Web Intelligence and cURL

Dear All,

The documentation for SAV 9.x states that the Web Intelligence service filters content for the platform's main browsers: Safari, Chrome, and Firefox. It does not mention other applications or services and, indeed, most of the apps I have looked into appear to connect directly to the Internet.

While toying with cURL this morning, I noticed that it is blocked by the Web Intelligence service, just like one of the supported browsers…

Is this by design? If so, where can we find a list of applications or services that are protected by the Web Intelligence bundle? What about other command-line tools, or Mail.app, for example?



  • Hey again Francois,

    I'm going to forward this question over to Bob, who is the development manager for this product. I'm sure he'll have a great answer for you shortly.


  • francoisjoseph wrote:

    Is this by design? If so, where can we find a list of applications or services that are protected by the Web Intelligence bundle? What about other command-line tools, or Mail.app, for example?


    It's by design. The full list is:

    • Safari
    • Firefox
    • Chrome
    • Opera
    • OmniWeb
    • Camino
    • Cruz
    • curl
    • wget
    • telnet

    Some of those are rather esoteric and we should probably review the list again - there are many Chromium derivatives that we aren't filtering. We also shouldn't be filtering telnet; it's really not a browser even though you can technically get web content with it. Overly aggressive developer decision.

    We've debated whether to filter mail applications. There is a lot of risky/spammy HTML junk that we could be blocking simply by treating mail clients as browsers. On the other hand, we should probably make it optional for anyone who wants to see their email unfiltered.

    These are awesome questions! Thanks!


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Thank you, Bob, for your kind reply, and for passing along the list. It is most appreciated!

    Yes, I beg of you not to make mail filtering mandatory. Fishing out emails that Sophos detects as malicious from the clutches of the Quarantine Manager is quite an atrocious experience, and I shudder at the thought of what would happen if the filtering were more aggressive than the on-access scanner already is.

    Would it be possible for Sophos to add this list to the official documentation somewhere? I realise that it is getting increasingly difficult to document every single aspect of a large application like SAV 9.x, but a list of protected processes feels like it ought to be front and centre…

  • Hello francoisjoseph,

    I shudder at the thought of what would happen

    Actually it should alleviate the problem - when a download is blocked/filtered the malicious stuff is not saved to disk, thus nothing has to be quarantined and hence QM is not involved: by blocking the content, remedial action has been taken.

    Christian

  • Hello, Christian,

    Actually it should alleviate the problem - when a download is blocked/filtered the malicious stuff is not saved to disk, thus nothing has to be quarantined and hence QM is not involved: By blocking the content remedial action has been taken.


    This, of course, is supposing that Mail.app reacts well to not being able to save to disk an attachment that the server says is there… I am no Apple engineer, but my experience of it makes me rather pessimistic about its ability to recover gracefully from such a failure.

    Nowadays it is recommended, and more people do so, to get their email over a secure connection, using POP or IMAP with SSL. In this situation AFAIK Web Intelligence is powerless, unless it does something like Avast does, which is controversial: installing a root certificate in Keychain, then decrypting, scanning and re-encrypting with the root certificate.

    Am I correct?

  • Specimen wrote:
    Nowadays it is recommended, and more people do so, to get their email over a secure connection, using POP or IMAP with SSL. In this situation AFAIK Web Intelligence is powerless, unless it does something like Avast does, which is controversial: installing a root certificate in Keychain, then decrypting, scanning and re-encrypting with the root certificate.

    Am I correct?

    More and more services are moving to encrypted channels (aka SSL aka TLS). This is true for web content as well as everything else (instant messaging, email, etc.). We do not decrypt these channels in our endpoint software. Instead we attempt to validate the target domain / server via its IP address and your browser's SNI information. SNI (Server Name Indication) is a method for the browser to indicate in clear text the name of the domain it's attempting to reach. We can still do reputation checks on that. But no content scanning.

    We've considered building a feature to do decryption. We'd always make it an option though. Our network appliances already offer such a feature, including the ability to specify what types of sites to not filter this way (e.g. never decrypt banking sites, always decrypt software download sites). I think we'd do something similar in the endpoint software, if we ever do anything more than what we do today.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

    Having used Avast for Mac and their secure connection feature, I have enough experience to say that you should implement it per process and have the ability somehow to whitelist processes, or, like Avast does, restrict this scanning to browsers, because there are a lot of apps that connect via SSL and have their own hardwired URLs and cert management; if you go the Avast way of inserting a root cert, it will not work for these apps because they ignore the Keychain CAs.

    NOTE
    In the interest of full disclosure, I am a very active member of the Avast for Mac forum, and I just switched back to Sophos because it seems to me that Avast management has been pushing its developers to bundle other apps like their VPN solution and the like, and they gather statistics from users (sites visited) via their browser extension for commercial benefit; at least, that is what seems to me to be happening.


  • Specimen wrote:

    In the interest of full disclosure, I am a very active member of the Avast for Mac forum, and I just switched back to Sophos because Avast management has been pushing its developers to bundle other apps like their VPN solution and the like and they gather statistics from users (sites visited) via their browser extension for commercial benefit.


    Welcome back to the Sophos community. Appreciate the feedback and support, always nice to connect directly with users.

    And, in the interest of full disclosure, we DO NOT collect information about the sites that you visit. We don't collect any personally identifiable information. There are some basic stats sent to Sophos, things like the version of the software installed, the version of OS X it's running on, etc., but it's 100% anonymous.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
