Pelocha

Level 1
Unfortunately Trend Micro is littered with bugs and holes. Including the corporate editions. I'm somewhat convinced Trend Micro will actually reduce the security of a system.

Hackers Tear Apart Trend Micro, Find 200 Vulnerabilities In Just 6 Months
All security software installed on Windows makes your machine more vulnerable. All software installed on Windows makes your machine more vulnerable. Even a music player. Vulnerability is not the same as a bug. And you were talking about bugs. ???
 

Nestor

Level 8
In the end why we have to bother for any security product? All we need is CIS or CCA, have some signatures, good or bad does not matter, whatever can't catch go to container, you erase it, simple as that, end.. No need to worry! ☺☺
 
Last edited:
  • Like
Reactions: JB007 and Pelocha

Slyguy

Level 43
In the end why we have to bother for any security product? All we need is CIS or CCA, have some signatures, good or bad does not matter, whatever can't catch go to container, you erase it, simple as that, end.. No need to worry! ☺☺
Containment/Default Deny is great. However for regular joes, it's not practical in most cases. It causes an incredible amount of havoc for them. Things like standard user accounts, default deny, etc, and you dump so much time into supporting that user. So unfortunately, the ideal solution isn't always viable.
 

Raiden

Level 13
Verified
Content Creator
Wow a lot has happened since I posted last in this thread.

I won't lie, I am a little disappointed in Sophos in regards to how they are "marketing" Intercept X in SHP. I assumed like many of you here, that while it may not have all the features of Intercept X, it was still based on the the same code, implementation, etc... as their enterprise offering. I do hope that they keep their word and implement it properly, especially with the ML. IMO, I think having the ML in SHP would not only help their consumers, but also their enterprise customers. I am assuming that the more information its fed, the better it can become.

As for the MH testing, I am glad that @Evjl's Rain is testing it and would like to commend him for doing so! Would I like a better result, sure... but we have to take the test with a grain of salt and understand what it means. The same goes for any other product tested on the HUB or else where for that matter.

I say this with the upmost respect for the great work the testers here do on the HUB, so please I mean no disrespect at all. We all have to realize that all tests HUB, AV-comparatives, AV-Test, etc... are all going to have their limitations and may not always truly represent true real world usage. I am no security expert and I honestly do not know how to perform malware testing, but from my years of reading, my understanding is that it is not always that simple. We could say that the HUB testing ignores the web components of the various products, thus eliminating a feature that may have other wise stopped the malware from coming on to the system in the first place, or it may have made no difference at all. As for the professional tests, one limitation that comes to my mind (thanks to cruesister :) ) is that they don't publish how old the samples are, thus are we getting a true representation of the products capabilities? Just because a product doesn't do well, doesn't mean it won't do its job in the real world. As good as a product may be there still has to be some form of education and common sense when it comes to surfing the web, reading emails, etc... You cannot always blame the product if it were to fail you. One issue I have with tests that say x product got 100%, (IMO) is that it creates bad habits/false assumptions. I am sure there are people out there that go, well I can download and click on anything and everything cause my security program will save me every time. No product can protect you 100% of the time

In the end, I think testing these products do help give us an idea of how they may perform, but realize that we shouldn't always be buying/using our products solely on these tests alone. There are many, many more reasons as to why we choose/use the products that we do. Otherwise, we might as well just stop using what we all have and switch to Kaspersky, as its seems to do the best in the vast majority of tests out here. Don't get me wrong, I like Kaspersky and personally, I feel like they deserve the great results, they offer great protection there's no auguring it, but its just an example of why the test result may not always be everything when choosing a product.
 
Last edited:
D

Deleted Member 3a5v73x

Just because a product doesn't do well, doesn't mean it won't do its job in the real world.
As good as a product may be there still has to be some form of education and common sense when it comes to surfing the web, reading emails, etc... You cannot always blame the product if it were to fail you.
I agree with this and and when it comes to real world, first defense layer in SHP is Web protection, to properly see SHP in action, one must directly enface malware from its host origin, if it's not blocked and download gets started, second layer is Download Reputation Download Reputation: Frequently Asked Questions - Sophos Community (article not specifically for Sophos Home users, but can be used as general reference). The reputation scores are currently based on the prevalence, age and URL source of files which are then compared against data created by SophosLabs. I personally like Download Reputation set to Strict, so lets say downloads from google servers will have a good reputation. If you still download something unknown with low reputation, then all other real-time protection layers comes into action, either it's picked up by read > execution > etc. It's users fault for not being confident and making sure that files/programms are safe to run, I use isolation software for that, either Sandboxie or Shadow Defender.
 
Last edited by a moderator:

Slyguy

Level 43
I agree with this and and when it comes to real world, first defense layer in SHP is Web protection, to properly see SHP in action, one must directly enface malware from its host origin, if it's not blocked and download gets started, second layer is Download Reputation Download Reputation: Frequently Asked Questions - Sophos Community (article not specifically for Sophos Home users, but can be used as general reference). The reputation scores are currently based on the prevalence, age and URL source of files which are then compared against data created by SophosLabs. I personally like Download Reputation set to Strict, so lets say downloads from google servers will have a good reputation. If you still download something unknown with low reputation, then all other real-time protection layers comes into action, either it's picked up by read > execution > etc. It's users fault for not being confident and making sure that files/programms are safe to run, I use isolation software for that, either Sandboxie or Shadow Defender.
I really like your reply. Mostly because you bring up the most important thing - which is what I was trying to say about 'pack' testing. I will admit I do not like pack testing but I also respect the testers for giving an idea of how products perform on packs. I sort of equate pack testing with testing every car on the drag strip to see how fast it is to get you to work. It really doesn't factor everything involved with getting to work and makes the assumption your work is on a straight quarter mile strip. :)

Think about this - VoodooShield would likely score a guaranteed 100% perfect score in the Hub with every pack when set to Always On/Aggressive. Is that fair? Not really. Anymore than it is really fair to judge products where all of their technology can't be levied against packs.

So let's imagine one of the missed samples was actually downloaded directly from the site serving it. We can be somewhat confident that site and traffic would have been snagged by the heuristic traffic scanner. But we can be very nearly 100% certain download reputation would have alerts to it. Thus rendering it a hit on detection in a real world (non-pack) test.

I am pretty confident SHP would protect the average user without any additional software. I'm absolutely certain it would protect clicker users like my inlaws. They aren't downloading packs. They're hitting crappy websites and downloading poorly rated software. SHP's going to nail those.
 

Evjl's Rain

Level 44
Verified
Trusted
Content Creator
Malware Hunter
so in the next, I will upload the missed samples, one by one, to a host and download them, let sophos's reputation checker do its job
I have seen many many malware links from the host of github, gitlab recently so it should be a real life situation. They can be anywhere
I used to get a lot of archived files with a password, 1-2 files were malwares -> webfilter won't do much

not that the hub is also a real life situation, which I see very frequently. Not every user downloads from the internet. I get files from local USB flash drives very frequently, as much as I get from the internet and sometimes, there is no internet connection. The hub test is the best to see how the products work in this case

rely solely on files downloaded from internet is like we accepting the results from AV-testing companies such as AV-comparatives or AV-test
 
Last edited:

Evjl's Rain

Level 44
Verified
Trusted
Content Creator
Malware Hunter
these are some points taken when looking at the results of sophos in the hub:
- it has poor signatures compared to other vendors: Avast, Kaspersky, BitDefender, ESET
- It has a good web filter. Its download reputation checker does work, not always, especially against very new malwares. It works more effectively against a bit older malwares
- Its behavior blocker is nowhere near the best. It's mediocre, quite poor against executable malwares (.exe)
- It doesn't have a self-protection module. Not a good thing. 2 tests revealed that Sophos's files were encrypted making Sophos malfunctioned
- No quarantine
- HitmanPro alert works better than Sophos's own BB although it doesn't delete the malwares after blocking them
- HitmanPro alert sacrifices a few files, up to 3 or more, to determine a ransomware behavior and block them, frequently, it fails to do so and the whole system is infected. (Common! it's 2018! Easily defeated against ransomwares in 2 consecutive tests are unacceptable)
- is the cloud module present or not? I don't think there is
- HMPA is good against macro infections from MS word, excel
- Sophos is good against scripts because those scripts download their payloads so Sophos's web filter has a chance to block them
- Sophos is not so good against fileless malwares

conclusion: I don't think it's worth paying for. Other free alternatives can do the job better
K9 Web Protection is better than Sophos and it's free for everyone
 
