Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 19 replies
  • Subscribers 6 subscribers
  • Views 42428 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

New user several questions

brvx

First, for the automatic update interval, how is the time calculated? Is it ordinary chronological time, or is it actual computer running time. For example, if I select automatic updating for daily, with the last update having occurred at 9 AM Tuesday, will the next update happen at 9 AM Wednesday, provided the computer is not sleeping at that moment. Or will it need 24 hours of actual computer running time, which might not happen if the computer is sleeping for extended periods perhaps until several days later?

Second, I ran Sophos (9.0.8) yesterday booted from a 10.6.8 partition on an external drive. It calculated something like 1,900,000 files/folders to scan. The 10.6.8 boot volume was only around 701,000. The other volume on that drive, a 10.8.5, is around 607,000, which, if Sophos was scanning both, still comes nowhere near close to the total Sophos calculated. If I add in the internal 10.6.8 volume, the total is a figure around 2,001,000, still not the 1,900,000 I saw, but more plausible. Was it scanning all three volumes? I am very puzzled about the number of files Sophos calculated. Naturally, this scan took far longer than intended.

Finally, although I logged in to my admin user in order to run the scan, I am normally running out of a standard account for security. So, of course, there I could see that my admin user was out of bounds. But from the standard user, I ran a shell script which opened Sophos with root privileges (do shell script "/Applications/'Sophos Anti-Virus.app'/Contents/MacOS/'Sophos Anti-Virus' > /dev/null 2>&1 &" with administrator privileges) When I opened Sophos that way, I was able to see the other user, but I still got the notice that I was running using "current privileges." Not sure why that didn't disappear when opened as root, but what I wonder is, since that notice didn't disappear, if running as root will have the necessary privileges needed to scan all system files, and if anything is found, will I be able to "clean" that infection--should it really need to be cleaned? I would not like to have to log in to my admin account in order to do either of those, completely scan all system files, and clean, when necessary.


:1016041


This thread was automatically locked due to age.
Parents
  • 0
    brvx wrote:

    Bob, maybe this is where the confusion is coming in: I understand that I'm running as the current user, in this case out of a standard account, but I am running the Application (Sophos) with admin/elevated privileges, by way of that shell script. I think I have to assume that the GUI, unlike when opening Sophos from sudo, remains set as "current privileges," (or if you prefer "current user") even though those privileges are now elevated. I am doing this precisely in order to be able to scan items that would otherwise be off limits, not just other users, but system items. I want to be able to look into every possible nook and cranny I can. If you think there is any meaningful difference between running Sophos from the shell script or from sudo, I can easily do the latter, as well. The shell script is a bit more convenient, since it's ready to go and I dont have to su to my admin account to run sudo.

    If you launch the GUI via the command line using sudo, the effective user of the GUI is "root". If you launch the GUI using AppleScript with the "with administrator privileges" option, the effective user of the GUI is also "root". You can use the "whoami" command to figure out which user you're running as in your scripts.

    When the GUI detects it was launched as a standard user, it will only scan the disk as a standard user. Otherwise it will give you the option to authenticate as an administrative user (doesn't have to be the same user as you are running as) to enable scanning as root.

    It seems confusing to say this, but it doesn't really matter how you launch the GUI as long as you can satisfy it with administrative credentials to prove you should be able to scan all files on the disk. Once you've satisified the GUI that you are authorized, we run the scan in the background as root. That root process has no relationship with the GUI e.g. it really doesn't matter how you launched the GUI and what user its running as.

    You might be interested to look at the scheduled scan feature. You can configure scheduled scans if you are an administrative user. Once scheduled, they always run in the background as root. You wouldn't need to launch the GUI to run your scans.

    brvx wrote:

    While were at it, another question: I adopted Sophos only recently because it's beginning to look like Apple will no longer be supporting Snow Leopard with security updates--although, XProtect updates, for what limited protection they give, may continue. Even though I have Mountain Lion, which has just recently been patched with a security update, and is known for better sandboxing, and is probably safer (and it looks like Apple is continuing support for 10.7 and beyond), I prefer to keep using Snow Leopard. As far as I understand this, Sophos, or any A-V for that matter, works by way of a catalog of file definitions. Since what may not be further adddressed by Apple in 10.6 are OS vulnerabilities, can you perhaps explain what kind of protection Sophos can offer in that regard. It would seem it would only be able to identify known payloads or exploits aimed at those vulnerabilites, but not the vulnerabilities themselves.

