This article provides information on Sophos Download Reputation feature with a series of frequently asked questions for further information.
Applies to the following Sophos product(s) and version(s) Sophos Cloud Managed Server 1.3.0Sophos Cloud Managed EndpointSophos Endpoint Security and Control 10.6.3Enterprise Console 5.4.0
Download Reputation allows for a check to be performed against files as they are downloaded; this is done in order to determine the reputation of the file. The reputation is determined by performing a lookup from the endpoint against data created by SophosLabs. A more detailed explanation can be found in article 121319.
Reputation is determined by a file checksum lookup – the checksum is matched against known files and their reputations.
Download reputation uses SXL4 (HTTPS). This is used for both scheduled scans and live download lookups.
When downloading a file, an alert will be displayed to the user informing them that the file has a low reputation.
Checks will only be performed against files downloaded through browsers. However, downloads in Firefox are NOT checked. The technology required for this feature has recently been removed from Firefox and we are monitoring to see if an alternative will be implemented by Firefox.
File checksum information will be uploaded to Sophos in order to help maintain a large repository/database that future downloads can be checked against. However, no alerts or reputation checks are actionable during a scheduled scan.
Initially, yes. The lookups will be performed via HTTPS (not DNS), but the large increase in SXL lookups will only occur once. A cache will be produced on the endpoint to keep a list of which file checksums have already been sent to Sophos. The next time the scheduled scan runs, all information that was already sent in previous scans will be skipped.
For most systems, the cache is likely to be quite small. The maximum size is set to 200MB.
The cache is set so that older entries will be removed to make way for new entries.
A timeout period is used. If no connection/response to the SXL server can be made in this time, the product will stop waiting.
If the timeout is reached, then the product fails to open, which means the file download will be permitted without any prompts/alerts.
All downloaded files will be quickly checked to determine the file type. If the file matches the file types we are interested in (currently, only executables /.exe) then we will perform a full reputation lookup.
Reputation can be based on the URL that the file is downloaded from (eg. Sophos.com has a good reputation). A lookup will be performed against the URL.
This would not be flagged as a file with low reputation; The file checksums would match, which means the file itself is known to be good.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.