Please, help me PUA On-access detection in Sophos Linux

Nobody ???

For a very good reason, this is not the correct forum. This is a firewall forum.

One of the moderators might read you request and move you to the correct forum.

Ian

DouglasLeeder said:

Hi,

 

I'm afraid I don't know for certain, but I think PUA only include Windows programs, such as Adware.

 

Thanks,

Douglas.

 

But phishings and miners signatures are downloaded regularmentary in updates for savupdate.

Why on-access don't detect it ?

Hello,

[disclaimer: just observations, no inside knowledge]
right now there are several miners in the Latest PUAs list. Miners running on Linux are categorized as Viruses and Spyware/Trojans.

Adware and PUA for Mac OS X (like MacKeeper) detection has been added in 2015. PUA isn't AdWare, a number of legitimate software (like several programs in the Sysinternals/Microsoft PSTools collection) is classified as PUA.

signatures are downloaded
@Henrique RJ - signatures is perhaps not the ideal term as it elicits certain connotations (especially the one that "signatures" are independent and self-contained items that the scanner uses one after the other one a file until it either gets a hit or the list is exhausted). A detection item is part of a decision network, you can think of it as a set of instructions mostly working top down, i.e. refining the assessment, calling or branching to other items in the process. A classification as AdWare is not necessarily an afterthought. In other words, detection items aren't subdivided into those for viruses, others for Trojans, and so on.

Christian

QC said:

Hello,

[disclaimer: just observations, no inside knowledge]
right now there are several miners in the Latest PUAs list. Miners running on Linux are categorized as Viruses and Spyware/Trojans.

Adware and PUA for Mac OS X (like MacKeeper) detection has been added in 2015. PUA isn't AdWare, a number of legitimate software (like several programs in the Sysinternals/Microsoft PSTools collection) is classified as PUA.

signatures are downloaded
@Henrique RJ - signatures is perhaps not the ideal term as it elicits certain connotations (especially the one that "signatures" are independent and self-contained items that the scanner uses one after the other one a file until it either gets a hit or the list is exhausted). A detection item is part of a decision network, you can think of it as a set of instructions mostly working top down, i.e. refining the assessment, calling or branching to other items in the process. A classification as AdWare is not necessarily an afterthought. In other words, detection items aren't subdivided into those for viruses, others for Trojans, and so on.

Christian

 

So Sophos in Linux don't detect phishings ?

No has any " out off " tip to make on-access detect miners and phishings ?

Any secret tip or tweak ?

Hello Henrique RJ,

phishings
are a different story. There's the famous Mal/Phish-A, as you can see "all" OSs are listed as affected. But please note that the Mal/ prefix indicates that it belongs to the Viruses and Spyware category - not to AdWare and PUA. There's also the rather large Troj/Phish family, again Viruses and Spyware.
Also note that there's "only" on-access scanning - it relies on the potentially offending content being available in scannable file. As phishings usually arrive by mail it depends on the behaviour of the mail client whether on-access gets the chance to scan the content.

miners
as said, some miners are in the Viruses and Spyware, others PUA. Guess the distinction is who runs it and who profits  - if it's the user then it's likely PUA, if it's running without explicit consent then malware.

Any secret tip
The important question is: What is your scenario? Is this a Linux desktop and you want to be protected? Are yoi worrying that you might "pass something on"? Is this a file or web server accessed by non-Linux clients? Or a gateway?

Christian

QC said:

Any secret tip
The important question is: What is your scenario? Is this a Linux desktop and you want to be protected? Are yoi worrying that you might "pass something on"? Is this a file or web server accessed by non-Linux clients? Or a gateway?

Christian

Yes, it Linux desktop and I want to be protected.

Hello Henrique RJ,

I see. There's AFAIK nothing that's categorized as Adware or PUA for Linux. The Linux biotope is different from the ones for Windows or OS X. As there are reputable repositories for all kinds of (open and free) software you're much less likely to install a something from somewhere.
Having said that, browsing is the most likely cause for annoyance - but what could be caught by on-access scanning is mostly platform dependent and no problem on Linux.

Christian

But, Why Sophos detect phishings in Windows and not in Linux ?

Nothing ???

Any hot tip ?

oh come on people, I need one tweaking configuration for Sophos Linux to detect phishings, adwares, PUAs and miners in on-access ( the assinatures exists, it's downloaded every weeks, I look that ).

thks

Any hot tip ?

oh come on people, I need one tweaking configuration for Sophos Linux to detect phishings, adwares, PUAs and miners in on-access ( the assinatures exists, it's downloaded every weeks, I look that ).

thks

Hello Henrique RJ,

why did you choose Linux as your desktop OS in the first place? No offence intended but wanting to tweak security software and being afraid of phishing does IMO not really fit together.

Christian

QC said:

Hello Henrique RJ,

why did you choose Linux as your desktop OS in the first place? No offence intended but wanting to tweak security software and being afraid of phishing does IMO not really fit together.

Christian

 

Christian

Actually I considere Windows 10 extremally problematic.

Look for this list in image:

The select file is a " phis-clu.ide "

It's a phishing assignature in the directory /opt/sophos-av/lib/sav/ downloaded in 27th may 2018

Why Sophos AV Linux don't detect it ( on-access ) ?

Who activate this detection in on-access ?

That is a question.

Thanks !!!

Hello Henrique RJ,

Sophos AV Linux don't detect it
doesn't detect which it? I'm not sure I understand what you expect. How can you tell what phis-clu.ide is supposed to detect? And how do you know that this detection is not activated? Do you have a sample that triggers Troj/Phish-CLU detection on Windows but not on Linux?

Christian 

QC said:

Hello Henrique RJ,

Sophos AV Linux don't detect it
doesn't detect which it? I'm not sure I understand what you expect. How can you tell what phis-clu.ide is supposed to detect? And how do you know that this detection is not activated? Do you have a sample that triggers Troj/Phish-CLU detection on Windows but not on Linux?

Christian 

 

I tested others phishings sites ( by PhishTank ) detecteds for Sophos in VirusTotal anda in my Linux it don't detect.

Example: www.virustotal.com/

Hello Henrique RJ,

PhishTank deals with sites, On-Access scans files. As far as I can see the example site is blocked by Web Protection (which is not available on Linux) - the On-Access scanner and its detection items don't come into play here.

Christian

QC said:

Hello Henrique RJ,

PhishTank deals with sites, On-Access scans files. As far as I can see the example site is blocked by Web Protection (which is not available on Linux) - the On-Access scanner and its detection items don't come into play here.

Christian

 

Disagree

Eureka !!!

Sophos in Linux finaly detection a phishing page.

Look

The object detected in VirusTotal: " Dropbox - sign in.html "

www.virustotal.com/

Detection for link:

www.virustotal.com/

As you can see from the popup - that is a detection on a file (in the mozilla cache).

Nothing to do with the network connection or the URL being fetched.

DouglasLeeder said:

As you can see from the popup - that is a detection on a file (in the mozilla cache).

Nothing to do with the network connection or the URL being fetched.

 

Thats right

For detect URL I have the Firefox and uBlock Origin protection.

From the VirusTotal link you can see the detection for signature ( phishing ) in file " Dropbox sign in.html ".

Thanks

Hi Henrique RJ,

The reported URL in Virustotal is detected by the Network or MTD of Sophos AV that is not available in the Linux.

The detection that you see is for the file that is locally stored in the machine via the browser which will be picked by the SAV.