My feedback on Spectrum

First off,


I had a hard time getting malware activated. I had a Linux virtual server downloading malware using Maltrieve (git) and a Windows 7 VM downloading the malware from that Linux server to be executed. In between the 2 VMs, and between the VMs and the physical network, I had a virtual Sophos UTM. The Linux VM was allowed to download bypassing all checks; the Windows 7 VM initially had its traffic scanned by the Sophos UTM so I would only get malware inside the Windows 7 VM that is currently undetected by Sophos. Unfortunately all malware got blocked by the Sophos UTM as CXweb/ExplPE-D: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/CXweb~ExplPE-D.aspx After disabling the HTTP scanning on the Sophos UTM between the 2 VMs I found out that the local Sophos Web Protection of the Win7 VM gave the same protection :).


I ended up disabling Sophos Web Protection and eventually the on-access scanner altogether. Good job!


Now the feedback:

1. On the Threat Analysis page, when you click a threat you get Threat Analysis Details. At Next Steps the text gets wrapped based on resolution of screen. This breaks words.

2. The Threat Analysis seems to capture unrelated activity, which results in the question... how is the data captured for the analysis and when does the capture start?

3. I experienced high CPU and memory usage on the test system during my testing, what is the expected performance impact of the analysis?

4. It looks like the Threat Analysis is only for Windows Workstations, is there going to be server support?

Will be doing some more testing; I want to see what an analysis looks like after the protection gets added when the malware has been active for a while.



  • 1. Can you let me know what browser you are using and your screen resolution? A screenshot would be useful. I can then get this fixed.

    2. Data is being captured all of the time Windows is up and running, from the moment Windows boots until it shuts down. When a detection event happens that is of interest for analysis, we look back in the log file to find out what happened. The rules that we use to do this are being refined all of the time and you will see a difference in the next release. However, you will still find activity that we have been unable to work out was directly involved or not. This is one of the reasons why, in the next update, you will be able to add comments to entries in the artefacts / visualisation to tag them as items of interest.

    3. We are aware of an issue where the use of Application Control leads to high CPU and memory usage by the agent SSP service. For the moment, we advise that policies used in the beta should not contain entries in the Application Control list.

    4. Threat Analysis will only be for Windows agents with the initial release. We are looking at adding Windows Server and Apple Mac in future releases.
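As an added illustration of the look-back described in point 2 of the reply above (this is example code written for this page, not Sophos code; the event schema, process names, pids and the sample log are all constructed): events are recorded continuously while the machine is up, and when a detection fires the tool walks back through the log, recovers the process ancestry of the detected process, and groups the remaining activity in the window as "unclassified" so an analyst can tag it.

```python
"""Toy look-back over a continuously recorded endpoint event log.

Added example for this thread, not Sophos code. The JSON-lines event schema,
the process names/pids and SAMPLE_LOG are constructed for illustration.
"""
import json

# Constructed sample log, oldest first: a browser downloads and runs a file,
# while an unrelated notepad session is active at the same time.
SAMPLE_LOG = r"""
{"ts": 100, "type": "process_start", "pid": 400, "ppid": 1, "image": "explorer.exe"}
{"ts": 120, "type": "process_start", "pid": 410, "ppid": 400, "image": "iexplore.exe"}
{"ts": 125, "type": "network", "pid": 410, "dest": "192.0.2.10:80"}
{"ts": 126, "type": "process_start", "pid": 430, "ppid": 400, "image": "notepad.exe"}
{"ts": 130, "type": "file_write", "pid": 410, "path": "C:\\Users\\u\\Downloads\\sample.exe"}
{"ts": 131, "type": "file_write", "pid": 430, "path": "C:\\Users\\u\\notes.txt"}
{"ts": 140, "type": "process_start", "pid": 420, "ppid": 410, "image": "C:\\Users\\u\\Downloads\\sample.exe"}
{"ts": 141, "type": "file_write", "pid": 420, "path": "C:\\Users\\u\\AppData\\Roaming\\x.dll"}
{"ts": 145, "type": "detection", "pid": 420, "name": "Test/Detected-A"}
"""


def parse_log(text):
    """Parse a JSON-lines log into a list of event dicts, oldest first."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def process_table(events):
    """Map pid -> its process_start event (first start wins; pid reuse ignored)."""
    table = {}
    for ev in events:
        if ev["type"] == "process_start" and ev["pid"] not in table:
            table[ev["pid"]] = ev
    return table


def ancestry(events, pid):
    """Follow ppid links from the detected pid back to the root of the chain.

    Uses the whole log (recording runs from boot), so the chain is not
    limited by the analysis window. Returns process_start events, root first.
    """
    table = process_table(events)
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid])
        pid = table[pid]["ppid"]
    chain.reverse()
    return chain


def find_detection(events):
    """Return the first detection event in the log."""
    return next(ev for ev in events if ev["type"] == "detection")


def look_back(events, detection, window):
    """Collect activity in the `window` time units before `detection`.

    Events by processes in the ancestry chain are 'related'; everything else
    in the window is 'unclassified' and left for an analyst to tag, which is
    the residual activity the reply mentions. Each entry gets a tag slot.
    """
    chain = ancestry(events, detection["pid"])
    chain_pids = {ev["pid"] for ev in chain}
    start = detection["ts"] - window
    related, unclassified = [], []
    for ev in events:
        if ev["type"] == "detection" or not start <= ev["ts"] < detection["ts"]:
            continue
        bucket = related if ev.get("pid") in chain_pids else unclassified
        bucket.append(dict(ev, tag=None))
    return {
        "detection": detection["name"],
        "chain": [ev["image"] for ev in chain],
        "related": related,
        "unclassified": unclassified,
    }


def tag(report, bucket, index, comment):
    """Analyst annotation: attach a free-text comment to one report entry."""
    report[bucket][index]["tag"] = comment
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    report = look_back(evs, find_detection(evs), window=50)
    print("chain:", " -> ".join(report["chain"]))
    for ev in report["unclassified"]:
        print("unclassified:", ev)
```

Shrinking the window drops earlier related events (the explorer.exe start here) without changing the chain, because the chain is built from the full log; the window only bounds which artefacts are shown, which is one reason unrelated concurrent activity still lands in the report.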
