Automatic Scan of removable media

Hi,

Is there a way of automatically scanning removable media when attached to a PC? We had an outbreak of conficker a few months back (don't want to go through that again!) and are still getting the odd memory stick attached by teachers that has conficker on. I'd be a lot happier if all memory sticks/USB hard drives were fully scanned each time they were attached!

I am also trying to educate staff to ensure their home PCs are fully protected!

edit - useful info: we're running Enterprise Console 4 and Endpoint Security 9

Thanks,

Joe

  • Hi

    The big trouble with USB keys is the malware that Sophos can't detect, because with the malware detected by Sophos the network can't be infected.

    The option to scan or clean the USB can be managed by a "USB use policy"; however, I have some observations:

    1) Only the admin users can delete and clean malware from USB if it is blocked by Sophos and sent to Quarantine.

    To solve this issue we use the "Right Click Scanning" with the option to clean and delete malware automatically.

    2) In most cases, configuring the "Right Click Scanning" needs help from IT staff. This could be solved if these options could be configured from Enterprise Console, as with the "Antivirus and HIPS" policy.

    3) If Sophos can detect and block USB devices, I think Sophos could add a Windows message to help users scan their USB keys when they are connected to the PC. In this manner, if the user has selected the option once (for example, when connecting to the PC the first time), the second and subsequent times he can cancel the process.

    The Sophos message is "Simplicity", and the idea is to provide a "simple" option for users to scan their USBs or other media when they are connected to their PCs.

    4) To combat unknown malware (mainly not detected by Sophos), a new Device Control option such as "Block the Executable Files" could help protect the network without losing the ability to copy/read/delete other documents from these media. In business, users generally use their USBs to transport documents (Word, Excel, PPT, TXT, etc.).

    5) Sophos needs an option to send suspect files to SophosLabs automatically, because most malware is detected as Suspicious with HIPS activated. But, again, the process to remove or send these samples to SophosLabs is unusable for the users (non-IT users - 99% of users in a business).

    Finally, I think Sophos is searching for the best option to manage these cases (No-Admin Quarantine Management, No-Admin Malware Management, USB, etc.) :smileytongue:

    Regards,

    Linck Tello Flores

  • In the community's early days I posted . Never got any feedback - I think it is time to exhume it :smileyhappy:.

    Christian

  • Hello Sandy

    It is good news that some points were sent to the Dev Team :)

    About your question:

    I say it is unusable for common users (non-IT users = 99% of users in a business), because the steps can only be executed by IT users (with permissions, or medium technical knowledge). Maybe for a small business this isn't a problem, but in medium and big businesses these steps are complicated.

    In businesses with multiple locations (remote offices, faculties) it is very, very complicated.

    Remember that the IT team can't visit all PCs to copy and send the samples to SophosLabs.

    Sophos Endpoint catches a lot of new malware with HIPS technology, and it needs an option to permit sending the suspicious files from the same PC (with a click) or, for example, from a Central Quarantine (managed by an IT Admin).

    If you see the suspicious files in the EC, they can't be deleted (the message is: "Impossible to clean this malware").

    The question is:

    How do you manage these cases?

    - Visiting the PC.

    - Accessing remotely.

    - Clean manually.

    As you can see, all these options can be executed only by IT staff, and this is a problem.

    The EC should have more management options to treat the malware (viruses, suspicious, behaviour, etc.) detected by Sophos on endpoints.

    This is the idea!!  :mantongue:

    Regards,

    Linck Tello Flores

  • Hi,

    Automated sample collection is coming in ESC 9.5 as part of our "Live Protection" feature. When enabled, this feature does a lookup to Sophos for files that show suspicious behavior. If the file is new to Sophos, and the customer has enabled the "provide a sample" option (it's off by default for existing installations), a sample is automatically gathered and processed by the Labs. If the file isn't new, then it will either be blocked as malware or ignored if it is a proven legitimate file. As you can imagine, this feature will assist in both new malware detection and the reduction of false positives.

    BTW the BETA registration for ESC 9.5 is now live: http://www.sophos.com/products/beta/ 

    Regards,

    John

  • Great, John

    Which categories does this apply to - HIPS/xxxx and Sus/xxxx, or also Mal/xxxx? While it is not exactly what I and perhaps some others would wish, it is a big improvement. First time I see some beta details before the download is available :smileywink:

    Christian

  • I noticed it hasn't been mentioned here, so I wish to add to this (already closed) post - in relation to Conficker, to prevent autoloading of USB media - disable Autoplay on your network.

    This suggestion has been posted for most of the past year, in this article on removing Conficker:

    http://www.sophos.com/support/knowledgebase/article/51169.html

    Go to section 3, step 2, in the "What to do" part of the page:

    Disable USB Autoplay. This must be done correctly as described in the Microsoft knowledgebase: http://support.microsoft.com/kb/953252. If this is not done correctly the worm may be able to execute if the USB drive is opened in Explorer or double-clicked from My Computer.

    Generally speaking, opening the drive in Explorer will cause Sophos' On-access scanner to kick in, and the infected file should be found. If policy for Conficker has been set as per above doc, this will alert admins to the infected machine via the Console, and they can kick off a remote scan of the system to confirm no other Conficker files are present.

    Rds,

    Stephen

  • Hi,

    I work with John Stringer in Sophos product management; first-time poster here.

    Did some testing around this and noticed that the on-access scanner will pick up files in the removable drive root directory. This is triggered by the OS trying to identify the icons or other file properties as it opens the USB. It was able to catch a virus sample right away when I plugged the USB in without executing it. This was with the on-read setting enabled.

    Still looking at initiating a full scan, but this does provide some benefit by covering the root directory, so I figured I'd let people know.

    Regards,

    Shai

  • Re: Automatic Scan of removable media

    12-01-2010 10:42 (last edited 12-01-2010 10:43)

    John,

    I've mentioned this to Ian Lakie by e-mail a week or so ago, but could something be introduced perhaps to stop autorun on removable devices? This could help, as I know I've found out in the last few weeks. However, in certain circumstances, we want the students to access the same computers that teachers use. We'd then be looking for something that would block by user, rather than end point.

    I know there must be hundreds of other ways to do this without involving Sophos, but offering what others don't is typically a good thing..?

    Regards,

    Dave

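Two points in the thread lend themselves to a concrete check: Stephen's reminder that Autorun must be disabled exactly as Microsoft KB 953252 describes (the policy value alone is not enough; Windows needs the HonorAutorunSetting flag to actually honour it), and Dave's wish to block by user rather than by endpoint (the same policy exists under HKCU, which is where a user-side Group Policy lands for a given account). The following PowerShell script is an added example, not code from this thread, from Sophos or from Microsoft. It audits both the machine-wide (HKLM) and current-user (HKCU) Policies\Explorer keys and, only when run with -Enforce, writes the values KB 953252 calls for. The registry paths and value names are the documented ones; the script name and parameter are assumptions for the example.

```powershell
<#
  Added example (not the thread's, Sophos' or Microsoft's code).
  Audits, and with -Enforce sets, the two Autorun values Windows must honour
  per KB 953252:
    NoDriveTypeAutoRun  = 0xFF  (Autorun off for every drive type)
    HonorAutorunSetting = 1     (makes Windows respect NoDriveTypeAutoRun)
  under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
  Assumes Windows PowerShell 5.1 or later; writing to HKLM needs an elevated shell.
#>
[CmdletBinding()]
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$ExplorerPolicy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives      = 0xFF   # bit mask covering all drive types, incl. 0x04 = removable

# Machine scope applies to everyone who logs on; user scope is the per-account
# policy (what a user-side GPO such as "Turn off AutoPlay" writes), which is the
# knob to use when students and teachers share the same PCs.
$Scopes = @(
    [pscustomobject]@{ Scope = 'Machine (HKLM)'; Path = "HKLM:\$ExplorerPolicy" },
    [pscustomobject]@{ Scope = 'User (HKCU)';    Path = "HKCU:\$ExplorerPolicy" }
)

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    try { [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: Autorun is NOT disabled by policy
}

function Test-AutorunPolicy {
    param([string]$Scope, [string]$Path)
    $mask  = Get-PolicyDword -Path $Path -Name 'NoDriveTypeAutoRun'
    $honor = Get-PolicyDword -Path $Path -Name 'HonorAutorunSetting'

    $maskText  = if ($null -eq $mask)  { 'absent' } else { '0x{0:X2}' -f $mask }
    $honorText = if ($null -eq $honor) { 'absent' } else { "$honor" }

    # Compliant only if every drive-type bit is set AND the hotfix flag is 1;
    # a mask without the flag is the "not done correctly" case the KB warns about.
    $compliant = ($null -ne $mask) -and
                 (($mask -band $AllDrives) -eq $AllDrives) -and
                 ($honor -eq 1)

    [pscustomobject]@{
        Scope               = $Scope
        NoDriveTypeAutoRun  = $maskText
        HonorAutorunSetting = $honorText
        Compliant           = $compliant
    }
}

function Set-AutorunPolicy {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name 'NoDriveTypeAutoRun'  -Value $AllDrives -Type DWord
    Set-ItemProperty -Path $Path -Name 'HonorAutorunSetting' -Value 1          -Type DWord
}

foreach ($s in $Scopes) {
    $state = Test-AutorunPolicy -Scope $s.Scope -Path $s.Path
    if ($Enforce -and -not $state.Compliant) {
        Set-AutorunPolicy -Path $s.Path
        $state = Test-AutorunPolicy -Scope $s.Scope -Path $s.Path   # re-read after the change
    }
    $state
}
```

Run it without switches from a management workstation or a logon script to get one row per scope; add -Enforce to remediate. For the per-user case Dave describes, apply the user-side policy through Group Policy to the student security group rather than to the computers, and leave the machine-scope value in place as the baseline. Disabling Autorun only stops the automatic launch; it does not replace the on-access scan Shai describes, which still has to catch whatever the user opens by hand.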