
SWA - Malware protection hole, and Sophos declined the fix

Hi, 

We all know what happened to Microsoft ISA/TMG server: it was no longer developed by Microsoft, and eventually it got dropped.

So I imagine, like me, other users looked at alternatives. The truth is though, there weren't any third party products that could meet the feature set, especially with the third party plug-ins that were available to ISA/TMG.

We didn't need a firewall, we are happy with our current brand thank-you. Plus I don't believe in a Swiss Army security product.

So we decided on using Sophos Web Appliance to be our replacement server. It provided the functionality we needed at the right price. 

Over the time of using the product we have noticed that there is a clear lack of development with this product. I've raised other feature requests, such as improving the abysmal reporting, but these requests clearly aren't being developed. The only answer from Sophos is to "use a third party reporting tool to interpret the Sophos logs."

I fail to see how spending thousands of pounds on a product to make use of someone else's data (which they should report on in the first place) would help.

Anyhow, I can live with that, but this.... Recently I found an issue whereby the Sophos Web Appliance lets users download certain file types, such as image file types (.DMG, .ISO), without scanning them. As a result we are seeing lots of malware being let through by the Sophos Web Appliance, as the Sophos Web Appliance doesn't scan the files and doesn't have the capability of blocking them.

I raised a ticket with Sophos support, and the answer from Sophos support was:

A. "The end-point should capture the malware" WHAT!!! That's like saying the doorman/bouncer on a nightclub decides to let known troublemakers in, leaving his colleagues inside the nightclub to deal with them. Potentially after they've hurt a few customers.

B. Raise a change request on the Astaro feature request forums. Please Mr Bouncer, can you stop the troublemakers from coming in? REPLY: Sorry sir, I'll have a discussion with the management and owners and see what they want beforehand.

BTW: The official feature request link on the Sophos Website: http://www.sophos.com/en-us/support/feature-requests.aspx doesn't list the web products as being part of the feature request forums. 

However, I did find the link to the Sophos Web products feature requests link (Thanks to GOOGLE). http://feature.astaro.com/forums/143211-sophos-web-security 

I was asked to raise a change request on the Astaro portal, but noticed that someone else had pipped me to the post:

http://feature.astaro.com/forums/143211-sophos-web-security/suggestions/3746822-allow-creation-of-additional-policies-and-or-local 

Sophos's answer to this:

DECLINED: "The UTM policy model provides this kind of flexibility. We will not be implementing this in the SWA"

Here's another comment from a Sophos official:

DECLINED: "This feature already exists on the UTM. Future web development will be focused on the UTM and so we won't be doing this on the SWA."

Since Sophos was bought out by Apax Partners, I've noticed a lack of interest in customer engagement, good products being dropped, and customers being left in the lurch. Being a customer for over 15 years I've seen a huge change from Sophos since this buy-out, and not for the better.  

So Sophos. I'd like to see some honesty and transparency please:

Q1. What is happening with the SWA product. Are you still developing it?

Q2. Are you telling us to move to UTM?

Q3. Are you doing anything about the abysmal reporting?

Q4. Are you really telling us that you are knowingly and willingly allowing malware in, and are telling customers that the end-point product should catch it instead of SWA, and that we should raise a change request that you have clearly declined!?



This thread was automatically locked due to age.
  • To add to this post and highlight the vulnerability of SWA scanning:

    | TEST | FILE | TYPE | WEB SCANNING APPLIANCE RESULT | NOTES | SOPHOS PROCESS??? |
    |---|---|---|---|---|---|
    | 1 | Sophos_4910821_EICAR_test.txt | ASCII | Scanned and blocked as threat | | Equals ASCII, so scan |
    | 2 | Sophos_4910821_EICAR_test_txt.zip | ASCII inside a Binary | Scanned and blocked as threat | | Equals Compressed Binary, so scan, then scan the ASCII |
    | 3 | Sophos_4910821_EICAR_test_txt.dmg | ASCII inside a Binary | Not scanned | | Equals Image Binary, so don't scan |
    | 4 | Sophos_4910821_EICAR_test_dmg.zip | ASCII inside a Binary, and then another Binary | Not scanned | | Equals Compressed Binary, so scan, but don't scan the Image Binary |
    | 5 | Sophos_4910821_EICAR_test_iso | ASCII inside a Binary | Not scanned | | Equals Image Binary, so don't scan |
    | 6 | Sophos_4910821_EICAR_test.txt_fake.dmg | ASCII | Scanned and blocked as threat | Added _fake.dmg extension | Equals ASCII, so scan |
    | 7 | Sophos_4910821_EICAR_test_txt.zip_fake.dmg | ASCII inside a Binary | Scanned and blocked as threat | Added _fake.dmg extension | Equals Compressed Binary, so scan then scan the ASCII |
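The test matrix above shows two things a gateway scanner needs to get right: classify a download by its content rather than its extension (tests 6 and 7 were still caught because the bytes were plain text or a ZIP despite the `.dmg` name), and have a policy for container formats it cannot open (tests 3, 4 and 5 were simply passed through). The following is an added illustration of that logic and is not the appliance's or Sophos's code; it detects ZIP, ISO 9660 and UDIF (.dmg) by magic bytes, recurses into ZIP members with depth and size limits, and lets a `block_unscannable` policy decide what happens to disk images it has no parser for. The file names are the ones from the table; the test signature, the minimal fake ISO/DMG byte layouts and the `run_matrix` helper are constructed for this example, and the signature is a stand-in for the real EICAR string.

```python
import io
import zipfile

# Constructed stand-in for the EICAR test string; it is NOT the real EICAR
# pattern and only means "a pattern the scanner knows how to detect".
TEST_SIGNATURE = b"CONSTRUCTED-SCANNER-TEST-SIGNATURE"

ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a ZIP archive
ISO_MAGIC, ISO_MAGIC_OFFSET = b"CD001", 0x8001  # ISO 9660 primary volume descriptor (sector 16)
DMG_TRAILER_MAGIC = b"koly"                     # UDIF (.dmg) trailer: last 512 bytes of the file
MAX_DEPTH = 8                                   # bound on container nesting (nested-archive bombs)
MAX_ENTRY_BYTES = 10_000_000                    # bound on one decompressed member (zip bombs)


def identify(data: bytes) -> str:
    """Classify a blob by its content; the file name extension is never consulted."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    if len(data) > end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC:
        return "iso"
    if len(data) >= 512 and data[-512:-508] == DMG_TRAILER_MAGIC:
        return "dmg"
    return "data"


def scan(data: bytes, depth: int = 0) -> str:
    """Return 'threat', 'clean' or 'unscannable'.

    ZIP members are scanned recursively. Disk images come back as 'unscannable'
    because this example has no ISO/DMG parser; the policy layer decides what
    to do with that, instead of silently allowing the download.
    """
    if depth > MAX_DEPTH:
        return "unscannable"
    kind = identify(data)
    if kind == "zip":
        results = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_ENTRY_BYTES:
                        results.append("unscannable")
                        continue
                    results.append(scan(zf.read(info), depth + 1))
        except (zipfile.BadZipFile, RuntimeError, OSError):
            return "unscannable"  # corrupt or encrypted archive: could not look inside
        if "threat" in results:
            return "threat"
        return "unscannable" if "unscannable" in results else "clean"
    if kind in ("iso", "dmg"):
        return "unscannable"
    return "threat" if TEST_SIGNATURE in data else "clean"


def decide(verdict: str, block_unscannable: bool) -> str:
    """Gateway policy: threats are always blocked; unscannable content is blocked
    only when the administrator has opted in (the option the post asks for)."""
    if verdict == "threat":
        return "block"
    if verdict == "unscannable":
        return "block" if block_unscannable else "allow"
    return "allow"


def _zip_of(member_name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed inputs mirroring the seven tests in the post (same file names)."""
    txt = TEST_SIGNATURE + b"\n"
    # Minimal fake ISO: type byte + 'CD001' at sector 16, payload after it (constructed).
    iso = b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x01" + txt + b"\x00" * 2048
    # Minimal fake DMG: payload followed by a 512-byte trailer starting with 'koly' (constructed).
    dmg = txt + b"\x00" * 64 + DMG_TRAILER_MAGIC + b"\x00" * 508
    return {
        "Sophos_4910821_EICAR_test.txt": txt,
        "Sophos_4910821_EICAR_test_txt.zip": _zip_of("eicar.txt", txt),
        "Sophos_4910821_EICAR_test_txt.dmg": dmg,
        "Sophos_4910821_EICAR_test_dmg.zip": _zip_of("eicar.dmg", dmg),
        "Sophos_4910821_EICAR_test_iso": iso,
        "Sophos_4910821_EICAR_test.txt_fake.dmg": txt,                      # plain text, renamed
        "Sophos_4910821_EICAR_test_txt.zip_fake.dmg": _zip_of("eicar.txt", txt),  # ZIP, renamed
    }


def run_matrix(block_unscannable: bool = True) -> dict:
    """Map each sample name to (detected type, scan verdict, policy decision)."""
    out = {}
    for name, data in build_samples().items():
        verdict = scan(data)
        out[name] = (identify(data), verdict, decide(verdict, block_unscannable))
    return out


if __name__ == "__main__":
    for name, row in run_matrix(block_unscannable=True).items():
        print(f"{name:45s} {row}")
```

With `block_unscannable=True` every row of the matrix ends in `block`: rows 1, 2, 6 and 7 because the signature was found (directly or inside the ZIP), rows 3, 4 and 5 because the content was a disk image the scanner could not open. With `block_unscannable=False` rows 3, 4 and 5 become `allow`, which is exactly the behaviour the post complains about; the point is that "cannot scan" should be a policy decision visible to the administrator, not an implicit allow.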