Author Topic: Sophos no whiner (Read 8850 times)

Renegade · « **on:** October 26, 2006, 10:12 PM »

http://www.forbes.com/technology/enterprisetech/2006/10/24/sophos-microsoft-vista-cx_ll_1023sophos.html

HA! Take that McAfee and Symantec!

Sounds like McAfee and Symantec want Vista LESS secure so that they can peddle their scareware. "Oh my! A cookie! You've been p0wn3d!"

Darwin · « **Reply #1 on:** October 26, 2006, 10:17 PM »

SpySweeper has just relesed their latest version which now incorporates the Sophos engine as well so you get anti-virus and anti-spyware in one app. Anyone have any experience wtih Sophos? I'm running AVG 7.5 Pro and am happy with it - my subscription is still good for over a year but I can get a year of SpySweeper/Sophos for $10. Anyone have a strong opinion one way or the other?

JavaJones · « **Reply #2 on:** October 26, 2006, 10:31 PM »

Yeah, this has been discussed a fair bit over in this thread too: https://www.donation...dex.php?topic=5827.0

As for Sophos, I've heard very good things about it, but I have no personal experience. Sounds worth it at that price though - Spysweeper is also one of the better antispyware apps.

- Oshyan

Renegade · « **Reply #3 on:** October 26, 2006, 10:35 PM »

I use AVG as well. Haven't used Sophos, but I'd use almost anything over McAfee or Symantec. They really just put me off.

Darwin · « **Reply #4 on:** October 26, 2006, 11:17 PM »

Just to clarify - I already have SpySweeper - the $10 adds the antivirus functionality to my existing subscript (lest the masses go running looking for SpySweeper at $10...!).

f0dder · « **Reply #5 on:** October 27, 2006, 04:51 AM »

Sophos said its products protect computers from attacks by studying a virus's resemblance to older, related viruses, not by examining how the attack interacts with the machine.

In other words, they're only detecting based on known viruses, not doing behavioral blocking? Bad bad.

As I've said before, take a look at http://www.resplendence.com/hookanalyzer . Kaspersky (who aren't whining but leaving it to the bigger companies) have a *lot* of hooks, in order to have good protection. daemon-tools have hooks, etc.

Remember: malware authors will find a way to do their hooking, Microsoft will not be able to keep up with patches, and in the end only the end-users and developers will be hurt. Sure, the bar will be raised a bit, but that's it.

Darwin · « **Reply #6 on:** October 27, 2006, 09:05 AM »

In other words, they're only detecting based on known viruses, not doing behavioral blocking? Bad bad.

Not good. I declined a similar offer from ZoneAlarm to upgrade to their security suite that comes with an integrated AV and will do the same with this offer from webroot. I don't like bloated security apps anyway.

JavaJones · « **Reply #7 on:** October 27, 2006, 07:55 PM »

When was the last time a legitimate virus was caught on your machine using heuristics? I've been on the 'net and using antivirus programs with heuristics for, hmm, 10 years or so. Not ONCE has a *legitimate* virus been caught by those systems. They're always false positives, and sometimes even legitimate viruses are allowed through by these systems! Frankly I'm inclined to believe they're largely marketing FUD, and will continue to feel that way until proven otherwise.

That being said I would be happy to be proven wrong with practical, real-world evidence. Even something anecdotal (like my own "evidence") would be interesting to hear about.

- Oshyan

f0dder · « **Reply #8 on:** October 28, 2006, 07:53 AM »

JavaJones: heuristics is useful for detecting a piece of malware that has been edited slightly (either hex edited or just some minor source changes), or packed/crypted with some random tool - static checks fail there.

I analyze malware every now and then, and it's nice seeing that Kaspersky's heuristics catches at least some of it, since the code is never allowed to run that way.

I haven't had any significant false positives for years - only thing is that some low-level asm code (like "SEH in asm") is detected as "virtools" by Kaspersky and some other scanners, which is pretty lame - there's nothing virus-related to those. Other than that I've had a few false positives while developing my packer/krypter, but that is some pretty suspicious code

After heuristics, there's than behavioral blocking - the last line of defence (since this happens on code that has been allowed to run on your machine). This can stop malware from injecting code in other processes and all kinds of other stuff.

An example: when adding random-IV to fSekrit, I needed to save a bunch of copies of the same text with same encryption key, to see if it worked. Kaspersky alerted me that "this process might be a trojan dropper" and offered me to shut it down.

JavaJones · « **Reply #9 on:** October 28, 2006, 02:10 PM »

So then the answer to my question is never. yes? You've never had a legitimate virus caught by heuristic tests that wasn't deliberately introduced for testing purposes?

Everything else you said I am also aware of, and it all sounds fabulous in concept. Except, once again, I have *never* had legitimate viruses or trojans cought by such behavior monitoring systems. Meanwhile a good antispyware scanner, without system hooks, can do basic behavioral monitoring and catch suspicious activities just fine for spyware/adware. Those *do* get caught on my system, but there's no need for system hooks to do that.

Again I am not saying these functions are not needed, just that as a computer support professional I have never really seen significant evidence that heuristics or behavioral modeling provide significantly more support. The argument then being that I don't think the Sophos engine is a bad one just because they're not doing behavior analysis.

- Oshyan

f0dder · « **Reply #10 on:** October 28, 2006, 05:15 PM »

JavaJones: if I didn't have restrictive filtering in my router, those attacks would have been direct on my system, rather than something I selectively analyzed. If I had the same filtering but used IE to surf the net (some of the "seedier" sites), same story applies. The two times I've been infected was when I didn't run antivirus, let some friend check hotmail and check a site, and got infected from malware in banner ads.

Considering the kind of sites a normal user visit (and the kind of sites I sometimes visit to analyze stuff), heuristics and behaviour blocking is very welcome. Not everybody visits only clean-room sites from a limited user account using firefox in vmware

It's a bad move that Microsot blocks these kinds of things, since malware willfind a way around it. And same goes for driver signing - if I went Vista, I'd have to run in "developer mode" to run 3rd-party drivers for things like daemon-tools, ext2fs (linux) filesystem access, etc. Bad bad.

nontroppo · « **Reply #11 on:** October 31, 2006, 05:02 AM »

Sophos anti-virus does do heuristic/behavioural analysis:

Proactively protect against known and unknown threats

Behavioral Genotype® protection identifies malicious code and blocks it before execution, giving the benefits of a Host Intrusion Prevention System (HIPS).

We have university-wide site licences for it, along with FSecure. It seems pretty efficient and low impact, and fast to scan. Much better than FSecure and closeer to NOD32 in terms of efficiency...

Darwin · « **Reply #12 on:** October 31, 2006, 11:13 AM »

Back to my thinking chair then! Pondering, pondering...

Author Topic: Sophos no whiner (Read 8850 times)

Renegade

Sophos no whiner

Darwin

Re: Sophos no whiner

JavaJones

Re: Sophos no whiner

Renegade

Re: Sophos no whiner

Darwin

Re: Sophos no whiner

f0dder

Re: Sophos no whiner

Darwin

Re: Sophos no whiner

JavaJones

Re: Sophos no whiner

f0dder

Re: Sophos no whiner

JavaJones

Re: Sophos no whiner

f0dder

Re: Sophos no whiner

nontroppo

Re: Sophos no whiner

Darwin

Re: Sophos no whiner