Sophos Anti-Virus

Skeeedunt (Platinum Member, Oct 7, 2005)
Basically, I have the option of using a site-wide Sophos AV license for a few computers at work, or buying licenses for something else (Kaspersky, NOD32, whatever). I'm not really sure what to make of the few reviews I've found, so I was wondering if anyone has an opinion of it. Thanks in advance for any input.

Skeeedunt (Platinum Member, Oct 7, 2005)
Originally posted by: John
Check out schadenfroh's detection rate thread.

http://forums.anandtech.com/me...y=y&keyword1=detection

Thanks John. I did read through that thread, but I only saw Sophos mentioned in two places - in the pcmag article scoring a less than impressive 81.75%, and in your post as having "passed" the VB100 test.

Honestly, I'm not really sure how to interpret the results. Kaspersky failed the VB100 test, but seems to be regarded as one of the best. I know detection rates aren't everything either, and without a broader set of reviews to get a consensus, I'm not sure who to trust. The Sophos site has links to plenty of positive reviews, but they might be a little biased :p
mechBgon (Super Moderator, Elite Member, Oct 31, 1999)
I went and snagged about 50 in-the-wild malware samples (trojans, rootkits, downloaders and a few exploits), and I'll do a small comparison test and post screenshots of the results once I can get them through the Jotti online scanner, which is currently under heavy load.

In the meanwhile... do you have your users on non-Administrator user accounts, and have you gone over the systems to remove all unnecessary software and checked them with the Secunia online checkup and Microsoft Baseline Security Analyzer?
mechBgon (Super Moderator, Elite Member, Oct 31, 1999)
All rightie then, here are the results.

  • Each of the ten Zip files contained five pieces of malware, except for #10 which contained six.
  • A "perfect" result for one Zip file is if Jotti shows five separate results (or six, for the 10th Zip file). For example, in the first pic, F-Secure scores a 5-for-5 result because there are five malware names listed.


    http://pics.bbzzdd.com/users/mechBgon/J1.GIF

    http://pics.bbzzdd.com/users/mechBgon/J2.GIF

    http://pics.bbzzdd.com/users/mechBgon/J3.GIF

    http://pics.bbzzdd.com/users/mechBgon/J4.GIF

    http://pics.bbzzdd.com/users/mechBgon/J5.GIF

    http://pics.bbzzdd.com/users/mechBgon/J6.GIF

    http://pics.bbzzdd.com/users/mechBgon/J7.GIF

    http://pics.bbzzdd.com/users/mechBgon/J8.GIF

    http://pics.bbzzdd.com/users/mechBgon/J9.GIF

    http://pics.bbzzdd.com/users/mechBgon/J10.GIF


    Final results: remember this is mostly signature and heuristics detection with a little behavioral detection showing up here and there. If the software has HIPS-like features then stuff might get stopped when it tries to write to the Registry, molest your HOSTS file, or whatever, although you would want to configure the software not to ask the users what to do or they might override the protection.

    Sophos detected 26 of the 51 samples in this set.

    Kaspersky detected 33 of the 51.

    NOD32 detected 25 of the 51.

    AntiVir detected 38 of the 51.

    Avast detected 9 of the 51 :eek: ouch!

    AVG Antivirus (and I think this is the "full" version, not the weaker AVG Free Edition) detected 25 of the 51.


    What I would take away from this, is that antivirus software should be just one layer in the defense. Non-Administrator user accounts are definitely worth a look if your situation allows for it.

    Oh, and the type of Trojans, exploits, etc in this set can be basically categorized as the Horny Unsupervised Employee family of malware, although with stuff like MPack out there, it could come to normally-safe sites as well. Depending on the company and its strengths and weaknesses, you might get much different results when looking at, say, email worms.

    An additional note: detection doesn't necessarily mean protection or removal. For example, I gave AntiVir a try against a NewMediaCodec infection, and while it detected certain files like crazy, it could not kill them off, which made for a rather frustrating time answering the same futile dialogue box 12 times in a row every 60 seconds.
John (Moderator Emeritus, Elite Member, Oct 9, 1999)
Kaspersky failed the recent VB100 due to a signature that was pulled which was not added back in time. There's no doubt that VB100 is more about marketing than actual performance.

Recent discussion about poor Sophos detection rates

It was so bad that they demanded that IBK (AV-Comparatives.org) pull his review, and his lab is one of the most respected in the industry. There are better alternatives such as Kaspersky, Avira, AVG Anti-Malware, AOL AVS (KAV 6.0 lite), Avira, etc.
Skeeedunt (Platinum Member, Oct 7, 2005)
Holy cow, thanks for all the research mech :)

I've read through most of your site and try to implement the recommendations you make as best I can (non-admin, full DEP, SRP). I guess I'm still a little shocked at how mediocre even the better AV products can be at times, so every bit certainly helps.

I just started using Secunia's online checkup... I must say it's pretty impressive. Apparently I had about a hundred outdated Java runtimes on my computer... oops.

Originally posted by: John
Kaspersky failed the recent VB100 due to a signature that was pulled which was not added back in time. There's no doubt that VB100 is more about marketing than actual performance.

Recent discussion about poor Sophos detection rates. http://www.wilderssecurity.com/showt...=170097&page=3

It was so bad that they demanded that IBK (AV-Comparatives.org) pull his review, and his lab is one of the most respected in the industry. There are better alternatives such as Kaspersky, Avira, AVG Anti-Malware, AOL AVS (KAV 6.0 lite), Avira, etc.

Damn, that's too bad... from the quoted stats it sounds like they've been on the decline for a while. Thanks for the link, that site looks like a good resource.
mechBgon (Super Moderator, Elite Member, Oct 31, 1999)
Originally posted by: Skeeedunt
Holy cow, thanks for all the research mech :)

I've read through most of your site and try to implement the recommendations you make as best I can (non-admin, full DEP, SRP). I guess I'm still a little shocked at how mediocre even the better AV products can be at times, so every bit certainly helps.

If it's any comfort, I can take a terribly-vulnerable, out-of-date Win2000 system, loaded with vulnerable, actively-exploited versions of WinAmp, QuickTime, Java Runtime, Flash, IE6 way out of date, etc etc, and if I'm logged onto a non-Admin user account, then the malware in my test files is basically powerless in the end, in real-world attacks (which is how I found the sources for those files). The exploits work, the payloads get delivered and executed, but the simple lack of Admin powers keeps it from succeeding at what it's there to do, whether it's to turn the system into a Spambot, a click-fraud bot, infect it with spyware/adware, stick rootkits on it or whatever. So keep up with the non-Admin thing, it is a valuable proactive defense.

This may change as the bad guys get smarter, and as they encounter Vista in greater numbers, where Admin powers aren't just lying around to be grabbed and exploited (not with UAC enabled, anyway). My SRP page lists several things that I speculate they could accomplish with a temporary one-shot compromise of a non-Admin user account. So there's still value in keeping them from ever getting to that stage, by patching, eliminating unnecessary software entirely, SRP, and user education, among other things.

One thing I'm noticing is that the bad guys love JavaScript. Depending on your scenario, you might want to experiment with a Group Policy that disables JavaScript in the Internet Zone and uses the Trusted Sites zone to allow selected websites to use JavaScript. I have a narrated video how-to if you're interested in experimenting with that idea: http://mechbgon.bluemonday.org/clips/IE7_tuning.wmv You would simply build a GP that forces those settings machine-wide (Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and you'll see your way from there).

I can't remember if I mentioned it in the video, but if you don't actually need Java in your browsers, you might as well disable it altogether until you need Java, too. It's actively used by the bad guys.

Anyway, enough of my rambling on :) Good luck to you and your fleet.
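An added example (my own code, not mechBgon's or anything from the thread) of what the Group Policy described above amounts to at the registry level, for trying out on a single test machine before building the GPO. It assumes the standard machine-wide policy key paths, the 1400 "Active scripting" URL action value, and the ZoneMapKey storage used by the Site to Zone Assignment List; the allow-listed sites are constructed placeholders.

```powershell
# Added example: turn "Active scripting" off in the Internet zone and on in
# Trusted Sites, then assign an allow-list of sites to Trusted Sites.
# Writes the machine-wide policy keys the GP Security Page settings use
# (assumed paths; confirm against a GP Results report on your own domain).
# Run elevated on a test machine; for a fleet, build the GPO as described above.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapKey = "$PolicyRoot\ZoneMapKey"   # Site to Zone Assignment List storage (assumed)
$ActiveScripting = '1400'                 # URL action "Active scripting": 0 enable, 1 prompt, 3 disable
$InternetZone = 3
$TrustedZone  = 2

# Sites that genuinely need JavaScript. Constructed placeholders; replace with your own.
$AllowList = @('https://intranet.example.invalid', 'https://payroll.example.invalid')

function Set-ZoneActiveScripting {
    param([int]$Zone, [ValidateSet(0, 1, 3)][int]$Value)
    $key = "$PolicyRoot\Zones\$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ActiveScripting -Value $Value -PropertyType DWord -Force | Out-Null
}

function Add-TrustedSite {
    param([string]$Url)
    if (-not (Test-Path $ZoneMapKey)) { New-Item -Path $ZoneMapKey -Force | Out-Null }
    # The value name is the URL pattern and the data is the zone number as a string.
    New-ItemProperty -Path $ZoneMapKey -Name $Url -Value "$TrustedZone" -PropertyType String -Force | Out-Null
}

function Get-ZoneActiveScripting {
    param([int]$Zone)
    (Get-ItemProperty -Path "$PolicyRoot\Zones\$Zone" -Name $ActiveScripting -ErrorAction Stop).$ActiveScripting
}

Set-ZoneActiveScripting -Zone $InternetZone -Value 3   # Internet zone: scripting disabled
Set-ZoneActiveScripting -Zone $TrustedZone  -Value 0   # Trusted Sites: scripting enabled
$AllowList | ForEach-Object { Add-TrustedSite -Url $_ }

# Read the values back so a misapplied setting is noticed rather than assumed.
$zones = @{ Internet = $InternetZone; TrustedSites = $TrustedZone }
foreach ($z in $zones.GetEnumerator()) {
    $v = Get-ZoneActiveScripting -Zone $z.Value
    $state = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }[[int]$v]
    Write-Host ("Active scripting in {0,-12} zone: {1}" -f $z.Key, $state)
}
```

If users can still change zone settings locally, pair this with the "Security Zones: Use only machine settings" policy under the same Internet Explorer node so the per-user zone configuration cannot override it.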
Skeeedunt (Platinum Member, Oct 7, 2005)
If it's any comfort, I can take a terribly-vulnerable, out-of-date Win2000 system, loaded with vulnerable, actively-exploited versions of WinAmp, QuickTime, Java Runtime, Flash, IE6 way out of date, etc etc, and if I'm logged onto a non-Admin user account, then the malware in my test files is basically powerless in the end, in real-world attacks (which is how I found the sources for those files). The exploits work, the payloads get delivered and executed, but the simple lack of Admin powers keeps it from succeeding at what it's there to do, whether it's to turn the system into a Spambot, a click-fraud bot, infect it with spyware/adware, stick rootkits on it or whatever. So keep up with the non-Admin thing, it is a valuable proactive defense.

Certainly nice to know. It will be interesting to see how much malware adapts itself to non-admin tasks... though I've got an irking suspicion that most home Vista users will either turn UAC off entirely, or not know how to use it. Maybe I'm too much of a pessimist though.

The IT component of my job is very part-time, so I don't make many of the domain policy decisions, but I'll pass the recommendation along. I personally opt for Firefox + NoScript, same basic idea though :thumbsup: