Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 2 subscribers
  • Views 7464 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

would Sophos HIPS be capable of preventing locky desaster?

snmdla

locky is spreading rapidly, and we have seen that Sophos AV will not always recognize the mails that carry such bad payload.

Question: we set our Antivirus and HIPS policies to

[x] recognize harmful behaviour ("Erkennung schädlichen Verhaltens"
and unticked
[ ] only report, do not block ("verdächtiges Verhaltens nur melden, nicht blockieren")

With this setting, is it justified to feel somewhat safer?

Thanks, Tom



This thread was automatically locked due to age.
Parents
  • 0

    Hello Tom,

    feel somewhat safer
    what would feeling somewhat safer change for you and your users? Or how does feeling less safe impair your work?

    Please note that you can decide to merely alert only for suspicious (verdächtiges) behaviour, if you enable detect malicious behaviour such activity is blocked (but there's no guarantee that this is early enough). HIPS is an extra similar to an airbag in your car - you (hopefully) don't drive less carefully just because the airbag could mitigate the consequences of an accident. 

    Christian

Reply
  • 0

    Hello Tom,

    feel somewhat safer
    what would feeling somewhat safer change for you and your users? Or how does feeling less safe impair your work?

    Please note that you can decide to merely alert only for suspicious (verdächtiges) behaviour, if you enable detect malicious behaviour such activity is blocked (but there's no guarantee that this is early enough). HIPS is an extra similar to an airbag in your car - you (hopefully) don't drive less carefully just because the airbag could mitigate the consequences of an accident. 

    Christian

Children
  • 0 in reply to QC
    Christian, thanks.

    Of course we warn our users and educate them not to open such attachments. I just wanted to know if this is a good setting for installing a kind of airbag for this extremely nasty kind of trojan. We have users that have write access on quite an enormous amount of files, and I'd fear the day that I need to restore those files from backup.

    Kind regards,

    Tom
  • 0 in reply to snmdla

    Hello Tom,

    if this is a good setting
    I daresay any more "paranoid" and restrictive setting which doesn't interfere with normal operation is a good one. For On-Access Scan inside archive files is not recommended (and arguably not necessary), I'd enable Scan for ... Suspicious files though (and of course all three Check files on options as well as Live Protection). You could test the actual impact (i.e. performance penalty) of Extensions->Scan all files (not recommended) and if it's acceptable assess the effect on detections. 

    Please have a look at Comparison of Sophos's Malicious File Detection Technologies and the related articles.

    As an aside: When there's a "new" campaign you might see a significant number of Mal/Generic-S (both cleanable and not) and named detections whose analyses nevertheless describe them as generic and list send a sample as one of the options. Once or twice on such occasions I turned off automatic cleanup with Deny access only as fallback in the central part of our network in order to obtain samples for the "interesting" detections (not only the files mentioned but also scraping the user's %Temp%, %AppData% and browser cache for files which might have taken part in "delivering" the actual threat).   

    Christian

Unfiltered HTML