
Sophos Virus Definitions

Is there a way to see all virus definitions currently in your database?

For example I have been asked if I can show we are covered for a certain virus (HPmal/EccKrpt-A) that has hit another LA.



  • Hi,

    https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/HPmal~EccKrpt-B.aspx

    would suggest the initial protection was released:

    Protection available since: 07 Jul 2015 13:53:44 (GMT)

    and it was last updated:

    Last Updated: 07 Jul 2015 13:53:44 (GMT)

    I assume your computers have updated since 07 Jul 2015 13:53:44 (GMT).

    Is this enough information?

    Regards,

    Jak

  • Hello Lee Phipps,

    (first of all, I'm not Sophos) could you elaborate on what you want to see or find out?

    HPmal/EccKrpt-A is a Sophos definition. "Protection available since" gives the time the detection was released; revisions are indicated by the "Last Updated" field. It takes some time - depending on your updating intervals - until the IDE is available on the endpoint. If your SUM and endpoints are updating, you should have an up-to-date definition for HPmal/EccKrpt-A, as it was published a month ago. Please see also "How to determine whether you're receiving the latest data protection updates".

    Please note that the analysis shows it's a generic detection; furthermore, it is prefixed HPmal (a description can be found in article 113342), thus it's not a pre-execution detection. Nevertheless - according to search results - it seems to be effective.

    Christian

  • What they were wanting to see was something that shows all the definitions we currently have, so they could see that we are covered for this ransomware (TeslaCrypt, which seems to be definition Troj/TeslaC-AZ).

    But I'm guessing that if we have updated since the "Protection available since" date from Sophos, that's the way I can show we are covered for it? Or is there any other way?

  • Hello Lee Phipps,

    "something that shows all definitions we currently have [to] see that we are covered for this ransomware"

    You're guessing correctly (IMO). Right now SAV boasts it can detect 11111593 objects, whatever this number signifies given that more than a few detection items are generic. If you are up-to-date you can be sure that a certain detection item is available for the scanning engine. Thus the objects this item is able to detect will be detected; in other words, you are covered. But - and there's the rub - this does not mean Troj/TeslaC-AZ (and its siblings - note that the suffix -AZ suggests there are dozens of definitions for this "family") will detect all past and in particular future variants of TeslaCrypt or yet different implementations of this kind of crime.

    IMO this is an unnecessary effort (arguably it was to some extent justified in the past). The more important points are

    1. your AV is up-to-date and you detect updating issues quickly
    2. your AV vendor issues timely updates that are applied as fast as possible
    3. there's always the chance that a certain piece of malware is not detected so you have to have procedures in place to recover from its actions

    Christian
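The check the thread converges on (an endpoint is covered for a definition once it has updated after the "Protection available since" timestamp, and point 1 above says stale updaters must be spotted quickly) can be scripted. The following is an added example, not Sophos code or anything from this thread: it parses the timestamp format shown on the Sophos threat-analysis page and runs the check over a constructed endpoint inventory (the hostnames and update times are hypothetical).

```python
from datetime import datetime, timedelta, timezone

# Timestamp format as shown on the Sophos threat-analysis page, e.g. "07 Jul 2015 13:53:44 (GMT)".
SOPHOS_TS_FORMAT = "%d %b %Y %H:%M:%S (GMT)"


def parse_sophos_time(text):
    """Parse a 'Protection available since' / 'Last Updated' value into an aware UTC datetime."""
    return datetime.strptime(text.strip(), SOPHOS_TS_FORMAT).replace(tzinfo=timezone.utc)


def coverage_report(definition, available_since, endpoints, now, max_age=timedelta(hours=24)):
    """
    endpoints maps hostname -> last successful update time (aware UTC datetime).
    'covered' : the endpoint updated at or after the definition was published, so the IDE
                is on the box (necessary, but as Christian notes not sufficient for new variants).
    'stale'   : the last update is older than max_age, i.e. an updating issue to chase.
    """
    published = parse_sophos_time(available_since)
    report = {}
    for host, last_update in endpoints.items():
        report[host] = {
            "definition": definition,
            "covered": last_update >= published,
            "stale": (now - last_update) > max_age,
        }
    return report


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_ENDPOINTS = {
    "ws-001": datetime(2015, 8, 10, 9, 15, tzinfo=timezone.utc),  # fresh and past publication
    "ws-002": datetime(2015, 7, 7, 13, 0, tzinfo=timezone.utc),   # last updated before publication
    "ws-003": datetime(2015, 7, 20, 8, 0, tzinfo=timezone.utc),   # has the IDE but stopped updating
}


def sample_report():
    """Run the check for HPmal/EccKrpt-A using the publication time quoted in the thread."""
    return coverage_report("HPmal/EccKrpt-A", "07 Jul 2015 13:53:44 (GMT)", SAMPLE_ENDPOINTS,
                           now=datetime(2015, 8, 10, 12, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for host, r in sample_report().items():
        status = "covered" if r["covered"] else "NOT covered"
        print(host, r["definition"], status, "STALE" if r["stale"] else "")
```

A real inventory would come from your management console's last-update column; the comparison logic stays the same.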