Comment: Migrated to Confluence 4.0

As with desktop computers, policies can be established for servers, which may or may not match the policies for workstations:

...

  1. Anti-Virus Scan Time Policies -- You can determine what time and what actually gets scanned when you choose the Full Anti-Virus Management model for your servers.  At this time, servers are scanned one to three times a week at the following times (assuming the system is left on at the time the anti-virus scan is initiated).  This is not to say there can't be more policies to accommodate other times or days; it's just that, to this point in time, no one has requested scans at any other times or days than those listed below:
    • 12:00 AM midnight (Tues., Thurs., Sat.)
    • 1:00 AM (Tues., Thurs., Sat.) 
    • 2:00 AM (Tues., Thurs., Sat.)
    • 3:00 AM (Tues., Thurs., Sat.)
    • 4:00 AM (Tues., Thurs., Sat.)
    • 5:00 AM (Tues., Thurs., Sat.)
    • 6:00 AM (Tues., Thurs., Sat.)
    • 7:00 PM (Fridays)
    • 7:00 PM (Thursdays)
    • 9:00 PM (Mon., Wed., Fri.)
    • 10:00 PM (Mon., Wed., Fri.)
    • 11:00 PM (Mon., Wed., Fri.)
    • 11:00 PM (Tues., Thurs.)
  2. Anti-Virus and Host Intrusion Prevention System Policies -- Components: These characteristics of the Sophos product help to form the "policy" by which anti-virus scanning, management and malware remediation take place.  By adjusting these components for groups of computers or servers, variations in how the product performs for that particular group can be achieved.  For example, you might want "On-access scanning" for workstations and laptops, but you wouldn't want it for servers, as it may dramatically reduce the performance of a server.
    • Authorization -- Authorization or denial of applications to run on a system is based upon a number of criteria
    • Messaging -- Messages to the user or to Sophos administrators can be set to go out (or not) through email.
      • Desktop Messaging -- In order to minimize the need for user involvement, desktop messaging has been turned off
      • Email Alerting -- This has been enabled, so Desktop Support personnel and Sophos Administrators can be notified of virus problems early in the detection process
      • SNMP Messaging -- Not in use at this time
      • Event Log -- We make extensive use of virus event logs so that what happens during a virus outbreak on campus can be followed up
    • Sophos Live Protection -- "Live Protection" provides the most up-to-date threat protection through an online lookup service at Sophos.com in real time. We have this enabled and automatically send sample files to Sophos for further forensic analysis.
    • Suspicious Behavior (HIPS) -- The "Host Intrusion Prevention System" is set up on the Enterprise Console to detect suspicious behavior and buffer overflows.  There is an option to "Alert Only" if it finds a file that is acting in a suspicious manner, but this has been turned off, so the system will try to deal with the suspicious file.
    • On-Access Scanning -- On-access scanning is at the heart of what we do to protect computers on campus.
      • Scanning -- What to scan
        • Check Files Upon . . .  -- The anti-virus system has been set up to check files whenever a user "reads" a file.  There are options to also check files when they are written or renamed, but these are not currently turned on.
        • Scan For -- The set-up currently provides for Adware and PUAs (Possible Undesirable Applications) and Suspicious Files.  We don't currently scan for Macintosh viruses, as this service is currently deployed only to IBM-type PCs on campus.
        • Other Scanning Options -- There are options to allow access to drives with infected boot sectors and to scan (or not scan) inside archive files (scanning inside archives is not recommended due to its high toll on performance).
      • Extensions -- Files with specific extensions to scan or not scan (e.g. .exe, .pdf, etc.).  We choose not to scan all files for performance reasons, but we do choose to scan files with no extension and other executable and/or vulnerable file types
      • Exclusions -- We can choose to exclude specific file types, application-type files (like Thunderbird files), specific files, or drive and folder designations.  For obvious reasons, we also choose not to scan remote files.
      • Mac Exclusions -- We can choose the same specific types of exclusions provided for Windows files for Macs
      • Linux/Unix Exclusions -- If we scan Linux/Unix systems, we can choose the same specific types of exclusions provided for Windows files and Mac files
      • Clean-Up -- We can choose what to do (or not do) automatically when viruses, suspicious files, spyware and other malware are found on a system.  Currently, we automatically clean up these items by deleting all viruses and spyware and denying access to suspicious files by moving them to a safe location on the hard drive.
    • On-Access Scanning -- On-access scanning is disabled for servers for performance reasons
    • Web Protection -- When users inadvertently or intentionally attempt to go to specific websites, we choose to block access to any malicious websites and provide on-access scanning in a similar fashion on content downloaded from a website.  Usually, websites are not accessed from servers, but if they are, protection has been turned on in order to protect the system
    • Scanning Schedule -- The Scanning Schedule allows us to choose what to scan (and what not to scan), and schedule the scan to occur on specific days and at specific times
    • Extensions and Exclusions -- Just like "On-Access Scanning", scheduled scans can be set to exclude or include specific file extensions and file types
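The on-access rules above (check on read only, scan extensionless and executable types but not every extension, skip remote files, honour application exclusions, do not look inside archives) each leave a visible gap in coverage. The following is an added example, not Sophos code and not part of the original page: a small Python model of those documented rules that, for a set of constructed file-access events, reports which ones the policy would leave unscanned and why. The extension list, the Thunderbird folder name, the mapped-drive letter and the sample paths are assumptions chosen to illustrate the rules, not values taken from the Enterprise Console.

```python
"""Model of the documented on-access scanning policy (constructed example).

Not Sophos code: it encodes the rules stated on the page so a reviewer can
see which file-access events would fall outside on-access scanning.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Assumption: extensions treated as "executable and/or vulnerable file types".
SCAN_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".ps1",
                   ".vbs", ".js", ".pdf", ".doc", ".docm", ".xls", ".xlsm"}
# Assumption: archive containers; the page says scanning *inside* them is off.
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".cab"}
# Assumption: folder names covered by an "application type" exclusion.
EXCLUDED_FOLDER_NAMES = {"thunderbird"}
# Assumption: drive letters mapped to network shares (treated as remote).
MAPPED_DRIVES = {"Z:"}


@dataclass(frozen=True)
class FileEvent:
    path: str
    operation: str  # "read", "write" or "rename"


def is_remote(path: PureWindowsPath) -> bool:
    """UNC paths and mapped network drives count as remote files."""
    return str(path).startswith("\\\\") or path.drive.upper() in MAPPED_DRIVES


def matches_exclusion(path: PureWindowsPath) -> bool:
    """True when any folder on the path is an excluded application folder."""
    return any(part.lower() in EXCLUDED_FOLDER_NAMES for part in path.parts)


def on_access_decision(ev: FileEvent) -> Tuple[bool, str]:
    """Return (scanned, reason) for one file-access event under the policy."""
    if ev.operation != "read":
        # Only check-on-read is enabled; the file is examined on its next read.
        return False, f"check-on-{ev.operation} is not enabled"
    path = PureWindowsPath(ev.path)
    if is_remote(path):
        return False, "remote files are not scanned"
    if matches_exclusion(path):
        return False, "path matches an application exclusion"
    ext = path.suffix.lower()
    if ext == "":
        return True, "extensionless files are scanned"
    if ext in ARCHIVE_EXTENSIONS:
        # Assumption: the container itself is checked, its contents are not.
        return True, "archive scanned as one file; contents inside are not"
    if ext in SCAN_EXTENSIONS:
        return True, f"{ext} is on the scan list"
    return False, f"{ext} is not on the scan list"


def unscanned(events: List[FileEvent]) -> List[Tuple[str, str, str]]:
    """List (path, operation, reason) for every event the policy leaves unscanned."""
    gaps = []
    for ev in events:
        scanned, reason = on_access_decision(ev)
        if not scanned:
            gaps.append((ev.path, ev.operation, reason))
    return gaps


# Constructed sample events covering each rule in the policy.
SAMPLE_EVENTS = [
    FileEvent(r"C:\Temp\installer.exe", "read"),
    FileEvent(r"C:\Temp\installer.exe", "write"),
    FileEvent(r"\\fileserver\share\tool.exe", "read"),
    FileEvent(r"C:\Users\alice\AppData\Roaming\Thunderbird\Mail\Inbox", "read"),
    FileEvent(r"C:\Temp\dropped", "read"),
    FileEvent(r"C:\Temp\notes.txt", "read"),
    FileEvent(r"C:\Temp\payload.zip", "read"),
    FileEvent(r"Z:\shared\report.pdf", "read"),
]

if __name__ == "__main__":
    for path, op, reason in unscanned(SAMPLE_EVENTS):
        print(f"NOT SCANNED  {op:6s} {path}  ({reason})")
```

Running the model over the sample events shows that five of the eight accesses are never examined on access: the write, both remote paths, the excluded mail folder and the plain text file. The point for a server policy is that these are exactly the cases the scheduled scan (with its own extensions and exclusions) has to cover, so the two policies should be read together rather than tuned independently.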