
Sophos Windows Shortcut LNK Tool

When will the version 1.0.0.0 tool be updated to support the 'PIF' vulnerability as well? I'd like to take care of both issues at the same time if at all possible.

  • Hi,

    If you are running Sophos Anti-Virus on your endpoints you are already protected against the Windows Shortcut Exploit. We detect it as Exp/Cplink.

  • My question is whether this IDE is valid and detected by Sophos V7, or if it is only effective if we are running Sophos endpoint protection.

  • Thu 29-Jul-2010 10:59

    Hi,

    If you are running Sophos Anti-Virus on your endpoints you are already protected against the Windows Shortcut Exploit. We detect it as Exp/Cplink.

    ^^^^ PLEASE stop claiming this or clarify.

    I may be wrong, but Sophos does not close off the 'exploit'; Sophos only guards against known code trying to traverse it. Sophos may not guard against or know about unknown code despite HIPS and the endpoint client. I asked this earlier in the thread and it's still not being absorbed by Sophos.

  • Hi AdmV0rl0n (I think I got it right),

    Just to clarify some stuff,

    The identity we released is specific to the exploit and is not targeting a specific type of malware. What it does is block use of the exploit, preventing malware from exploiting the vulnerability. The vulnerability is well documented and we have been working with the rest of the community, which is what allowed us to create the identity.

    This works with SAV 7 as well.

    Hope this clarifies this,

    Shai Gelbaum

    Product Manager

  • "Hi AdmV0rl0n (I think I got it right),

    Just to clarify some stuff,

    The identity we released is specific to the exploit and is not targeting a specific type of malware. What it does is block use of the exploit, preventing malware from exploiting the vulnerability. The vulnerability is well documented and we have been working with the rest of the community, which is what allowed us to create the identity.

    This works with SAV 7 as well.

    Hope this clarifies this,

    Shai Gelbaum

    Product Manager"

    You mean the identity is able to see and deal with existing code that tries to use the exploit. The vuln was not well documented (and I remain unimpressed with the MS version 1.2, which is still underplaying this threat), and early on people downplayed this exploit (yes, even Sophos) mistakenly, and I personally don't think all of the angles are covered.

    Further, the tool you offered was nicely presented, but the open question remains whether it works on local drives.

    It's one thing to offer a product and be conclusive about what your products do, but I get concerned that people are claiming they have closed off 'exploits' rather than closed off known viruses that attempt to use said exploits.

    So lets bring this to a close.

    A/ Does Sophos close and block exploitation of this exploit 100%?

    This claim would equate to people not bothering to patch the exploit because YOU are indicating you've dealt with it.

    B/ Or does Sophos stand by the claim that it stops exploitation of this exploit in cases where Sophos has seen it and can use HIPS, in the lab and in submitted cases, and impress on everyone to get patched as it's still regarded as critical?

    Or C/ another statement...

    DS

  • Hi,

    The identity closes off the known ways to exploit the vulnerability. There are a lot of very smart people working on both sides and it is always possible that someone finds new ways to use this that we (Sophos and the rest of the security community) haven't identified, which is why you always need to keep your system patched and your AV up to date.

    To clarify my statement a bit more, someone running SAV with up to date identities doesn't need to install the tool as the same capabilities are in SAV.

    Enjoy your weekend,

    Shai Gelbaum

    Product manager

  • Greetings!

    I have Win XP SP3 and have installed Sophos Anti-Virus via my university student account, so I don't think I have the Endpoint package.

    I have just downloaded and installed the Windows Shortcut Exploit Protection Tool.

    NOW, the only difference that I can tell is that the file SophosLinkIconHandler32.dll was put into the following folder:

    "C:\Program Files\Sophos\Windows Shortcut Exploit Protection Tool"

    Windows didn't notify me that there was a new program installed and there is nothing in the 'Start' menu.

    So my question is: Is all well? I.e., has the Windows Shortcut Exploit Protection Tool installed properly?

    Prior to installation I had no problems, so how do I know if the Windows Shortcut Exploit Protection Tool installed as it should have?

    Cheers!

    [And yes, I can speak a little German. :smileyvery-happy: ]

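The exchange above turns on what the identity actually blocks: the shortcut exploit shape rather than a particular piece of malware. As an added example (not Sophos code, not the tool's own logic, and not from any poster here), the Python script below shows what a shape-based check looks like. It parses the LinkTargetIDList of a .lnk file as laid out in MS-SHLLINK, looks for a Control Panel folder item followed by a module path, and flags paths that do not look like a .cpl applet under the system directory. The link CLSID and the Control Panel folder CLSID are the documented Windows constants; the applet item layout, the path heuristic and the three sample shortcuts are constructed for this example.

```python
"""Heuristic scanner for shortcut (.lnk) files shaped like the Control Panel
icon-handler exploit discussed in this thread.

Added example, not Sophos code. It parses just enough of MS-SHLLINK to read
the LinkTargetIDList, then looks for a Control Panel folder item followed by
an item naming the module the shell would load to draw the icon. The .lnk
samples are constructed inline, so it runs offline.
"""
import re
import struct
import uuid

LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")    # ShellLinkHeader.LinkCLSID
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")   # root folder shell item
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D") # Control Panel folder
HAS_LINK_TARGET_ID_LIST = 0x00000001                                # LinkFlags bit 0
HEADER_SIZE = 0x4C
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")                 # printable UTF-16LE runs


def parse_id_list(data):
    """Return the ItemID payloads of the LinkTargetIDList ([] if the link has none)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    (id_list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos, end, items = HEADER_SIZE + 2, HEADER_SIZE + 2 + id_list_size, []
    while pos + 2 <= end:
        (size,) = struct.unpack_from("<H", data, pos)
        if size == 0:                      # TerminalID
            break
        if size < 2 or pos + size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + size])
        pos += size
    return items


def judge_path(path):
    """Heuristic (an assumption of this example, not a Sophos rule): a benign
    Control Panel shortcut names a .cpl under the system directory; the exploit
    shape pointed the icon handler at an arbitrary module elsewhere."""
    lower = path.lower()
    if lower.startswith("\\\\"):
        return True, "module path is a UNC or device path"
    if not lower.endswith(".cpl"):
        return True, "module path does not end in .cpl"
    if "\\system32\\" not in lower:
        return True, "module path is outside the system directory"
    return False, "looks like a .cpl applet in the system directory"


def assess(data):
    """Classify one .lnk: Control Panel item present, module it names, verdict."""
    verdict = {"control_panel": False, "module_path": None,
               "suspicious": False, "reason": "no Control Panel item"}
    items = parse_id_list(data)
    for i, item in enumerate(items):
        if CONTROL_PANEL.bytes_le not in item:
            continue
        verdict["control_panel"] = True
        # Items after the Control Panel folder carry the module reference as UTF-16LE text.
        for later in items[i + 1:]:
            for run in UTF16_RUN.finditer(later):
                text = run.group().decode("utf-16-le")
                if "\\" in text:
                    verdict["module_path"] = text
                    verdict["suspicious"], verdict["reason"] = judge_path(text)
                    return verdict
        verdict["reason"] = "Control Panel item without a module path"
        return verdict
    return verdict


# --- constructed samples (not real-world .lnk files) ------------------------
def shell_folder_item(clsid, class_type=0x1F, sort_index=0x50):
    """Shell item: class type, sort index, then the folder CLSID (little-endian)."""
    return bytes([class_type, sort_index]) + clsid.bytes_le


def cpl_item(path):
    """Simplified applet item: zeroed fixed fields, then the UTF-16LE module
    path. Real items carry more fields; this layout is assumed for the example."""
    return b"\x00" * 12 + path.encode("utf-16-le") + b"\x00\x00"


def build_lnk(items):
    """Minimal .lnk: header with HasLinkTargetIDList set, then the IDList."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I16sI", header, 0, HEADER_SIZE, LINK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST)
    struct.pack_into("<I", header, 0x3C, 1)            # ShowCommand = SW_SHOWNORMAL
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return bytes(header) + struct.pack("<H", len(body)) + body


BENIGN = build_lnk([shell_folder_item(MY_COMPUTER),
                    shell_folder_item(CONTROL_PANEL, 0x2E, 0x20),
                    cpl_item("C:\\WINDOWS\\system32\\main.cpl")])
EXPLOIT_SHAPED = build_lnk([shell_folder_item(MY_COMPUTER),
                            shell_folder_item(CONTROL_PANEL, 0x2E, 0x20),
                            cpl_item("\\\\.\\STORAGE#Volume#_??_USBSTOR#Example\\~payload.tmp")])
PLAIN = build_lnk([shell_folder_item(MY_COMPUTER)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("exploit-shaped", EXPLOIT_SHAPED), ("plain", PLAIN)):
        print(f"{name:15} {assess(blob)}")
```

Run it as-is to see the three verdicts, or point `assess()` at the bytes of a real shortcut. The check is deliberately about the shape of the exploit, which is the distinction the Sophos posts draw: it does not need to know the payload, but, as the same posts concede, it only covers the ways of triggering the icon handler that are already known, so it complements patching rather than replacing it.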