VCU Sophos PUA Manual


What’s A PUA?

A PUA is a Potentially Unwanted Application. The key word here is potentially. In some cases, it may be adware or hacking tools installed on your computer. In other cases, it may be something you installed and want to use on your computer (Weatherbug is an example).

Scanning for PUAs

If you’ve downloaded and installed the Sophos package from Technology Services’ public web site, your version of SophosAV will automatically scan for PUAs. We’ve set up the program to do these scans in the background on Wednesday, Friday and Sunday at noon and 6 pm. These scans will only occur if your computer is turned on.

Once a scan is completed, it will populate your quarantine with the names of the PUAs it finds on your computer. Unlike viruses and spyware, PUAs in your quarantine list will not stop running unless you remove them. If you’re not worried that any of these programs might cause problems, you don’t need to do anything. You just need to know they will be listed in your quarantine list. However, if you are worried that one of these programs might do something bad, you can remove it from your computer using your Sophos interface.

If you do choose to pay attention to PUAs, once you allow a PUA, Sophos won’t mark it on subsequent scans. Subsequent scans will only catch and mark new PUAs it finds.

To check now for PUAs, scan your computer. It will start as soon as you click on Scan My Computer. This may take a few minutes.

Working in Quarantine Manager

To see if Sophos has found any PUAs, open Sophos (right-click on the blue shield on your system tray and choose Open). Then click on Manage Quarantine Items.

You’ve opened up the Quarantine Manager.

Click on the Applications Tab to open up the PUA list. You’ll see a list of PUAs your computer found during the scan. Here is where you can decide if you want to remove any of the PUAs.


Learning About PUAs

How to decide if you want to remove a program? Well, depends… if you recognize a program, you probably want to keep it. If you don’t recognize it, or you installed the program, but now you’re worried because it showed up on the PUA list, you can double-click on the name of the program. This will bring up a web site from Sophos with information about the program to help you decide.

Clicking on the tabs brings up different information. If you decide you want to remove the application, there are instructions for removal on the Recovery tab.

You may also be able to remove the application from the Sophos Quarantine Manager.

How to Remove a PUA

Click on the box next to the item. If you see the Cleanup button enabled you can clean the PUA from the computer. Click on Cleanup. This message will come up:

Click on Yes to All.


Then the removal process will continue:

And POOF, it’s gone! Click Close.

Allowing PUAs in Quarantine Manager

Okay, so what if you want to allow a PUA? That’s easy too. From that same window, click on the box next to the name of the application you want to allow, and click on Authorize. That’s it! You’ve allowed that application to run.

How to Manage PUAs

So what if you want to see what PUAs your computer has found, and which ones you have allowed to run? That’s easy too.

Click Configure Sophos Anti-Virus


Click Authorized Application List

You will see a list of applications. Those on the left have been found by Sophos, and those on the right are found applications that you have authorized.

You can manage your allowed applications from this window. To allow an application, select the application from the Known Applications list. The Add button will become available. Click on the Add button and the application will move over to your Authorized application list. Then click OK. That’s all you have to do. Unless there’s a change in the program, it shouldn’t show up in your Quarantine list again.

Anything you leave in your Known applications list will continue to run unless you remove it. It will not hurt anything if you leave it in this list while you decide what to do, but know that if you think it is something you don’t want, you will need to follow the instructions above to remove it.

Disallow an application by doing the reverse: Click on an application on the Authorized application list, then click Remove to put it on the Known applications list. After a scheduled scan or manual scan, the application will appear in Quarantine Manager again. There you can remove it from the computer if you wish.


How to Block PUAs

You can set Sophos up to completely block PUAs from running, unless they’ve been authorized on the Authorized application list (as in the above section).

Disclaimer: This is not something you should do unless you know that you won’t want to run any PUAs in the future. Blocking PUAs may mean that programs you may want to run will be prevented from loading, downloading or running and may have other implications.

To set Sophos to block all (non-authorized) PUAs, open Sophos and click on On-access scanning. On the Scanning tab, click on Scan for potentially unwanted application, and then click OK. Now you can close Sophos. This blocks all PUAs unless they are specifically allowed (see How to Manage PUAs above).

Installing an Application when PUAs are Blocked

If you have PUAs blocked and you attempt to download an application, Sophos will give you an alert and block the download.

If you want to allow an application to load, you’ll need to first unblock the installer package, and then, once you attempt to install the application, you’ll need to repeat the steps to allow the application to run.

When you get an alert like the one on the left, close the alert (click on the red “x” box on the top right). Then open Sophos and click on Items in Quarantine. Make sure you’re on the Applications tab. In this example, we’re attempting to install Weatherbug, so click on the box next to Weatherbug Installer and then click on Authorize at the bottom. Now you’ll have to go back and re-download the application.

This step authorizes the installer. It does not authorize the application itself.


Once the installer is downloaded, when you attempt to install the application, you’ll get another alert. Now you have to repeat the above steps again to allow the application to run. Close the alert and open Sophos, click on Items in Quarantine, make sure you’re on the Applications tab, and click on the box next to the item you’re attempting to install, then click on Authorize.

If the installer was downloaded onto your desktop (or into a folder), you can now re-install the application. If you were installing live, you may need to go back to the application’s website and re-download the application in order to install it. If you get another alert, you may need to repeat this process again to complete the install (you’ll need to do this each time you get an alert).

You can manage applications installed in this manner by following the instructions in the How to Manage PUAs section above.

The VCU default configuration provides a scan for PUAs. To learn how to create such a scan, see the handout at www.ts.vcu.edu/security/Set_up_a_scan.pdf

If you have any questions about PUAs or Sophos, you can ask the Help Desk.

Phone (804) 828-3018, e-mail [email protected], or visit www.ts.vcu.edu/helpdesk.