
SWA - Malware protection hole, and Sophos declined the fix

Hi, 

We all know what happened to Microsoft ISA/TMG server: it was no longer developed by Microsoft, and eventually it got dropped.

So I imagine, like me, other users looked at alternatives. The truth is, though, there weren't any third party products that could meet the feature set, especially with the third party plug-ins that were available to ISA/TMG.

We didn't need a firewall; we are happy with our current brand, thank you. Plus I don't believe in a Swiss Army security product.

So we decided on using Sophos Web Appliance as our replacement server. It provided the functionality we needed at the right price.

Over the time of using the product we have noticed that there is a clear lack of development of this product. I've raised other feature requests, such as improving the abysmal reporting, but these requests clearly aren't being developed. The only answer from Sophos is to "use a third party reporting tool to interpret the Sophos logs."

I fail to see how spending thousands of pounds on a product to make use of someone else's data (which they should report on in the first place) would help.

Anyhow, I can live with that, but this.... Recently I found an issue whereby the Sophos Web Appliance lets users download certain file types, such as image file types (.DMG, .ISO), without scanning them. As a result we are seeing lots of malware being let through by the Sophos Web Appliance, as it doesn't scan the files and doesn't have the capability of blocking them.

I raised a ticket with Sophos support, and the answer from Sophos support was:

A. "The end-point should capture the malware." WHAT!!! That's like saying the doorman/bouncer on a nightclub decides to let known troublemakers in, leaving his colleagues inside the nightclub to deal with them, potentially after they've hurt a few customers.

B. Raise a change request on the Astaro feature request forums. Please Mr Bouncer, can you stop the troublemakers from coming in? REPLY: Sorry sir, I'll have a discussion with the management and owners and see what they want beforehand.

BTW: The official feature request link on the Sophos Website: http://www.sophos.com/en-us/support/feature-requests.aspx doesn't list the web products as being part of the feature request forums. 

However, I did find the link to the Sophos Web products feature requests link (Thanks to GOOGLE). http://feature.astaro.com/forums/143211-sophos-web-security 

I was asked to raise a change request on the Astaro portal, but noticed that someone else had pipped me to the post:

http://feature.astaro.com/forums/143211-sophos-web-security/suggestions/3746822-allow-creation-of-additional-policies-and-or-local 

Sophos's answer to this:

DECLINED: "The UTM policy model provides this kind of flexibility. We will not be implementing this in the SWA."

Here's another comment from a Sophos official:

DECLINED: "This feature already exists on the UTM. Future web development will be focused on the UTM and so we won't be doing this on the SWA."

Since Sophos was bought out by Apax Partners, I've noticed a lack of interest in customer engagement, good products being dropped, and customers being left in the lurch. Being a customer for over 15 years I've seen a huge change from Sophos since this buy-out, and not for the better.  

So Sophos. I'd like to see some honesty and transparency please:

Q1. What is happening with the SWA product? Are you still developing it?

Q2. Are you telling us to move to UTM?

Q3. Are you doing anything about the abysmal reporting?

Q4. Are you really telling us that you are knowingly and willingly allowing malware in, are telling customers that the end-point product should catch it instead of SWA, and that we should raise a change request that you have clearly declined!?



  • To add to this post and highlight the vulnerability of SWA scanning:

    | TEST | FILE                                     | TYPE                                          | WEB SCANNING APPLIANCE RESULT | NOTES                    | SOPHOS PROCESS???                                                   |
    |------|------------------------------------------|-----------------------------------------------|-------------------------------|--------------------------|---------------------------------------------------------------------|
    | 1    | Sophos_4910821_EICAR_test.txt            | ASCII                                         | Scanned and blocked as threat |                          | Equals ASCII, so scan                                               |
    | 2    | Sophos_4910821_EICAR_test_txt.zip        | ASCII inside a Binary                         | Scanned and blocked as threat |                          | Equals Compressed Binary, so scan, then scan the ASCII              |
    | 3    | Sophos_4910821_EICAR_test_txt.dmg        | ASCII inside a Binary                         | Not scanned                   |                          | Equals Image Binary, so don't scan                                  |
    | 4    | Sophos_4910821_EICAR_test_dmg.zip        | ASCII inside a Binary, and then another Binary | Not scanned                   |                          | Equals Compressed Binary, so scan, but don't scan the Image Binary  |
    | 5    | Sophos_4910821_EICAR_test_iso            | ASCII inside a Binary                         | Not scanned                   |                          | Equals Image Binary, so don't scan                                  |
    | 6    | Sophos_4910821_EICAR_test.txt_fake.dmg   | ASCII                                         | Scanned and blocked as threat | Added _fake.dmg extension | Equals ASCII, so scan                                               |
    | 7    | Sophos_4910821_EICAR_test_txt.zip_fake.dmg | ASCII inside a Binary                       | Scanned and blocked as threat | Added _fake.dmg extension | Equals Compressed Binary, so scan, then scan the ASCII              |

  • Hi there,

    Thanks for your feedback. I understand your concerns.

    Firstly, with regard to the comments posted in response to feature requests: I apologize for the confusion there. We are not retiring the Web Appliance or our Web Gateway product line. The comment regarding the UTM was made at a time when we were considering that path, but it became quite clear that it was not the right way to go. In fact, over the past year we have stepped up our investment in Web Gateway and the Web Appliance, with our acquisition of Mojave networks, and the recent release of version 4.0 of the Web Appliance.

    With regard to the specific issue of malware detection within archives, this is a tricky issue.

    Web Gateway products are very performance-sensitive. End-users expect their web usage to be lightning-fast. Every additional process taken by a Web Gateway to inspect content impacts that performance. At some point, the value of the protection is outweighed by the inconvenience caused and at that point, users start trying to take matters into their own hands, attempting to bypass protection.

    Our top priority as a Web Gateway is to prevent malware that can be executed in, or that can be invoked in a browser environment without any kind of end-user interaction. We aim to stop drive-by downloads, threats embedded in PDFs or Flash, or in binaries that can be executed following a simple click of the mouse.

    Malware embedded in a disk image or ISO, or any other kind of encoding or compression, is nice to stop, but poses much less of a direct threat. It generally requires the end-user to take several deliberate steps to unpack and transform it into 'live' malware once it hits the endpoint. Scanning such files at the gateway is very processor-intensive, and sometimes storage-intensive, on the gateway device. But they can easily be protected against by an Endpoint product as the files are decompressed and transformed into live code that can be loaded and executed.

    Taken to its extreme, malware could be encoded or encrypted in some totally new way devised by a malware author, which can only be unencoded by a specific tool that they provide. In that case, there would be no way a Web Gateway could make sense of that stream of bytes and scan it. A determined attacker inside the organization could even download malware source code and compile it.

    So in short:

    - Sophos Web Appliance is focused on preventing active threats that happen in the browser without obvious user interaction

    - Sophos Web Appliance will always prioritize performance over extensive scanning inside archives

    - We will review our position regularly to make sure (a) we're doing all we can without becoming burdensome, and (b) we're not creating gaps in protection when used with a properly configured endpoint solution

    - Sophos recommends the use of Endpoint and Gateway protection together

    And finally, I should add that Sophos Web Appliance does not take into account filename or file extension when judging whether or not to scan something. The product bases all its decisions on examining the file and looking at its true file type.

    Regards

    Rich Baldry

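Reproducing the experiment offline, as an added example (this is not Sophos code and not something either poster supplied): the script below builds the same kinds of artefacts the test table lists, classifies each by its leading bytes rather than its name, which is the behaviour Rich Baldry describes in his last paragraph, and applies a scan policy that mirrors the results in the table: plain text and zip contents are scanned (zip recursively, with a nesting limit), while ISO/DMG images are passed through untouched. The magic-byte classifier, the policy, and the ISO stand-in (a blob that carries only the ISO 9660 signature and the EICAR string, not a mountable filesystem; no real DMG is built, so the DMG rows are covered by the ISO case) are all assumptions for illustration.

```python
"""Offline reproduction of the SWA scanning experiment (added example, not Sophos code).

Assumptions for illustration: the magic-byte classifier, the scan policy (text and
zip contents scanned, ISO/DMG images passed through) and the ISO stand-in built by
make_fake_iso(), which is signature-only and not a mountable filesystem.
"""
import io
import zipfile

# The standard EICAR test string (harmless by design, detected by every AV engine).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_DEPTH = 3  # nesting limit so a zip-in-a-zip chain cannot pin the scanner


def true_type(data: bytes) -> str:
    """Classify a blob by its content; the filename is never consulted."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    # ISO 9660 primary volume descriptor: type byte 1 followed by "CD001" at 0x8000.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    # Apple UDIF disk image: 512-byte "koly" trailer at the very end of the file.
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "dmg"
    try:
        data.decode("ascii")
        return "ascii"
    except UnicodeDecodeError:
        return "binary"


def scan(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, true_type, verdict) for every leaf object reachable inside `data`."""
    kind = true_type(data)
    if kind in ("iso", "dmg"):
        # Policy mirrored from the thread's table: image binaries are not unpacked.
        return [(name, kind, "not scanned")]
    if kind == "zip":
        if depth >= MAX_DEPTH:
            return [(name, kind, "not scanned")]
        results = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    inner = zf.read(member)  # raises RuntimeError for encrypted members
                    results.extend(scan(f"{name}/{member.filename}", inner, depth + 1))
        except (zipfile.BadZipFile, RuntimeError):
            # Archives the scanner cannot open are also a pass-through, not a block.
            return [(name, kind, "not scanned")]
        return results or [(name, kind, "clean")]
    # ascii or opaque binary: look for the test signature in the raw bytes.
    hit = EICAR.encode("ascii") in data
    return [(name, kind, "blocked" if hit else "clean")]


def verdict(name: str, data: bytes) -> str:
    """Collapse the leaf results into the single gateway decision for one download."""
    outcomes = {v for _, _, v in scan(name, data)}
    if "blocked" in outcomes:
        return "blocked"
    if "not scanned" in outcomes:
        return "not scanned"
    return "clean"


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: payload_bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


def make_fake_iso(payload: bytes) -> bytes:
    """Constructed stand-in: ISO 9660 signature plus the payload, nothing else."""
    image = bytearray(0x20000)
    image[0x8000] = 1                       # volume descriptor type: primary
    image[0x8001:0x8006] = b"CD001"
    image[0x10000:0x10000 + len(payload)] = payload
    return bytes(image)


def build_fixtures() -> dict:
    """Constructed test downloads, named after the rows of the thread's table."""
    eicar = EICAR.encode("ascii")
    txt_zip = make_zip({"EICAR_test.txt": eicar})
    iso = make_fake_iso(eicar)
    return {
        "EICAR_test.txt": eicar,                                  # row 1
        "EICAR_test_txt.zip": txt_zip,                            # row 2
        "EICAR_test_iso.zip": make_zip({"EICAR_test.iso": iso}),  # row 4 (ISO standing in for DMG)
        "EICAR_test.iso": iso,                                    # row 5
        "EICAR_test.txt_fake.dmg": eicar,                         # row 6: name lies, content is ASCII
        "EICAR_test_txt.zip_fake.dmg": txt_zip,                   # row 7: name lies, content is a zip
    }


def run() -> dict:
    """Verdict per fixture, keyed by the download's filename."""
    return {name: verdict(name, data) for name, data in build_fixtures().items()}


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:30} {result}")
```

Run it directly to print one verdict per fixture. The renamed files come out exactly as their content does, which is the point of rows 6 and 7, and the iso fixture is reported as not scanned even though a raw byte search over the same bytes would find the EICAR string, which is the gap the original post is about. The two catch-all branches (nesting limit, unreadable or encrypted archive) are worth keeping in mind for any gateway: whatever the scanner declines to open is, in effect, allowed through.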