
File Reputation "Insight"?

Hi there,

Does "Live Protection" work like a very fast way to distribute signatures, or like a reputation database?

Does SOPHOS have any comparable "reputation system" like Insight?

Is there anything like it on a near-term roadmap?

Thanks

  • Hello Ricardo,

    it is not inappropriate to discuss these questions or to point out that others may be or are ahead of Sophos. I'm not defending Sophos and not belittling other technologies.

    independent tests

    I must admit I've given up intense reading of (online and paper) magazines, blogs, reviews, tests and so on. In part because I just don't have the time, in part because it is of no relevance due to the ancillary conditions and not least because test results have to be taken with (sometimes more than) a grain of salt (I have personal experience with an, admittedly small, number of tests - by reputable institutions - that were plain wrong because what has allegedly been tested wasn't possible or implemented at all - seriously. The emperor's new clothes).

    The problem with many tests - as useful and significant in certain aspects they are - is that they are either a snapshot (i.e. not taking long term effects into account) or some results are already outdated or meaningless when the test is finished (take, e.g. a printer: it's nice to know that model X from vendor Y has a tested life expectancy of five years - only it has been discontinued two years ago).

    Reputation (based on age and prevalence) - as enticing as the concept is - is just one other piece of information. Given the fingerprint is taken correctly (which I assume) it is a means to verify a (widely known) file's legitimacy. But then, a file is not an independent entity. A "reputable" program used with the wrong version of a "reputable" DLL might be exploitable. If you don't take this into account and abstain from monitoring the reputable program you'll miss the behaviour which otherwise would have been detected. The devil's in the detail.

    low rep apps cannot write to non user directories

    Now this might be useful for "home" installations but I fail to see its merit in a corporate environment. You just don't install arbitrary apps. Of course, a specific application might be vulnerable to attacks and allow an attacker to escape the user context - but then it's not a question of reputation whether this action should be permitted or not.

    -compromises, -false positives

    Can't seriously comment on it without details and numbers. One should not forget that risk is about probability and impact. Dunno the nature of the compromises you are referring to; false negatives should naturally be as close to zero as possible. False positives - as annoying as they can be - are another thing. False positives should of course not cause permanent damage, but bringing them down below a certain threshold will cause false negatives to rise.

    Detection is just one (although perhaps the most important) aspect of a product. Other factors might offset superior detection rates - they might not even come into effect in your environment because your "exposure profile" differs from that assumed in the tests.

    Sorry for the longsome rant - I still don't know whether you are already a customer and considering switching, a new customer unhappy with the decision, or shopping for a solution and comparing features :smileyhappy:.

    Christian

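Christian's point that a file is not an independent entity, as an added example that is not from the thread, from Sophos or from any vendor's product: a toy reputation score built from age and prevalence, evaluated for every module in a process image rather than only for the main executable, so that a reputable program loading a rarely seen DLL version keeps its behaviour monitoring. The file names, dates, counts and the threshold are constructed assumptions.

```python
"""Added example (not from the thread): file reputation from age and
prevalence, evaluated per loaded module, not just for the main executable.
All hashes, dates and counts below are constructed sample data."""
import hashlib
from datetime import date

TODAY = date(2011, 6, 1)  # constructed reference date for the age calculation


def sha256_of(data: bytes) -> str:
    """Fingerprint of the file content; reputation is looked up by this digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed reputation records: sha256 -> (first_seen, prevalence).
# In a real product these would come from a vendor cloud lookup.
REPUTATION = {
    sha256_of(b"editor.exe v4.2 (constructed)"): (date(2009, 1, 15), 250_000),
    sha256_of(b"render.dll v1.0 (constructed)"): (date(2009, 1, 15), 240_000),
    sha256_of(b"render.dll v0.9 (constructed)"): (date(2011, 5, 30), 3),
}


def reputation_score(digest: str) -> float:
    """0.0 (unknown) .. 1.0 (old and widespread). Age and prevalence are
    combined multiplicatively, so a freshly seen file never scores high
    however many times it has been seen in the last days."""
    rec = REPUTATION.get(digest)
    if rec is None:
        return 0.0
    first_seen, prevalence = rec
    age_factor = min((TODAY - first_seen).days / 365.0, 1.0)
    prevalence_factor = min(prevalence / 100_000.0, 1.0)
    return age_factor * prevalence_factor


def assess_process(exe: bytes, modules: list[bytes], threshold: float = 0.8) -> dict:
    """Decide over the whole process image: the weakest module's reputation
    determines whether behaviour monitoring stays switched on, so a trusted
    executable cannot 'vouch' for an unknown or rare DLL it has loaded."""
    scores = {"exe": reputation_score(sha256_of(exe))}
    for i, module in enumerate(modules):
        scores[f"module{i}"] = reputation_score(sha256_of(module))
    weakest = min(scores.values())
    return {"scores": scores, "weakest": weakest, "monitor": weakest < threshold}
```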