
Fake AV Malware Not Stopped

Why doesn't Sophos stop Malware, especially Fake AV malware, like it does viruses? We have a corporate license and all machines are up-to-date with Sophos AV but more & more we spend too much time removing malware & tracking down other changes that were made by the malware that have disabled programs.



  • Hi,

    Sophos most certainly should be stopping the malware. Malware is just a general, all-encompassing term for malicious software, which Sophos aims to fully control. I can only suggest that anything you find that Sophos is not detecting and you feel is malware, you send as a sample submission to Sophos Labs.

    As you're clearing it up and are aware of it, what is detecting it: Sophos, or are you using another piece of security software as well? Is it that Sophos is detecting it once it's too late and the machine is already infected, in which case it may be that the configuration needs to be changed?

    Are you able to list the version of Sophos you are using, do you use the latest package or a fixed package?

    Do you have HIPS and BOPS enabled?  

    Sophos BHO enabled?

    How frequently do you update from Sophos, i.e. what is the schedule of SUM/EMLibrary updating from Sophos and then the schedule of the clients updating from the distribution share? This should determine the worst-case latency.

    Do you enforce any device control or application control policies to reduce the likelihood of malware being introduced?  How about a web and email appliance?  It is advisable to layer security measures and policies where possible (or to the extent that budget permits I guess) to reduce the chance of infection.

    To put a relevant football spin on it: to rely solely on AV at the client is like just fielding a goal keeper. :)  

    Thanks,

    Jak

  • Hello Stony,

    if you search the forum for FakeAV* you will find a number of posts discussing (this kind of) malware, suggested settings and their consequences. And - as jak already has said - send the samples to Sophos support.

    Christian

  • I have to chime in here,

    I've been using Sophos at a number of client sites for ~5 years (roughly 800 computers all in all).

    I've generally been very happy with the product.

    This year I have had computers in every site contract some type of malware.

    99% of those were FakeAV of a few flavors.

    In every case the Server/Client were up to date.

    Sophos support always helps in the removal, but often can't provide an explanation of what went wrong.

    I've even asked "what am I doing wrong / look at my policy"

    My policy apparently looks fine (Pretty much default)

    Usually the removal process is long and arduous, often with full CD/offline scans leaving things behind.

    I've found the quickest resolution is usually:

    reboot, kill any processes with obviously bogus names (otherwise you'll get in the loop of the FakeAV windows)

    Run the free Malwarebytes AntiMalware.  (Hey I know this is a Sophos forum but this seems to do the trick when I need it)

    reboot. (sometimes fix .exe file association)

    I'm getting sick of giving clients the "Some Malware will always find a way / They come up with new IDEs every day" lines

    ps. I've never heard back from SophosLabs after submitting samples.  

  • Hello RyanB,

    This year I have had computers in every site contract some type of malware

    Were these already known threats or "new" ones (or new variants)? I've had a very few cases of FakeAV soaking in (in all but one case for the user - usually they are only members of the Users group). In most cases some of the components were detected by HIPS but I had also a few where at first nothing has been detected. 

    Usually I try to identify the executables and search for fishy registry keys and additional suspect files (e.g. in TEMP or cache directories) - takes less than a quarter of an hour - and submit the samples. You should receive a response after a few hours which looks like

    Hello,
    
    Thank you for contacting Sophos Technical Support.
    
    **Please note that this is an automated response. If you have any questions, require assistance or clarification on this analysis, please feel free to reply to this email quoting this case number in the subject line.**
    
    The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.
    
    15.tmp -- identity created/updated (New detection Troj/FakeDpr-A)
    svchost.exe -- identity created/updated (New detection Troj/FakeDpr-A)
    dwm.exe -- identity created/updated (New detection Troj/FakeDpr-A)
    stor.cfg -- non-malicious
    9234310388.exe -- identity created/updated (New detection Troj/FakeAV-BZJ)
    603996256.exe -- identity created/updated (New detection Troj/FakeAV-BZJ)
    Security Tool.lnk -- non-malicious
    9616366416.exe -- identity created/updated (New detection Troj/FakeAV-BZJ)
    Anwendungsdaten.zip -- archive file
    3B.tmp -- identity created/updated (New detection Troj/Agent-PJR)
    dwm.exe -- identity created/updated (New detection Troj/FakeDpr-A)
    dwm.exe -- identity created/updated (New detection Troj/FakeDpr-A)
    svchost.exe -- identity created/updated (New detection Troj/FakeDpr-A)
    stor.cfg -- non-malicious
    shell.exe -- identity created/updated (New detection Troj/FakeDpr-A)
    FakeBS.jpg -- clean
    

    or perhaps

    The file(s) below are already detected with the latest version of Sophos Anti-Virus and the latest IDE definitions.
    
    MANIFEST.MF -- clean
    AdgredY.class -- already detected
    DyesyasZ.class -- already detected
    LoaderX.class -- already detected
    6973d79a-3594b9cf -- archive file
    JavaJar-A.zip -- archive file
    6973d79a-3594b9cf.idx -- non-malicious

    Please update Sophos Anti-Virus, and run a Full System Scan to clean up this threat.
    

    Once the new identities have been published no other tools than scans (in the "worst" case with SAV32CLI from safe mode) were necessary to remove the threats.

    Of course if the users are Power Users or Administrators penetration can go deeper. Still this wouldn't explain that known threats are missed - unless the user either turns off on-access scanning or authorizes a suspect file (which should show a non-compliance for the AV policy).

    I've never heard back from SophosLabs after submitting samples

    Either Labs or local Support should reply with the results (unless you indicated that you've successfully removed the threat and/or don't need a reply) - if not please contact Support.

    Christian

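    The cleanup steps RyanB lists (kill bogus processes, fix the .exe association) and Christian's triage (look for suspect files in TEMP), as an added PowerShell audit that is not from this thread or from Sophos. It assumes the stock `"%1" %*` value for `exefile\shell\open\command` and treats the per-user `HKCU\Software\Classes` overlay, which a limited user can still write, as a second place to check.

```powershell
# Added example, not from the thread: audit the .exe file association that
# FakeAV families hijack, machine-wide (HKCR) and in the per-user overlay
# (HKCU\Software\Classes). -Repair restores the stock value (HKCR needs admin).
param([switch]$Repair)

$Expected = '"%1" %*'   # stock exefile\shell\open\command on XP/Vista/7 (assumption)

$Targets = @(
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)

$Findings = @()
foreach ($Key in $Targets) {
    if (-not (Test-Path $Key)) { continue }   # per-user copy is normally absent
    $Value = (Get-ItemProperty -Path $Key).'(default)'
    if ($Value -ne $Expected) {
        $Findings += New-Object PSObject -Property @{ Key = $Key; Current = $Value }
        if ($Repair) { Set-ItemProperty -Path $Key -Name '(default)' -Value $Expected }
    }
}

# A per-user .exe ProgID pointing anywhere but 'exefile' is another hijack sign
$UserExt = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
if (Test-Path $UserExt) {
    $ProgId = (Get-ItemProperty -Path $UserExt).'(default)'
    if ($ProgId -ne 'exefile') {
        $Findings += New-Object PSObject -Property @{ Key = $UserExt; Current = $ProgId }
    }
}

if ($Findings) { $Findings | Format-Table Key, Current -AutoSize }
else { 'exe association looks stock' }

# Recently written executables/.tmp files in the user's TEMP are the usual
# drop location mentioned in the thread; list them for sample submission.
Get-ChildItem -Path $env:TEMP -Include *.exe, *.tmp -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-2) } |
    Select-Object FullName, LastWriteTime, Length
```

    Run it without `-Repair` first so the hijacked command line (it usually names the dropped executable) is recorded before it is overwritten.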
    I have to agree with RyanB; Fake AV is becoming a real problem. Sophos does not detect it; it announces itself as soon as it arrives: "Your computer is infected with XXX viruses and Trojans, please click on this link and send money", etc.

    Detection is not the issue, I need to block it. Some of the variants of Fake AV can dig in deep and eventually cripple the machine; if it is not fully removed it will come back, so I find that the best policy is to swop out an infected PC and wipe it.

  • Had another undetected FakeAV just these days.

    Although they employ similar mechanisms and can easily be spotted by a human I assume their behaviour is not easily distinguishable from that of legitimate software and therefore even HIPS doesn't always catch them. As these threats are convincing but otherwise not too sophisticated how "deep" they can dig in depends on the user's rights. 

    Usually users can't (or don't want to) tell you which site they visited and what they did before they noticed they can't get rid of it. So I can't say whether infection can be completely avoided once you've opened a "contaminated" webpage. Even if it doesn't catch all threats HIPS can significantly reduce the risk as can Web Protection.

    I can only repeat that it is important to send in a sample when "something" has slipped in as obviously rather specific entities are necessary to reliably detect these threats. Unless the FakeAV did replace some system file or registry key (the dozen or so I inspected closer did not and "only" added files, registry keys/values and shortcuts) it can be completely cleaned up by the usual methods.

    Christian 

  • So is there any solution to this?

    I work for a large organisation and we have multiple layers of security including the latest Sophos, but yet malware gets through far too often. Sophos detects it far too late and there is nothing Sophos can do to remove it. We have to end up using Malwarebytes to remove it, and sometimes even re-image the machine.

    This is a list of some of the Malware that has got through:

    Windows Security Suite

    Windows Defender

    HDD Repair VirusSecurity Warning

    Windows Recovery

    XP Security

    PC Repair

    Windows XP Restore

    We use OpenDNS, the customer has limited rights on the machine, we patch our systems regularly, update Sophos regularly...

    Suggestions/Solutions?

    I must say that I never have any Fake-AV problems anymore after I started stripping the Google referrer HTTP header on the proxy. See:

    /search?q= 11769

    Hello cruzdre,

    Suggestions/Solutions?

    your description is rather general and without details one can give only general replies - which probably won't help you much. With OpenDNS and multiple layers of security in place it's strange that you get an apparently significant amount of malware (and obviously not only the "latest"). Sounds more like there are other avenues for it to get in.

    Sophos detects it far too late and there nothing Sophos can do to remove it

    While a certain piece of malware might call itself Windows Security Suite, it likely comes in different versions (even though from a user's POV they might look and act identical), keeps changing and also gets in by different methods - to repeat some points from my posts in this thread:

    Most malware (including rootkit components) can be successfully removed by Sophos once it has been identified. Sometimes it is necessary that a specific IDE is issued by the labs, therefore it is important to send in samples. Usually it takes a very few hours until an update is available, so trying to get rid of it in the meantime (unless you are familiar with the process) is not worth the effort (moreover, trying to analyze it on your own instead of submitting a sample will be counterproductive).

    In most cases there's at least a general detection of at least one component (Download scanning, HIPS/SUS and Live Protection increase the likelihood of at least partial detection - but of course Alert only won't help)

    Limited rights are not a cure-all but allowing only Users most of the time restricts an infection to the user's account only and does not affect the computer

    Last but not least try to determine the source - it's not that "all the Internet" is full of threats. As in real life there are places you (or your users) better not visit if you want to stay clear of threats. Also it helps to be wary of top search results as well as install this or update that instructions on webpages and pop ups

    If you could post a detailed course of events (together with the policy settings used) for a specific case there'd be a better chance to get a precise answer

    Christian 

    I am new to this blog, but not to the frustration of Sophos Endpoint Security not allowing me to clean fake AV. I am not satisfied with your evasive response to the issue. The question you should answer directly is why Sophos can't clean or remove instances it identifies. Then the "free" Malwarebytes identifies and removes it quickly. In a corporate environment I can't wait for 15% of my machines to become infected and wait for me or some other guinea pig to submit a file for you. How is it that Malwarebytes can remove it without my help? This is about time and money, not excuses about how I don't know where or how it got to my machines. I pay you to take care of that for me! The excuses won't win my business.
