
SOPHOS VS AVIRA Problems ... Which one do you use

I was going to mention this in the RC1 thread, but it is not really firmware related. Before Sophos got into the UTM business, I had always thought of them as an AV company, but mostly for Macs. I have noticed an alarming trend lately: Avira catches more viruses than Sophos; however, Sophos is the recommended engine in XG and UTM9 (due to PUA detection) and Sandstorm functionality.

I got a couple of random files from VirusTotal and tried them on UTM9 and Sophos XG v16.0.5... In both cases Sophos passes the virus. The sad part is that even Windows Defender catches these files as Trojan:Win32/Spursint.F!cl

Here are my settings 

File is passed

The same file is blocked if I switch to AVIRA for AV scan.

This is not the UTM9 forum, but  and  are regular mods that visit both forums, so I will post a few lines from UTM9 also for reference.

UTM9 blocking with Avira AV

2017:01:05-11:45:01 gatekeeper httpproxy[47665]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="192.168.0.3" dstip="46.105.105.167" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Custom Filtering)" size="2880" request="0x1a1c6400" url="img2.file-upload.cc:182/.../adobe.snr.patch.v2.0-painter.rar" referer="www.file-upload.cc/1yr4qa3kz04d" error="" authtime="0" dnstime="108103" cattime="8463582" avscantime="230576" fullreqtime="11534935" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" exceptions="" category="170" reputation="unverified" categoryname="Personal Network Storage" country="France" content-type="application/octet-stream" engine="Avira" virus="TR/Rogue.xqioq"

UTM9 allowing the same file with Sophos AV

2017:01:05-11:50:24 gatekeeper httpproxy[48749]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.3" dstip="46.105.105.167" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Custom Filtering)" size="685900" request="0xe1214c00" url="img2.file-upload.cc:182/.../adobe.snr.patch.v2.0-painter.rar" referer="www.file-upload.cc/1yr4qa3kz04d" error="" authtime="0" dnstime="68936" cattime="360" avscantime="987168" fullreqtime="3563482" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36" exceptions="" category="170" reputation="unverified" categoryname="Personal Network Storage" country="France" content-type="application/octet-stream" sandbox="1"


NOTES: XG was tested with www69.zippyshare.com/v/DyN937Yx/file.html and the referer for UTM9 is in the logs.
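As an added example that is not from the thread: a small Python parser for the UTM9 httpproxy key="value" log format quoted above, which groups records by URL and flags objects that one engine blocked while another passed. The two embedded log lines are constructed, shortened copies of the ones in the post.

```python
import re

# Constructed, shortened copies of the two UTM9 httpproxy lines quoted in the
# post: the same object blocked by Avira and then passed by Sophos.
SAMPLE_LOG = """\
2017:01:05-11:45:01 gatekeeper httpproxy[47665]: id="0056" severity="info" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" method="GET" srcip="192.168.0.3" url="img2.file-upload.cc:182/.../adobe.snr.patch.v2.0-painter.rar" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" engine="Avira" virus="TR/Rogue.xqioq"
2017:01:05-11:50:24 gatekeeper httpproxy[48749]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.3" url="img2.file-upload.cc:182/.../adobe.snr.patch.v2.0-painter.rar" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" sandbox="1"
"""

# Header: timestamp, hostname, daemon[pid]. Body: key="value" pairs whose
# values may contain spaces (name=..., ua=...), so each value is read as a unit.
HEADER_RE = re.compile(r'^(\S+) (\S+) httpproxy\[(\d+)\]: ')
KV_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_line(line):
    """Return a dict of header fields plus every key="value" pair, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group(1), "host": m.group(2), "pid": int(m.group(3))}
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def summarize(log_text):
    """Group records by URL and collect the actions, engines and verdicts seen."""
    by_url = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "url" not in rec:
            continue
        e = by_url.setdefault(rec["url"], {"actions": set(), "engines": set(), "viruses": set()})
        e["actions"].add(rec.get("action"))
        if rec.get("engine"):
            e["engines"].add(rec["engine"])
        if rec.get("virus"):
            e["viruses"].add(rec["virus"])
    return by_url


def inconsistent_verdicts(log_text):
    """URLs both blocked and passed in the same log: an engine coverage gap to review."""
    return sorted(u for u, e in summarize(log_text).items()
                  if {"block", "pass"} <= e["actions"])


if __name__ == "__main__":
    for url in inconsistent_verdicts(SAMPLE_LOG):
        s = summarize(SAMPLE_LOG)[url]
        print(url, "blocked by", sorted(s["engines"]), "as", sorted(s["viruses"]))
```

Run over a full httpproxy log, the same function lists every object where the two engines disagreed, which is the evidence needed before deciding between single and dual scanning.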



  • Bill,

    it depends on what you are trying to achieve on your box.

    If you need extreme protection, enable both AV engines and make sure the AV you use inside your PC/devices is different from Sophos and Avira as well.

    Defense in depth is the best protection ever. Sophos, Kaspersky, Symantec, Avira, etc... will always fail sometimes because they use signatures (false positives and false negatives, as in your case).

    We are moving into a new era where a single protection is not enough and we need more tools that are a mix of behaviour and signature analysis (like Intercept X).

    At home I am using XG where Avira is enabled and Sophos Cloud on all my devices.

  • Great answer as always, Luk. Dual scan makes the surfing speed a little slower, so I do like you and use Sophos endpoints with Avira on the gateway. I am not trying to point out the shortcomings of Sophos because, like you said, threats appear so fast these days that protection in layers is the best protection. I am sure there are viruses in the Sophos database that Avira is not aware of.

    I guess I was expecting similar protection from both products and was curious what most people were using.

  • I noticed another interesting aspect: the number of signatures each vendor packs into their updates. From the XG avd log file:

    2017-01-05 15:51:22 :[INFO] 5 display_sophos_version: Engine version number : 3.67
    2017-01-05 15:51:22 :[INFO] 5 display_sophos_version: Extended version : 2
    2017-01-05 15:51:22 :[INFO] 5 display_sophos_version: Threat data version string(IDE) : 5.34
    2017-01-05 15:51:22 :[INFO] 5 display_sophos_version: Number of detectable threats : 12415053
    2017-01-05 15:51:22 :[INFO] 5 display_sophos_version: Date of threat data (D/M/Y) : 29/11/2016


    2017-01-05 15:51:22 :[INFO] 3 avira__construct: Creating SAVAPI library instance
    2017-01-05 15:51:22 :[INFO] 3 add_log: [AVIRA_CALLBACK]Creating SAVAPI instance
    2017-01-05 15:51:22 :[INFO] 3 add_log: [AVIRA_CALLBACK]Using engine version 8.3.42.122

    I didn't see the number of detectable threats, so I cheated and looked at UTM9, which shows both the Sophos and Avira signature counts. The latest VDF update contains

    AVIRA       20170331, AVE 8.3.42.122, VDF 8.12.144.182 (14247100 signatures)

    Sophos   3.67.2, threat data 5.34 from 29/11/2016 (12415019 detected threats)

  • I know this is an old thread, but I too would like to know what the users around here do in regard to single/dual engine scanning and which engine they select as default. Right now I have single engine scanning on, and the engine set to Sophos, but I am starting to feel more and more that having dual engine scanning is worth a small tradeoff in speed.


    So what do you all do?