Last edited:

Nestor

Level 8
these are some points taken when looking at the results of sophos in the hub:
- it has poor signatures compared to other vendors: Avast, Kaspersky, BitDefender, ESET
- It has a good web filter. Its download reputation checker does work, not always, especially against very new malwares. It works more effectively against a bit older malwares
- Its behavior blocker is nowhere near the best. It's mediocre, quite poor against executable malwares (.exe)
- It doesn't have a self-protection module. Not a good thing. 2 tests revealed that Sophos's files were encrypted making Sophos malfunctioned
- No quarantine
- HitmanPro alert works better than Sophos's own BB although it doesn't delete the malwares after blocking them
- HitmanPro alert sacrifices a few files, up to 3 or more, to determine a ransomware behavior and block them, frequently, it fails to do so and the whole system is infected. (Common! it's 2018! Easily defeated against ransomwares in 2 consecutive tests are unacceptable)
- is the cloud module present or not? I don't think there is
- HMPA is good against macro infections from MS word, excel
- Sophos is good against scripts because those scripts download their payloads so Sophos's web filter has a chance to block them
- Sophos is not so good against fileless malwares

conclusion: I don't think it's worth paying for. Other free alternatives can do the job better
K9 Web Protection is better than Sophos and it's free for everyone
Evjl's Rain nice review and excelent points about SHP,something needed to be done simce it was not tested.One thing i can't get, is that you mention in the start about "poor signatures".I kept watching SHP in VT and i thought it has decent,close to Kaspersky or even better.Maybe, something is not working right prevent them in protection-module.
 

Evjl's Rain

Level 44
Verified
Trusted
Content Creator
Malware Hunter
Evjl's Rain nice review and excelent points about SHP,something needed to be done simce it was not tested.One thing i can't get, is that you mention in the start about "poor signatures".I kept watching SHP in VT and i thought it has decent,close to Kaspersky or even better.Maybe, something is not working right prevent them in protection-module.
the signatures of SHP on VT should be Sophos AV, not Sophos ML because ML is only available for the enterprise products, for now
I have verified, there is nothing which can alter the results of my testing. I don't have anything enable during the right-click scan. I only turn on my VPN after the right-click scan finishes and immediately perform an update to verify if the connection is still intact in the product or not
 
D

Deleted Member 3a5v73x

@Evjl's Rain I appreciate your every input and everything you'll read here are not anything personal. :emoji_v:

- It has a good web filter. Its download reputation checker does work, not always, especially against very new malwares. It works more effectively against a bit older malwares
It has to be always working and with an any file type you download from the internet. Download Reputation warning should be in-your-face, if it's not, it's a sign that Sophos Home Premium ain't properly connecting with SophosLabs servers (test on vxvaul.. or malc0.. malicous url list), and doesn't matter how old are the files, created a min or a month ago. If it still doesn't work, then it is something on your test systems end, because on my, it works as it is supposed to.

- It doesn't have a self-protection module.
It's a work in progress, they are aware of it.

- No quarantine
It's being worked on as well. No ETA however, it might be in the next major update or months from now.

