This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos home premium scripts detection and type of technologies

Hi all, I know this is not the right forum but sophos home premium doesn't have a dedicated forum so since it is based on the same technologies as the endpoint version I will try to post here.

Two questions the first of which is probably silly.

1) Sophos home premium intercepts .jsp scripts within web pages and then blocks them if they are malicious?


2) Would it be possible to have a link to a document that illustrates all the technologies implemented for detection? (Machine learning, Deep learning or similar?).

Having the premium version and dealing with cyber security it would be very interesting to be able to explore the subject with something technical.
Thank you all.



This thread was automatically locked due to age.
Parents
  • Hello,

    To the best of my knowledge JSP is more of a server side technology to generate dynamic web pages that the client browser consumes. The collection of server hosted resources, such as JSON, HTML, JavaScript, CSS, are the things the browser processes into the browsing experience visiting a site.  These resources (Dev tools (F12) "Network" view will show you them being downloaded as the page is loaded) are scanned before hitting the browser both for control purposes and to prevent malicious content such as JavaScript being interpreted/downloaded by the browser.

    An Introduction to Machine Learning and Deep Learning | Sophos AI is 4 years old but gives you some general information about ML and Deep learning which you mentioned.

    Again, a little out of date - Sophos-Comprehensive-Exploit-Prevention-wpna.pdf provides some information on some of the exploit prevention, there are quite a few more now.

    The product uses servers in the cloud to classify things, be it files, for reputation, URLs for reputation, etc.. SXL4, is the Sophos name and current version for this infrastructure and protocol if you see that mentioned. 

    The endpoint has some local detection data and reputation data but has to reach out to SXL4 to be able to classify the vast array of things it can encounter and get the latest data/classifications in real-time rather than relying on a slower updating channel. That said, ML models, that are trained and tweaked for a while tend to be downloaded over the update channel and remain static for a while.

    The updating channel is used primarily for product versions and features, with some static identities such as application control.  Most of the data consumed by products these days is real-time and cloud based. The SSPService.exe is the process that makes the SXL lookups. 

    The there is behavioral rules, i.e. as a very simple example, process x copies itself to location y and creates a 'run' startup reg value to ensure it is started each time the user logs in for persistence.  Behavior that is unusual or has all the hallmarks of malicious could be blocked. The behavior mentioned is something many genuine applications do, so you need to consider the process that ran it, what reputation does it have, for example is it signed, what does the ML engine think about it.  It's really hard to differentiate the good and the bad sometimes and understand the intent of the software so you have to consider a number of things. Does process x reach out to a known "bad" server that SXL has a classification for, if so the Network Threat Protection component will add value.

    There are a lot of layers.  I hope this helps somewhat.

Reply
  • Hello,

    To the best of my knowledge JSP is more of a server side technology to generate dynamic web pages that the client browser consumes. The collection of server hosted resources, such as JSON, HTML, JavaScript, CSS, are the things the browser processes into the browsing experience visiting a site.  These resources (Dev tools (F12) "Network" view will show you them being downloaded as the page is loaded) are scanned before hitting the browser both for control purposes and to prevent malicious content such as JavaScript being interpreted/downloaded by the browser.

    An Introduction to Machine Learning and Deep Learning | Sophos AI is 4 years old but gives you some general information about ML and Deep learning which you mentioned.

    Again, a little out of date - Sophos-Comprehensive-Exploit-Prevention-wpna.pdf provides some information on some of the exploit prevention, there are quite a few more now.

    The product uses servers in the cloud to classify things, be it files, for reputation, URLs for reputation, etc.. SXL4, is the Sophos name and current version for this infrastructure and protocol if you see that mentioned. 

    The endpoint has some local detection data and reputation data but has to reach out to SXL4 to be able to classify the vast array of things it can encounter and get the latest data/classifications in real-time rather than relying on a slower updating channel. That said, ML models, that are trained and tweaked for a while tend to be downloaded over the update channel and remain static for a while.

    The updating channel is used primarily for product versions and features, with some static identities such as application control.  Most of the data consumed by products these days is real-time and cloud based. The SSPService.exe is the process that makes the SXL lookups. 

    The there is behavioral rules, i.e. as a very simple example, process x copies itself to location y and creates a 'run' startup reg value to ensure it is started each time the user logs in for persistence.  Behavior that is unusual or has all the hallmarks of malicious could be blocked. The behavior mentioned is something many genuine applications do, so you need to consider the process that ran it, what reputation does it have, for example is it signed, what does the ML engine think about it.  It's really hard to differentiate the good and the bad sometimes and understand the intent of the software so you have to consider a number of things. Does process x reach out to a known "bad" server that SXL has a classification for, if so the Network Threat Protection component will add value.

    There are a lot of layers.  I hope this helps somewhat.

Children