Configure on-access scanning

If you use role-based administration:

  • You must have the Policy setting - anti-virus and HIPS right to perform this task.
  • You cannot edit a policy if it is applied outside your active sub-estate.

Caution: On-access scanning may not detect viruses if certain encryption software is installed. Change the startup processes to ensure that files are decrypted when on-access scanning begins. For more information on how to use anti-virus and HIPS policy with encryption software, see knowledge base article 12790.

To configure on-access scanning:

  1. Check which anti-virus and HIPS policy is used by the groups of computers you want to configure.
  2. In the Policies pane, double-click Anti-virus and HIPS.
  3. Double-click the policy you want to change.
    The Anti-Virus and HIPS Policy dialog box is displayed.
  4. In the On-access scanning panel, beside Enable on-access scanning, click Configure.
  5. To change when on-access scanning occurs, under Check files on, set the options as described below.

    Option: Read
    Description:
    • Scan files when they are copied, moved, or opened.
    • Scan programs when they are started.

    Option: Rename
    Description: Scan files when they are renamed.

    Option: Write
    Description: Scan files when they are saved or created.

  6. Under Scan for, set the options as described below.

    Option: Adware and PUAs
    Description:
    • Adware displays advertising (for example, pop-up messages) that may affect user productivity and system efficiency.
    • PUAs (Potentially Unwanted Applications) are not malicious, but are generally considered unsuitable for business networks.

    Option: Suspicious files
    Description: Suspicious files display certain characteristics (for example, dynamic decompression code) that are commonly, but not exclusively, found in malware. However, these characteristics are not sufficiently strong for the file to be identified as a new piece of malware.
    This option applies only to Sophos Endpoint Security and Control for Windows.

  7. Under Other scanning options, set the options as described below.

    Option: Allow access to drives with infected boot sectors
    Description: Allow access to an infected bootable removable medium or device such as a bootable CD, floppy disk, or USB flash drive.
    Use this option only if advised to by Sophos technical support.

    Option: Scan inside archive files
    Description: Scan the contents of archives or compressed files before they are downloaded or emailed from managed computers.
    We recommend that you leave this option turned off, as it makes scanning significantly slower.
    Users will still be protected against any threats in archives or compressed files, as any components of an archive or compressed file that may be malware will be blocked by on-access scanning:
    • When users open a file extracted from the archive file, the extracted file is scanned.
    • Files compressed with dynamic compression utilities such as PKLite, LZEXE, and Diet are scanned.

    Option: Scan system memory
    Description: Run an hourly background scan that detects malware hiding in the computer's system memory (the memory that is used by the operating system).