
Sophos Enterprise Console doesn't log any hash of malicious files detected by Sophos Endpoint agent

As far as I know, the hashes of the files that have been detected by the Sophos agent on clients are not logged (neither in the Console DB nor on the client side). Am I wrong?

Is there a way to retrieve the MD5, SHA1 or whatever hash for the files detected as malicious by the Sophos agent running on the client?

There is also a feature request about this here:

 - http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/7060110-sophos-enterprise-console-write-hash-value-in-mss

We tested this on Sophos Enterprise Console 5.2.2: does v. 5.3 include this basic feature?

I think this feature should have high priority to support the Incident Response phases.



  • Hello DavideP,

    what could be the benefit of this feature, i.e. what would one do with this information?

    Christian
  • Hi Christian,

    Well there are several reasons, let's start with some of them:

    First of all, knowing the hash of the detected malicious files allows analysts to run multiple analyses on the nature of the detected files, e.g. running queries on VT or other OSINT resources.

    With the hash of the file it is possible to use it as an IOC and scan the rest of the enterprise assets with it.

    I found the "family" for detected malware missing a lot of information that might be useful for the incident response phase.

    There are cases in which suspicious files have been detected by Sophos as part of a specific new family of variants, and then hours later the same file gets detected as part of an old type of malware. I guess this is because in the meantime the signatures that detect that new variant have been tuned by Sophos; but from my perspective I'm playing with a black box.

    Files get blocked or not by Sophos... That's it, we don't get that much information to run investigations on our end.

    Of course there are some cases in which the hash changes and the value of that information might be less valuable. But I would say that those cases are still the minority, and also for these the hash can be relevant for the purpose of the investigation.

    We all know that AV cannot be the only solution that keeps an asset safe, but maybe if they work in a more transparent way, they can still provide a lot of information for Incident Response.

  • Hello DavideP,

    With the hash of the file is possible to use it and scan with that IOC the rest of the assets. [...] cases [in which the hash change] are still the minority

    I don't have numbers but that's not the point. You want the hash of detected files recorded. Assuming your assets are protected the AV will detect the files on all of them. If they are not protected and the file can be found this usually means that these endpoints have been infected and there might be more malware on them. A cobbled together hash-based scanner is not the best way to deal with this situation.

    the nature of the detected files

    :smileytongue: you want to take fright at what could have happened? :smileytongue: Seriously, except in those cases where the threat is not detected until "in operation", the detection (with the subsequent minimum action block) has prevented any malicious activity. For partial detections or suspicious files/activity in conjunction with a detection you should send the samples - just the hash won't improve identification (unless you want Labs to look up the hash in order to obtain a sample elsewhere).

    I have a black box

    ... like your car's engine and its management system.

    a specific family

    family is in the eye of the analyst. More than a few threats are assembled with kits, use polymorphic engines, fetch an applicable exploit and subsequently download a perhaps even customized payload (potentially following several varying redirects). Say you have a variant (not necessarily with identical hashes) of a (known and named) downloader (which has delivered several kinds of malware in the past) and this specific variant is found to always deliver (a variant of) a certain (known and named) malware. Then another variant of the downloader always connects to a certain rogue CDN but delivers various threats. See? It's not that simple.

    [Edit]

    Much better than my meager post are these Notes from Sophos Labs

    [/Edit]

    Christian

  • Interesting article about evasion techniques...

    Anyway I guess I don't have to explain to an Employee of a Company of Security Solutions such as Sophos whether the hash of a detected file might be useful for Incident Response... It's the simplest ID of a file; obviously the name won't give such valuable information.

    There are plenty of Open Source Intelligence sources that (also) use hashes of malicious files to identify them, of course not only... But it is still a pretty common indicator as far as I know. There are pretty popular websites that provide information starting from a file hash, such as:

     - http://www.team-cymru.org/MHR.html

     - https://www.metascan-online.com/#hash-lookup

     - https://www.virustotal.com/#search

    From there you can get a lot of information useful to run Incident Response.

    It's the first time I have to work with an Enterprise Antivirus that doesn't log hashes, not even in the database.

    I had previous (pretty unpleasant) experience with Symantec, but at least the hashes were calculated and logged on most of the single alerts and in the central database.

    I'm pretty sure that Sophos also calculates the hash of files that are scanned, so I don't understand why this info is not logged anywhere.

  • Hello DavideP,

    an Employee

    who? Me? I'm a customer and I just want to find out in what way these hashes could help me to improve our Incident Response. It's still not clear. While I understand their forensic value (probably in conjunction with an original file) I fail to see how these could help me to respond to an alert, and it has to be an alert, viz a positive detection (whether as suspicious or malicious), otherwise it wouldn't get recorded anyway.

    Maybe it's a lack of imagination on my side but basically I see the following scenarios:

    1) A file is detected as malicious but I don't use automatic cleanup because I want a second opinion before taking any "destructive action". I could spend the whole day chasing hashes being none the wiser afterwards. Some customer/vendor must be the first one to encounter a specific hash, so if it's me there'll be no recorded hash. Am I supposed to submit any file with an unknown hash e.g. to VirusTotal? BTW - while VT forwards "missed" samples to the respective AV labs it looks like the samples are not resubmitted. Take for example Troj/Agent-WFN. Sophos' first sample has the "seen" date 2012-03-21. The corresponding sample was scanned at VT on 2012-03-19 and Sophos failed to detect it then.

    2) A file is detected as suspicious and I want a definite answer. Most of the above applies here as well, furthermore other vendors' detections might also classify the sample as "only" suspicious.

    Thus: If I want to submit the sample (to whomever) I don't need the hash. If the hash can't be found I have to submit the file. If the hash is found I'll still have to take the results with a grain of salt (and at least with VT it seems advisable to resubmit the sample in order to get a "current" assessment). If Sophos' detection is not "to my liking" I should submit the sample to Labs anyway. Which important aspect am I missing?

    Christian

  • Sorry about the confusion, as VIP I thought you were working for Sophos.

    Anyway, a good use case is the stacking technique, which might also include file hashes:

    https://www.mandiant.com/blog/indepth-data-stacking/

    I would say in general that antivirus shouldn't be the only source of trust, but it can still provide a useful heads-up for investigation. Providing the hashes of detected suspicious files is an example of information that you can use to extend the analysis of the status / health-check of your company's assets.

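As an added example (not code from this thread, from Sophos or from the linked Mandiant post), the script below shows the two uses DavideP describes once per-file hashes are available to the responder: matching collected hashes against a set of known indicators, and the data-stacking approach, i.e. listing files whose name is common across the fleet but whose hash is rare on it. The hosts, paths, file contents and the IOC hash are all constructed for the example; in practice the records would come from the endpoint agent's detection log or a collection script.

```python
"""Hash-based triage over a constructed endpoint inventory:
IOC matching plus least-frequency-of-occurrence stacking."""
import hashlib
import ntpath
from collections import defaultdict

# Constructed inventory: host -> {path: file bytes}. A real collection would hold
# hashes reported by endpoints; bytes are embedded here so the example runs offline.
INVENTORY = {
    "ws-01": {r"C:\Windows\System32\svchost.exe": b"legit-svchost-build-1",
              r"C:\Users\a\AppData\Roaming\update.exe": b"dropper-variant-A"},
    "ws-02": {r"C:\Windows\System32\svchost.exe": b"legit-svchost-build-1"},
    "ws-03": {r"C:\Windows\System32\svchost.exe": b"legit-svchost-build-1",
              r"C:\Users\c\AppData\Roaming\update.exe": b"dropper-variant-A"},
    "ws-04": {r"C:\Windows\System32\svchost.exe": b"TROJANISED-svchost"},
}

# Constructed IOC set: pretend this SHA-256 came from a detection event or a feed.
IOC_SHA256 = {hashlib.sha256(b"dropper-variant-A").hexdigest()}


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 hex digests, the forms most hash lookups accept."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_inventory(inventory):
    """Flatten the inventory into one record per (host, file) carrying its digests."""
    records = []
    for host, files in inventory.items():
        for path, data in files.items():
            rec = {"host": host, "path": path, "basename": ntpath.basename(path).lower()}
            rec.update(file_hashes(data))
            records.append(rec)
    return records


def match_iocs(records, ioc_sha256):
    """Hosts and paths holding a file whose SHA-256 is a known indicator."""
    return sorted((r["host"], r["path"]) for r in records if r["sha256"] in ioc_sha256)


def stack_by_name(records):
    """Data stacking: for each file name, how many distinct hosts carry each hash."""
    hosts_per_hash = defaultdict(lambda: defaultdict(set))
    for r in records:
        hosts_per_hash[r["basename"]][r["sha256"]].add(r["host"])
    return {name: {h: len(hosts) for h, hosts in variants.items()}
            for name, variants in hosts_per_hash.items()}


def rare_variants(records, max_hosts=1):
    """Files whose name is seen across the fleet but whose hash occurs on at most
    max_hosts hosts: the least-frequency-of-occurrence outliers worth a closer look."""
    stacks = stack_by_name(records)
    flagged = []
    for r in records:
        variants = stacks[r["basename"]]
        fleet_hosts = sum(variants.values())
        if fleet_hosts > max_hosts and variants[r["sha256"]] <= max_hosts:
            flagged.append(r)
    return sorted(flagged, key=lambda r: (r["host"], r["path"]))


if __name__ == "__main__":
    recs = hash_inventory(INVENTORY)
    print("IOC hits:", match_iocs(recs, IOC_SHA256))
    for r in rare_variants(recs):
        print("rare variant:", r["host"], r["path"], r["sha256"])
```

The IOC match answers "where else is this exact file?", which is the sweep DavideP wants to run once a detection yields a hash. The stacking pass needs no prior indicator at all: it surfaces ws-04's `svchost.exe` purely because its hash differs from the three identical copies elsewhere, while `update.exe` is not flagged since the same hash sits on two hosts. Raising `max_hosts` or stacking by full path instead of basename changes what counts as an outlier.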
  • Hello DavideP,

    VIP (and please note it is Executive VIP :smileyvery-happy:)

    is just a forum rank, two forum users have it (frequent advice earned Jak's and drivel mine). Thanks for the explanations and your patience.

    Christian
