Sophos Window Shortcut LNK Tool

When will the version 1.0.0.0 tool be updated to support the 'PIF' vulnerability as well? I'd like to take care of both issues at the same time if at all possible.

  • Is there any malware yet detected, which is using .PIF file?

    All I have seen are using .LNK files.
  • At the end of the article it says "Please note: Existing Sophos Endpoint customers are already protected from the Windows Shortcut Exploit and do not need to install this tool."

    Personally, whoever wrote the above is treading a very fine line. I believe that to be 100% untrue. If anyone from Sophos would like to confirm that this protects people from the exploit rather than just known and seen code, then please step up to the plate.

    Presumably Sophos would be so brazen as to claim next that no MS customers running Sophos AV need to bother patching the exploit.

    Darren
  • Hi AdmV0rl0n,

    I feel that implementing the MS workarounds is a safer option until there's an official patch available.

    Have you disabled the Webclient NT service on clients, as one of the workarounds suggests? What applications are impacted by the Webclient service?

    Did you deploy the Sophos tool or the MS workarounds?
    I cannot do either. I'm in the unfortunate position that 'leaders' in my company keep reading things like this Sophos announcement and continue to live in la la land. Therefore, they at this time believe Sophos will save their universe and they can ignore the exploit in glorious ignorance, and security in general.

    I have to say, it's not the first time in the event timeline of this LNK issue that I have found a comment or statement from Sophos to be worryingly off the mark. Early on they downplayed this despite it being seriously obvious how bad this exploit was, and how it was going to be exploitable in a vast number of ways.

    The web service is required in co because we are a SharePoint house. So it's not likely that will be closed off unless a Sasser-level event hits.
  • Hi,

    I wanted to answer some of the questions here:

    1. For existing Sophos customers, SophosLabs added an identity called Exp/Cplink-A. The identity uses the same logic as the tool, in addition to protection from PIF exploits.
    2. PIF files: so far we haven't seen any attacks using PIF files. We are investigating ways of implementing PIF protection in a tool, but it is trickier than the LNK files and we don't want to release it until it meets our quality criteria.

    Hope this helps,

    Shai Gelbaum

    Product manager
  • "The web service is required in co because we are a SharePoint house. So it's not likely that will be closed off unless a Sasser-level event hits."

    We're using SharePoint too in our environment, but I can still modify documents even with the Webclient NT service disabled on my client. I think disabling this service affects only certain operations, like copy-pasting files from your workstation to the SharePoint portal.
  • Shai:

    Thanks for your reply (too many companies don't bother monitoring discussions like this).

    1. The web page with the YouTube video (and a couple of other articles/blogs) says that the tool only works on external storage devices. Is this true? (If yes, too bad; it is a severe limit on an apparently brilliant tool, one that appears to be much better than the "official" MS workaround.)

    If 1 is false ...

    2. Does the tool check LNK files being downloaded from the internet to the local drive (C:)?

    3. Does the tool check NEW LNK files being created on the local drive?

    PS: your site is upsetting me. This is my third try at posting these questions. The first two times your site "lost" my content when I tried to post or preview. VERY upsetting. Each time my comment is becoming less friendly, more terse...
  • Hello Ron007,

    Thanks for your perseverance. If you have issues with this site, please post them in About SophosTalk and try to describe the problem in detail. There are some 3500 posts already, so you can assume that this is not the normal behaviour. We can discuss details on the About board.

    Christian
  • Hi,

    The blog post and the video are correct: version 1.0.0 is designed to prevent attacks coming from external sources, and not ones already located on the machine. We had to find the best balance between security and usability (low false positives) and found this to be the best choice. The idea was to get a tool out there quickly that people can actually use without having extensive technical knowledge.

    Since then Sophos engineering and SophosLabs have been working on further refining this and I hope to release a new version of the tool today or tomorrow with improved protection and fixing some of the install problems people have had.

    Hope this helps,

    Shai Gelbaum

    Product Manager
  • Hi,

    We are running Sophos AV in our environment. We do not have Endpoint deployed. Are we protected in this case by the shortcut signature, or do we need to deploy the tool?

    Thanks