Sophos Home Premium - June 2019 Report

davisd

Level 3
Verified
Jan 27, 2019
108
Does SHP do https scanning? If so does it use a certificate?
Please read older Sophos Home threads, some of the questions you are asking are already answered before.

The web filtering feature in Sophos Home works by intercepting all website requests from browsers; the website URL is then sent to SophosLabs, Sophos returns a category for that URL, and the category is compared to the web control policy set on the web filtering page. Compatible web browsers are: Microsoft Internet Explorer 10 or later, Microsoft Edge, Google Chrome, Mozilla Firefox, Apple Safari.

Traffic scanning scans inbound and outbound connections to your system; by default ports 80 (HTTP) and 443 (HTTPS) are scanned, and if you allow other ports to be open, they are scanned as well.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Please read older Sophos Home threads, some of the questions you are asking are already answered before.

Ok saw that, but I guess I don’t understand how they are scanning https. Maybe I am not learned enough.
 

ForgottenSeer 72227

Please read older Sophos Home threads, some of the questions you are asking are already answered before.



Thanks @davisd, I totally forgot that it was posted there, it's been a while lol.(y)
 

Glashouse

Level 4
Verified
Well-known
Jun 4, 2017
174
There is a big difference between just checking whether a URL is bad and scanning the content that is transferred.
I talked to Sophos support some time ago and they told me that HTTPS interception is not planned...
Even when downloading an EICAR file via HTTPS, it is first seen by SHP when the file hits the disk...
So no, there is no scanning of HTTPS.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
There is a big difference between just checking whether a URL is bad and scanning the content that is transferred.
I talked to Sophos support some time ago and they told me that HTTPS interception is not planned...
Even when downloading an EICAR file via HTTPS, it is first seen by SHP when the file hits the disk...
So no, there is no scanning of HTTPS.
Thanks, that’s what I was trying to understand. They are just blocking bad IPs. The support person I talked to didn’t seem to know that was what I was trying to ask.
 

Zartarra

Level 7
Verified
Well-known
May 9, 2019
349
Some extra information about the scan options (I asked Sophos support to be certain ;)):

The "Scan Computer" button in the GUI uses HitmanPro, which requires an internet connection as it is an online scanner.

The "Scan with Sophos Home" option available in Windows Explorer uses the Sophos Antivirus scanner, which does not require an internet connection as it uses the latest downloaded virus definitions.

I tested the HTTPS scan function again. Glashouse nailed it. Other products use HTTPS scanning (UTM and XG), but at the moment an HTTPS scanning option is not available in SHP.
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Premium Scan vs Full Scan.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Premium Scan vs Full Scan.
Super helpful, thank you!
 

ncage

Level 3
Verified
May 20, 2017
107
What I do not like is that it consumes too much and has a lot of processes, but the detection is good; if they refine the resource usage and the processes, it would be a great option for many people.

I do agree it has quite a few processes, but I actually like it. It's almost the *nix philosophy of do one thing and do it well. Each process, from my use, has been extremely light. I'm coming from Bitdefender, where there are also quite a few processes (though probably not quite as many), but the thing about Bitdefender is that if you're lucky the security service is consuming less than 200MB, but usually it's between 200-400MB. I've even seen it go above 400MB before. I can load an entire OS (Linux + a DE (Xfce or Mate)) and consume about what Bitdefender is consuming, which is absolutely crazy. Though I think Bitdefender is one of the better AVs.

Does SHP do https scanning? If so does it use a certificate?

Pretty sure it doesn't. I looked for a cert after installing it and couldn't find one. It's probably like Emsisoft, which just uses DNS to block, which I actually prefer. I don't like to MITM. Too many companies have screwed up their certs in the past. On top of that, uninstall any AV product and see that they always leave crap around (like their certs), which could be dangerous. At least I haven't found one that has cleaned up after itself yet (not saying there isn't one).

Really interested in this topic because I'm thinking of switching to it. So far I really like it, but I just want to see how the 0-day protection (Intercept X) pans out. While they say Intercept X is implemented in the product, the fine-grained controls are not there. Right now I'm using both Bitdefender and Emsisoft. While I love Emsisoft, I'm not willing to pay what it would cost me in licensing fees. If I had just a few computers it wouldn't be a big deal, but I have many (especially when you consider VMs) and I'm just not going to spend hundreds of dollars every year. Bitdefender is great (especially with their family plan) but it's soooo heavy. Most of my VMs use dynamic memory, and a lot of the memory the VM is using is coming from Bitdefender, so I need something lighter. The only other thing is I think some of the free AVs are good, but as you know, when you're not paying for the product then you are the product, and I'm not ok with that. Too bad Emsisoft doesn't offer a family plan like Bitdefender.
 
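The two checks the thread applies by hand (Glashouse's EICAR-over-HTTPS test, and ncage's search for an interception certificate) can be made repeatable. The script below is an added example written for this thread; it is not Sophos Home's code and Sophos has not published any of this. The EICAR string is assembled at run time so the script itself does not get quarantined while you edit it; the EICAR download host, the vendor name searched for in the root store, and the sample bodies in the comments are assumptions, and the DER substring search is a heuristic rather than a real certificate parser.

```python
"""Added example (not Sophos Home's code): is HTTPS content inspected?

Stage 1 pulls the EICAR test file over HTTPS into memory only and records
whether the transfer was blocked or altered.  Stage 2 then writes the same
bytes to disk.  A traffic scanner reacts at stage 1; a product with only an
on-access file scanner (Sophos Home, per the thread) reacts at stage 2.
The last function lists Windows trusted roots that carry a vendor name:
HTTPS interception needs such a root, so none found means no interception
(the converse does not hold, a product may use a generic name).
"""
import hashlib
import http.client
import os
import ssl
import sys

# Published SHA-256 of the 68-byte EICAR test string, used as a self-check.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def eicar_bytes() -> bytes:
    """Assemble the EICAR string at run time so this file is not flagged on disk."""
    parts = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
             "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
             "!$H+H*")
    return "".join(parts).encode("ascii")


def classify_transfer(expected: bytes, got, error) -> str:
    """Decide what happened to a transfer that should have returned `expected`.

    got   : body received, or None if nothing came back
    error : exception text if the connection failed, else None
    """
    if error is not None or got is None:
        return "blocked_in_transit"      # reset or refused: a traffic scanner acted
    if sha256_hex(got) != sha256_hex(expected):
        return "altered_in_transit"      # e.g. replaced by an HTML block page
    return "passed_untouched"            # nothing inspected the stream


def fetch_https_to_memory(host: str, path: str, timeout: float = 10.0):
    """Stage 1: HTTPS GET held in RAM only.  Returns (status, body, issuer, error).

    `issuer` is the DN that signed the leaf certificate the client saw; if it is
    not the site's real CA, something on the path is re-signing (interception).
    The peer cert is read before getresponse(), since http.client drops the
    socket reference once a Connection: close response is handed over.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"User-Agent": "https-inspection-check"})
        issuer = dict(rdn[0] for rdn in conn.sock.getpeercert()["issuer"])
        resp = conn.getresponse()
        return resp.status, resp.read(), issuer, None
    except (OSError, ssl.SSLError, http.client.HTTPException) as exc:
        return None, None, None, repr(exc)
    finally:
        conn.close()


def write_to_disk(data: bytes, path: str) -> int:
    """Stage 2: let the bytes hit disk; an on-access scanner reacts here."""
    with open(path, "wb") as fh:
        return fh.write(data)


def vendor_roots_in_store(needle: bytes = b"Sophos", store: str = "ROOT") -> list:
    """Windows only: DER blobs in the trusted-root store that contain `needle`.

    Substring search on DER (assumption: the vendor name appears as a plain
    string in the subject) avoids an ASN.1 parser; returns [] elsewhere.
    """
    if sys.platform != "win32":
        return []
    return [blob for blob, enc, _trust in ssl.enum_certificates(store)
            if enc == "x509_asn" and needle.lower() in blob.lower()]


if __name__ == "__main__":
    # Assumed download location; substitute any HTTPS host serving eicar.com.
    status, body, issuer, err = fetch_https_to_memory("secure.eicar.org", "/eicar.com")
    print("stage 1 (in memory):", classify_transfer(eicar_bytes(), body, err), issuer)
    if body is not None:
        written = write_to_disk(body, os.path.join(os.getcwd(), "eicar.com"))
        print("stage 2 (on disk):", written, "bytes written, watch for the alert")
    print("vendor-named roots in store:", len(vendor_roots_in_store()))
```

Run it once with the product's traffic scanning on and once with it off: if the verdict at stage 1 never changes from "passed_untouched" and the issuer stays the public CA, the product is not touching the HTTPS stream, and the only alert you get comes from stage 2.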

harlan4096

Super Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,948
Some impressions of SHP after my 1st test:
  • Seems it suffers the same or similar issue as Bitdefender Free: it takes long to process the threats. It's quite fast in the first blocking warning, but until it finally deletes and sends the warning of deletion, it may take up to 2 minutes in some cases :unsure::unsure:
  • I don't like the way it shows the reports of on-demand scans; it's impossible (several/many screenshots would be necessary) to get a general view of the samples that were detected/removed, and the same for Quarantine reports...
  • To speed up checking events, I managed the Web Console in my main host, while I was testing inside the VM, anyway it is far from being comfortable and fast.
  • I'm not sure... but seems SHP does not include Kaspersky engine (only for exe files as in HMP). I ran in the same VM a scan with HMP stand alone and it detected an exe file via KL engine (UDS) that SHP System Scan did not catch :unsure::unsure:
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Some impressions of SHP after my 1st test:
  • Seems it suffers the same or similar issue as Bitdefender Free: it takes long to process the threats. It's quite fast in the first blocking warning, but until it finally deletes and sends the warning of deletion, it may take up to 2 minutes in some cases :unsure::unsure:
  • I don't like the way it shows the reports of on-demand scans; it's impossible (several/many screenshots would be necessary) to get a general view of the samples that were detected/removed, and the same for Quarantine reports...
  • To speed up checking events, I managed the Web Console in my main host, while I was testing inside the VM, anyway it is far from being comfortable and fast.
  • I'm not sure... but seems SHP does not include Kaspersky engine (only for exe files as in HMP). I ran in the same VM a scan with HMP stand alone and it detected an exe file via KL engine (UDS) that SHP System Scan did not catch :unsure::unsure:
I came home to 4 alerts on my machine yesterday. SHP had quarantined some of Andy’s tools. The cloud management in this case is more obnoxious than expected. And I agree how it reports items is disjointed.
 

ForgottenSeer 72227

Some impressions of SHP after my 1st test:
  • Seems it suffers the same or similar issue as Bitdefender Free: it takes long to process the threats. It's quite fast in the first blocking warning, but until it finally deletes and sends the warning of deletion, it may take up to 2 minutes in some cases :unsure::unsure:
  • I don't like the way it shows the reports of on-demand scans; it's impossible (several/many screenshots would be necessary) to get a general view of the samples that were detected/removed, and the same for Quarantine reports...
  • To speed up checking events, I managed the Web Console in my main host, while I was testing inside the VM, anyway it is far from being comfortable and fast.
  • I'm not sure... but seems SHP does not include Kaspersky engine (only for exe files as in HMP). I ran in the same VM a scan with HMP stand alone and it detected an exe file via KL engine (UDS) that SHP System Scan did not catch :unsure::unsure:

I agree.

I've noticed this too when I try a test from AMTSO. The detection popup is really quick, but the actual removal/delete is slow. I find WD similar in this regard.

They definitely can do a better job of the reports. I think it's one of those things where they took an enterprise model and are applying it for the home. I think it's a great idea, a good way to differentiate yourself from the rest, but it still requires some work. V2 was a great improvement, I'm sure v3 will make it better.:)
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
I agree.

I've noticed this too when I try a test from AMTSO. The detection popup is really quick, but the actual removal/delete is slow. I find WD similar in this regard.

They definitely can do a better job of the reports. I think it's one of those things where they took an enterprise model and are applying it for the home. I think it's a great idea, a good way to differentiate yourself from the rest, but it still requires some work. V2 was a great improvement, I'm sure v3 will make it better.:)
I’m going to try to give it some time. The cloud management to manage all computers in my home is appealing. This morning my web browsers were dragging; a restart fixed that (which was plenty fast btw). Assuming it was SHP since that’s the only difference and that’s never happened, but not 100%. Still think it’s a step back in terms of performance from the improved WD.
 

ncage

Level 3
Verified
May 20, 2017
107
I came home to 4 alerts on my machine yesterday. SHP had quarantined some of Andy’s tools. The cloud management in this case is more obnoxious than expected. And I agree how it reports items is disjointed.

Yeah, I had a similar experience. I always install the Sysinternals tools on all my machines. It quarantined 2 of the Sysinternals tools: PsExec and PsKill. At first I was quite surprised since these come directly from Microsoft and are signed by Microsoft, but after thinking for a while it makes some sense. These tools are extremely useful but can be dangerous in the wrong hands. I think I've heard they can be distributed by malware for wrongdoing.

Andy's tools were probably quarantined because of file reputation (not that many people using them), so they take the stance that it's better to be safe than sorry.

So far I'm still liking the product, and it's on my list of possible products to replace Bitdefender when my license expires. Hopefully in Bitdefender 2020 they have addressed the resource usage, but honestly I don't have a lot of hope.
 
