How to roll out an anti-virus and HIPS policy

We recommend that you roll out an anti-virus and HIPS policy as follows:

  1. Create different policies for different groups.
  2. Set Sophos Live Protection options. This feature delivers the most up-to-date threat protection by using the Sophos online lookup service to instantly decide whether a suspicious file is a threat and to update your Sophos software in real time. Sophos Live Protection is required by the Malicious Traffic Detection and Download Reputation features.
    • Make sure that the Enable Live Protection for on-access scanning and Enable Live Protection for on-demand scanning options are selected. If the anti-virus scan on an endpoint computer has identified a file as suspicious, but cannot further classify it as either clean or malicious based on the threat identity (IDE) files stored on the computer, certain characteristics of the file (such as its checksum and other attributes) are sent to Sophos to assist with further analysis. The Sophos online lookup service performs an instant lookup of the suspicious file in the SophosLabs database. If the file is identified as clean or malicious, the decision is sent back to the computer and the status of the file is updated automatically.
    • Select the Automatically send sample files to Sophos option. If a file is deemed potentially malicious but cannot be positively identified as malicious from its characteristics alone, Sophos Live Protection allows Sophos to request a sample of the file. When Live Protection is enabled, this option is selected, and Sophos does not already hold a sample of the file, the file itself (not just its characteristics) is submitted automatically. Submission of such samples helps Sophos to continuously enhance detection of malware without the risk of false positives.
    Caution: You must ensure that the Sophos domain to which the file data is sent is trusted in your web filtering solution; otherwise lookups and sample submissions will fail silently from the endpoint's point of view. For details, see knowledge base article 62637. If you use a Sophos web filtering solution, such as the WS1000 Web Appliance, you do not need to do anything: Sophos domains are already trusted.
  3. Detect viruses and spyware.
    1. Ensure that on-access scanning is enabled or schedule a full system scan to detect viruses and spyware. On-access scanning is enabled by default.
    2. Select cleanup options for viruses/spyware.
  4. Detect suspicious files.
    Suspicious files exhibit characteristics that are common to malware but are not, on their own, sufficient for the file to be identified as a new piece of malware.
    1. Enable on-access scanning or schedule a full system scan to detect suspicious files.
    2. Select the Suspicious files option in the scanning settings.
    3. Select cleanup options for suspicious files.
    4. Authorize any detected files that you have confirmed are legitimate and should be allowed to run.
  5. Detect malicious and suspicious behavior, buffer overflows, and malicious traffic (behavior monitoring).

    These options monitor running processes continuously to determine whether a program exhibits malicious or suspicious behavior. They catch threats that signature-based scanning has not yet identified, including attempts to exploit buffer overflow flaws in installed software.

    1. Ensure that behavior monitoring for on-access scanning is enabled. It is enabled by default.
    2. Ensure that the Detect malicious traffic option is selected.
    3. Leave the Alert only option selected at first, so that suspicious behavior and buffer overflows are detected and reported but not blocked. This option is enabled by default.
    4. Review the resulting alerts and authorize any programs or files that you want to continue to run in the future.
    5. Once the alerts have been dealt with, configure your policy to block detected programs and files by clearing the Alert only option.
    This staged approach avoids blocking programs and files that your users may need. For more information, see knowledge base article 50160.
  6. Detect adware and PUAs.

    When you first scan for adware and PUAs, the scan may generate large numbers of alerts for applications that are already in use on your network. Running a scheduled scan first lets you deal with those applications before you turn on on-access detection, which would otherwise block them.

    1. Schedule a full system scan to detect all adware and PUAs.
    2. Authorize or uninstall any applications that are detected by the scan.
    3. Select the Adware and PUAs on-access scanning option to detect future adware and PUAs.
    For more information, see knowledge base article 13815.
  7. Detect threats in web pages.

    This option blocks sites that are known to host malicious content and scans downloads for malicious content.

    1. Ensure that the Block access to malicious websites option is set to On. This option is turned on by default.
    2. Set the Content scanning option to On or As on access to scan and block malicious downloaded data. As on access, which is the default setting, enables download scanning only when on-access scanning is enabled.
    3. Authorize any blocked websites that users have a confirmed business need to access.
    4. Ensure that file reputation checking is enabled.
    Note: In addition, you can use the web control policy to control user web browsing by filtering websites in the 14 most inappropriate site categories.

For more information about setting up anti-virus and HIPS policies, see the Sophos Enterprise Console help.