False negative or false positive?

Question

I have a honeypot pc, I recently received a spam email with a link leading to a .exe file download. Sophos Intercept-x did not detect any malware. When uploading the file to virustotal.com some endpoints detected it as Trojan.GenericKD.67254445 ( BitDefender, GData, F-Secure) . I sent the file to Sophos: "The file doesn&rsquo;t seems to be not detect worthy. The detection showing on the file by other vendors are Generic only." Why do some endpoints detect it as a Trojan and Sophos doesn't? 
 
 SHA1:8e91d78f1b23b691b4d0f22907418e27b6213af6 
 Thanks

Qoosh · Accepted Answer

No problem at all. I inquired internally to get some more information on this as well. 
 As I understand you're running a honeypot device, I'd suggest looking into implementing some of our email security solutions on the test environment you have as well. 
 The level of email scanning that will occur from the endpoint may not go as in-depth into the attached files until those files are run on the local device. As Sophos Endpoint uses a layered approach, even if the initial check of file signatures on attachments does not catch the file, other layers such as behavioural detection from Intercept X will likely catch malicious behaviour. 
 The addition of Email protection will help you replicate a real-world test scenario where our entire suite is being used. 
 If you require a trial of Sophos Email, you can request one for up to 30 days. This trial can also be extended up to 60 days for testing.

False negative or false positive?

Top Replies