The policies that are established for workstations and laptops fall into two main categories:
- Anti-Virus Scan Time Policies -- When you choose the Full Anti-Virus Management model, you can determine what gets scanned and at what time. At this time, workstations and laptops can be scanned every day, 7 days a week, 365 days a year, at any of the following times (assuming the system is left on at the time the anti-virus scan is initiated). Other times are available; these are simply the only times for which anti-virus scanning has been requested so far:
  - 2:00 AM
  - 5:00 AM
  - 12:00 PM (noon)
  - 12:00 PM and 7:00 PM
  - 4:00 PM
  - 6:00 PM
  - 7:00 PM
  - 8:00 PM
  - 10:00 PM
  - 11:00 PM
- Anti-Virus and Host Intrusion Prevention System Policy Components -- These characteristics of the Sophos product help to form the "policy" by which anti-virus scanning, management and remediation take place. By adjusting these components for groups of computers or servers, you can vary how the product behaves for that particular group. For example, you might want "On-access scanning" for workstations and laptops, but not for servers, as it may dramatically reduce a server's performance.
  - Authorization -- Authorization or denial of applications to run on a system, based upon the following criteria:
    - Adware and Potentially Unwanted Applications (PUAs) -- Certain applications can be incorrectly identified as adware or PUAs. This policy allows an administrator to "set" whether the application is allowed to run on a computer.
    - Buffer Overflow -- Again, the administrator can allow or deny specific applications that seem to be misbehaving by overflowing their memory buffers. Buffer overflows are sometimes a method used by hackers to gain access to your computer, but they can also occur in a poorly written application that doesn't manage memory effectively.
    - Suspicious Files -- Some applications raise red flags by how they are named. For example, infection.exe might be something you may or may not want to run on your computer. Anti-virus programs don't know what to do with such files, so they get flagged for review by support personnel.
    - Suspicious Behavior -- Sometimes infected files are good files that have been rewritten to misbehave on a computer. If a file begins to act in a suspicious fashion on a system, it can be allowed or denied on your system by support personnel.
    - Website Blocking -- Certain websites might be blocked by the anti-virus system, or they can be "opened" by a systems administrator to allow access to them.
  - Messaging -- Messages to the user can be set to go out (or not) through email.
    - Desktop Messaging -- In order to minimize the need for users to get involved, desktop messaging has been turned off.
    - Email Alerting -- This has been enabled, so Desktop Support personnel and Sophos Administrators can be notified of virus problems early in the detection process.
    - SNMP Messaging -- Not in use at this time.
    - Event Log -- We make extensive use of virus event logs so that follow-up can occur as to what happens during a virus outbreak on campus.
  - Sophos Live Protection -- "Live Protection" provides the most up-to-date threat protection through a real-time online lookup service at Sophos.com. We have this enabled and automatically send sample files to Sophos for further forensic analysis.
  - Suspicious Behavior (HIPS) -- The "Host Intrusion Prevention System" is set up on the Enterprise Console to detect suspicious behavior and buffer overflows. There is an option for "Alert Only", but this has been turned off, so the system will remediate problems with suspicious files.
  - On-Access Scanning -- On-access scanning is at the heart of what we do to protect computers on campus.
    - Scanning -- What to scan
      - Check Files Upon . . . -- The anti-virus system has been set up to check files whenever a user "reads" a file. There are also options to check files when they are written or renamed, but these are not currently turned on.
      - Scan For -- The set-up currently scans for Adware and PUAs (Potentially Unwanted Applications) and Suspicious Files. We don't currently scan for Macintosh viruses, as this service is currently deployed only to IBM-type PCs on campus.
      - Other Scanning Options -- There are options to allow access to drives with infected boot sectors and to scan (or not scan) inside archive files (which is not recommended due to its high toll on performance).
    - Extensions -- Files with specific extensions to scan or not scan (e.g. .exe, .pdf, etc.). We choose not to scan all files for performance reasons, but we do scan files with no extension and other executable and/or vulnerable file types.
    - Exclusions -- We can exclude specific file types, application-type files (like Thunderbird files), specific files, or drive and folder designations. For obvious reasons, we also choose not to scan remote files.
      - Mac Exclusions -- The same types of exclusions available for Windows files can be chosen for Macs.
      - Linux/Unix Exclusions -- If we scan Linux/Unix systems, the same types of exclusions available for Windows and Mac files can be chosen.
    - Clean-Up -- We can choose what to do (or not do) automatically when viruses, suspicious files, spyware and other malware are found on a system. Currently, we automatically clean up these items by deleting all viruses and spyware and denying access to suspicious files by moving them to a safe location on the hard drive.
  - Web Protection -- When users inadvertently or intentionally attempt to go to specific websites, we choose to block access to any malicious websites, and content downloaded from a website receives on-access scanning in a similar fashion.
  - Scanning Schedule -- The Scanning Schedule allows us to choose what to scan (and not to scan), and to schedule the scan to occur on specific days and at specific times.
    - Scanning -- What to scan
    - Extensions and Exclusions -- Just like "On-Access Scanning", scheduled scans can be set to exclude or include specific file extensions and types.
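As an added illustration (not part of the original policy page and not Sophos's own code), the following Python sketch models the on-access decisions described under On-Access Scanning and Clean-Up: whether a file access triggers a scan given the read-only trigger, the extension list, the exclusions and the remote-file rule, and which automatic clean-up action a detection receives. The concrete extension set, excluded paths and sample access events are constructed assumptions; the page itself names only .exe, .pdf, Thunderbird files and remote files.

```python
"""Added example, not taken from the policy page or from Sophos: a model of
the on-access scanning and clean-up decisions the policy describes.
The concrete extension list, exclusion paths and sample events are
constructed assumptions for illustration."""
from pathlib import PureWindowsPath

# Assumed set of "executable and/or vulnerable" extensions. The page names
# only .exe and .pdf; the rest are constructed for the example.
SCAN_EXTENSIONS = {
    ".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".msi", ".pdf", ".doc", ".docm", ".xls", ".xlsm",
}

# Constructed exclusions: an application data folder (the page mentions
# Thunderbird files) and one specific excluded file.
EXCLUDED_FOLDERS = {PureWindowsPath(r"C:\Users\student\AppData\Roaming\Thunderbird")}
EXCLUDED_FILES = {PureWindowsPath(r"C:\Apps\legacy\updater.exe")}

# The page says files are checked on "read"; write and rename checks are off.
ON_ACCESS_OPERATIONS = {"read"}


def is_remote(path: PureWindowsPath) -> bool:
    """Treat UNC paths (\\\\server\\share\\...) as remote files, which the
    policy does not scan. Mapped drive letters are not recognised here;
    that is a simplification of this example."""
    return path.drive.startswith("\\\\")


def should_scan(raw_path: str) -> bool:
    """Apply the extension and exclusion rules to a file path."""
    path = PureWindowsPath(raw_path)
    if is_remote(path):
        return False
    if path in EXCLUDED_FILES:
        return False
    # PureWindowsPath compares case-insensitively, matching Windows semantics.
    if any(folder == path or folder in path.parents for folder in EXCLUDED_FOLDERS):
        return False
    ext = path.suffix.lower()
    if ext == "":
        return True  # files with no extension are scanned
    return ext in SCAN_EXTENSIONS


def on_access_decision(raw_path: str, operation: str) -> bool:
    """Scan only when the triggering operation is enabled and the path
    passes the extension/exclusion rules."""
    return operation in ON_ACCESS_OPERATIONS and should_scan(raw_path)


def cleanup_action(detection_kind: str) -> str:
    """Automatic clean-up as the policy states: viruses and spyware are
    deleted; suspicious files are denied access by moving them to a safe
    location (quarantine). Anything else is left for support review."""
    if detection_kind in {"virus", "spyware"}:
        return "delete"
    if detection_kind in {"suspicious_file", "suspicious_behavior"}:
        return "quarantine"
    return "review"


if __name__ == "__main__":
    # Constructed sample access events: (path, operation)
    events = [
        (r"C:\Users\student\Downloads\setup.exe", "read"),
        (r"C:\Users\student\Downloads\setup.exe", "write"),
        (r"C:\Temp\README", "read"),
        (r"C:\Users\student\Documents\notes.txt", "read"),
        (r"\\fileserver\share\tool.exe", "read"),
        (r"C:\Users\student\AppData\Roaming\Thunderbird\Profiles\abc\Inbox", "read"),
        (r"C:\Apps\legacy\updater.exe", "read"),
    ]
    for path, op in events:
        print(f"{op:5} {path:60} scan={on_access_decision(path, op)}")
    for kind in ("virus", "spyware", "suspicious_file", "adware"):
        print(f"{kind:17} -> {cleanup_action(kind)}")
```

The model shows why the exclusion order matters in practice: the remote-file and folder exclusions are evaluated before the extension rule, so an executable under an excluded folder is not scanned even though .exe is on the scan list, which is exactly the performance trade-off the policy accepts for application data such as Thunderbird's mail store.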