
Sophos Enterprise Console doesn't log any hash of malicious files detected by Sophos Endpoint agent

As far as I know, the hashes of the files that have been detected by the Sophos agent on clients are not logged (neither in the Console DB nor on the client side). Am I wrong?

Is there a way to retrieve the MD5, SHA1 or whatever hash for the files detected as malicious by the Sophos agent running on the client?

There is also a feature request about this here:

 - http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/7060110-sophos-enterprise-console-write-hash-value-in-mss

We tested this on Sophos Enterprise Console 5.2.2: does v. 5.3 include this basic feature?

I think this feature should have high priority to support the Incident Response phases.



  • Hi Christian,

    Well, there are several reasons; let's start with some of them:

    First of all, knowing the hash of the detected malicious files allows analysts to run multiple analyses on the nature of the detected files, e.g. running queries on VT or other OSINT resources.

    With the hash of the file it is possible to use it as an IOC and scan the rest of the enterprise assets with it.

    I found the "family" for detected malware missing a lot of information that might be useful for the incident response phase.

    There are cases in which suspicious files have been detected by Sophos as part of a specific new family or variant, and then hours later the same file gets detected as part of an old type of malware. I guess this is because in the meantime the signatures that detect that new variant have been tuned by Sophos; but from my perspective I'm playing with a black box.

    Files get blocked or not by Sophos... That's it; we don't get that much information to run investigations on our end.

    Of course there are some cases in which the hash changes and the value of that information might be less valuable. But I would say that those cases are still the minority, and even for these the hash can be relevant for the purpose of the investigation.

    We all know that AV cannot be the only solution that keeps an asset safe, but maybe if they work in a more transparent way, they can still provide a lot of information for Incident Response.

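The workflow described in the reply above (compute the hash of the flagged file yourself on the endpoint, since the console does not log it, then use that hash as an IOC to sweep other assets) as an added Python example; this is not code from the thread or from Sophos, and the sample files it creates are constructed stand-ins, not real detections.

```python
import hashlib
import io
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")

def _digest_stream(stream):
    """Feed one stream through MD5, SHA1 and SHA256 in a single pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data):
    """Hashes of an in-memory buffer, e.g. a sample pulled out of quarantine."""
    return _digest_stream(io.BytesIO(data))

def hash_file(path):
    """Hashes of a file on disk, streamed so large files are not read into RAM."""
    with open(path, "rb") as fh:
        return _digest_stream(fh)

def sweep(root, iocs):
    """Return (path, algorithm, digest) for every file under root whose MD5,
    SHA1 or SHA256 is in the IOC set; unreadable files are skipped, not fatal."""
    wanted = {h.strip().lower() for h in iocs}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: keep sweeping the rest
            hits.extend((path, algo, d) for algo, d in digests.items() if d in wanted)
    return hits

def build_sample_tree():
    """Constructed sample data (not real malware): one 'detected' file plus a
    benign file. Returns (root, sha256 of the detected file) to use as the IOC."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    detected = os.path.join(root, "detected.bin")
    with open(detected, "wb") as fh:
        fh.write(b"constructed stand-in for a file the endpoint agent flagged\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("benign file, must not match\n")
    return root, hash_file(detected)["sha256"]
```

Hashing all three algorithms in one read lets the same sweep match IOC lists published in any of the formats the reply mentions (MD5, SHA1 or SHA256) without rereading the disk.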