
False negative or false positive?

I have a honeypot PC. I recently received a spam email with a link leading to a .exe file download. Sophos Intercept X did not detect any malware. When I uploaded the file to virustotal.com, some endpoints detected it as Trojan.GenericKD.67254445 (BitDefender, GData, F-Secure). I sent the file to Sophos:

"The file doesn't seem to be detect-worthy. The detections showing on the file by other vendors are generic only."

Why do some endpoints detect it as a Trojan and Sophos doesn't?

SHA1: 8e91d78f1b23b691b4d0f22907418e27b6213af6

Thanks



This thread was automatically locked due to age.
  • Now the support agent sent me a complete answer and I understood the situation. This really isn't a Sophos false negative.

    Thank you for your help  

  • No problem at all. I inquired internally to get some more information on this as well. 

    As I understand you're running a honeypot device, I'd suggest looking into implementing some of our email security solutions on the test environment you have as well. 

    The level of email scanning that will occur from the endpoint may not go as in-depth into the attached files until those files are run on the local device. As Sophos Endpoint uses a layered approach, even if the initial check of file signatures on attachments does not catch the file, other layers such as behavioural detection from Intercept X will likely catch malicious behaviour. 

    The addition of Email protection will help you replicate a real-world test scenario where our entire suite is being used.

    If you require a trial of Sophos Email, you can request one for up to 30 days. This trial can also be extended up to 60 days for testing.

    Kushal Lakhan
    Team Lead, Global Community Support
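The support reply above draws the distinction between a generic (family-agnostic) signature name and a specific one, and between static file scanning and later behavioural layers. The script below is an added example, not code from the thread or from Sophos, showing how an analyst might triage a multi-engine report on that basis: it flags generic-only verdicts as "detonate and watch behaviour" rather than treating the raw hit count as a verdict, and it collapses identical names from several engines, since shared or licensed engines can make one signature look like three. The report is a constructed VirusTotal-style result set; the SHA1, the detection name and the three detecting vendors come from the thread, while the undetected engine names, the `GENERIC_TOKENS` list and the thresholds in `triage` are assumptions made for the example.

```python
"""Triage a multi-engine AV report: how much weight do generic-only detections carry?"""
import hashlib

# Constructed VirusTotal-style result set for the sample discussed in the thread.
# The hash, the GenericKD name and the three detecting vendors are from the thread;
# the "EngineA".."EngineD" entries are placeholders, not real vendor results.
SAMPLE_SHA1 = "8e91d78f1b23b691b4d0f22907418e27b6213af6"
SAMPLE_REPORT = {
    "sha1": SAMPLE_SHA1,
    "results": {
        "BitDefender": "Trojan.GenericKD.67254445",
        "GData": "Trojan.GenericKD.67254445",
        "F-Secure": "Trojan.GenericKD.67254445",
        "Sophos": None,
        "EngineA": None,
        "EngineB": None,
        "EngineC": None,
        "EngineD": None,
    },
}

# Substrings that usually mark a heuristic / ML / family-agnostic signature.
# This list is an assumption for the example; vendor naming conventions differ.
GENERIC_TOKENS = ("generic", "heur", "suspicious", "malicious", "score", "ml.", "agent")


def is_generic_name(name: str) -> bool:
    """True when the signature name gives no malware family, only a category."""
    lowered = name.lower()
    return any(token in lowered for token in GENERIC_TOKENS)


def sha1_hex(data: bytes) -> str:
    """SHA1 of the bytes actually in hand, to confirm they match the report's hash."""
    return hashlib.sha1(data).hexdigest()


def triage(report: dict) -> dict:
    """Summarise a report and recommend the next step for the analyst.

    Verdicts:
      likely_malicious  at least one engine names a specific family
      generic_only      hits exist but every name is family-agnostic
      undetected        no engine flagged the file statically
    """
    results = report["results"]
    hits = {engine: name for engine, name in results.items() if name}
    specific = {e: n for e, n in hits.items() if not is_generic_name(n)}
    generic = {e: n for e, n in hits.items() if is_generic_name(n)}
    # Identical names across vendors may be one signature seen through shared engines,
    # so count distinct names rather than raw hits.
    distinct_names = len(set(hits.values()))

    if specific:
        verdict = "likely_malicious"
        next_step = "treat as malicious; pivot on the named family"
    elif generic:
        verdict = "generic_only"
        next_step = "no family attribution; run in a sandbox and rely on behavioural detection"
    else:
        verdict = "undetected"
        next_step = "static scan is silent; still detonate on the honeypot before clearing"

    return {
        "sha1": report["sha1"],
        "engines": len(results),
        "detections": len(hits),
        "detection_ratio": len(hits) / len(results) if results else 0.0,
        "distinct_names": distinct_names,
        "specific": specific,
        "generic": generic,
        "verdict": verdict,
        "next_step": next_step,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['sha1']}: {summary['detections']}/{summary['engines']} engines, "
          f"{summary['distinct_names']} distinct name(s) -> {summary['verdict']}")
    print("next step:", summary["next_step"])
```

For the thread's sample the script reports 3/8 hits but a single distinct, generic name, so the recommendation is to detonate the file and watch for behaviour rather than to read the VirusTotal count as a missed detection. The `sha1_hex` helper is there so that the bytes you submit to a vendor are checked against the hash you are quoting them.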