Tamper Protection

Just wondering if there is any chance in future releases of the tamper protection feature being extended to include the application control settings (well, I say settings, but I really mean stopping them from disabling it?)

Thanks,

D

  • Hi,

    I've tested the beta of SEC 4.7 and SAV 9.7 and tamper protection now covers Data and Device control but doesn't stretch to Application control.

    I would suggest raising a support call to make a feature request unless a Sophos PM sees this thread and responds.

    Regards,

    Jak
  • Hi,

    We are planning to extend both the existing tamper protection to cover Application Control and provide a greater depth of protection using the tamper protection policy.

    The extension to cover Application Control should occur in ESDP V10 or potentially earlier. One option we are considering is covering App C under the AV tamper protection selection. This would be a stop gap solution until we can add App C into the tamper protection policy via a SEC release. I'd be interested in your view on whether this would be an acceptable approach? My main concern is the lack of visibility but it would mean that App C tamper protection could potentially be delivered earlier.

    Regards,

    John
  • Hello John

    For my Sophos customers any option would be well received :) before the ESDP V10 launch.

    One more thing: Tamper Protection should protect the "Sophos Services".

    Regards

    Linck Tello Flores
  • I agree about protecting the Sophos services. If a user can go in and stop the service, the tamper protection is useless.
  • If a user can go in and stop the service

    We're not talking about users here but users with administrative rights. I wouldn't say that Tamper Protection is useless as it is now. Keep in mind that you (or the "real administrators") still want to be able to "get in" when something's not working correctly. A cunning protection scheme might, in case of an error, render the client all but inoperative.

    Christian
  • That was precisely my point. In an environment where most users are Power Users or have Local Admin rights, Tamper Protection is useless. Also, many rootkits and privilege escalation attacks attempt to stop these services with local admin rights under the context of the current user's privileges.

    But I digress... there are ways that you can manage this security, just not within Sophos natively.

    If you are in an AD environment using Group Policy, you can set these services as protected at the Domain Admin level. This prevents even users with Local Admin rights from stopping or disabling these particular services.

    Under your Default Domain Policy (or any OU policy for that matter) -> Computer Configuration -> Windows Settings -> Security Settings -> System Services.

    Define each Sophos service there and remove the Administrators group from each while adding Domain Admins. Make sure to leave SYSTEM permission as is.
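
As an added example (not from any poster in this thread), the following PowerShell audit reads each service's DACL on an endpoint and reports whether BUILTIN\Administrators still hold stop, reconfigure or delete rights and whether SYSTEM kept its access, which is the outcome the Group Policy change above is meant to produce. The service names in the list are assumptions; substitute the services actually installed.

```powershell
# Added example, not from the thread: verify the result of the System Services
# policy by inspecting each service's security descriptor on the endpoint.
# Service names are assumptions; replace them with the services you protect.
$ServiceNames = @('SAVService', 'SAVAdminService')

# Service access-mask bits (winsvc.h / winnt.h) that allow tampering.
$SERVICE_CHANGE_CONFIG = 0x0002
$SERVICE_STOP          = 0x0020
$DELETE                = 0x00010000
$WRITE_DAC             = 0x00040000
$TamperMask = $SERVICE_CHANGE_CONFIG -bor $SERVICE_STOP -bor $DELETE -bor $WRITE_DAC

$AdminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$SystemSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM

function Test-ServiceTamperDacl {
    param([Parameter(Mandatory)][string]$Name)

    # sc.exe sdshow prints the service's security descriptor as an SDDL string.
    $sddl = & sc.exe sdshow $Name 2>$null | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
    if (-not $sddl) {
        return [pscustomobject]@{ Service = $Name; Status = 'NOT FOUND'; AdminsCanTamper = $null; SystemHasStop = $null }
    }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl.Trim())
    $adminsCanTamper = $false
    $systemHasStop   = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if ($ace.SecurityIdentifier -eq $AdminsSid -and ($ace.AccessMask -band $TamperMask)) { $adminsCanTamper = $true }
        if ($ace.SecurityIdentifier -eq $SystemSid -and ($ace.AccessMask -band $SERVICE_STOP)) { $systemHasStop = $true }
    }

    # Flag services where local admins can still interfere or SYSTEM lost access.
    $status = if ($adminsCanTamper -or -not $systemHasStop) { 'REVIEW' } else { 'OK' }
    [pscustomobject]@{
        Service         = $Name
        Status          = $status
        AdminsCanTamper = $adminsCanTamper   # true: Administrators retain stop/config/delete/WRITE_DAC
        SystemHasStop   = $systemHasStop     # must stay true; the policy keeps SYSTEM as-is
    }
}

$ServiceNames | ForEach-Object { Test-ServiceTamperDacl -Name $_ } | Format-Table -AutoSize
```

Run it on a domain-joined client after the policy has applied; any row marked REVIEW means the service DACL does not yet match the intended configuration.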
  • If you are in an AD environment

    That's an IF - this additional level is not available in non-AD environments.

    Let me put it this way (my personal opinion) - even though the product has control in its name, Sophos does not believe in "absolute control". Controlling risks, malware and the like - yes. Controlling users - NO. It's protecting, helping, educating (not only users but also administrators, BTW). Enforcing is a "last measure" - something you should not need. But as with a child (and sometimes adults too) you have to "take control" in certain situations. Educating administrators, you have to give them more control over their users (we already had policy compliance indication and policy "reset"). Administrators and "local" administrators should be allies and not fighting each other. Tamper protection does not hide the inaccessible options in the GUI - something Sophos could have done. They have chosen not to ... think about why.

    Christian
  • Not to beat a dead horse or anything but,

    What about "User Land" rootkit behavior associated with some of the latest attacks like Zeus? These run in Ring 3 and can compromise based on the user's privileges. The reason why it is able to slip by conventional antivirus programs is because it imports a large number of application programming interfaces (APIs).

    Are you saying that to Sophos, this is a moot point? And that I shouldn't allow my users to have Local Admin access? To me this really isn't about trusting my users. I'm more worried about zero-day threats that could inject into or modify the Sophos services. More specifically, the ability to defend itself against malware that targets it.

    I'm not knocking the Sophos product, I think it's great. But having the OPTION to protect these services at the Kernel level would be a good feature. I'm surprised that you don't agree.

    Enterprise level applications like the ones produced by Cisco (CSA) and CoreTrace (Bouncer) do include this feature for a good reason.