
File Reputation "Insight"?

Hi there,

Does "Live Protection" work like a very fast way to distribute signatures, or like a reputation database?

Does SOPHOS have any comparable "reputation system" like Insight?

Is there anything like it on a near-term roadmap?

Thanks



  • Hello ricdgr,

    putting the intricacies of reputation as well as implementation details aside for the moment - the basic principle is the same: when the scanner encounters a suspicious file, its fingerprint is looked up. The Live Protection database likewise not only contains the "latest analyzed and known threats" but the fingerprints of "known good" (which you may call reputable) files as well (thus reducing false positives). The possible answers good, bad or undecided result in the client action allow, block/cleanup or depends (on the type of detection and the client's settings).

    For Live Protection the database might ask the client to upload a sample of the dubious file (if the customer has enabled this feature).

    There is no feature like the configurable Download Advisor - I might misjudge it from the little information I have but as far as I can see it depends on at least some customers being more willing to take a risk than others :-).

    Christian

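The lookup flow Christian describes (fingerprint looked up, verdict good / bad / undecided, client action allow / block / "depends", optional sample upload) can be written down as a small decision function. The block below is an added illustration, not code from Sophos or from anyone in this thread; the database contents, the detection type strings, the client settings and SHA-256 as the fingerprint are all assumptions made for the example.

```python
"""Fingerprint lookup against a reputation database, modelled on the
good / bad / undecided flow described in the post above.  Constructed
example: database contents, detection types and settings are made up."""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    GOOD = "good"            # fingerprint listed as known good
    BAD = "bad"              # fingerprint listed as known bad
    UNDECIDED = "undecided"  # in neither list


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class ClientSettings:
    # Hypothetical client settings: whether an undecided *suspicious* file is
    # blocked, and whether the customer has opted in to sample upload.
    block_undecided_suspicious: bool = True
    sample_upload_enabled: bool = False


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    action: Action
    request_sample: bool   # service asks the client to upload the file


def fingerprint(data: bytes) -> str:
    """SHA-256 stands in for the vendor's own fingerprint; the lookup logic
    does not depend on which fingerprint is used."""
    return hashlib.sha256(data).hexdigest()


class ReputationDB:
    """In-memory stand-in for the cloud lookup service."""

    def __init__(self, known_good: set, known_bad: set):
        if known_good & known_bad:
            raise ValueError("a fingerprint cannot be both good and bad")
        self._good = frozenset(known_good)
        self._bad = frozenset(known_bad)

    def lookup(self, fp: str) -> Verdict:
        if fp in self._bad:
            return Verdict.BAD
        if fp in self._good:
            return Verdict.GOOD
        return Verdict.UNDECIDED


def decide(verdict: Verdict, detection_type: str, settings: ClientSettings) -> Decision:
    """good -> allow, bad -> block, undecided -> depends on the detection type
    and the client's settings."""
    if verdict is Verdict.GOOD:
        return Decision(verdict, Action.ALLOW, False)
    if verdict is Verdict.BAD:
        return Decision(verdict, Action.BLOCK, False)
    suspicious = detection_type == "suspicious"   # heuristic/behavioural hit
    block = suspicious and settings.block_undecided_suspicious
    # A sample is only requested for a dubious file, and only if enabled.
    request = suspicious and settings.sample_upload_enabled
    return Decision(verdict, Action.BLOCK if block else Action.ALLOW, request)


def triage(data: bytes, detection_type: str, db: ReputationDB,
           settings: ClientSettings) -> Decision:
    return decide(db.lookup(fingerprint(data)), detection_type, settings)


# Constructed sample "files" and database contents.
CLEAN = b"MZ\x90\x00 known-good installer (constructed)"
DROPPER = b"MZ\x90\x00 known-bad dropper (constructed)"
NEW_BUILD = b"MZ\x90\x00 never-seen build (constructed)"
DB = ReputationDB(known_good={fingerprint(CLEAN)}, known_bad={fingerprint(DROPPER)})

if __name__ == "__main__":
    settings = ClientSettings(sample_upload_enabled=True)
    for name, blob in (("clean", CLEAN), ("dropper", DROPPER), ("new", NEW_BUILD)):
        d = triage(blob, "suspicious", DB, settings)
        print(f"{name:8s} {d.verdict.value:9s} -> {d.action.value}, "
              f"upload sample: {d.request_sample}")
```

The point to notice is the third branch: a file that is in neither list is not automatically blocked; whether it runs is a policy question (what kind of detection flagged it, what the client is configured to do), which is exactly why "undecided" is not the same as "bad".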
  • But do you use Live Protection to whitelist files?

  • Hello ricdgr,

    I don't (as I'm not Sophos ;-)). As you didn't find an answer in my previous post and obviously expected it to contain whitelist - could you please detail your conception of whitelist (with or without Live Protection) as well as file in this context? I'm not pulling your leg - in my understanding whitelist is generally a trade-off, deliberately accepting an additional (albeit small) risk to improve performance or trading false negatives for false positives. And file is ambiguous - for an exclusion it refers to those file system objects with a certain name(pattern)/path, for an authorization to a practically unique object.

    Christian     

  • Hi,

    Your post was quite informative.

    As far as I understood, Live Protection can only be used for "suspicious files".

    When I speak about whitelist or reputation, I'm looking for the following features:

    1 Only run files for known products or with a good reputation

    2 Don't scan files that are known to be good (but as far as I can see, SOPHOS only whitelists known windows OS files).

    Without [1], we have to wait for SOPHOS to classify a file as a threat, or hope for the HIPS rules to work. Competing products use the "number of installations" or "file older than" to prevent a file from running, to combat server side polymorphism (files that are quite unique and known for <1 day/hour).

    Regards,

    Ricardo

  • Hello Ricardo,

    thanks for clarifying. Of course "fact sheets" emphasize the upside of a technology or feature which is usually depicted as not only being the distinctive excellence of a product but also of unparalleled power. More often than not it's not something no one else has thought of yet or been unable to implement. What looks simple on the surface is actually quite complex.

    Indeed in the scenario you described (combat server side polymorphism) a new malicious file will be blocked. But so will all legitimate ones, until the quorum of unique customers (or at least clients) and/or the waiting time has been reached. Perhaps not really a problem for widely-used executables. Oh, did I say executables? Of course - you can't apply these rules to all content (think of "personalized" pages), I daresay you can't even apply it to JavaScript. IMO it is likely most useful for executables created "on the fly". Keep in mind that malware writers are neither idiots nor unaware of AV and how it works (for the latest developments on the Dark Side you might want to read the articles on Naked Security, for example the recent The PlugX malware factory revisited: introducing "Smoaler"). Apart from this - in order to be blocked from running a piece of malware has to make it to the disk first. As malicious scripts, manipulated web pages and rogue sites are usually involved, there's a good chance that one of the other layers will prevent the download in the first place.

    [Petite interlude]

    Don't scan files that are known to be good

    It depends on what you mean by scan. You can't just ignore a file altogether because of its name (and location); you have to make sure it is still the very file you trust, and for this you have to acquire its fingerprint (which is not simple checksumming), thus you are still intercepting the open and still performing some kind of scan. Practically all vendors use something like this to avoid re-(deeper-)scanning of a "known" (i.e. already scanned) file. If the cache of known fingerprints does not survive a reboot (there are pros and cons as well) you just trade a cursory (note that legitimate and signed files usually don't cause the scanner to look deeper) scan for lookups.

    [End interlude]

    Having said this, the actual significance of various features is not as high as marketing is trying to convince you. Sure, there are situations where a certain one might save your day. And from time to time one or the other might give a vendor the edge over the rest for a limited time, long-term it evens out (although there are the ones occasionally ahead of the pack, those always found in the peloton and a few lagging behind). In real life and day-to-day operation other aspects are likely of more importance.     

    In short:

    You have to consider the whole package - you likely won't prefer one car over the other just because it has eight instead of six air bags and cylinder-deactivation.

    Christian

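Two things from Christian's post above can be made concrete in one small simulation: the age/prevalence gate (a file runs only once enough unique clients have reported it and it has been around long enough) together with the side effect that a brand-new legitimate release is blocked by exactly the same rule, and the "known fingerprint" cache from the interlude, which is keyed on file content rather than on name or path. This is an added example, not code from Sophos or from either participant; the client ids, timestamps, thresholds, the toy "deep scan" and SHA-256 as fingerprint are all constructed for the illustration.

```python
"""Age/prevalence gating plus a content-keyed scan cache.  Constructed
example: client ids, timestamps, thresholds and the "deep scan" are made
up; SHA-256 stands in for the vendor's fingerprint."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(data: bytes) -> str:
    # Keyed on content: a renamed or moved copy maps to the same entry,
    # a modified copy does not.
    return hashlib.sha256(data).hexdigest()


@dataclass
class PrevalenceRecord:
    first_seen: float                          # time the fingerprint was first reported
    clients: set = field(default_factory=set)  # unique client ids that reported it


class PrevalenceDB:
    """Tracks how many unique clients have seen a fingerprint and for how long."""

    def __init__(self, min_clients: int, min_age: float):
        self.min_clients = min_clients   # quorum of unique clients
        self.min_age = min_age           # waiting time in seconds
        self._records: dict = {}

    def report(self, fp: str, client_id: str, now: float) -> None:
        self._records.setdefault(fp, PrevalenceRecord(first_seen=now)).clients.add(client_id)

    def established(self, fp: str, now: float) -> bool:
        """True only once BOTH the quorum and the waiting time have been reached."""
        rec = self._records.get(fp)
        return (rec is not None
                and len(rec.clients) >= self.min_clients
                and now - rec.first_seen >= self.min_age)


def deep_scan(data: bytes) -> str:
    # Stand-in for the expensive scan: a constructed marker means "malicious".
    return "malicious" if b"EVIL" in data else "clean"


class ScanCache:
    """Remembers the verdict of an already deep-scanned file by fingerprint,
    not by name or path, so the expensive scan runs once per distinct content."""

    def __init__(self):
        self._verdicts: dict = {}
        self.misses = 0   # how often the expensive path actually ran

    def verdict_for(self, data: bytes) -> str:
        fp = fingerprint(data)
        if fp not in self._verdicts:
            self.misses += 1
            self._verdicts[fp] = deep_scan(data)
        return self._verdicts[fp]


def on_execute(data: bytes, client_id: str, now: float,
               prev: PrevalenceDB, cache: ScanCache) -> tuple:
    """Allow/block decision for a file about to run, with the reason."""
    fp = fingerprint(data)
    prev.report(fp, client_id, now)
    if cache.verdict_for(data) == "malicious":
        return ("block", "scan")
    if not prev.established(fp, now):
        # The trade-off: a brand-new legitimate release is blocked here just
        # like a freshly generated polymorphic sample.
        return ("block", "low-prevalence")
    return ("allow", "established")


def simulate() -> dict:
    prev = PrevalenceDB(min_clients=3, min_age=3600)
    cache = ScanCache()
    release = b"MZ legit build 2.0 (constructed)"
    poly = b"MZ EVIL unique-per-victim sample (constructed)"
    r = {}
    r["poly_c1_t0"] = on_execute(poly, "c1", 0, prev, cache)
    r["release_c1_t0"] = on_execute(release, "c1", 0, prev, cache)
    on_execute(release, "c2", 600, prev, cache)
    r["release_c3_t600"] = on_execute(release, "c3", 600, prev, cache)     # quorum met, too young
    r["release_c1_t4000"] = on_execute(release, "c1", 4000, prev, cache)   # quorum and age met
    r["release_renamed"] = on_execute(release, "c4", 4000, prev, cache)    # same bytes: cache hit
    r["release_patched"] = on_execute(release + b"\x00", "c1", 4000, prev, cache)  # new content
    r["deep_scans"] = cache.misses
    return r


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:18s} {v}")
```

Three distinct contents (the sample, the release, the patched release) cost exactly three deep scans no matter how often they are executed or under what name; and the legitimate release is refused on every client until both the client quorum and the waiting time are satisfied, which is the cost side of the rule Ricardo asked about.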
  • Thanks again for your post.

    It depends on the implementation. Some vendors use reputation to limit what an application can do or to change the way their behaviour detection systems work (ex.: low rep apps cannot write to non user directories; or make HIPS more aggressive for low rep apps).

    And not wanting to sound inappropriate, I see the products using that kind of "technology" prospering and being rated better and better on independent tests (-compromises, -false positives), when others seem to be dropping the ball lately.

  • Hello Ricardo,

    it is not inappropriate to discuss these questions or to point out that others may be or are ahead of Sophos. I'm not defending Sophos and not belittling other technologies.

    independent tests

    I must admit I've given up intense reading of (online and paper) magazines, blogs, reviews, tests and so on. In part because I just don't have the time, in part because it is of no relevance due to the ancillary conditions and not least because test results have to be taken with (sometimes more than) a grain of salt (I have personal experience with an, admittedly small, number of tests - by reputable institutions - that were plain wrong because what has allegedly been tested wasn't possible or implemented at all - seriously. The emperor's new clothes).

    The problem with many tests - as useful and significant in certain aspects they are - is that they are either a snapshot (i.e. not taking long term effects into account) or some results are already outdated or meaningless when the test is finished (take, e.g. a printer: it's nice to know that model X from vendor Y has a tested life expectancy of five years - only it has been discontinued two years ago).

    Reputation (based on age and prevalence) - as enticing as the concept is - is just one other piece of information. Given the fingerprint is taken correctly (which I assume) it is a means to verify a (widely known) file's legitimacy. But then, a file is not an independent entity. A "reputable" program used with the wrong version of a "reputable" DLL might be exploitable. If you don't take this into account and abstain from monitoring the reputable program you'll miss the behaviour which otherwise would have been detected. The devil's in the detail.

    low rep apps cannot write to non user directories

    Now this might be useful for "home" installations but I fail to see its merit in a corporate environment. You just don't install arbitrary apps. Of course, a specific application might be vulnerable to attacks and allow an attacker to escape the user context - but then it's not a question of reputation whether this action should be permitted or not.

    -compromises, -false positives

    Can't seriously comment on it without details and numbers. One should not forget that risk is about probability and impact. Dunno the nature of the compromises you are referring to, false negatives should naturally be as close to zero as possible. False positives - as annoying as they can be - are another thing. False positives should of course not cause permanent damage but bringing them down below a certain threshold will cause false negatives to rise.

    Detection is just one (although perhaps the most important) aspect of a product. Other factors might offset superior detection rates - they might not even come into effect in your environment because your "exposure profile" differs from that assumed in the tests.

    Sorry for the lengthy rant - I still don't know whether you are already a customer and considering switching, a new customer unhappy with the decision or shopping for a solution and comparing features :-).

    Christian

  • Hi

    Actually I am a customer. I am a bit unhappy with the extra features (firewall that lacks network IPS and does an allow-all when using 3G cards; app control with a very low number of apps [is Sophos really planning to classify all the games in the world?] and that does not allow me to add applications I know, no default deny, etc.; device control that does not prevent users from running code from USB drives, and does not let me add more devices than Sophos thinks are required, no per-user or per-admin overrides, etc.), to the point I find them worthless and don't use them at all. But I don't have a solid opinion about the AV performance.

    And am trying to get some baseline on what to expect from the product.

    * Tests

    SOPHOS, on Oct 2012, gave a thumbs up to the way Dennis Labs was doing their "real world" tests.

       http://nakedsecurity.sophos.com/2012/10/18/comparative-anti-malware-tests-the-right-way-to-do-them/

    At the time, SOPHOS was rated quite good, so I do understand they agreed with the methodology and were vocal about it.

    Fast forward to March 2013, and you can see that SOPHOS is now listed on the "real world" tests quite poorly. Very high number of compromises and false positives.

      http://www.dennistechnologylabs.com/reports/s/a-m/2013/DTL_2013_Q1_SMB.1.pdf

    * Reputation

    When I speak of "low rep apps", I'm meaning executables and code users download from the internet and run. Unfortunately the Application Control feature does not enable me to create a Default Deny policy, and has quite a poor number of applications listed. So, nothing prevents users from downloading stuff from the internet, and running it. Reputation Based rules, like the ones I gave an example of, will limit the damage malicious not-reputable code can do on the machine.

    I can give you another example of how this would be used. I have a new version of a software that I know is good, and is even signed by a trusted provider. SOPHOS HIPS somehow considers the software to be suspicious and just blocks it. Instead, it could limit the rights of the application and let it run, and could even raise the reputation index because of it being signed by a trusted provider, and give it more rights. Even better, let the admin decide what to do.

    This is something a known russian company does.

    (Sorry for the first paragraph rant btw.)

    Regards,

    Ricardo

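Ricardo's two posts above (the earlier "low rep apps cannot write to non user directories" rule and the later point that a trusted signature, or an explicit admin decision, should raise an application's reputation and widen its rights) describe a policy that is easy to state and slightly harder to enforce correctly, because the interesting part is deciding whether a write target really lies inside the user's profile. The block below is an added illustration, not a description of any vendor's product; the tiers, the policy table, the Windows paths and the profile directory are assumptions made for the example.

```python
"""Reputation-conditioned write restriction.  Constructed example: the
tiers, policy table and paths are made up, not any vendor's rules."""
import ntpath
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    LOW = 0      # unsigned and not widely seen: runs, but confined
    MEDIUM = 1   # signed by a trusted provider OR already widely seen
    HIGH = 2     # both, or an explicit admin decision


@dataclass(frozen=True)
class FileFacts:
    signed_by_trusted: bool                # signature chains to a trusted publisher
    established: bool                      # age/prevalence quorum already met
    admin_override: Optional[Tier] = None  # "let the admin decide"


def reputation_tier(f: FileFacts) -> Tier:
    if f.admin_override is not None:
        return f.admin_override
    if f.signed_by_trusted and f.established:
        return Tier.HIGH
    if f.signed_by_trusted or f.established:
        return Tier.MEDIUM
    return Tier.LOW


def under(path: str, root: str) -> bool:
    """True if path lies inside root after normalisation.  Uses Windows path
    rules (ntpath) so it runs on any platform: normpath collapses '..',
    normcase folds case and forward slashes, and the separator appended to
    root stops the profile of user 'bob' matching that of user 'bobby'."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return p == r or p.startswith(r + "\\")


@dataclass(frozen=True)
class Policy:
    confine_writes_to_profile: bool   # only the user's own profile is writable
    hips_sensitivity: str             # "aggressive" or "normal"


def policy_for(tier: Tier) -> Policy:
    # Hypothetical mapping from tier to rights, in the spirit of the posts above.
    if tier is Tier.LOW:
        return Policy(confine_writes_to_profile=True, hips_sensitivity="aggressive")
    if tier is Tier.MEDIUM:
        return Policy(confine_writes_to_profile=False, hips_sensitivity="aggressive")
    return Policy(confine_writes_to_profile=False, hips_sensitivity="normal")


def write_allowed(f: FileFacts, target: str, user_profile: str) -> bool:
    """Would a write by this application to `target` be permitted?"""
    pol = policy_for(reputation_tier(f))
    if not pol.confine_writes_to_profile:
        return True
    return under(target, user_profile)


if __name__ == "__main__":
    profile = r"C:\Users\bob"
    unknown = FileFacts(signed_by_trusted=False, established=False)
    for target in (r"C:\Users\bob\AppData\Local\Temp\out.bin",
                   r"C:\Users\bob\..\..\Windows\System32\helper.dll",
                   r"C:\Users\bobby\out.bin"):
        verdict = "allow" if write_allowed(unknown, target, profile) else "deny"
        print(f"{verdict:5s} {target}")
```

The two cases worth checking in any such implementation are the traversal (`..` walking out of the profile into `System32`) and the prefix trap (`C:\Users\bobby` starting with the string `C:\Users\bob`); both are handled by normalising first and comparing against the root with its trailing separator.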
  • Hello Ricardo,

    should have remembered your post about SCF and 3G modems :-)

    Looks like Sophos is just not right for you as you have many gripes in different areas (and you seem to be more than a bit unhappy). You want a lot of things and if you are the only one responsible for all this - my sympathy, seriously. We could discuss the various details but that won't help you.

     Each vendor has a certain strategy, with the company and the products, and a "culture". This influences the decision on target groups, portfolio and, last but not least, product design and development. From what you need and your expectations and what I know of SESC (or Sophos in general - see the motto Security made simple) you're not a good fit. 

    Oh, thanks for the link - and, no offence meant

    Christian

  • No offense taken.

    Actually the product will fit what I need, because I do get more than just the AV (most notably, the mobile control features), already have a UTM at the edge and can only license per-user (only SOPHOS does this). That does not prevent me from being critical of some aspects, and from requesting more information to know the product better.

    Security Made Simple does not imply that SOPHOS has to babysit each one of us. Why are we not trusted to define our own groups for DLP, or our own application fingerprints or certificates for applications we know? A high false positive ratio is not easy, it's a nightmare. Not being able to block a certain app we see people using is easy, but makes the feature pointless.

    The problem I have with the AV is that it looks like SOPHOS's way of working is to try to map everything bad on their own, be it DLP content, apps, device types or malware. That does not seem to scale very well to the current dynamic threat and device landscape.

    I wonder if there is anything planned (major release) for this year that somehow improves on this, and how SOPHOS is dealing with server side polymorphism and APTs, other than "mapping the bad".

    From your comments, I'm worried it will be even more dumbed down for easiness.
