Sophos takes an apparently divisive action when it cleans a computer from a detected threat (adware, malware, spyware, or virus). During the clean-up, Sophos implements a threat remediation effort to not only remove the detected file but also reset dozens of Windows security-related settings to their default values.
Some people think this is Sophos overstepping its role, while others think it is a common-sense action for security software to take. The threat remediation steps change over 80 settings that are common malware targets, including enabling UAC (User Account Control), checking executable signatures on Internet Explorer downloads, un-hiding desktop icons, allowing Windows Run, and enabling Task Manager, among many others. For the full list, see Sophos Knowledge Base article 118583.
This remediation is Sophos's default behavior after a clean-up. If you need UAC disabled or some other setting to persist, you can enforce those settings specifically through Group Policy, or you can opt out of the remediation behavior entirely by creating a Registry key.
From Sophos support, here are the steps to disable and enable threat remediation:
Disabling threat remediation
- Open Regedit and navigate to the following location:
32-bit: HKLM\Software\Sophos\SAVService\Application
64-bit: HKLM\Software\WOW6432Node\Sophos\SAVService\Application
- Create a Key at this location called: CCOverride
- Threat remediation is now disabled.
Enabling threat remediation
- Open Regedit and navigate to the following location:
32-bit: HKLM\Software\Sophos\SAVService\Application
64-bit: HKLM\Software\WOW6432Node\Sophos\SAVService\Application
- Delete the Key at this location called: CCOverride
- Threat remediation is now enabled.
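As an added example (not Sophos's own tooling and not part of the original post), the following PowerShell script audits or toggles the CCOverride key from the steps above on the local machine; the script name and the -Action parameter are assumptions, and the registry paths are the ones quoted in the post.

```powershell
# Set-SophosRemediation.ps1 (assumed name, added example, not Sophos code)
# Report, disable, or enable Sophos threat remediation via the CCOverride key.
# Run from an elevated PowerShell session on the endpoint.
param(
    [ValidateSet('Status', 'Disable', 'Enable')]
    [string]$Action = 'Status'
)

# Both locations from the post; only one exists on a given machine,
# depending on whether the OS is 32-bit or 64-bit.
$candidates = @(
    'HKLM:\SOFTWARE\Sophos\SAVService\Application',
    'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\Application'
)

# Pick whichever SAVService\Application key is present.
$base = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $base) {
    throw 'Sophos SAVService\Application key not found; is Sophos Anti-Virus installed?'
}
$override = Join-Path $base 'CCOverride'

switch ($Action) {
    'Disable' {
        # The mere presence of the CCOverride key turns threat remediation off.
        if (-not (Test-Path $override)) { New-Item -Path $override | Out-Null }
    }
    'Enable' {
        # Deleting the key restores the default remediation behavior.
        if (Test-Path $override) { Remove-Item -Path $override -Recurse }
    }
}

# Always report the resulting state so the change can be verified and logged.
$state = if (Test-Path $override) { 'DISABLED (CCOverride present)' } else { 'ENABLED (default)' }
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    KeyPath           = $override
    ThreatRemediation = $state
}
```

Run `.\Set-SophosRemediation.ps1 -Action Status` across your fleet to confirm no machine has the opt-out key set unexpectedly, since anything that can create that key can silently switch remediation off.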