
Fake AV Malware Not Stopped

Why doesn't Sophos stop Malware, especially Fake AV malware, like it does viruses? We have a corporate license and all machines are up-to-date with Sophos AV but more & more we spend too much time removing malware & tracking down other changes that were made by the malware that have disabled programs.


  • In response to the last two posts (and also to somewhat mitigate mine from about a week ago):

    I'd also like Sophos to do better with respect to FakeAV. The problem (if you can call it a problem) is IMO not so much cleanup but detection. One would assume that this malware should be easily identified - if not during on-access then by its behaviour (and that others can confirm this assumption). I might be totally wrong, but it looks like Sophos' detection strategy doesn't allow the use of these seemingly simple identifiers (like, e.g., a process's window title), because on the one hand too many FakeAVs similar to ones already seen slip through; OTOH, once SophosLabs have analyzed a sample and issued an IDE (and they do so within a very short time), detection and cleanup are usually successful (note also that not all "FakeAV" seems to be classified as Mal/FakeAV* - IIRC Troj/Agent* might also be applied). In my experience Sophos is not the "complete failure" (excuse the exaggerated term) as sometimes claimed; in most cases there are one or more generic and/or SUS detections.

    This being said - unless you've sent in a sample (or someone else has done so in the meantime) there is no use in trying the CLI; it uses the same engine and definitions.

    But - if you run some reports you will likely see that a certain amount of FakeAV is detected and cleaned (of course depending on your settings). The question is, how should Sophos know it missed some (sure, they know they do, and I hope they don't take it lightly) and how many in proportion? A general complaint (like in this forum) is just general. Like any other company, Sophos does its numbers: unless the missed instances are reported (or flocks of customers are absconding), FakeAV might not get the attention it should. Thus you should call Support whenever a FakeAV is missed (and preferably send in samples). State how many computers are affected and what Sophos has missed but other products have found (again, not in general terms but with the specific samples). This will give your complaints considerably more weight.

    I want to add that we don't have edge filters, users can surf to whatever site they want and still we are not flooded with FakeAV.

    Christian
