Sophos Enterprise Console doesn't log any hash of malicious files detected by the Sophos Endpoint agent

As far as I know, the hashes of the files that have been detected by the Sophos agent on clients are not logged (neither in the Console DB nor on the client side). Am I wrong?

Is there a way to retrieve the MD5, SHA1 or whatever hash for the files detected as malicious by the Sophos agent running on the client?

There is also a feature request about this here:

 - http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/7060110-sophos-enterprise-console-write-hash-value-in-mss

We tested this on Sophos Enterprise Console 5.2.2: does v5.3 include this basic feature?

I think this feature should have high priority to support the Incident Response phases.

Hello DavideP,

an Employee

who? Me? I'm a customer and I just want to find out in what way these hashes could help me to improve our Incident Response. It's still not clear. While I understand their forensic value (probably in conjunction with an original file), I fail to see how these could help me to respond to an alert, and it has to be an alert, viz. a positive detection (whether as suspicious or malicious), otherwise it wouldn't get recorded anyway.

Maybe it's a lack of imagination on my side, but basically I see the following scenarios:

1) A file is detected as malicious but I don't use automatic cleanup because I want a second opinion before taking any "destructive action". I could spend the whole day chasing hashes and be none the wiser afterwards. Some customer/vendor must be the first one to encounter a specific hash, so if it's me there'll be no recorded hash. Am I supposed to submit any file with an unknown hash, e.g. to VirusTotal? BTW - while VT forwards "missed" samples to the respective AV labs, it looks like the samples are not resubmitted. Take for example Troj/Agent-WFN. Sophos' first sample has the "seen" date 2012-03-21. The corresponding sample was scanned at VT on 2012-03-19 and Sophos failed to detect it then.

2) A file is detected as suspicious and I want a definite answer. Most of the above applies here as well; furthermore, other vendors' detections might also classify the sample as "only" suspicious.

Thus: If I want to submit the sample (to whomever) I don't need the hash. If the hash can't be found I have to submit the file. If the hash is found I'll still have to take the results with a grain of salt (and at least with VT it seems advisable to resubmit the sample in order to get a "current" assessment). If Sophos' detection is not "to my liking" I should submit the sample to Labs anyway. Which important aspect am I missing?

Christian
