Collect reputation data during on-demand scans

The online help and PDF manual for Central both show this configurable Threat Protection policy under Live Protection:

Collect reputation data during on-demand scans. When a scheduled scan runs, or you use "Scan Now", Live Protection will collect data about the software on users' computers and send it to Sophos. The data helps us decide which software is most widely used and so likely to be trustworthy.

Checking my policies in Central I don't see the above option under Live Protection. Is this feature not yet exposed in Central, contrary to what the Help suggests?

I've quickly checked the KB looking for details of what was collected and sent to Sophos but wasn't able to spot much. I don't necessarily want to disable this feature but it would be nice to know a little more about what gets uploaded. 

Regards

  • Hi

    Disabling the Live Protection option will control the data collection for both on-demand scans and scheduled scans. Likewise you will be able to manage its use as mentioned in the Sophos Central Admin Guide.

    LiveProtection was added to give the endpoint the ability to 'lookup' files in real-time to verify if they are malicious. Over the past few years it has proven very effective at stopping new malware outbreaks and protecting our customers.

    However, regarding the details on Telemetry Data Collection, you can find the details here.

    Hope it helps

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Hi Gowtham,
    Thanks for your reply, however, I think Telemetry & Reputation Data Collection are different. I'm not running Sophos Endpoint Security and Control, and the online & PDF manual for Central makes no mention of the word Telemetry. Does Central also gather Telemetry? If so, when does it do it?

    In my post I was specifically referring to the collection of "Reputation Data" that the Central manual suggests is automatically collected during Scheduled Scans and Scan Now runs. I realize that I can disable Live Protection itself but the manual also clearly shows that I could (if I was so minded) disable "Collect Reputation Data during on-demand scans". I do not see this option in the GUI.

    What Reputation Data is collected and what software is reported? For instance if I start "Program X" on my PC five times a day does this get logged and reported? Should I worry that Sophos is logging usage of applications on my devices?

    Regards
    Andy.

  • Hello Andy,

    I'm not Sophos and not a Central user, these are just my two cents.

    I do not see this option in the GUI
    you mean just Collect is missing from the GUI (I assume Use Live Protection, Automatically submit, and Use during scheduled are there - the docs aren't clear whether the latter is available in a Server as opposed to an Endpoint policy)?

    collection of "Reputation Data"
    the Reputation Lookup uses only checksums, the Download Reputation article suggests that additional information is used to determine the score. Prevalence and age are statistical data, URL doesn't apply to scheduled scans, the files' metadata (name, path, timestamps) could be additional information uploaded (dunno which SXL mechanism is used) but I don't think so.
    Program profiling is definitely not part of Reputation Collection (note it is, if enabled, done for scheduled and on-demand scans only). Reputation Lookup might submit the URL.

    telemetry
    for SESC it's in a subfolder of the AutoUpdate Program Files folder. A large part of the information is anyway in Central Admin, so any additional information might get sent as part of an Agent status message.

    While a MachineID is often sent to uniquely identify the endpoint (please note that this isn't strict - otherwise there'd be no articles on how to correctly prepare a Gold Image) no PII is sent. Naturally it's possible to make correlations for UserIDs and MachineIDs (for those data not already in Central).

    Christian

  • Hi Christian,
    Thanks for replying. It is the absence of the Collect option in the GUI that I was querying, I do see the other Live Protection options in Policy.

    I am also concerned about the lack of info regarding what data is collected in the first place - "Live Protection will collect data about the software on users' computers and send it to Sophos". If it is just passing hash values to Sophos that they then use in the Reputation Download feature then I guess this is ok.

    Regards
    Andy.

  • Hello Andy,

    Live Protection does (if enabled) upload not only hashes but also samples (up to a certain size). It doesn't do this for all files; please see here which events trigger a lookup (also note the Note: at the end of the What is it? chapter). I think initially only the second point of How does it work applied, i.e. certain detection items (notably Mal/Generic-S) could come to the decision to perform a Live Protection lookup. The first one could mean that each definite detection is unconditionally re-assessed, though I think this is not the case.

    As Download Reputation: Frequently Asked Questions says that currently only executables/.exe are considered, I assume that Reputation Collection will apply to just these; a Live Protection sample could be taken from any file (e.g. documents) though. Don't forget that hashes of common programs are as revealing as their name and version or a (possibly partial) sample.

    As for collect[ing] data about the software on users' computers - most software nowadays calls home in one or the other way. Guess your ISP could assess software use quite easily. Guess about the software is just another term for about executables.

    Christian

  • Hi Christian,
    I think we're coming at this from different angles. I'm not at all concerned about the operation of Live Protection. I have this facility enabled on all 2000+ devices at my site. I'm absolutely happy for it to automatically send samples of what it considers suspicious to Sophos for further analysis.

    What does concern me a little (only because I can find no info) is the item under the Help topic for Live Protection that says:

    Collect reputation data during on-demand scans. When a scheduled scan runs, or you use "Scan Now", Live Protection will collect data about the software on users' computers and send it to Sophos. The data helps us decide which software is most widely used and so likely to be trustworthy.

    Now I read the above to translate into: Sophos tracking software usage on my PC and then periodically uploading this cache of data when a scan runs. Sophos then use this to determine the reputation of files. For instance, data collected says that millions of PCs have an EXE called Winword.exe and that the app is used regularly and was installed some time ago. A file like this is likely to have a high reputation. There may be another device that has abc.exe that has run one time and was first reported today; its reputation is likely to be suspicious. This data cache is then used for Download Reputation checks within the product, as I understand it.

    Now I fully understand that Sophos will need a cache of data to determine what is likely to have a good or bad Reputation and that getting it from us makes sense. I'm interested in what this upload contains mainly so that I'm armed with the answer when/if my boss comes knocking at my door! What data am I unknowingly sharing with Sophos every time a scan runs?

    Maybe I'm misunderstanding the bold line item above and see a problem where none exists.
    Regards
    Andy.

  • Hello Andy,

    tracking software usage
    would best be done by the On-Access scanner, wouldn't it? But then, why rely on a Scheduled or Scan Now scan (which could never happen) to upload the data (apart from the required house-keeping overhead for the accumulated data)? Thus I think it means that just data about the files encountered during the scan (whether they have ever been executed or not) is uploaded, nothing more.

    Christian