
Preventing Sophos potential false positive

I wanted to get some ideas on how we can prevent a potential issue like the one recently discovered with McAfee's false positive.

I will list below what I am doing and would like to get feedback on what others are doing. 

1)  I have multiple groups within the Sophos console containing pilot and production machines.

2)  I have multiple policies that I keep in sync except for the AV version.

3)  I keep the pilot machines on the "recommended" setting in the policy.

4)  The production machines stay 1 version behind, which at this time is 9.0.5 VDL4.52, for at least 1 week.

5)  If nothing happens to my pilot machines, nothing is reported in the news, and nothing is posted in this user community, I roll out the latest version to production.

Can anybody post their processes or comment on my processes?

thanks
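As an added illustration (not part of the original post), here is a small model of the pilot/production gate described above: production only follows the pilot once the pilot has soaked for a week, no fleet-wide detection spike has appeared, and nothing has been reported externally. Group names, machine names, dates, counts, the "NEXT-VERSION" label and the `SPIKE_FACTOR` threshold are all constructed assumptions, not Sophos console data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Added example, not from the post or from Sophos: all values below are constructed.
SOAK_DAYS = 7        # production stays a version behind for at least a week
SPIKE_FACTOR = 3.0   # per-machine detections above baseline * factor count as "hot"


@dataclass
class Group:
    name: str
    version: str
    adopted_on: date
    # date -> {machine: detections that day}; filled with constructed sample data
    detections: dict = field(default_factory=dict)


def detection_spike(group, baseline_per_machine, factor=SPIKE_FACTOR):
    """True when, on some day since adoption, more than half the group's machines
    report far more detections than usual. A bad definition update flags the same
    file on every machine at once, unlike a single infected host, so a fleet-wide
    jump (not one noisy machine) is the signal to hold the rollout."""
    for day, counts in group.detections.items():
        if day < group.adopted_on or not counts:
            continue
        hot = sum(1 for c in counts.values() if c > baseline_per_machine * factor)
        if hot > len(counts) / 2:
            return True
    return False


def ready_to_promote(pilot, prod, today, baseline, external_reports):
    """The poster's conditions: pilot ahead of production, soaked for SOAK_DAYS,
    no spike on the pilot group, and nothing reported by the vendor or community."""
    if pilot.version == prod.version:
        return False
    if (today - pilot.adopted_on).days < SOAK_DAYS:
        return False
    if external_reports:
        return False
    return not detection_spike(pilot, baseline)


# Constructed sample: four pilot machines, quiet for two days, then a fleet-wide jump.
QUIET = {"pilot-1": 0, "pilot-2": 1, "pilot-3": 0, "pilot-4": 0}
STORM = {"pilot-1": 12, "pilot-2": 9, "pilot-3": 11, "pilot-4": 0}
PILOT = Group("pilot", "NEXT-VERSION (placeholder)", date(2010, 5, 1),
              {date(2010, 5, 1): QUIET, date(2010, 5, 2): QUIET, date(2010, 5, 3): STORM})
PROD = Group("production", "9.0.5 VDL4.52", date(2010, 4, 20))

if __name__ == "__main__":
    print("promote:", ready_to_promote(PILOT, PROD, date(2010, 5, 9), 0.5, False))
```

The baseline value is the normal per-machine daily detection count for the pilot group; with the sample data the storm day blocks promotion even though the soak period has elapsed.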

  • Hello and welcome,

    choosing this thread (instead of starting a new one) is IMO a good decision as your post highlights a different aspect of false positives. While being flagged as "malicious" is more than unpleasant, it not only happens with AV products but with other services (especially email) as well.

    Good to hear that it has been resolved.

    I don't know what details Sophos told you. Anyway I'll put in my two cents. There are basically two ways to create blacklists. One is active scanning, the other collecting data during normal operation. An example of the former was probing for "open mail relays" which then found themselves on blacklists (the use of these lists was optional and subject of fierce debate). "Decent" blacklisters informed (or tried to inform) the site's administrator in case of a detection. Nowadays active unsolicited scanning is practically unfeasible (even the big search engines no longer use it as their primary tool) and data is collected during normal operation. All major vendors' gateway products (email and web and network components) optionally collect data to identify "problem sites" which can help to improve performance but also protect against unknown threats. This information might also be used in client products. That's the rationale.

    Now I imagine that there's quite some amount of (new) data every day. As there is no "standard contact" for a website it is not possible to send a notification automatically. I don't know if (and how) and under which circumstances Sophos (and other vendors) attempts to find a contact to send the notification to (I know they do). If you are wrongly blocked and haven't been informed (and are rather small) your best chance are your clients (and I might add this is also true if your site has indeed been compromised).

    I wonder why companies such as Sophos feel that it is ok to damage the reputation of another company while not even having the regard to notify them of their actions.

    I don't think that these companies are taking this lightly. The risk of false positives is always here and even bigger is the risk that the information is misinterpreted. But without protection it would be even worse. So it's always a trade off - sad as it is.

    Christian
