
AV signature

What comprises an anti-virus signature? Is it the hash, the content, or something else?

Thanks

Steve.

  • Hello Steve,

    Not sure what exactly you want to know (and why).
    Not a hash, as it would be necessary to obtain a particular incarnation of a threat before it'd be possible to protect against it. It'd be far too easy for malware writers to create "unknown variants" by simply changing bits in a dead (meaning: not part of the code) area. Also not (solely) content in the sense of String or RegEx.
    Signatures are intrinsically tied to the scanner and its strategy and are normally not self-contained entities, think of them as end-nodes in a decision tree.

    Christian

  • Hi Christian

    Thanks for the response. I am new to the Cloud Sandboxing concept and I had heard about hash vs. content-based signatures.

    So I was just curious to know how Sandstorm delivers the signatures and at what frequency.

    There are some vendors claiming to send updates at intervals in the range of 2-7 minutes.

    Thanks

    Steve

  • Really, Steve, the way Sandstorm works, it's not important to the end users how long it takes for the UTMs to be updated. If the signature matches known-safe or known-malicious, the file doesn't get sent to Sandstorm. If it's unknown to the UTM, off it goes.

    At one point, I guessed that there might be a local copy of the signatures, but now I suspect that the calculated signature is sent to Sandstorm. In that case, the "update" time for new signatures would be instantaneous.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Steve (and Bob),

    I see, Sandstorm. Now the Endpoint products have something similar called Live Protection. A decision is locally cached; otherwise - as Bob said - "the Cloud" sends an instantaneous reply for known files. Actual updates of the static detection identities take their usual time.

    hash vs. content based
    As already mentioned, it wouldn't make much sense to base the query and decision on the file hash in its usual meaning. During scanning, tell-tale characteristics are extracted and analyzed and should in most cases lead to a bad or good decision. Though there might be "leftovers" (already "reduced" so that they ideally maintain enough characteristics to be designative but general enough to be representative for other files of that ilk) that at the moment seem inconsistent with either. AFAIK it's this extracted and reduced information that is used to build "the hash".

    Christian
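
An added illustration, not part of the thread and not Sophos code, of the point Christian makes in both replies: a hash "in its usual meaning" covers every byte, so a change in a dead area yields an "unknown variant", whereas extracted and reduced characteristics survive that change and a detection identity can be evaluated as a short decision tree over them. The `TOYX` container format, the feature rules, the identity name and the sample byte strings are all constructed for the example; a real scanner's strategy is far richer.

```python
"""Toy comparison of a whole-file hash with a signature built from reduced characteristics.
Everything here (format, features, identity, inputs) is constructed for illustration."""
import hashlib
import re
import struct

MAGIC = b"TOYX"  # constructed container: magic, len-prefixed code, len-prefixed strings, padding


def build_sample(code: bytes, strings: list, padding: bytes) -> bytes:
    """Assemble a toy file. The trailing padding is the 'dead area' a file hash still covers."""
    blob = b"\x00".join(strings)
    return (MAGIC + struct.pack("<I", len(code)) + code
            + struct.pack("<I", len(blob)) + blob + padding)


def parse_sample(data: bytes):
    """Return (code, strings). Bytes after the string blob are ignored by design."""
    if data[:4] != MAGIC:
        raise ValueError("not a TOYX file")
    off = 4
    (n,) = struct.unpack_from("<I", data, off)
    off += 4
    code = data[off:off + n]
    off += n
    (m,) = struct.unpack_from("<I", data, off)
    off += 4
    blob = data[off:off + m]
    return code, [s for s in blob.split(b"\x00") if s]


def file_hash(data: bytes) -> str:
    """The hash 'in its usual meaning': any byte, dead area included, changes it."""
    return hashlib.sha256(data).hexdigest()


def extract_features(data: bytes) -> set:
    """Extract tell-tale characteristics and reduce them.

    Strings: keep URLs, filesystem paths and API-looking names; drop the rest.
    Code: keep a deterministic ~1/4 sample of 3-byte n-grams (a crude sketch), so the
    result tolerates small edits yet stays tied to this particular code.
    """
    code, strings = parse_sample(data)
    feats = set()
    for s in strings:
        text = s.decode("ascii", "replace")
        if re.match(r"^(https?://|[A-Za-z]:\\|/)", text) or re.match(r"^[A-Z][A-Za-z0-9]{6,}$", text):
            feats.add("str:" + text)
    for i in range(len(code) - 2):
        gram = code[i:i + 3]
        if hashlib.sha256(gram).digest()[0] % 4 == 0:
            feats.add("code:" + gram.hex())
    return feats


def reduced_signature(data: bytes) -> str:
    """Hash over the reduced characteristics, i.e. 'the hash' built from extracted information."""
    return hashlib.sha256("\n".join(sorted(extract_features(data))).encode()).hexdigest()


# A detection identity as a tiny decision tree: an exact-feature check, then a prefix check.
TOY_IDENTITY = {
    "name": "Toy/DownloadAndRun-A",  # constructed name
    "all_of": {"str:URLDownloadToFileA"},
    "any_prefix": ("str:http://", "str:https://"),
}


def matches(data: bytes, identity: dict) -> bool:
    feats = extract_features(data)
    if not identity["all_of"] <= feats:
        return False
    return any(f.startswith(identity["any_prefix"]) for f in feats)


# Constructed inputs: arbitrary bytes standing in for code, plus small string tables.
CODE = bytes(range(0x40, 0x70))
STRINGS = [b"http://example.invalid/update.bin", b"URLDownloadToFileA", b"hello"]
SAMPLE = build_sample(CODE, STRINGS, b"\x00" * 32)
# Identical code and strings; one bit flipped in the dead area ("unknown variant" by hash only).
VARIANT = build_sample(CODE, STRINGS, b"\x00" * 31 + b"\x01")
BENIGN = build_sample(bytes(range(0x70, 0xA0)), [b"Hello, world", b"/usr/share/notes.txt"], b"\x00" * 32)

if __name__ == "__main__":
    print("file hash differs:      ", file_hash(SAMPLE) != file_hash(VARIANT))
    print("reduced signature same: ", reduced_signature(SAMPLE) == reduced_signature(VARIANT))
    print("identity hits (sample, variant, benign):",
          matches(SAMPLE, TOY_IDENTITY), matches(VARIANT, TOY_IDENTITY), matches(BENIGN, TOY_IDENTITY))
```

Run as a script, it reports that the whole-file hashes of `SAMPLE` and `VARIANT` differ while their reduced signatures are identical, and that the identity matches both but not `BENIGN`. The n-gram sampling rule is the simplest stand-in for the "reduced" leftovers Christian describes; the point is that the decision is made over extracted characteristics, not over the raw file.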
