File Reputation "Insight"?

Hi there,

Does "Live Protection" work like a very fast way to distribute signatures, or like a reputation database?

Does SOPHOS have any comparable "reputation system" like Insight?

Is there anything like it on a near term roadmap?

Thanks

  • Hi

    Actually I am a customer. Am a bit unhappy with the extra features (firewall that lacks network IPS and does an allow all when using 3G cards; app control with very low number of apps [is Sophos really planning to classify all the games in the world?] and that does not allow me to add applications I know, no default deny, etc; device control that does not prevent users from running code from USB drives, and does not let me add more devices than Sophos thinks are required, no per-user or per-admin overrides, etc), to the point I find them worthless and don't use them altogether. But don't have a solid opinion about the AV performance.

    And am trying to get some baseline on what to expect from the product.

    * Tests

    SOPHOS, on Oct 2012, gave a thumbs up to the way Dennis Labs was doing their "real world" tests.

       http://nakedsecurity.sophos.com/2012/10/18/comparative-anti-malware-tests-the-right-way-to-do-them/

    At the time, SOPHOS was rated quite good, so I do understand they agreed with the methodology and were vocal about it.

    Fast forward to March 2013, and you can see that SOPHOS is now listed on the "real world" tests quite poorly. Very high number of compromises and false positives.

      http://www.dennistechnologylabs.com/reports/s/a-m/2013/DTL_2013_Q1_SMB.1.pdf

    * Reputation

    When I speak of "low rep apps", I'm meaning executables and code users download from the internet and run. Unfortunately the Application Control feature does not enable me to create a Default Deny policy, and has quite a poor number of applications listed. So, nothing prevents users from downloading stuff from the internet, and running it. Reputation Based rules, like the ones I gave an example of, will limit the damage malicious not-reputable code can do on the machine.

    I can give you another example of how this would be used. I have a new version of a software that I know is good, and is even signed by a trusted provider. SOPHOS HIPS somehow considers the software to be suspicious and just blocks it. Instead, it could limit the rights of the application and let it run, and could even raise the reputation index because of it being signed by a trusted provider, and give it more rights. Even better, let the admin decide what to do.

    This is something a known Russian company does.

    (Sorry for the first paragraph rant btw.)

    Regards,

    Ricardo
