
Sophos Behaviour detection

Hello, 

I believe that for behaviour-based detection there may not be any signatures, and most of the detection is based on heuristics/scans performed on the code/attachment etc.

Can anybody please provide samples/examples of behaviour-based malware?

Deployment of the Sophos engine would be in a security gateway.

  • Hello again,

    your post sounds a little bit confused and confusing so for clarification I suggest reading the Glossary of Terms and the page about Suspicious Behavior. Perhaps this information helps you to rephrase your question and get the desired answers.

    Just a few remarks: "Behaviour" is ambiguous - it could mean what a program is expected to do based on an analysis of the code, or what it actually does at runtime. But as with signatures (which are still in use - although it's not a simple search for strings of bytes) the final decision depends on the context. Download a file from the Internet and run it - good or bad? Well, you actually expect that from your browser. But it should do this in a decent manner - loading a file from the Internet into memory and branching there is definitely bad. Analysis might include executing certain pieces of code in a small emulator.

    Scanning is similar to the security check at an airport. There are some basic checks and for most that's it. Anything and anyone out of the normal (whatever this exactly is) is subjected to closer inspection. A weapon in your luggage would be a signature. Some electronic devices would be suspicious. And so on. Eventually you might pass the gate, which does not mean that you won't show malicious behaviour later on the airplane.

    "security gateway"

    Which communications should be intercepted? Email, downloads, IM, VoIP ...?

    Christian
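The distinction Christian draws above (the same action, "download a file and run it", is expected from a browser but alarming when a process pulls bytes from the network straight into executable memory and branches there, while a signature hit is a separate, stronger signal) can be made concrete with a small behavioural scorer. The following is an added example written for this thread, not Sophos code and not how the Sophos engine works internally. The API-call trace, the process names, the scoring weights and the "signature" byte pattern are all constructed for illustration.

```python
"""Toy behaviour-based scoring over a constructed per-process API-call trace.

Added example for this thread; not Sophos code. Event names borrow Win32 API
names for readability, but the trace is hand-built, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    process: str                       # hypothetical process image name
    api: str                           # observed call, e.g. "VirtualAlloc"
    args: dict = field(default_factory=dict)


# Signature-style check: a fixed byte pattern (constructed marker, not a real signature).
SIGNATURES = {"Test/Marker-A": b"EICAR-LIKE-MARKER"}

# Processes for which "download a file and run it" is the expected behaviour.
EXPECTED_DOWNLOADERS = {"firefox.exe", "chrome.exe", "outlook.exe"}


def signature_scan(data: bytes):
    """The 'weapon in the luggage' check: name of the matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def analyse(trace):
    """Score each process in the trace by what it did and in what context.

    Returns {process: (verdict, score, reasons)}. Thresholds are arbitrary:
    >= 5 malicious, >= 2 suspicious, otherwise clean.
    """
    state = defaultdict(lambda: {"downloaded": False, "rwx": set(),
                                 "net_in_rwx": False, "score": 0, "reasons": []})
    for ev in trace:
        s = state[ev.process]
        if ev.api == "InternetReadFile":
            s["downloaded"] = True
            if ev.process not in EXPECTED_DOWNLOADERS:
                s["score"] += 2
                s["reasons"].append("network download by a process not expected to download")
        elif ev.api == "VirtualAlloc" and ev.args.get("protect") == "PAGE_EXECUTE_READWRITE":
            s["rwx"].add(ev.args["addr"])
            s["score"] += 1
            s["reasons"].append("RWX memory allocated")
        elif ev.api == "WriteMemory" and ev.args.get("src") == "network" \
                and ev.args.get("addr") in s["rwx"]:
            # Network-sourced bytes landed in executable memory; remember it.
            s["net_in_rwx"] = True
        elif ev.api == "CreateThread" and ev.args.get("addr") in s["rwx"]:
            if s["net_in_rwx"]:
                s["score"] += 5
                s["reasons"].append("branched into network-sourced bytes in RWX memory")
            else:
                s["score"] += 2
                s["reasons"].append("branched into RWX heap memory")
        elif ev.api == "CreateProcess":
            # Running a downloaded file is what a browser does; elsewhere it is worth a look.
            if s["downloaded"] and ev.process not in EXPECTED_DOWNLOADERS:
                s["score"] += 2
                s["reasons"].append("executed a file after downloading")

    result = {}
    for proc, s in state.items():
        verdict = ("malicious" if s["score"] >= 5
                   else "suspicious" if s["score"] >= 2 else "clean")
        result[proc] = (verdict, s["score"], s["reasons"])
    return result


# Constructed trace: a browser downloads and runs an installer (expected), and a
# hypothetical document viewer pulls bytes from the network into RWX memory and jumps there.
SAMPLE_TRACE = [
    Event("firefox.exe", "InternetReadFile", {"bytes": 1_048_576}),
    Event("firefox.exe", "CreateFile", {"path": r"C:\Users\u\Downloads\setup.exe"}),
    Event("firefox.exe", "CreateProcess", {"path": r"C:\Users\u\Downloads\setup.exe"}),
    Event("viewer.exe", "InternetReadFile", {"bytes": 4096}),
    Event("viewer.exe", "VirtualAlloc", {"addr": 0x20000, "protect": "PAGE_EXECUTE_READWRITE"}),
    Event("viewer.exe", "WriteMemory", {"addr": 0x20000, "src": "network"}),
    Event("viewer.exe", "CreateThread", {"addr": 0x20000}),
]

if __name__ == "__main__":
    for proc, (verdict, score, reasons) in analyse(SAMPLE_TRACE).items():
        print(f"{proc}: {verdict} (score {score}) {reasons}")
```

Running it reports firefox.exe as clean (download plus execute is its expected behaviour) and viewer.exe as malicious, because the download, the RWX allocation and the thread start on network-sourced bytes add up across the trace. The signature scan is deliberately separate: a pattern hit is a decision on its own, whereas the behavioural score only becomes meaningful in the context of which process did what.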

  • Thanks Christian

    I'm rephrasing the same.

    I meant to test the Behaviour GenoType Protection feature on the file attachments (pre-execution analysis) and not Suspicious Behaviour.

    The subject should be changed to "Behaviour GenoType Protection".

    http://www.sophos.com/support/knowledgebase/article/17315.html

    We would be intercepting both inbound and outbound web traffic with file attachments.
  • Thanks for rephrasing :)

    The Behavioral Genotype Protection article was written in 2006 as you can see, I'd call it a marketing buzzword (no insult intended - but see the SophosLabs™, a techie would never use this ™ ;)) and nowadays there's Sophos Genotype® and Behavioral Genotype® Protection. Anyway this is not a configurable addition or only available under certain conditions but part of the scanning engine. Though neither the Web nor the Endpoint Security datasheets still mention Genotype, the Email Security one does :)

    As for web traffic - this usually means HTTP(S) traffic and there are no "attachments", email attachments will be scanned in both directions and I guess uploads as well.

    Christian
