
Sophos Enterprise Console doesn't log any hash of malicious files detected by the Sophos Endpoint agent

As far as I know, the hashes of the files detected by the Sophos agent on clients are not logged (neither in the Console DB nor on the client side). Am I wrong?

Is there a way to retrieve the MD5, SHA1 or whatever hash of the files detected as malicious by the Sophos agent running on the client?

There is also a feature request about this here:

 - http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/7060110-sophos-enterprise-console-write-hash-value-in-mss

We tested this on Sophos Enterprise Console 5.2.2: does v. 5.3 include this basic feature?

I think this feature should have high priority to support the Incident Response phases.



  • Interesting article about evasion techniques...

    Anyway, I guess I don't have to explain to an employee of a security solutions company such as Sophos whether the hash of a detected file might be useful for Incident Response... It's the simplest ID of a file; obviously the name won't give such valuable information.

    There are plenty of Open Source Intelligence sources that (also) use hashes of malicious files to identify them, of course not only... But it is still a pretty common indicator as far as I know. There are pretty popular websites that provide information starting from a file hash, such as:

     - http://www.team-cymru.org/MHR.html

     - https://www.metascan-online.com/#hash-lookup

     - https://www.virustotal.com/#search

    From there you can get a lot of information useful for running Incident Response.

    It's the first time I have had to work with an enterprise antivirus that doesn't log hashes, not even in the database.

    I had previous (pretty unpleasant) experience with Symantec, but at least the hashes were calculated and logged on most of the single alerts and in the central database.

    I'm pretty sure that Sophos also calculates the hash of the files that are scanned, so I don't understand why this info is not logged anywhere.
