scanning 'off'
- on-rename scanning 'off'
- on-access scanning of archive files 'off'
- on-access scanning for potentially unwanted applications 'off'
- all files scanning 'off'.
In certain circumstances switching the above features 'on' may be useful, but they are not necessary in normal use.
On-read scanning should be switched on in practically all circumstances. On-access scanning provides virus checking for your workstations. All files that are opened by the computer are checked before they are run.
On-write scanning is useful when tracking the source of infection on your network, or if infected files are being written from over the internet. Files written to your hard drive by your computer, or another computer, will be checked when they are created. This will prevent a virus from spreading infected files over all open shares on your network.
On-write scanning is not enabled by default in version 9.7 (and lower) as it can impact system resources. In version 10.x it is enabled by default due to improved scanner functionality.
You should not need to use on-write scanning for version 9.7 (or lower) if your network:
- is clear of infection
- is fully patched
- has up to date anti-virus software
- has a working firewall.
On-write scanning is particularly useful in tracing a virus that is spreading across network shares. In these circumstances you should implement on-write scanning, but you should also check the use of file sharing on your network, particularly the security of administrative shares.
On-rename scanning can be useful in similar circumstances to on-write scanning, except that the file involved will have been written as if it were a non-executable file, then renamed to make it executable. You should use on-rename scanning in the same circumstances as on-write scanning.
On-access scanning of archived files
On-access scanning of archived files consumes a lot of memory. If on-access scanning of archived files is in use, every time such a file is viewed in Windows Explorer the contents of that file will be fully checked. If the file is a self-extracting archive, the self-extractor component will be checked with the default on-access scanning settings. So checking the whole file, every time, with on-access scanning is unnecessary.
The increased memory and CPU usage caused by scanning archived files is wasted if the file is not then accessed. You should not need to use on-access scanning of archives on a workstation.
- If you need to check an archive before opening it, use a right-click scan. The contents of the file will be checked by on-access scanning anyway, before you run them.
- If you need to check a group of archived files, place them all in the same folder and right-click scan that folder.
- If you need to check archived files on a file server, use a scheduled scan.
On-access scanning of archived files could be useful where a server is checking files before forwarding them to client workstations, e.g. as part of through traffic. It should not be part of a standard network setup.
On-access scanning for potentially unwanted applications
Potentially unwanted applications (PUAs) are programs whose use should be carefully managed. Some of them (e.g. network access tools or instant messaging clients) may be useful to certain workers. If such a program is already in use on your network, and it is then added by Sophos to the list of potentially unwanted applications, it will be blocked immediately.
Use scheduled scans to manage PUAs in an office environment. You can then decide which applications to allow, and which ones to block, without disrupting activity on your network.
Scanning 'All files'
An 'All files' scan should be used to check that all components of a virus have been removed after disinfection, but it is not necessary in general use.
The standard 'Executables only' scan checks all files with executable file extensions (e.g. '.DOC', '.EXE', '.LNK', '.PIF'). It also quickly checks the structure of all files, and scans them if their format is that of an executable file.
- If you want to scan extra file types, you can add those file type extensions to the list of executables scanned.
- If you feel safer making an occasional check of all files on your computer, set up a weekly scheduled scan at a quiet time (e.g. Sunday afternoon).
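The selection logic described above (extension list first, then a quick check of the file's structure) can be sketched as follows. This is an added illustration, not Sophos code: the function names, the short extension list (taken from the examples on this page), the three file signatures and the sample files are assumptions made for the example.

```python
import tempfile
from pathlib import Path

# Extensions the page gives as examples; a real product list is longer.
EXECUTABLE_EXTENSIONS = {".doc", ".exe", ".lnk", ".pif"}
# Well-known leading bytes of formats that can carry executable content
# (chosen for this illustration).
EXECUTABLE_MAGIC = {
    b"MZ": "DOS/PE executable",
    bytes.fromhex("d0cf11e0a1b11ae1"): "OLE2 compound document",
    bytes.fromhex("4c00000001140200"): "Windows shortcut",
}

def sniff_format(path):
    """Return the executable format named by the file header, or None."""
    with open(path, "rb") as handle:
        header = handle.read(8)
    for magic, name in EXECUTABLE_MAGIC.items():
        if header.startswith(magic):
            return name
    return None

def scan_decision(path, all_files=False, extra_extensions=()):
    """Return (should_scan, reason) for one file under the chosen mode."""
    if all_files:
        return True, "all-files mode"
    ext = Path(path).suffix.lower()
    if ext in EXECUTABLE_EXTENSIONS | {e.lower() for e in extra_extensions}:
        return True, "extension " + ext
    fmt = sniff_format(path)
    return (True, "structure: " + fmt) if fmt else (False, "not executable")

def demo():
    """Write constructed sample files and return the decision for each."""
    samples = {
        "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "update.tmp": b"MZ\x90\x00" + b"\x00" * 60,  # executable format, data extension
        "notes.txt": b"plain text, nothing to run\n",
        "report.xyz": b"plain text\n",  # scanned only because .xyz is added below
    }
    results = {}
    with tempfile.TemporaryDirectory() as folder:
        for name, content in samples.items():
            path = Path(folder, name)
            path.write_bytes(content)
            results[name] = scan_decision(path, extra_extensions=(".xyz",))
    return results

if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The `update.tmp` case shows why the structure check matters: a file written under a non-executable name is still selected for scanning in 'Executables only' mode.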
When scanning all files on a computer, bear in mind:
- An 'all files' scan can take considerably longer than an executables only scan.
- You should rarely, if ever, need to remove a non-executable file.
- Take care when removing files with an 'all files' scan. You might remove mailboxes with one infected email in them, or archive files containing only one infected file among many others.