Heuristic virus scanning in virtual email appliance?

Hello, I would like to know whether the Sophos Virtual Email Appliance does heuristic scanning for malware threats. I don't see any option to configure this in the console.

Thanks,

Ren

  • Hello Ren,

    heuristic scanning or just pattern matching

    which AV does still solely pattern matching (if by pattern you mean certain bit/byte sequences - not necessarily continuous though)? Scanning is not what it used to be.

    speed vs performance

    There's no Gold Standard, but generally one doesn't want malware to get through. I understand aggressive as aiming for a low false negative rate, which is not the same as accuracy. It's the latter which usually requires deeper scanning and therefore more resources.

    Can't answer in more detail right now, have to hurry (and anyway I'm not an appliance expert or an expert at all); you might want to read these Notes from SophosLabs.

    [Edit: adding more details]

    Revisiting aggressive: Of course a low FNR alone is nonsense and useless; you want a low FPR as well. Still, you don't want to miss any positive samples (i.e. actual malware). Thus the scanning effort is bounded below by the requirement to detect all malware. Now we know this is not only impossible but also infeasible, as the effort is bounded above. For optimum performance you'd try to identify positives first and then, with "deeper" scanning, weed out the false positives. Sophos (I am not Sophos BTW) won't give you an option which will reduce the sensitivity (true positive rate), and you could only trade fewer false positives off for higher speed. Better throughput but more rejected/discarded mails - is this what you have in mind?

    mass-mailing worms?

    you mean the actual replicating code? Or that there's an ongoing mass-mailing to your site?

    packers?

    yes, and self-decryption (not to be confused with encrypted attachments) and polymorphism as well

    infected macros?

    yes, executable code in general (please see for example Zero-day Windows exploit ... or Anatomy of a poisoned image)

    compressed files?

    yes, please note there are also the Unscannable and Suspect attachment categories

    spyware/grayware?

    gray is gray :smileyhappy:, please see Spyware and Adware for what is considered malicious and what not

    The appliance is not the miracle cure and not a replacement for endpoint security. The AV Policy is just one step in the message flow; it has to be effective and efficient. Any "tuning" could have an adverse result when the environment (i.e. the amount and/or type of incoming messages) suddenly changes.

    Christian

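A constructed two-stage model of the cascade Christian describes (a cheap, aggressive pass first, a deeper scan only on what it flags), added here as an illustration and not code from the thread or from Sophos; the message set, the stage behaviour and the relative cost figures are assumed numbers:

```python
# Cascade scanning model ("identify positives first, then weed out the false positives").
# Added illustration only: the messages, stage behaviour and cost figures are constructed
# numbers, not the Sophos appliance's scanner or its real metrics.
from dataclasses import dataclass
from typing import Callable, Sequence

@dataclass(frozen=True)
class Message:
    name: str
    is_malware: bool        # ground truth (constructed label)
    looks_suspicious: bool  # what a cheap pattern/heuristic pass would flag

@dataclass(frozen=True)
class Stage:
    cost: float                       # relative resource units per message scanned
    flags: Callable[[Message], bool]  # True = keep treating the message as positive

# Constructed sample: six clean messages (two of them look suspicious) and two malware.
MESSAGES = [
    Message("invoice.pdf", False, False), Message("report.docx", False, False),
    Message("photo.jpg", False, False), Message("newsletter.html", False, False),
    Message("macro-heavy.xlsm", False, True),  # benign but macro-laden
    Message("archive.zip", False, True),       # benign but compressed
    Message("dropper.exe", True, True), Message("poisoned.doc", True, True),
]
# Stage 1: cheap and aggressive (low FNR, but it flags packed/compressed benign files too).
# Stage 2: deep scan (unpacking/emulation) that resolves the truth, at 20x the cost.
FAST = Stage(1.0, lambda m: m.looks_suspicious)
DEEP = Stage(20.0, lambda m: m.is_malware)
# Environment change: a burst of benign archives pushes nearly everything into the deep stage.
BURST = [Message(f"bulk{i}.zip", False, True) for i in range(8)] + MESSAGES

def run_cascade(msgs: Sequence[Message], stages: Sequence[Stage]) -> dict:
    """Scan each message through the stages in order; it leaves the cascade as soon as a
    stage clears it. Returns sensitivity (TPR), false positive rate (FPR) and mean cost."""
    tp = fp = 0
    cost = 0.0
    for m in msgs:
        positive = True
        for st in stages:
            cost += st.cost
            positive = st.flags(m)
            if not positive:
                break  # cleared: the deeper, more expensive stage is never reached
        tp += positive and m.is_malware
        fp += positive and not m.is_malware
    malware = sum(m.is_malware for m in msgs)
    return {"tpr": tp / malware, "fpr": fp / (len(msgs) - malware), "cost": cost / len(msgs)}
```

`run_cascade(MESSAGES, [FAST])` gives TPR 1.0 at FPR 1/3 for a mean cost of 1; adding DEEP keeps TPR 1.0 and drops FPR to 0 at mean cost 11, and on BURST the same cascade costs 16, close to the deep-only 20, which is the "environment suddenly changes" effect in numbers.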