Advice Request Anyone on the new Sophos Home Beta?

[ForgottenSeer 72227]

I just tested it against one sample "Trick bot' for which it didn't have signature
It blocked it successfully with dynamic detection "ML.PE.A" after 2-4 mins it's remnant was deleted and detected as "ML.PE.C".
Moreover they added some tamper protection..I did see it in action .
Ok with the improvements..however testing in the long run would give us more insight

That's good to hear! Hopefully someone will test it in the HUB and so we can get a bigger picture of it's new capabilities. Im also glad to hear about the tamper protection. That, along with the quarentine were it's 2 biggest issues in the previous version, glad to hear that that part has been addressed so far.

I’ve kept it on my old machine. It flagged some executables that misused register shifts, I know they’re not malicious but interceptX static analysis looks quite strong.

That said, to install it in a new machine I’d want to see

1) something like WD’s protected folders , on top of the existing anti ransomware features
2) totp/u2f 2FA on their web dashboard
3) to be able to configure more real time protection, eg I’d want something like WD’s “Block at First Sight”.
4) AMSI
5) ASR-like functionality in its behavior blocking
6) test files so that I can verify each advertised feature works as intended
7) block autorun, not just autoplay
8) Allow hardening of hips rules

All I’m asking is features that are there for free alternatives

Integration of mobile devices into the web dashboard would also be nice

Those are some good suggestions. Aside from the AMSI integration (which according to a previous member they are looking to add it, so hopefully we will see it in the next major version) and the 2FA for the login screen, you can pretty much get these capabilities with going with the likes of OSA, VS, Syshardener, etc... I guess it really comes down to whether you are ok running an extra 3rd party program (ie: VS) along side SHP, or not? I agree that it would be nice to have everything built in to keep things simple, but that may never happen fully. I've ran VS and OSA (not at the same time) along side SHP without any issues in the past, so it is do able.

As for adding a "Block at First Sight" feature, I believe with the latest version SHP already has this. If I am not mistaken (maybe @Andy Ful can confirm, as he is well versed in all things WD and W10 security) BAFS is Microsoft's version of cloud/ML capabilities. So in essence with the addition of "ML" in this version of SHP, technically it already has this capability.

 

[notabot]

That's good to hear! Hopefully someone will test it in the HUB and so we can get a bigger picture of it's new capabilities. Im also glad to hear about the tamper protection. That, along with the quarentine were it's 2 biggest issues in the previous version, glad to hear that that part has been addressed so far.



Those are some good suggestions. Aside from the AMSI integration (which according to a previous member they are looking to add it, so hopefully we will see it in the next major version) and the 2FA for the login screen, you can pretty much get these capabilities with going with the likes of OSA, VS, Syshardener, etc... I guess it really comes down to whether you are ok running an extra 3rd party program (ie: VS) along side SHP, or not? I agree that it would be nice to have everything built in to keep things simple, but that may never happen fully. I've ran VS and OSA (not at the same time) along side SHP without any issues in the past, so it is do able.

As for adding a "Block at First Sight" feature, I believe with the latest version SHP already has this. If I am not mistaken (maybe @Andy Ful can confirm, as he is well versed in all things WD and W10 security) BAFS is Microsoft's version of cloud/ML capabilities. So in essence with the addition of "ML" in this version of SHP, technically it already has this capability.

BAFS can be set to block unless cloud gives the file a pass Enable Block at First Sight to detect malware in seconds

The block level is configurable, I’ve set it to Effectively whitelist .

Sophos doesn’t have a similar setting, Sophos in general has little configurability.

Running 2 products is not the same, I want a single point of configuration (for WD this is GPO for me) and I don’t want to worry about compatibility issues for OSArmor. why would I need a second product to get functionality I can get in a single product ( WD ), using a paid product makes sense only if the bar moves higher. Lack of testability is also important

 

[Andy Ful]

...
If I am not mistaken (maybe @Andy Ful can confirm, as he is well versed in all things WD and W10 security) BAFS is Microsoft's version of cloud/ML capabilities. So in essence with the addition of "ML" in this version of SHP, technically it already has this capability.

BAFS uses the cloud/ML capabilities for executables that were downloaded from the Internet, or were originated from the Internet zone. So, after downloading the file via the web browser, BAFS checks the file and deletes it, if recognized as malicious. If you download the file via script or downloader application, then BAFS does not check the downloaded file, but it can be checked via cloud/ML on execution.

 

[notabot]

BAFS uses the cloud/ML capabilities for executables that were downloaded from the Internet, or were originated from the Internet zone. So, after downloading the file via the web browser, BAFS checks the file and deletes it, if recognized as malicious. If you download the file via script or downloader application, then BAFS does not check the downloaded file, but it can be checked via cloud/ML on execution.

Setting the Blocking level is the differentiating factor , WD does not support real whitelisting but with high+ Or zero tolerance it gets close to effective whitelisting. in Sophos there’s no way to configure the level (only download reputation can be set to strict , like Smartscreen)

As it stands I see little reason to use a product that seems to offer less than WD both in features and configurability

With the feature list I provided the product would become competitive, whether they want to do it or not is up to them

 

[Andy Ful]

Setting the Blocking level is the differentiating factor , WD does not support real whitelisting but with high+ Or zero tolerance it gets close to effective whitelisting. ...

Not for Windows Home, Pro, or E3. The advanced modules in the cloud, like detonation in the sandbox, are available only for Windows Enterprise E5. So, if the never seen malware happen to attack Windows Home (Pro, E3), then the Cloud Blocking Level works as a kind of configurable cloud AI heuristics. It was tested on Malware Hub, with far from whitelisting results. But, it can be very effective, if the malware was already detected by another computer with Windows Enterprise E5, because all computers with Windows Home, Pro, or E3 are automatically protected, too. So, the advanced cloud modules are indirectly (but not directly) useful even for Windows Home.
The smart whitelisting is available only via SmartScreen Application Reputation and via WD Application Control. Application Control has an additional application reputation capabilities via 'Intelligent Security Graph Authorization' feature.
I tested it, and it is different from SmartScreen and cannot be bypassed by the user, except when adding the blocked application executables (EXE, DLL, drivers) to the WDAC whitelist. The advanced user can use it to lock down the computer (not usable on Windows Home).

It seems to me, that Sophos Beta cloud capabilities are similar to WD cloud delivered protection, except configurability.

 

[notabot]

Not for Windows Home, Pro, or E3. The advanced modules in the cloud, like detonation in the sandbox, are available only for Windows Enterprise E5. So, if the never seen malware happen to attack Windows Home (Pro, E3), then the Cloud Blocking Level works as a kind of configurable cloud AI heuristics. It was tested on Malware Hub, with far from whitelisting results. But, it can be very effective, if the malware was already detected by another computer with Windows Enterprise E5, because all computers with Windows Home, Pro, or E3 are automatically protected, too. So, the advanced cloud modules are indirectly (but not directly) useful even for Windows Home.

that’s why I called it effective as opposed to real whitelisting, in Sophos we just have no clue what the cloud component is doing though

The smart whitelisting is available only via SmartScreen Application Reputation and via WD Application Control. Application Control has an additional application reputation capabilities via 'Intelligent Security Graph Authorization' feature.
I tested it, and it is different from SmartScreen and cannot be bypassed by the user, except when adding the blocked application executables (EXE, DLL, drivers) to the WDAC whitelist. The advanced user can use it to lock down the computer (not usable on Windows Home).

It seems to me, that Sophos Beta cloud capabilities are similar to WD cloud delivered protection, except configurability.

For the cloud component in specific it’s configurability and testing as well

There’s are other minuses, MS has 2FA, Sophos doesn’t , ASR-type functionality is missing, WD has taken the extra step with the sandbox to reduce the AV’s own attack surface while Sophos hasn’t. Protected Folders is also something I like in WD and Sophos could add on top of behavioral rsnsomware protection.
For the other modules there are no testing files either and lack of participation in tests is not reassuring either.

Overall I don’t feel it’s on par with WD at the moment, the only pluses are the convenience the web management dashboard and possibly the web filtering. Hitman Pro is nice but anti exploit is needed for 4-5 apps and creating Exploit Guard settings for such a small number of apps is not an issue. Windows Defender at the moment just looks like a more complete suite and more importantly it’s more transparent.

If I were to pick a suite instead of WD today probably I’d probably go with another product