The Usual Sus/Pects

With the SAV7 release Sophos introduced the Sus/ detection class (Suspicious files), designed to cater for the more paranoid among us by utilizing looser-style generic identities. These looser identities detect characteristics that are deemed questionable enough to warrant concern but may not actually be of a malicious nature.

The reporting of suspicious files are off by default – this may change in future releases, but can easily be enabled.
Suspicious files configuration

An expected result of this was a sharp increase in concerned customers who enabled the Suspicious Behaviour option and suddenly got Sus/ detection on software they’ve had since the dawn of time.

Customers that get Sus/ detections on such files are in a good position to determine the legitimacy of said files and can proceed to authorise them immediately (see our KnowledgeBase article). At the same time, to improve our generic detection we (SophosLabs) would like Sus/ samples submitted for analysis.


Installers will often drop components to the Temp folder which may sometimes get detected by the On-Access scanner as a Sus/ but due to the transient nature cannot be authorised. Turning off SAV for the Temp folder is not advised however since there exist a plethora of malware that also install there, some of which look like real installers (see Troj/Zlob family).

The modern threat landscape warrants a more aggressive approach to proactive detection which entails a higher rate of unwated detections that we try to minimise. So if you do turn on Suspicious Behaviour identities and do get the odd unexpected Sus/ then don’t panic and feel free to authorise the file if you know it’s clean. Of course we’d love to see any sample that triggers detection for further analysis and improvement of our systems.