    Re: the recent "goto fail" SSL bug, it only affected 10.7 and up. Hence Apple only needed to offer a security patch for 10.7 and up. They have not formally declared end of life to 10.6 but I would expect it will happen this year. We will not support 10.6 forever either.

    Our product is built to detect malicious software by the patterns we find in files on disk. These patterns can be as specific as the executable instructions that attempt to take advantage of vulnerabilities. Depending on the vulnerability, the code required to exploit it may be so specific that it wouldn't matter who made or distributed the malicous software, we'd detect it. But this is not universally true. Like all things in life, the real answer is "it depends". We'd prefer to create "generic detection" patterns when we can, but its not always possible.

    Continuing to run a very old operating system is a poor choice, security wise. Security researchers are typically only looking at the latest stuff, and the older versions may contain problems or vulnerabilities that go undetected for years. The "goto fail" SSL bug is a really good example of a bug that can live in old code for a long time. Nobody knows whether its been exploited or not.

    :1016101
Reply
  • 0
    brvx wrote:

    Bob, maybe this is where the confusion is coming in: I understand that I'm running as the current user, in this case out of a standard account, but I am running the Application (Sophos) with admin/elevated privileges, by way of that shell script. I think I have to assume that the GUI, unlike when opening Sophos from sudo, remains set as "current privileges," (or if you prefer "current user") even though those privileges are now elevated. I am doing this precisely in order to be able to scan items that would otherwise be off limits, not just other users, but system items. I want to be able to look into every possible nook and cranny I can. If you think there is any meaningful difference between running Sophos from the shell script or from sudo, I can easily do the latter, as well. The shell script is a bit more convenient, since it's ready to go and I dont have to su to my admin account to run sudo.

    If you launch the GUI via the command line using sudo, the effective user of the GUI is "root". If you launch the GUI using AppleScript with the "with administrator privileges" option, the effective user of the GUI is also "root". You can use the "whoami" command to figure out which user you're running as in your scripts.

    When the GUI detects it was launched as a standard user, it will only scan the disk as a standard user. Otherwise it will give you the option to authenticate as an administrative user (doesn't have to be the same user as you are running as) to enable scanning as root.

    It seems confusing to say this, but it doesn't really matter how you launch the GUI as long as you can satisfy it with administrative credentials to prove you should be able to scan all files on the disk. Once you've satisified the GUI that you are authorized, we run the scan in the background as root. That root process has no relationship with the GUI e.g. it really doesn't matter how you launched the GUI and what user its running as.

    You might be interested to look at the scheduled scan feature. You can configure scheduled scans if you are an administrative user. Once scheduled, they always run in the background as root. You wouldn't need to launch the GUI to run your scans.

    brvx wrote:

    While were at it, another question: I adopted Sophos only recently because it's beginning to look like Apple will no longer be supporting Snow Leopard with security updates--although, XProtect updates, for what limited protection they give, may continue. Even though I have Mountain Lion, which has just recently been patched with a security update, and is known for better sandboxing, and is probably safer (and it looks like Apple is continuing support for 10.7 and beyond), I prefer to keep using Snow Leopard. As far as I understand this, Sophos, or any A-V for that matter, works by way of a catalog of file definitions. Since what may not be further adddressed by Apple in 10.6 are OS vulnerabilities, can you perhaps explain what kind of protection Sophos can offer in that regard. It would seem it would only be able to identify known payloads or exploits aimed at those vulnerabilites, but not the vulnerabilities themselves.

    Re: the recent "goto fail" SSL bug, it only affected 10.7 and up. Hence Apple only needed to offer a security patch for 10.7 and up. They have not formally declared end of life to 10.6 but I would expect it will happen this year. We will not support 10.6 forever either.

    Our product is built to detect malicious software by the patterns we find in files on disk. These patterns can be as specific as the executable instructions that attempt to take advantage of vulnerabilities. Depending on the vulnerability, the code required to exploit it may be so specific that it wouldn't matter who made or distributed the malicous software, we'd detect it. But this is not universally true. Like all things in life, the real answer is "it depends". We'd prefer to create "generic detection" patterns when we can, but its not always possible.

    Continuing to run a very old operating system is a poor choice, security wise. Security researchers are typically only looking at the latest stuff, and the older versions may contain problems or vulnerabilities that go undetected for years. The "goto fail" SSL bug is a really good example of a bug that can live in old code for a long time. Nobody knows whether its been exploited or not.

    :1016101
Children
No Data