Sophos policy not updating
Computers running Sophos PureMessage check for updates every 15 minutes.
Computers that are not running Sophos PureMessage check for updates every 60 minutes.
It's unclear whether the faulty antivirus update left firms open to malware or weakened the security of their systems, but it would certainly have caused problems for enterprises, since the malware removal process on managed endpoints is somewhat different from the one home users go through.
Sophos UTM is an excellent secure web gateway capable of filtering and cleaning web traffic, but it also has a special trick when it comes to protecting endpoint computers both on and off premises.
(*Note here* that the endpoint's basic Web Protection setting is not the same as Web Control: it is very basic malicious site blocking only.) The Web Control feature enables you to extend similar web protection to users when they are roaming, not just when they are on premises.
The differences between Endpoint Web Control and the full Web Protection feature are explained further below.
Scan for PUA: If enabled, on-access scanning also checks for potentially unwanted applications (PUAs).
Suspicious behavior (HIPS): If enabled, all system processes are watched for signs of active malware, such as suspicious writes to the registry, file copy actions, or buffer overflow techniques.
Web protection: If enabled, website URLs are looked up in the Sophos online database of infected websites. (This is basic malicious site blocking only, not Web Control.)
Sophos Live Protection: If the antivirus scan on an endpoint computer has identified a file as suspicious, but cannot further identify it as either clean or malicious based on the Sophos threat identity (IDE) files stored on the computer, certain file data (such as its checksum and other attributes) is sent to Sophos to assist with further analysis. Only the checksum and attributes leave the endpoint at this stage, not the file content.
Send sample file: If a file is considered suspicious, but cannot be positively identified as malicious based on the file data alone, you can allow Sophos to request a sample of the file. If this option is enabled and Sophos does not already hold a sample of the file, the file is submitted automatically. Because this uploads the file itself, check it against your data-handling requirements before enabling it on endpoints that process sensitive documents.
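The Live Protection and Send sample file options above describe a two-stage escalation: the local IDE scan decides what it can, a checksum plus attributes goes to the cloud only for files it cannot classify, and the file content itself is uploaded only when sample submission is enabled and Sophos does not already hold the sample. The following simulation is an added example, not Sophos code: the scan heuristics, the verdict table, the metadata fields and the `Cloud`/`Endpoint` classes are assumptions used to make the sequence explicit and testable; the sample inputs are constructed and contain no real malware.

```python
"""Simulation of the endpoint -> Live Protection cloud escalation described above.

Added example (not Sophos code). Assumed: a 'PACKED:' prefix stands in for a
heuristic that makes a file 'suspicious', a fixed byte string stands in for a
known-bad IDE signature, and the cloud is a dict of SHA-256 -> verdict.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files (assumptions; none of these are real malware).
PLAIN_FILE = b"plain text document"
KNOWN_BAD_FILE = b"KNOWN-BAD-SIGNATURE" + b"\x90" * 16
PACKED_CLEAN_TOOL = b"PACKED:legitimate compression utility v1.0"
PACKED_NEW_FILE = b"PACKED:never seen before"


@dataclass
class Cloud:
    """Stand-in for the Live Protection cloud: verdicts by hash plus held samples."""
    verdicts: dict = field(default_factory=dict)
    samples: set = field(default_factory=set)

    def lookup(self, metadata: dict) -> str:
        # Only the checksum (and attributes) are consulted; file content never arrives here.
        return self.verdicts.get(metadata["sha256"], "unknown")

    def submit_sample(self, data: bytes) -> None:
        self.samples.add(sha256(data))


def demo_cloud() -> Cloud:
    """Cloud that already knows the packed tool is clean (the 'marked clean' case)."""
    return Cloud(verdicts={sha256(PACKED_CLEAN_TOOL): "clean"})


@dataclass
class Endpoint:
    live_protection: bool = True
    send_sample: bool = False


def local_scan(data: bytes) -> str:
    """Stand-in for IDE-based scanning: 'clean', 'malicious' or 'suspicious'."""
    if b"KNOWN-BAD-SIGNATURE" in data:
        return "malicious"
    if data.startswith(b"PACKED:"):
        return "suspicious"
    return "clean"


def classify(ep: Endpoint, cloud: Cloud, data: bytes) -> dict:
    """Run the escalation and record exactly what left the endpoint."""
    result = {"verdict": None, "source": "local", "sent_metadata": False, "sent_sample": False}
    verdict = local_scan(data)
    # Stage 1: a definite local verdict, or Live Protection off, ends the flow here.
    if verdict != "suspicious" or not ep.live_protection:
        result["verdict"] = verdict
        return result
    # Stage 2: checksum and attributes only.
    metadata = {"sha256": sha256(data), "size": len(data)}
    result["sent_metadata"] = True
    cloud_verdict = cloud.lookup(metadata)
    if cloud_verdict != "unknown":
        result.update(verdict=cloud_verdict, source="cloud")
        return result
    # Stage 3: content is uploaded only if the policy allows it and the sample is not already held.
    if ep.send_sample and metadata["sha256"] not in cloud.samples:
        cloud.submit_sample(data)
        result["sent_sample"] = True
    result.update(verdict="suspicious", source="cloud")
    return result


if __name__ == "__main__":
    cloud = demo_cloud()
    for label, ep in (("no samples", Endpoint()), ("send samples", Endpoint(send_sample=True))):
        print(label, classify(ep, cloud, PACKED_NEW_FILE))
```

The `sent_metadata` / `sent_sample` flags are the point of the exercise: with Send sample file disabled an unknown suspicious file stays suspicious and nothing but its hash leaves the machine, which is the trade-off to weigh when deciding whether to enable sample submission.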
Sophos apologized in a blog post and pointed to a knowledge base article, which included steps to help mitigate the non-existent 'outbreak': "If you have Live Protection enabled, you should stop seeing these detections eventually as the files are now marked 'clean' in the Live Protection cloud."