Send a sample with one click

Could I suggest sending a sample using "Sophos Endpoint and Security Control"?

Usually a virus starts from the RUN regkey, the autostart folder and so on. The software could search all autorun applications and running applications and suggest which of them could be sent to Sophos Laboratory without filling in the web form (you already have our contact data; when sending a sample you could also acquire the PC id, name, IP...). It could be faster. Sometimes I couldn't send a sample because I'm on a PC owned by another user, even if it has Sophos installed, but I don't have any pen drive for saving a sample (if the system permits it). Other times I send the sample some hours late.

Thanks for your attention,

Dott. Marco Zaino

Università del Piemonte Orientale

Alessandria, ITALY

:35731


This thread was automatically locked due to age.
  • Hello Dott. Marco,

    the sending part first: What would prevent users from using this function and thus flooding Labs with suspected malware? Or how should Labs determine that the submission is "genuine"? Anyway - why not use the web form from the PC?

    As for the software suggesting samples to be sent: Taking all the usual places I've seen (and that's likely a small subset) together, this could be quite some list. Pruning this list automatically would OTOH require some "intelligence" (sometimes the malware gives itself away using "funny names" but other times not). While I concur that some kind of "collector" would be helpful, I've no notion how it could actually work. But admittedly I haven't thought about it much.

    What do others say?

    Christian 

    :35749
  • Hi,

    I sent in a feature request for something similar.

    However, I wanted it from the Enterprise Console - hence only admins would have this feature and not the end users themselves, thus preventing the issue of flooding Labs with samples.

    How I envisioned it would be, HIPS and Detect Malicious and Suspicious Behaviour and files would be turned on so that Sophos is detecting strange files (e.g. regmod behaviour is a common one). When an alert comes up, in the Resolve Alerts/Warnings section, there could be an extra button next to Acknowledge which allows the admin to select the files causing the alerts and then submit them to Labs for analysis. 

    :35845
  • Hello slayer,

    that's a different beast - submitting items already detected (albeit only due to their behaviour) is not the same as scanning the machine for potential yet unknown threats. 

    IIRC this suggestion has been made in this forum and I guess it has also been requested by others (including myself). It would definitely help to deal with HIPS alerts.

    Christian 

    :35867