Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 15 subscribers
  • Views 1600 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL/TLS decryption - Downloads

Axnfell

I am pleased this feature now exists in Intercept-X

We see one of the main attack vectors as follows:

  • User receives phishing e-mail or a macro-enabled attachment.
  • User clicks through warnings and executes the macro-enabled attachment. Or, they're tricked into a download.
  • It downloads an executable or payload etc, etc.

While we can block Downloads in a Web Control policy (particularly exe, DLL, etc) - it would never prevent Downloads through HTTPS connections.

Now we have the capability:

  • Given my use case above, is it possible to implement a policy on the endpoint that prevents users from downloading executables or potentially malicious payloads (i.e. Beacons)
  • If so, how do we avoid legitimate downloads (i.e. Microsoft Updates, Adobe, etc) - or do we simply have to whitelist wildcard domains?

I appreciate we can do this at the firewall level with SSL-inspection.

Ideas welcomed.

Thanks



This thread was automatically locked due to age.
  • 0

    Hello Axnfell, 

    Thank you for reaching out to the Sophos Community Forum. 

    It sounds like you have already made changes to the Endpoint Web Control policy for "Risky File Types". Are you looking to block certain file types using configurations on the firewall? 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to Qoosh

    Simply put - we want to prevent drive by downloads or high risk file types, as you indicated.

    Prior to SSL support, this was pointless. Risky download protection only worked for HTTP, and most malicious actors would use HTTPS

    Now SSL is supported, if we implement these policies, will we hit upon many false positives? Mainly

    - O365 updates, Windows Updates, Sophos updates etc.

    Does Sophos already have global exclusions for these?

    Also, does the endpoint agent identify the file type based on payload or just extension?

  • 0

    Download reputation should help with this as well from the browser route in.

  • 0 in reply to Administrator User540

    Good point. 
    Downloads triggered through Powershell or VBS are my primary concern. We have Sophos, Umbrella and SSL inspection in (some) sites - but this would be a useful control.

  • 0 in reply to Axnfell

    Network threat protection would block the request for the file from say a non browser process like cscript/wscript/Powershell.exe, etc.

    It would require Sophos Labs to have classified the IP or domain as hosting malicious content. This is your c2 type detection.

    If it does bring down the payload. The AMSI component would see the script at this point for processes that pull in the AMSI dll like Powershell, cscript, wscript. If it was written to disk it would be scanned also. 

    Behavioural would also have a run at it post execution.  There are many layers.

Unfiltered HTML