Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 2 subscribers
  • Views 2483 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HIPS Detections in SEC

Jeremy Nielson

Hi all, I'm looking for some additional clarification/context that I cant seem to find in the Knowledge Base.

The HIPS Detections are supposed to be detecting on behaviors, but when I look up HPmal detections (https://search.sophos.com/#q=hpmal&t=Support&sort=date%20descending), they all only have file hash signatures.  

I'm interested in this because we recently had malware that ran powershell through WMI.  It seemed that HIPS / Suspicious Behavior detection should have caught this.  When I submitted the malware, they gave it a file signature, but wouldn't provide any HPmal detection information.  They told me to get the PowerShell behavior detection is to buy InterceptX.  Looking back at all past PowerShell detections, am I wrong to think this was something SEC was doing before?

 

Thanks.



This thread was automatically locked due to age.
Parents
  • 0

    Hello Jeremy Nielson,

    HIPS has a "limited view" of what running processes do. The challenge is likely reliable detection, i.e. at the same time avoiding false positives. If HIPS were perfect we wouldn't need Intercept X (substitute other vendors' monikers as applicable). Naturally it's still preferable to detect threats with download or on-access scanning, Consequently specific detections are created in response to submissions where feasible.

    Sophos naturally won't disclose why HIPS detected this and didn't detect that even though they appear to be similar if not the same to the untrained eye. SEC was doing - SEC does nothing, unless you use SEC as synonym for the SESC endpoint software. The management server just distributes updated detection data and collects alerts and events. Not unlikely that threats that were detected as HPmal are later proactively detected and prevented from running - thus no more HPmal - while HIPS, due to its limitations, might fail to detect more sophisticated variants that are better at hiding their doings.

    Christian

  • 0 in reply to QC

    "limited view"

    "due to its limitations"

     

    Great, let's start there.  What is in the "limited view" that HIPS has visibility into?  If Word is launching powershell or wmic, it seems that it was detected previously with HIPS and HPmal detections, but now support is vague or closed off on discussions about what's actually detectable with HIPS.

     

    From my side of the software renewal, existing functionality has been nerfed and functionality that would have made the Sophos A/V platform usable is now a forced upgrade with an additional purchase cost.  

  • 0 in reply to Jeremy Nielson

    Hello Jeremy Nielson,

    even if it superficially seems to be the same behaviour the chain of actions is likely different. I'm not sure that it is unconditionally deemed malicious If Word is launching powershell - if so you should have got a detection. I'm sure though that Sophos hasn't "downgraded" HIPS and its rules in order to promote Intercept X. And neither is HIPS a stripped-down Intercept X nor is the latter HIPS' derivative. 

    Christian 

  • 0 in reply to QC

    Thank you for the responses, but it doesn't really answer the questions posed...

     

    On instinct, one would hope that Sophos wouldn't degrade existing functionality to sell a new product.  But looking at the facts and lack of information and transparency around what HIPS can detect, and previous marketing around the complete functionality of the Endpoint product... 

     

Reply
  • 0 in reply to QC

    Thank you for the responses, but it doesn't really answer the questions posed...

     

    On instinct, one would hope that Sophos wouldn't degrade existing functionality to sell a new product.  But looking at the facts and lack of information and transparency around what HIPS can detect, and previous marketing around the complete functionality of the Endpoint product... 

     

Children
  • 0 in reply to Jeremy Nielson

    Hello ,

    it doesn't really answer the questions posed
    sorry, not being Sophos I can just surmise - but I think you'll only get an official definitive statement in the case of HIPS being retired. And perhaps I didn't correctly interpret your questions.

    Trying to rephrase it:
    Sophos (previously) claimed that Endpoint's HIPS catches (almost) everything that evaded detection by the scanner. Recently you have observed that HIPS fails to detect threats that it seemingly detected previously and you have been told that Intercept X could do it but at extra cost. You expectation, based on marketing's claims that Endpoint is a complete solution, is that HIPS is on a par with Intercept X. Your conclusion is that HIPS is deliberately degraded in order to sell an additional product. Correct?

    looking at the facts
    Fact is that HIPS is not up to the latest "malware technologies". Fact is also that marketing always exaggerates (was there ever a detergent that did not remove all stains -except the one from yesteryear?). Fact is that the functional principles of HIPS and Intercept X are different (the latter is, BTW, an acquired product).
    It's a fact that HIPS did not detect this particular threat but unless it is the same threat (or detailed underlying mechanism) there's no reason to assume that the functionality has been degraded. HIPS configuration (I assume this is the how - HIPS' equivalent of the scanning engine) is more or less stable, HIPS rules haven't been updated very often in the last years - indicating the component is either near perfect or near the end of its useful life.

    Marketing and pricing is a very different beast. Of course the consequences are unsatisfactory from a customer's POV. There's HIPS, integral part of Endpoint. Then there's Intercept X (actually it's Exploit Prevention for SEC environments) that provides an on the surface similar functionality but integrated with a number of other functions. The similar-to-HIPS part can't be backported to Endpoint, and one can't slice and dice HitmanPro.Alert.
    A discount on EXP for Endpoint customers? EXP with most functionality disabled as HIPS replacement? BTW - SCF and Patch are about to be retired ...

    Christian             

Unfiltered HTML