
Preventing Sophos potential false positive

I wanted to get some ideas on how we can prevent a potential issue like that recently discovered with McAfee's false positive.

I will list below what I am doing and would like to get feedback on what others are doing. 

1) I have multiple groups within the Sophos console containing pilot and production machines.

2) I have multiple policies that I keep in sync except for AV version.

3) I keep the pilot machines on the "recommended" setting in the policy.

4) The production machines stay 1 version behind, which at this time is 9.0.5 VDL4.52, for at least 1 week.

5) If nothing happens to my pilot machines, nothing is reported in the news and nothing is posted in this user community, I roll out the latest version to production.

Can anybody post their processes or comment on my processes?

thanks

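The staged rollout the post describes (pilot ring on "recommended", production one version behind, promotion only after a clean soak period) as a small gate in Python. This is an added example, not anything from the original post or from Sophos; the 7-day soak, the scenario dates and the version strings other than 9.0.5 are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SOAK = timedelta(days=7)  # assumed holdback; the post waits "at least 1 week"

@dataclass
class Ring:
    name: str
    version: str          # version currently set by this ring's policy
    since: datetime       # when that version was assigned
    incidents: int = 0    # pilot machines that reported a problem on it

class Rollout:
    def __init__(self, pilot_version: str, prod_version: str, start: str):
        t = datetime.fromisoformat(start)
        self.pilot = Ring("pilot", pilot_version, t)
        self.production = Ring("production", prod_version, t)

    def pilot_update(self, version: str, when: str) -> None:
        """Pilot follows 'recommended': a new version restarts the soak clock."""
        if version != self.pilot.version:
            self.pilot = Ring("pilot", version, datetime.fromisoformat(when))

    def report_incident(self) -> None:
        self.pilot.incidents += 1  # e.g. a pilot box flags a system file

    def can_promote(self, when: str) -> bool:
        """Production takes the pilot's version only after a clean soak."""
        if self.pilot.version == self.production.version:
            return False  # nothing newer to promote
        soaked = datetime.fromisoformat(when) - self.pilot.since >= SOAK
        return soaked and self.pilot.incidents == 0

    def promote(self, when: str) -> str:
        if not self.can_promote(when):
            raise RuntimeError("gate closed: soak incomplete or pilot incidents")
        self.production = Ring("production", self.pilot.version,
                               datetime.fromisoformat(when))
        return self.production.version

def scenario() -> dict:
    """Constructed walk-through; 9.0.6/9.0.7 are placeholders, not real releases."""
    r = Rollout("9.0.5", "9.0.5", "2010-04-01")
    r.pilot_update("9.0.6", "2010-04-02")      # pilot picks up the new version
    early = r.can_promote("2010-04-05")         # 3 days in: too early
    r.report_incident()                         # a pilot machine misbehaves
    blocked = r.can_promote("2010-04-10")       # soaked, but incident blocks it
    r.pilot_update("9.0.7", "2010-04-11")       # corrected version, clock restarts
    ok = r.can_promote("2010-04-19")            # 8 clean days: gate opens
    return {"early": early, "blocked": blocked, "ok": ok,
            "production": r.promote("2010-04-19")}
```

The gate only encodes the pilot-ring signal; the post's other two checks (vendor news and community reports) remain a manual step before calling `promote`.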


  • Hello Sophos_User,

    the recent "issue" might appear as simple to avoid as it is scary (booting into Safe Mode on many machines is not fun).

    Allow me some general remarks first: An issue like this is very unlikely but - as we saw - unlikely isn't impossible. We are dealing with a system of sufficient complexity here so even in theory such incidents are not avoidable - or better: Theory tells us that we can't prove it's error-free. And - this too is inherent to complex systems - a malfunction in a security layer can cause the same effects it should protect against. Thus it's all about reducing the risks and be assured, no vendor (and no serious "open" group) treats this in a frivolous manner. **bleep** happens also in the AV industry - but seldom.

    Now what do you gain from delaying updates? Details aside, you might not be protected from the latest threats. This offsets at least part of the reduced risk - and I daresay all in all it increases your risk. The same is already true for certain OS and application patches.

    The questions are whether your "pilot" machines are "typical" and how long you should wait. In my opinion - but I may err - the engine and library pose the lesser risk. It's more likely that a new IDE has "unexpected" side-effects, and as they are usually applied also to the earlier versions it doesn't matter that you delayed the version update. The good news is that a correction travels the same path, and unless your clients went belly up the problem might have been corrected before you notice.

    Still - in the past years I have seen one or two "near hits". The impact depends on the tools you have available and whether you have remote access to the clients or not. In principle you face the same problem as when you've been hit by malware - except that you don't have to worry about additional hidden items and whatever.

    I might become imprudent or just lazy with age but I think that it's just not worth the effort (and I say this with a background of some 20 years on the mainframe where it was guaranteed that a "mishap" affected everything and all users ... :smileywink:)

    Dissenting opinions welcome

    Christian
