This article covers Malicious Traffic Detection (MTD) on Sophos Anti-Virus for Windows. For Central Managed Sophos Anti-Virus for Linux please see Central Managed Sophos Anti-Virus for Linux version 10 MTD functionality.
Some of the more complex malware includes communication to remote servers for further instructions/updates or to upload/download further files.
The Sophos Malicious Traffic Detection component monitors HTTP traffic for signs of connectivity to known bad URLs such as Command and Control servers. If such traffic is detected it is an early indicator that a new piece of malware may be present, and it can therefore aid in the detection and collection of samples so that SophosLabs can write specific detections.
All HTTP traffic from non-browser applications is checked.
Browser traffic is already monitored by the web protection component.
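The detection idea described above (non-browser HTTP traffic checked against a list of known bad hosts, browser traffic left to web protection) can be illustrated with a small added example. This is not Sophos code: the log format, the process names, the browser list and the known-bad host list are all constructed placeholders, and a real product would use live reputation look-ups rather than a static set.

```python
"""Added illustration of MTD-style detection logic (not Sophos code).

Each constructed record is 'process|url'. Requests from browser processes are
skipped (assumed covered by web protection); requests from any other process to
a host that is, or is a subdomain of, a known-bad host are reported.
"""
from urllib.parse import urlsplit

# Constructed: browser processes whose traffic is assumed covered by web protection
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed placeholder list of known-bad C2 hosts (".invalid" TLD is reserved)
KNOWN_BAD_HOSTS = {"c2.example.invalid", "beacon.example.invalid"}

# Constructed sample records standing in for intercepted HTTP requests
SAMPLE_LOG = """\
chrome.exe|http://c2.example.invalid/gate.php
svchost.exe|http://update.example.test/check
updater.exe|http://sub.c2.example.invalid/task?id=7
notepad.exe|http://BEACON.EXAMPLE.INVALID:8080/
explorer.exe|not a url
"""


def host_is_known_bad(host, bad_hosts=KNOWN_BAD_HOSTS):
    """True if host equals, or is a subdomain of, a known-bad host (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in bad_hosts)


def parse_record(line):
    """Split 'process|url' into (process, host); return None for malformed lines."""
    if "|" not in line:
        return None
    process, url = line.split("|", 1)
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # not an HTTP URL, nothing for this check to do
    return process.strip().lower(), parts.hostname  # hostname is already lowercased


def detect(log_text, browsers=BROWSER_PROCESSES, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (process, host) pairs for non-browser processes contacting known-bad hosts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        process, host = rec
        if process in browsers:
            continue  # browser traffic is the job of web protection, not MTD
        if host_is_known_bad(host, bad_hosts):
            hits.append((process, host))
    return hits


if __name__ == "__main__":
    for process, host in detect(SAMPLE_LOG):
        print(f"MTD-style detection: {process} -> {host}")
```

Note that the browser request to the bad host is deliberately not reported here, mirroring the division of labour the article describes; in a real deployment that request would be caught by web protection instead.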
Sophos Central Managed Windows Endpoint version 10.6 and above
Sophos Central Managed Server version 1.3.0 and above
Sophos Enterprise Console with managed computers running Sophos Endpoint Security and Control version 10.6.2 and above
Sophos Central Managed Linux Endpoint version 10
Sophos Central Managed Mac Endpoint version 9.7.4 and above (with Intercept X)
Note: Whilst Sophos Endpoint Security and Control 10.6.2 and above will install and report to any version of Sophos Enterprise Console, only version 5.3.0 supports the MTD functionality.
Applies from the following Sophos product(s) and version(s):
Sophos Endpoint Security and Control 10.8.4
Central Windows Endpoint 10.8.2
Sophos Central Managed Server 1.5.6
MTD will be enabled by default.
MTD will be disabled by default. To enable:
Traffic to command and control servers based on the URL that is being accessed.
We rely on WFP (Windows Filtering Platform). WFP is already used by web filtering and the firewall. It allows us to register hooks for certain network traffic, which we can then intercept.
No. When a detection is made, HIPS will attempt to end and clean up any processes seen to be communicating with a command and control server.
Yes. Exclusions can be made by adding the file (typically the file making the network call) or the folder you wish to exclude. Exclusions cannot be made based on the URL or on drives. For example, C:\ will be recognized as a folder exclusion, but C: will fail as it is classified as a drive exclusion.
Note: To check that any exclusions have been applied to the endpoint, inspect the following file:
C:\Programdata\Sophos\Sophos Network Threat Detection\Config\Policy.xml
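As an added check for the exclusion rules just described (this is not Sophos code and does not read Policy.xml), the following example classifies candidate exclusion entries before they are put into policy: a drive-rooted or UNC path is accepted as a file or folder, while a bare drive letter such as C: or a URL is rejected. It assumes a trailing backslash marks a folder and anything else marks a file; the sample entries are constructed.

```python
"""Added validator for candidate MTD exclusion entries (not Sophos code).

Rules taken from the article: file and folder paths are accepted; exclusions by
URL or by drive (e.g. "C:") are not. Treating a trailing backslash as "folder"
is an assumption made for this example.
"""
import re

_DRIVE_ONLY = re.compile(r"^[A-Za-z]:$")                         # "C:" -> drive exclusion
_URL = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)       # "http://..." -> URL
_WIN_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+)")   # "C:\..." or "\\srv\share..."

# Constructed sample entries an administrator might propose
SAMPLE_ENTRIES = [
    r"C:\ ".strip(),             # "C:\" -> folder exclusion (accepted)
    "C:",                        # bare drive -> rejected
    r"C:\Tools\updater.exe",     # file -> accepted
    "http://example.test/",      # URL -> rejected
    r"D:\Data\ ".strip(),        # "D:\Data\" -> folder -> accepted
    r"\\fileserver\share\app.exe",  # UNC file -> accepted
    r"relative\path",            # not rooted -> invalid
]


def classify_exclusion(entry):
    """Return 'file', 'folder', 'drive', 'url' or 'invalid' for one candidate entry."""
    entry = entry.strip()
    if _URL.match(entry):
        return "url"
    if _DRIVE_ONLY.match(entry):
        return "drive"
    if not _WIN_PATH.match(entry):
        return "invalid"
    return "folder" if entry.endswith("\\") else "file"


def validate_exclusions(entries):
    """Split candidates into accepted [(entry, kind)] and rejected [(entry, reason)]."""
    accepted, rejected = [], []
    for entry in entries:
        kind = classify_exclusion(entry)
        if kind in ("file", "folder"):
            accepted.append((entry, kind))
        else:
            rejected.append((entry, kind))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_exclusions(SAMPLE_ENTRIES)
    for entry, kind in ok:
        print(f"accept {entry!r} as {kind}")
    for entry, reason in bad:
        print(f"reject {entry!r}: {reason}")
```

Running the sample accepts C:\ as a folder exclusion and rejects C: as a drive exclusion, matching the behaviour the article describes; after applying the accepted entries, Policy.xml on the endpoint is still the place to confirm they arrived.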
No, only real-time look-ups are checked.
MTD keeps two log files that rotate when they reach their maximum size of 10 MB. The maximum size increases to 1 GB when any level of verbose logging is enabled.
C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\