
Sophos Enterprise Console doesn't log any hash of malicious files detected by Sophos Endpoint agent

As far as I know, the hashes of the files that have been detected by the Sophos agent on clients are not logged (neither in the Console DB nor on the client side). Am I wrong?

Is there a way to retrieve the MD5, SHA1 or whatever hash for the files detected as malicious by the Sophos agent running on the client?

There is also a feature request about this here:

 - http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/7060110-sophos-enterprise-console-write-hash-value-in-mss

We tested this on Sophos Enterprise Console 5.2.2: does v. 5.3 include this basic feature?

I think this feature should have high priority to support the Incident Response phases.



  • Hello DavideP,

    With the hash of the file it is possible to use it and scan with that IOC the rest of the assets. [...] cases [in which the hash changes] are still the minority

    I don't have numbers, but that's not the point. You want the hash of detected files recorded. Assuming your assets are protected, the AV will detect the files on all of them. If they are not protected and the file can be found, this usually means that these endpoints have been infected and there might be more malware on them. A cobbled-together hash-based scanner is not the best way to deal with this situation.

    the nature of the detected files

    :-P you want to take fright at what could have happened? :-P Seriously, except in those cases where the threat is not detected until "in operation", the detection (with the subsequent minimum action, block) has prevented any malicious activity. For partial detections or suspicious files/activity in conjunction with a detection you should send the samples; just the hash won't improve identification (unless you want Labs to look up the hash in order to obtain a sample elsewhere).

    I have a black box

    ... like your car's engine and its management system.

    a specific family

    Family is in the eye of the analyst. More than a few threats are assembled with kits, use polymorphic engines, fetch an applicable exploit and subsequently download a perhaps even customized payload (potentially following several varying redirects). Say you have a variant (not necessarily with identical hashes) of a (known and named) downloader (which has delivered several kinds of malware in the past), and this specific variant is found to always deliver (a variant of) a certain (known and named) malware. Then another variant of the downloader always connects to a certain rogue CDN but delivers various threats. See? It's not that simple.

    [Edit]

    Much better than my meager post are these Notes from Sophos Labs

    [/Edit]

    Christian   

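As an added example (not code from this thread, from DavideP, or from Sophos), here is the hash-based IOC sweep DavideP describes, in Python against a constructed directory: it hashes files with MD5, SHA-1 and SHA-256, loads a mixed IOC list, and reports matches. The "detection record" it starts from is an assumption, since the thread's point is that the console does not write one; the demo also shows Christian's caveat, because a sample that differs by a single byte has different hashes and is not reported.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hex-digest length identifies the algorithm, so one IOC list can mix MD5, SHA-1 and SHA-256 entries.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def _new_hashers():
    return {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}


def _digests(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """All three digests of an in-memory blob (what an agent could log at detection time)."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return _digests(hashers)


def hash_file(path, chunk_size=1 << 20):
    """All three digests of a file, streamed so large binaries are not read into memory at once."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return _digests(hashers)


def load_iocs(lines):
    """Parse an IOC list (one hex digest per line, '#' comments allowed) into {algo: set(digests)}."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set()}
    for line in lines:
        token = line.split("#", 1)[0].strip().lower()
        if not token:
            continue
        algo = _ALGO_BY_LEN.get(len(token))
        if algo is None or any(c not in "0123456789abcdef" for c in token):
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {line!r}")
        iocs[algo].add(token)
    return iocs


def sweep(root, iocs):
    """Walk `root` and return (path, algo, digest) for every file whose digest is in the IOC set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the whole sweep
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


def demo():
    """Constructed scenario (no real malware): a detected sample, a one-byte variant, a clean file."""
    sample = b"MZ constructed sample, not real malware: payload=0x41\n" * 64
    variant = sample[:-2] + b"2\n"   # a single changed byte: every hash differs, hash IOCs miss it
    clean = b"#!/bin/sh\necho hello\n"
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("sample.bin", sample), ("variant.bin", variant), ("clean.sh", clean)):
            Path(root, name).write_bytes(data)
        # Assumed stand-in for the record the thread asks for: the hashes an agent would have
        # logged when it detected sample.bin. Nothing in the thread says the console writes this.
        detected = hash_file(Path(root, "sample.bin"))
        ioc_lines = [
            "# hashes recorded for sample.bin at detection time (constructed)",
            detected["md5"],
            detected["sha256"].upper(),   # matching is case-insensitive on purpose
        ]
        hits = sweep(root, load_iocs(ioc_lines))
        return sorted({os.path.basename(path) for path, _algo, _digest in hits})


if __name__ == "__main__":
    print(demo())   # ['sample.bin']: the variant and the clean file are not reported
```

Run it with `python3 sweep.py` (any file name works). The sweep is deliberately exact-match only: it finds every copy of the file whose hash was recorded, which is the use case DavideP asks for, and it finds nothing for the one-byte variant, which is the limit Christian points out. Treat a hit as a starting point for collecting the sample and looking for further compromise on that host, not as the end of the investigation.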