Sophos Endpoint 10

From reading the docs this self-defense should provide additional protection from

1. malware which elevates its rights to disable AV
2. manipulation of the settings using the UI through "unauthorized" remote access

Now this might indeed provide (albeit only slightly) increased security against occasional threats - but the gain is not that much. If some malware is only discovered because it fails to stop the AV process it has probably otherwise successfully evaded the scanner. Even if the first thing some malicious code does is turning off the scanner in order to be able to download and run additional components the fact that the scanner is turned off should alert you. As even if it fails to run off the scanner it might already have successfully planted some components (remember, it hasn't been detected in the first place) you should no longer "trust" the affected computer.

Theory tells us that absolute protection is impossible, even more so with a single "monolithic" and internal program. Thus it is essential to be prudent when using "important" machines. A (Windows) "server" is nowadays in general not more secure because of how it is "built" but how it's used. Use a server for gaming, chatting, downloading all kinds of stuff, allow (practically) anonymous access, enable guest accounts, take down the firewall, put it "on the internet" - it will be as vulnerable as your average "PC". Self-defense in such an environment is like parking your expensive car with all kinds of expensive stuff clearly visible inside in a shady neighbourhood in the beliefs that the burglar alarm's backup power supply might thwart any malicious acts (though it might help in a very few cases).

I'm not saying that self-defense (and all vendors employ it to a certain extent) is completely unnecessary - it's just not the most important thing and absence of certain features is not blunder.

Christian

From reading the docs this self-defense should provide additional protection from

1. malware which elevates its rights to disable AV
2. manipulation of the settings using the UI through "unauthorized" remote access

Now this might indeed provide (albeit only slightly) increased security against occasional threats - but the gain is not that much. If some malware is only discovered because it fails to stop the AV process it has probably otherwise successfully evaded the scanner. Even if the first thing some malicious code does is turning off the scanner in order to be able to download and run additional components the fact that the scanner is turned off should alert you. As even if it fails to run off the scanner it might already have successfully planted some components (remember, it hasn't been detected in the first place) you should no longer "trust" the affected computer.

Theory tells us that absolute protection is impossible, even more so with a single "monolithic" and internal program. Thus it is essential to be prudent when using "important" machines. A (Windows) "server" is nowadays in general not more secure because of how it is "built" but how it's used. Use a server for gaming, chatting, downloading all kinds of stuff, allow (practically) anonymous access, enable guest accounts, take down the firewall, put it "on the internet" - it will be as vulnerable as your average "PC". Self-defense in such an environment is like parking your expensive car with all kinds of expensive stuff clearly visible inside in a shady neighbourhood in the beliefs that the burglar alarm's backup power supply might thwart any malicious acts (though it might help in a very few cases).

I'm not saying that self-defense (and all vendors employ it to a certain extent) is completely unnecessary - it's just not the most important thing and absence of certain features is not blunder.

Christian