Fake AV Malware Not Stopped

Why doesn't Sophos stop Malware, especially Fake AV malware, like it does viruses? We have a corporate license and all machines are up-to-date with Sophos AV but more & more we spend too much time removing malware & tracking down other changes that were made by the malware that have disabled programs.

  • I have to agree with this topic, and came here specifically to check on this issue. I've had two different computers recently infected with the Windows 7 Fake Security 2012 antivirus, by another user, and in both cases it's really messed up the machine. This is running updated Sophos AV and updated Win 7/IE (don't know if it's an IE vulnerability or something else that allowed the problem in the first place). In neither case did Sophos prevent the infection, nor did a Sophos scan (quick or in depth) successfully remove it. Malwarebytes picked up 8--10 infected files after Sophos showed both machines clean, though I'm still not certain I got rid of everything.

  • That solution, to touch every computer, is nuts when you're trying to secure 20,000 computers, as we are. I won't say we're one of the largest users of this product, but I firmly believe we are one of the larger enterprise users of your product. I've been completely overrun with FakeAV virus alerts that are never cleaned up from the console.

    More often than not they lead to me getting a field engineer to take time out of their day to reimage a computer because Sophos refuses to clean it up. The other solution, as mentioned earlier, is to use a copy of Malwarebytes to remove it. There's got to be a better long-term solution. It's great Sophos catches it, but the fact that I can't remove it is insane. I can't clean it up from the console or from the endpoint. It always fails for us.

  • We are new to Sophos and also in the same boat as you guys... Windows 7 Security 2012 has hit 3 machines here so far and Sophos isn't cutting it. The reason for going to Sophos was to eliminate the amount of time spent cleaning up viruses and/or the effects of them afterwards... if this doesn't change we won't be renewing Sophos. To add, I've just been installing Malwarebytes after each infection because I know it will find what Sophos does not, and that shouldn't be the case. Sophos should be better and stronger in identifying virus attacks.

  • I can only repeat what has been said several times before:
    As FakeAV is very profitable, quite some effort goes into it and it "mutates" at a high rate. Apart from taking advantage of (zero-day) exploits it uses mechanisms common to software updates and installs. You can catch most of it using an aggressive policy - risking, of course, some more false positives.
    Once you know you are infected you care less about false positives and you can use more offensive rules. That's also true for "new kids on the block" - not too long ago Trend Micro's HouseCall was *the* tool to use *after* you've been hit. AV is neither magic nor Star Trek nor Culture.
    Sophos never failed to clean up FakeAV in the dozen or so cases I've sent in a sample - it just takes a little effort to collect the samples and some patience: four to five hours later the threat is history without any intervention on the client except for perhaps an additional aggressive full scan you schedule from the console. In one case there was even a rather nasty rootkit component involved - this too didn't survive the updated IDEs.

    As to guinea pigs (mentioned in one of the posts) - this is, forgive me, ridiculous (and no, I am not speaking for Sophos): "Doc, you gave me a shot but even so I've got the flu. And no, I won't give you a blood sample, just do something so it won't happen again!". How do you think you can prevent infections (generally, biological ones too) without any samples?

    Those who think Malwarebytes (or whatever) is superior - why don't you just switch? Tell us about your experience in day-to-day business and if it proves to be better I'll happily follow you. Don't forget we (especially those with larger installations) are specialists who should have at least some understanding. Sorry, I'm getting old and suffering more and more from senile impatience and I just can't stand a certain approach to conjectured problems ("Didn't try this cause I don't like it anyway") - ask my daughter :). Seriously - I'd vigorously support any constructive suggestion in this area.

    Christian
  • As the person who did the initial testing and trial of our Sophos, then implementation and subsequent care and feeding over the last three years - I feel a sense of ownership of the Sophos product here at work. It protects our 1800 workstations and does a fairly good job of it - except for FakeAV.

    I've found my infection rate drop considerably after enforcing the use of Sophos Web Security appliances - they catch a lot of crap before it hits the workstation. However, with that said - FakeAV still pops up occasionally and Sophos EPP can not remove it.

    That frustrates the heck out of me. Technically I know why and I'm comfortable saying so to my peers, managers, and the users who ask. But there is a good reason right there to begin trialing other products to see how, and if, they can clean up after FakeAV better than our current product before we renew our three year terms.

    I would like to see more effort on the part of Sophos to battle this profitable malware. If that means injecting a boot partition into each workstation that I can initiate a clean up job from without having to visit the workstation and boot from CD, or leverage more updates more often, or allowing me to allow only specific applications to run using the Application control.

    I'd also like to mention that our helpdesk has given up on doing onsite cleanups with the Sophos CLI on a CD and went for a Malwarebytes disinfection app on a thumbdrive. They found it to be faster and more efficient with this specific infection. If the first run doesn't clean it up - we reimage the machine.

  • Just thought I'd add an enduser perspective to this. I somehow got XP Security 2012 onto my system (pretty sure I did not download or install anything on purpose, I tend to kill all iexplore.exe processes instead of clicking on any suspicious popup) and once it was obviously there (both in systray and popups) Sophos did not detect it. Because this happened in between the holidays I did not go through our IT department, but instead resorted to fixing it myself.

    Full scan by Sophos: nothing. Neither did a full scan by Microsoft Security Essentials (which by then had to get manually updated virus definitions). Also the latest Kaspersky declared everything OK.

    I had identified the main process "spg.exe" which could be killed but always reappeared after a few minutes. MSE's free tech support advised to find and delete the offending exe file and they provided an exefix_xp.com application to fix program/file extension association and they recommended a scan with SUPERAntiSpyware. After some internet search I ran Malwarebytes which did a great job detecting and fixing remaining issues of the FakeAV. Final registry cleanup with CCleaner. These steps did take time, and it sure would have been nice if Sophos could have just detected and removed it. And with everything locked down on the end-user machine this may be avoidable, but there also has to be a realistic balance. Aside from the quite high resource usage of SavService.exe, Sophos usually protects very well in the background without interference.

    PS: I probably should have submitted the file to Sophos labs but the online form encourages endusers to go through internal IT department channels first.

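The manual clean-up the previous post describes (kill the process that keeps coming back, then repair the .exe file association so that programs launch again) can be scripted so that a helpdesk does not have to improvise it at the keyboard. The following PowerShell is an added example and is not code from this thread or from Sophos. Its window-title regex and the user-profile directories it treats as suspicious are assumptions built only from the product names mentioned in this thread; the registry defaults it restores are the standard Windows values (`.exe` resolves to the ProgID `exefile`, whose `shell\open\command` is `"%1" %*`, and a clean profile has no per-user `.exe` key under `HKCU\Software\Classes`).

```powershell
# Added example (not from the thread or from Sophos): first-response triage of a
# suspected FakeAV infection. Run it from an elevated PowerShell console that is
# already open: while the .exe association is hijacked, starting a new program
# through Explorer may launch the malware instead, which is why the poster above
# needed a separate association fix.

# --- 1. Processes that look like a rogue "Security 20xx" product ------------------
# ASSUMPTIONS: the title pattern is derived from the names in this thread, and the
# rogue products seen here run from the user profile rather than Program Files.
$titlePattern = 'Security 20\d\d|Antivirus 20\d\d|Anti-?Spyware 20\d\d'
$suspectDirs  = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

$suspects = foreach ($p in Get-Process) {
    $inSuspectDir = $false
    if ($p.Path) {
        foreach ($d in $suspectDirs) {
            if ($p.Path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inSuspectDir = $true
            }
        }
    }
    if (($p.MainWindowTitle -match $titlePattern) -or $inSuspectDir) { $p }
}

if ($suspects) {
    $suspects | Select-Object Id, ProcessName, Path, MainWindowTitle | Format-Table -AutoSize
    # Keep copies of the binaries before killing anything: these are the samples the
    # vendor needs, and the whole point of the later posts in this thread.
    $evidence = Join-Path $env:SystemDrive 'FakeAV-samples'
    New-Item -ItemType Directory -Path $evidence -Force | Out-Null
    $suspects | Where-Object { $_.Path } | ForEach-Object { Copy-Item $_.Path $evidence -Force }
    # Kill them all in one go: a watchdog restarts its partner if they are killed one
    # at a time, which is the "reappeared after a few minutes" behaviour described above.
    $suspects | Stop-Process -Force
} else {
    Write-Host 'No running process matched the rogue-AV heuristics.'
}

# --- 2. The .exe file association ---------------------------------------------------
# HKCR is HKLM\Software\Classes overridden by HKCU\Software\Classes, so a per-user
# .exe key is enough to make every double-click run the malware first.
$expected = '"%1" %*'
$hijacked = $false

if (Test-Path 'HKCU:\Software\Classes\.exe') {
    $progId = (Get-ItemProperty 'HKCU:\Software\Classes\.exe').'(default)'
    Write-Warning "Per-user .exe association found (ProgID '$progId'); a clean profile has none."
    if ($progId) {
        $cmd = (Get-ItemProperty "HKCU:\Software\Classes\$progId\shell\open\command" `
                -ErrorAction SilentlyContinue).'(default)'
        Write-Warning "  its launch command is: $cmd"
    }
    $hijacked = $true
}
$machineCmd = (Get-ItemProperty 'HKLM:\Software\Classes\exefile\shell\open\command').'(default)'
if ($machineCmd -ne $expected) {
    Write-Warning "Machine-wide .exe launch command is '$machineCmd', expected '$expected'."
    $hijacked = $true
}

if ($hijacked) {
    # Restore the defaults only after step 1, otherwise the malware re-hijacks them.
    if (Test-Path 'HKCU:\Software\Classes\.exe') {
        Remove-Item 'HKCU:\Software\Classes\.exe' -Recurse -Force
    }
    Set-ItemProperty 'HKLM:\Software\Classes\exefile\shell\open\command' -Name '(default)' -Value $expected
    Write-Host '.exe association restored. Reboot, then run a full on-demand scan with current IDEs.'
} else {
    Write-Host '.exe association is intact.'
}
```

This is triage, not disinfection: it stops the visible component and makes the machine usable again, but the dropper, any service or run-key persistence, and a possible rootkit component are left for the scanner once updated definitions exist. The samples it copies to `FakeAV-samples` are what the submission form and Support ask for, and sending them is the step that turns a missed detection into an IDE.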
  • In response to the last two posts (and also to somewhat mitigate mine from about a week ago):

    I'd also like Sophos to do better with respect to FakeAV. The problem (if you can call it a problem) is IMO not so much cleanup but detection. One would assume that this malware should be easily identified - if not during on-access then by its behaviour (and that others can confirm this assumption). I might be totally wrong but it looks like Sophos' detection strategy doesn't allow the use of these seemingly simple identifiers (like, e.g., a process's window title) because on the one hand too many FakeAVs similar to ones already seen slip through, OTOH once SophosLabs have analyzed a sample and issued an IDE (and they do so within a very short time) detection and cleanup are usually successful (note also that not all "FakeAV" seems to be classified as Mal/FakeAV* - IIRC Troj/Agent* might also be applied). In my experience Sophos is not the "complete failure" (excuse the exaggerated term) as sometimes claimed; in most cases there are one or more generic and/or SUS detections.

    This being said - unless you've sent in a sample (or someone else has done so in the meantime) there is no use in trying the CLI; it uses the same engine and definitions.

    But - if you run some reports you will likely see that a certain amount of FakeAV is detected and cleaned (of course depending on your settings). The question is, how should Sophos know it missed some (sure, they know they do and I hope they don't take it lightly) and how many in proportion? A general complaint (like in this forum) is just general. Like any other company Sophos does its numbers: Unless the missed instances are reported (or flocks of customers are absconding) FakeAV might not get the attention it should. Thus you should call Support whenever a FakeAV is missed (and preferably send in samples). State how many computers are affected and what Sophos has missed but other products have found (again, not in general terms but with the specific samples). This will give your complaints considerably more weight.

    I want to add that we don't have edge filters, users can surf to whatever site they want and still we are not flooded with FakeAV.

    Christian