
Re. Sophos and VirusTotal

Invariably, whenever I check a site in VirusTotal, Sophos always shows the site as "unrated." What's up with that? Should this make me question the usefulness of the WebProtection/WebIntelligence feature?

Here's one example of many, for https://www.spyresoft.com/

www.virustotal.com/.../



  • Hi,

    I would take the results of that with a pinch of salt.  I've just tried google.com

    Malekal suggested it was a malware site. It was also unrated by Sophos, maybe the site doesn't actually use Sophos?

    Looking at the SXL lookup by Sophos when accessing the site you mention I see the request and response:

    GET /V3/01/jjj.fclerfbsg.pbz.w/ HTTP/1.1
    User-Agent: SXL/3.1
    Host: http.00.a.sophosxl.net
    Accept: */*
    Connection: Keep-Alive

    HTTP/1.1 200 OK
    Content-Length: 11

    w u h 8 0

    So it is classified.

    Web protection also includes the sub-feature download scanning which scans files before being rendered by the browser.  So less about site classification.

    Using the UTM also shows the site is classified so Sophos does have data on the site.

    Hope it helps.

  • You say that perhaps VT doesn't actually use Sophos. In that case, why would Sophos even be listed? For example, Intego isn't listed at all. Since, without fail, Sophos always appears as "unrated," why is VT even bothering to list it? I think it would be useful to know what Sophos thinks of a site, and whether or not it's been checked out--and when. Would it be possible for someone at the Sophos end to get this hooked up with VT, so the Sophos rating shows?

    Also, can you please explain how you were able to determine that the URL I gave above is in the Sophos database? I don't understand what you posted. I'd like to be able to see that for myself, not just assume that Sophos is on the job with any particular site.

  • Hello,

    The screenshot is of the web UI of the Sophos UTM. The Sophos Web Appliance also has similar functionality. They both allow you to check the classification of a site.

    In terms of the endpoint software, it performs what are called SXL lookups to the Sophos infrastructure to classify sites.

    The example output given is from Wireshark, examining a single lookup.

    For example:
    If I navigate to the Sophos test page:
    www.sophostest.com/malware
    which is detected as Mal/HTMLGen-A. The corresponding SXL lookup is as follows:

    ===
    GET /V3/01/1.znyjner.jjj.fbcubfgrfg.pbz.w/ HTTP/1.1
    User-Agent: SXL/3.1
    Host: http.00.a.sophosxl.net
    Accept: */*
    Connection: Keep-Alive
    ===
    ===
    HTTP/1.1 200 OK
    Content-Length: 28

    w h p 13 100 Mal/HTMLGen-A
    ===
    Note the name returned in the response.

    As another example:
    www.sophostest.com/.../index.html
    is classified as Adult or Sexually Explicit (category 01). The lookup for that would be:

    ===
    GET /V3/01/1.nqhyg-2svaqrkk-2rugzy.jjj.fbcubfgrfg.pbz.w/ HTTP/1.1
    User-Agent: SXL/3.1
    Host: http.00.a.sophosxl.net
    Accept: */*
    Connection: Keep-Alive
    ===
    ===
    HTTP/1.1 200 OK
    Content-Length: 14

    w l p 01 384
    ===
    Note the 01 in the response is the category.

    Hope this helps you start your own investigations.
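As an added example (not code from this thread, from Sophos, or from VirusTotal), here is a small Python decoder for the SXL/3.1 request paths and response bodies quoted above, so a lookup seen in a Wireshark capture can be read off directly. Everything it assumes about the format (ROT13 of the host, `-2f`/`-2e` escaping of `/` and `.` in the page path, the opaque leading `1.` and trailing `.j`, and which response fields carry the category and detection name) is inferred from the three captures in this thread, not from a published specification.

```python
import codecs
import re

# Constructed sample: the three request/response pairs quoted in this thread.
SAMPLE_LOOKUPS = [
    ("/V3/01/jjj.fclerfbsg.pbz.w/", "w u h 8 0"),
    ("/V3/01/1.znyjner.jjj.fbcubfgrfg.pbz.w/", "w h p 13 100 Mal/HTMLGen-A"),
    ("/V3/01/1.nqhyg-2svaqrkk-2rugzy.jjj.fbcubfgrfg.pbz.w/", "w l p 01 384"),
]


def decode_sxl_path(path):
    """Recover the looked-up URL from an SXL/3.1 GET path.

    Inferred from the captures above (assumption, not a spec): the token after
    /V3/01/ is ROT13 of "[N.page.]host.j", where the optional page path has
    '/' and '.' escaped as -2f / -2e *before* ROT13 (hence "-2s" on the wire).
    The leading "N." and trailing ".j" appear in every capture; both are
    stripped here as opaque markers.
    """
    m = re.fullmatch(r"/V3/\d+/(.+)/", path)
    if not m:
        raise ValueError("not an SXL V3 lookup path: %r" % path)
    token = codecs.decode(m.group(1), "rot13")
    if token.endswith(".j"):
        token = token[:-2]
    page = ""
    lead = re.match(r"\d+\.([^.]+)\.", token)
    if lead:
        # Undo the -XX hex escapes in the page label (e.g. -2f -> '/').
        page = re.sub(r"-([0-9a-f]{2})",
                      lambda e: chr(int(e.group(1), 16)), lead.group(1))
        token = token[lead.end():]
    return token + ("/" + page if page else "")


def parse_sxl_response(body):
    """Split an SXL response body into the fields this thread identifies.

    Only two positions are explained in the thread: the fourth field is the
    site category (01 = Adult or Sexually Explicit) and, when present, the
    sixth field is the detection name (Mal/HTMLGen-A).  The other fields are
    returned raw; their meaning is not given in the thread.
    """
    fields = body.split()
    if len(fields) < 5:
        raise ValueError("unexpected SXL response body: %r" % body)
    return {"category": fields[3],
            "detection": fields[5] if len(fields) > 5 else None,
            "raw": fields}


if __name__ == "__main__":
    for req_path, resp_body in SAMPLE_LOOKUPS:
        info = parse_sxl_response(resp_body)
        print(decode_sxl_path(req_path), info["category"], info["detection"])
```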
  • Thanks for the information, but no idea where to go or what to do to check a site in UTM. Besides that, what still remains to be explained is why VirusTotal lists Sophos, and invariably Sophos shows as "unrated." Who's responsible for that, Sophos or VT?

  • Thanks, but no idea what to do or where to go to check a site's classification in UTM. Besides that, what has never been explained or responded to is why VirusTotal shows Sophos, but invariably Sophos shows as "unrated" for any site.
  • You'd need a UTM or access to one. You can install one for free:
    www.sophos.com/.../sophos-utm-home-edition.aspx

    Regarding VirusTotal, you might be best to contact them:
    www.virustotal.com/.../
  • Pardon my cynicism, which may be unwarranted, but while I have seen a number of them from Firefox and WOT over the years, I have never, ever seen a notice from Sophos about having visited a dangerous site.

  • One more thing. What's supposed to happen if one hits a site flagged by Sophos as dangerous? Some kind of warning popup? I've never come across anything.

  • The alert mechanism depends on the OS and, to some degree, on how the blocked content is delivered. You should get a toast message on Windows 8+, for example, if it's content served over HTTPS; on earlier OS versions it's a balloon message. If it's over HTTP then you should see a replacement page in the browser.

    Does this test page show anything:

    or

    Maybe Web Protection is broken on your computer?

    I'm currently running the Home version - home.sophos.com.  In which case when visiting the first link I get:



  • Yeah, I get that from the test URL. But strange that I've never seen that, while I have, over the years, gotten blocked or warning notices from Firefox and WOT. Maybe the trigger for the Sophos blocking is set higher? Needs the presence of some specific, currently active, malware? If VT, Google Safe Browsing or Quttera show something, I usually stay away, or don't allow (re. what scripts to allow in NoScript.)