When will the version 1.0.0.0 tool be updated to support the 'PIF' vulnerability as well? I'd like to take care of both issues at the same time if at all possible.
"Hi AdmV0rl0n (I think I got it right),
Just to clarify some stuff,
The identity we released is specific for the exploit and is not targeting a specific type of malware. What it does is block use of the exploit preventing malware from exploiting the vulnerability. The vulnerability is well documented and we have been working with the rest of the community which is what allowed us to create the identity.
This works with SAV 7 as well,
Hope this clarifies this,
Shai Gelbaum
Product Manager"
You mean the identity is able to see and deal with existing code that tries to use the exploit. The vuln was not well documented (and I remain unimpressed with the MS version 1.2 which is still underplaying this threat), and early on people downplayed this exploit (yes, even Sophos) mistakenly, and I personally don't think all of the angles are covered.
Further, the tool you offered was nicely presented, but later the open question exists on whether it works on local drives.
It's one thing to offer a product, and be conclusive on what your products do, but I get concerned that people are claiming they have closed off 'exploits' rather than closed off known viruses that attempt to use said exploits.
So let's bring this to a close.
A/ Does Sophos close and block the exploitation of this exploit 100%?
This claim would equate to people not bothering to patch the exploit because YOU are indicating you've dealt with it.
B/ Or does Sophos stand by that it stops exploitation of this exploit in cases where Sophos have seen and can use HIPS in lab and in submitted cases - and impresses on all to get patched as it's still regarded as critical?
Or C/ another statement...
DS