Sophos reacting to threats - Annoyed Customer

Hello, we are a school in the UK and on Friday we had a ransomware attack - a user had opened an email with an Excel attachment (genuine user error – they should have known better) - this caused a huge amount of data to be encrypted.

We currently run the latest endpoint on all our desktops / laptops, set to update every 5 minutes from a dedicated endpoint server - with PureMessage on our email system - yet the threat was not picked up.

Only when we submitted the attachment to Sophos was it then added to the global update sent out to all customers.

Our problem is why this was not picked up by Sophos - we regularly find ourselves submitting samples to Sophos, which are then added globally.

Yet to make matters worse, when forwarding this email to free Outlook and Gmail accounts on Friday, before even submitting the sample to Sophos, it was blocked by the mail providers.

We pay a large amount of money per year for this service; we hardly ever contact support, yet over the weekend and into today we are restoring data, which should have been avoided – to say we are annoyed is an understatement.

Can someone shed light into this issue!

Hello ryan summerhayes,

[to begin with - I'm not Sophos]

> which should have been avoided

All vendors boast zero-day protection, generic as well as, at least to some extent, signatureless detection. Obviously this approach has its limits, otherwise malware would no longer be an issue. A "classic" AV scanner, even with added HIPS technology, can't accurately tell good from bad, and a more paranoid strategy increases the chance of false positives.

> why this was not picked up by Sophos

As said, detection is not perfect and I daresay every vendor occasionally encounters an unknown threat. This shouldn't really be a surprise though, as malware writers constantly update their software and test their creations against various AV scanners. Thus from time to time there's some "innovation" which has to be analyzed before it can be at least generically detected.

> before even submitting the sample to Sophos [...] was blocked by the mail providers

I see several possible reasons:

1. some vendors are simply better than Sophos
2. some vendors obtained samples before Sophos and therefore already had a detection
3. freemail providers can be more picky (i.e. tolerate more false positives) in what they accept and what not

Bottom line is - you can't get 100% protection. We've had several "targeted waves" in the last few months - plans for more aggressive policies at the gateway have had to be put aside though. Fortunately the latest wave was blocked at various stages - ranging from the documents themselves, their immediate contents, to "broker" components, and even the running final process that HIPS decided to kill. Uploads to VirusTotal didn't suggest significantly better results with other vendors. As said, it normally takes one or two samples (and where do they come from?) for reliable detection.

Christian
