Re. Sophos and VirusTotal

Hi,

I would take the results of that with a pinch of salt.  I've just tried google.com

Malekal suggested it was a malware site. It was also unrated by Sophos, maybe the site doesn't actually use Sophos?

Looking at the SXL lookup by Sophos when accessing the site you mention I see the request and response:

GET /V3/01/jjj.fclerfbsg.pbz.w/ HTTP/1.1

User-Agent: SXL/3.1

Host: http.00.a.sophosxl.net

Accept: */*

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 11

w u h 8 0

So it is classified.

Web protection also includes the sub-feature download scanning which scans files before being rendered by the browser.  So less about site classification.

Using the UTM also shows the site is classified so Sophos does have data on the site.

Hope it helps.

Hi,

I would take the results of that with a pinch of salt.  I've just tried google.com

Malekal suggested it was a malware site. It was also unrated by Sophos, maybe the site doesn't actually use Sophos?

Looking at the SXL lookup by Sophos when accessing the site you mention I see the request and response:

GET /V3/01/jjj.fclerfbsg.pbz.w/ HTTP/1.1

User-Agent: SXL/3.1

Host: http.00.a.sophosxl.net

Accept: */*

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 11

w u h 8 0

So it is classified.

Web protection also includes the sub-feature download scanning which scans files before being rendered by the browser.  So less about site classification.

Using the UTM also shows the site is classified so Sophos does have data on the site.

Hope it helps.

You say that perhaps VT doesn't actual use Sophos. In that case, why would Sophos even be listed? For example, Intego isn't listed at all. Since, without fail, Sophos always appears as "unrated," why is VT even bothering to list it? I think it would be useful to know what Sophos thinks of a site, and whether or not it's been checked out--and when. Would it be possible to someone at the Sophos end to get this hooked up with VT, so the Sophos rating shows?

Also, can you please explain how you were able to determine that the URL I gave above is in the Sophos database. Don't understand what you posted. I'd like to be able to see that that for myself, not just assume that Sophos is on the job with any particular site.

Thanks for the information, but no idea where to go or what to do to check a site in UTM. Besides that, what still remains to be explained is why VirusTotal lists Sophos, and invariably Sophos shows as "unrated." Who's responsible for that, Sophos or VT?

Pardon my cynicism, which may be unwarranted, while I have seen a number of them from Firefox and WOT over the years, I have never, ever seen a notice from Sophos about having visited a dangerous site.

On more thing. What's supposed to happen if one hits a site flagged by Sophos as dangerous? Some kind of warning popup? I've never come across anything.

The alert mechanism depends on OS and how the blocked content is delivered to some degree.  You should get a toast message on Windows 8+ for example if it's content served over HTTPS, otherwise on earlier OS it's a balloon message.  If it's over HTTP then you should see a replacement page in the browser.

Does this test page show anything:

or

Maybe Web Protection is broken on your computer?

I'm currently running the Home version - home.sophos.com.  In which case when visiting the first link I get:

Yeah, I get that from the test URL. But strange that I've never seen that, while I have, over the years, gotten blocked or warning notices from Firefox and WOT. Maybe the trigger for the Sophos blocking is set higher? Needs the presence of some specific, currently active, malware? If VT, Google Safe Browsing or Quttera show something, I usually stay away, or don't allow (re. what scripts to allow in NoScript.)