Sophos Anti-Virus SBE: administrator guidelines for PUA detection
Sophos
Note:
- PUA scanning is not available for Windows 98 or Windows Me computers.
- Application Control, as used with Sophos enterprise solutions, is not available for Sophos small business solutions.
PUA is a term used to describe applications that, while not malicious, are generally considered unsuitable for business networks. The major PUA classifications are adware, dialer, non-malicious spyware, remote administration tool and hacking tool. However, certain applications that can fall into the PUA category might be considered useful by some users.
For more information about PUAs refer to the knowledgebase article Potentially unwanted applications: overview.
This article outlines a system for managing PUAs on your network. It describes how to:
- detect PUAs
- clean (remove) or authorize PUAs
- maintain PUA detection on your network.
The actual details of how to perform the individual steps described here can be found in the Sophos Control Center user manual and the on-line help.
Overview
- Detection and removal of PUAs can be configured in the Sophos Control Center. Full details are provided in the Sophos Control Center user manual and the on-line help.
- If you have not previously scanned your computers for PUAs and removed them, it is very likely that you will find PUAs on your network. In some cases, a large number of these applications may be present.
- It is advisable to only enable on-access scanning for PUAs as the final step of this procedure. This is because:
  - when on-access scanning detects a PUA, alerts are displayed on affected computers. This can cause concern if users have not previously seen PUA warnings, and could potentially generate numerous support calls to your company's IT support staff.
  - when a scheduled scan detects a PUA, it only reports to the Control Center, not to the affected computer.
- Enabling PUA scanning and implementing cleanup on your network can have the following impact on network users:
  - Users who have PUAs that they consider desirable may notice that applications have been removed from their computers without their consent.
  - To complete the removal of an unwanted PUA, users may need to restart their computers.
- Descriptions of PUAs are given on the Sophos website. Your company may want to use the information provided there to help decide on its policies regarding PUAs and whether to authorize a given PUA or to remove it.
- If your organization allows some PUAs to be on the network, you will need to configure your policies so that the specified PUAs are 'authorized'. This means that they are excluded from scanning and cleanup.
- If your organization does not allow these applications, you can regularly scan and clean your network without the need to authorize any of these PUAs.
1. Detecting PUAs
This procedure gives an overview of how to carry out PUA detection. PUA detection must be enabled separately for on-access and scheduled scans.
- Scheduled scanning - when you set up a scheduled scan, PUA scanning is enabled by default.
- On-access scanning - on-access scanning can provide protection against PUAs by intercepting files as they are accessed. Some applications 'monitor' files and attempt to access them frequently. If you have on-access scanning enabled, it detects each access, displays an alert on the affected computer and also alerts the Control Center. By default, PUA scanning is disabled for on-access scanning.
- Set up and run a scheduled scan, ensuring that PUA detection is selected and that automatic cleaning is disabled.
- If any PUAs were detected, this will be indicated in the 'Summary of threats' panel.
- In the 'Summary of threats' panel, click 'Potentially unwanted applications'.
- The 'Resolve alerts and errors' window opens displaying a full list of the PUAs which were detected on your network.
- Further information about individual PUAs can be found on the Sophos website.
- Based on your company's policy regarding PUAs, you must now decide which of these applications you will continue to run on your network, and which you wish to remove. You should view this list even if you are planning to protect against all PUAs. It may contain applications that you do not regard as PUAs, or it may contain applications about which you need more information before deciding on how to handle them.
Note: Sophos Technical Support cannot advise you on whether to remove or authorize an application - this is entirely a policy decision by your company.
- You must 'authorize' the PUAs that you want to allow on your network. PUAs that you do not want on your network must be cleaned. If you authorize an application, it can run on any computer on the network.
2. Cleaning or authorizing PUAs
Cleaning PUAs
Refer to the section 'Clean up potentially unwanted applications' in the Sophos Control Center user manual and the on-line help for detailed instructions on how to do this. The cleanup process may require you to restart the computer on which the PUA was reported.
Authorizing PUAs
Refer to the section 'Actions to take against potentially unwanted applications' in the Sophos Control Center user manual and the on-line help for detailed instructions on how to do this.
3. Maintenance
After you have completed the above procedure, the status of your network with regard to PUAs should be as follows:
- all the computers on your network have been scanned,
- all PUAs detected are listed in 'Application alerts',
- where necessary, you have authorized selected PUAs so that they are excluded from future scans,
- all unwanted PUAs have been cleaned from your network.
You must now ensure that your network is kept clear of PUAs. It is recommended that a scheduled scan with PUA scanning enabled is run on all computers once per day.
Sophos recommends that you now enable PUA scanning for on-access scanning. If a PUA is detected, by default the user of the affected computer will receive an alert. The alert will also be displayed in the Sophos Control Center.
You must decide whether to enable automatic cleaning or whether to remove detected PUAs manually, as described above. Automatic cleaning is not available for on-access scanning.
If you need more information or guidance, then please contact technical support.
- Article ID: 16102
- Created: 5 Jul 2006
- Last updated: 11 Dec 2006
