This article describes Sophos Malicious Traffic Detection (MTD) and answers a series of frequently asked questions about it.
Applies to the following Sophos product(s) and version(s):
Sophos Cloud Managed Endpoint 10.6.0
Enterprise Console 5.3.0
Sophos Anti-Virus for Windows 2000+ 10.6.2
Sophos Cloud Managed Server 1.3.0
This article covers MTD on Sophos Anti-Virus for Windows. For Cloud Managed Sophos Anti-Virus for Linux, please see KBA 124433.
Some of the more complex malware communicates with remote servers to receive further instructions or updates, or to upload or download further files.
Sophos Malicious Traffic Detection (MTD) is a component that monitors HTTP traffic for signs of connectivity to known bad URLs, such as command and control (C2) servers. If such traffic is detected, it is an early indicator that a new piece of malware may be present on the computer, and it aids the detection and collection of samples so that SophosLabs can write specific detection for it.
What traffic is checked?
All HTTP traffic from non-browser applications is checked. Browser traffic is not covered by MTD because Sophos web protection already monitors it.
Which products support MTD?
Sophos Central Managed Windows Endpoint version 10.6 and above
Sophos Central Managed Server version 1.3.0 and above
Sophos Enterprise Console with managed computers running Sophos Endpoint Security and Control version 10.6.2 and above
Sophos Cloud Managed Linux Endpoint version 10 (see KBA 124433)
Note: Whilst Sophos Endpoint Security and Control 10.6.2 and above will install and report to any version of Sophos Enterprise Console, only Enterprise Console version 5.3.0 supports the MTD functionality.
What does MTD detect?
Traffic to command and control servers, based on the URL that is being accessed.
How does MTD work?
MTD relies on the Windows Filtering Platform (WFP), which is already used by web filtering and the Sophos firewall. WFP allows the component to register filters for particular network traffic, which it can then intercept and inspect.
Does MTD block network traffic?
No. MTD itself does not block the connection. When a detection is made, HIPS will attempt to terminate and clean up the process(es) seen communicating with a command and control server.
Can exclusions be made?
Yes. Exclusions can be made by adding the file (typically the file making the network call) or the folder you wish to exclude. Exclusions cannot be made based on a URL or on a drive. For example, 'C:\' will be recognized as a folder exclusion, but 'C:' will fail because it is classified as a drive exclusion.
Note: To check that exclusions have been applied to the endpoint, inspect the following file:
C:\Programdata\Sophos\Sophos Network Threat Detection\Config\Policy.xml
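The following PowerShell is an added example for the exclusion rules and the Policy.xml check above; it is not Sophos code and is not part of the original article. It classifies candidate exclusions the way the rules describe (file, folder, bare drive, URL) and then looks for the accepted ones in the local Policy.xml. The schema of Policy.xml is not documented here, so the check is a plain text search of the XML for the exclusion string rather than a query of specific elements; the Contoso paths, the function names and the search approach are assumptions made for the example.

```powershell
# Added example, not Sophos code. Assumes the Policy.xml location given in the
# article; its element names are unknown here, so exclusions are located by a
# case-insensitive text search of the file rather than by XPath.
$PolicyPath = 'C:\ProgramData\Sophos\Sophos Network Threat Detection\Config\Policy.xml'

function Get-MtdExclusionKind {
    # Classify an exclusion string using the rules from the article:
    # a bare drive letter ('C:') and a URL are not honoured; 'C:\' is a folder.
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -match '^[A-Za-z]:$')                 { return 'drive (unsupported)' }
    if ($Path -match '^[A-Za-z][A-Za-z0-9+.-]*://') { return 'url (unsupported)' }
    if ($Path.EndsWith('\'))                        { return 'folder' }
    return 'file'
}

function Test-MtdExclusionApplied {
    # Report whether an exclusion string is present in Policy.xml.
    param(
        [Parameter(Mandatory)][string]$Exclusion,
        [string]$Policy = $PolicyPath
    )
    $kind = Get-MtdExclusionKind -Path $Exclusion
    if (-not (Test-Path -LiteralPath $Policy)) {
        return [pscustomobject]@{ Exclusion = $Exclusion; Kind = $kind; Applied = $null; Note = "Policy.xml not found at $Policy" }
    }
    $xmlText = Get-Content -LiteralPath $Policy -Raw
    # The path may be stored XML-escaped (e.g. '&amp;'), so try both forms.
    $escaped = [System.Security.SecurityElement]::Escape($Exclusion)
    $found = ($xmlText.IndexOf($Exclusion, [StringComparison]::OrdinalIgnoreCase) -ge 0) -or
             ($xmlText.IndexOf($escaped, [StringComparison]::OrdinalIgnoreCase) -ge 0)
    [pscustomobject]@{ Exclusion = $Exclusion; Kind = $kind; Applied = $found; Note = '' }
}

# Constructed sample exclusions (hypothetical Contoso paths); the last two
# illustrate the forms MTD will not accept.
$candidates = @(
    'C:\Program Files\Contoso Updater\updater.exe'   # file exclusion
    'C:\ProgramData\Contoso\'                        # folder exclusion
    'C:\'                                            # folder exclusion covering the whole drive
    'C:'                                             # drive exclusion: rejected
    'https://updates.contoso.example/'               # URL exclusion: rejected
)

$results = foreach ($c in $candidates) {
    $kind = Get-MtdExclusionKind -Path $c
    if ($kind -like '*unsupported*') {
        Write-Warning "'$c' is a $kind exclusion and will not be honoured by MTD"
        continue
    }
    Test-MtdExclusionApplied -Exclusion $c
}
$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the endpoint after the policy has been pushed; an exclusion that shows `Applied = False` has either not reached the endpoint yet or was entered in a form the product rejected.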
No, only real-time look-ups are checked.
How large are the MTD logs?
MTD keeps two log files that rotate when they reach their maximum size of 10 MB. The maximum size increases to 1 GB when any level of verbose logging is enabled.
Where are the MTD logs located?
C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\
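The following PowerShell is an added example for the log location and rotation sizes above; it is not Sophos code and is not part of the original article. It lists every file in the MTD log directory with its size against the applicable cap, and tails the newest file. The log file names and their format are not documented here, so the script makes no assumption about them; whether verbose logging is enabled is not read from the product but passed as a switch, and the function names are the example's own.

```powershell
# Added example, not Sophos code. Assumes the log directory from the article
# and the rotation caps it states (10 MB normally, 1 GB with verbose logging).
$LogDir = 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\'

function Get-MtdLogStatus {
    # Size of each log file relative to the rotation cap currently in force.
    param(
        [string]$Directory = $LogDir,
        [switch]$VerboseLoggingEnabled   # set this when any verbose level is on
    )
    $capBytes = if ($VerboseLoggingEnabled) { 1GB } else { 10MB }
    if (-not (Test-Path -LiteralPath $Directory)) {
        throw "MTD log directory not found: $Directory"
    }
    Get-ChildItem -LiteralPath $Directory -File | ForEach-Object {
        [pscustomobject]@{
            Name         = $_.Name
            SizeMB       = [math]::Round($_.Length / 1MB, 2)
            PercentOfCap = [math]::Round(100 * $_.Length / $capBytes, 1)
            LastWrite    = $_.LastWriteTime
        }
    } | Sort-Object LastWrite -Descending
}

function Get-MtdRecentLogLines {
    # Last $Count lines of the most recently written log file.
    param([string]$Directory = $LogDir, [int]$Count = 20)
    $newest = Get-ChildItem -LiteralPath $Directory -File |
              Sort-Object LastWriteTime -Descending |
              Select-Object -First 1
    if ($null -eq $newest) { return @() }
    # -Tail reads only the end of the file, which matters once verbose
    # logging has let it grow towards the 1 GB cap.
    Get-Content -LiteralPath $newest.FullName -Tail $Count
}

Get-MtdLogStatus | Format-Table -AutoSize
Get-MtdRecentLogLines
```

Pass `-VerboseLoggingEnabled` to `Get-MtdLogStatus` when verbose logging is on so that the percentage is computed against the 1 GB cap rather than 10 MB.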