- is the cloud module present or not? I don't think there is
Sophos: Sophos Home software is built on a cloud based protection setup.
Sophos: The local software communicates with a cloud based database/website database
Sophos: It doesn't have an exact AI built in
Sophos: It is communicating between itself and the cloud with samples and updates
Me: Will Sophos Home work offline?
Sophos: Yes
Sophos: It can work offline for a brief period of time if needed.
Sophos: However it is intended to be online connected as much as possible

- Sophos is not so good against fileless malwares
Sophos: HMP.A handles that
Sophos: It has built in coding in the HMP.A to check signatures as well as to check for certain behaviors.

conclusion: I don't think it's worth paying for.
My personal opinion is that right now it is one of the most worth security products to be paid for, because you get possibly best on-demand scanner together with HMP.A. technologies, good support, non-headache updates/upgrades for your other PCs you manage from dashboard/scan & clean initates, soon more advanced Intercept X built into it, etc., the list goes on. Also, about testing it in the MH. It's hard to accurately interpretate SHP results, because Sophos Home Clean (HitmanPro) scanner is built into it and everything caught by it, I rate as HIT and no matter if Bit or Kas finds infections, it's a cruical technology in a SHP, and if it's scan results and remediation of infections is ignored, then I don't see a point of testing SHP at all.
 
Last edited by a moderator:

Moonhorse

Level 27
Verified
Content Creator
I dont think the webfilter is that good, it wouldnt block half of finnish websites about gambling, adult content etc.

The free version with webfilter is nice compared to other antivirus alternatives, because you really can decide wich categories gonna be blocked
 
D

Deleted Member 3a5v73x

Never seen this type of "low action" behavior from SHP and any ransom getting through since v1.2.12. Maybe some failures connecting the servers, neverthless looks bad because all Sophos folder components as well are encrypted and trashed, but interesting part is that it's picked up by "Sophos Machine Learning" in VT, but SHP doesn't detect it, so deffinately something is not working properly. Reported to Sophos and waiting for a more detailed answer on this. Thanks to @Evjl's Rain for the test & @Der.Reisende for providing samples.

Update on this ransomware miss by SHP. It was NOT a ransomware. By further investigation by SophosLabs, it was a file rename trojan, thats why HMP.A didn't react and affected .crypt files could have been recovered if SDU logs in infected system was provided to support. Suggestion to improve protection features against these type of attacks have been sent and they are considering to add self-protection module in next SH/SHP versions. No ETA.
 
Last edited by a moderator:

Cavehomme

Level 1
Update on this ransomware miss by SHP. It was NOT a ransomware. By further investigation by SophosLabs, it was a file rename trojan, thats why HMP.A didn't react and affected .crypt files could have been recovered if SDU logs in infected system was provided to support. Suggestion to improve protection features against these type of attacks have been sent and they are considering to add self-protection module in next SH/SHP versions. No ETA.
What I like about SHM is that it's already a very capable product, albeit with some weaknesses, but there's a capable development team improving it. This is in great contrast to a lot of other AV / security vendors out there. What i particularly like about it is the integration of HMPA which gives safe browsing and keystroke encryption and which I can roll out extremely easily to the rest of my family.
 

Raiden

Level 13
Verified
Content Creator
What I like about SHM is that it's already a very capable product, albeit with some weaknesses, but there's a capable development team improving it. This is in great contrast to a lot of other AV / security vendors out there. What i particularly like about it is the integration of HMPA which gives safe browsing and keystroke encryption and which I can roll out extremely easily to the rest of my family.
I agree!

While its far from perfect (then again no product is), they have a very good base to grow from IMO. They do have some big gaps to fill (ie: self protection), but I really like the fact that their support/dev team are open to suggestions and are actively working on improving the product further from these suggestions. I can say that I am excited to see what happens in the next few major updates :)
 
D

Deleted Member 3a5v73x

It's good that they listen to you! most Avs ignore users!
With every company we just need to find the right approach how to talk with the support team. I would leave any AV company immediately if they were ignoring it's users. To Sophos Home team I am being quite forceful, so they speed up development. They aren't a thousand of employees team in Sophos Home department, maybe that's why you can more easily reach them, Sophos Enterprise team is a lot bigger but still finds a time to reply even if you aren't a paid customer. High level engineers who develop Sophos Home also answers directly.
 
Last edited by a moderator:

Cavehomme

Level 1
After several weeks of daily long use I've had to regretably uninstall SHP from my main laptop, an i7 with 8GB RAM and 256GB SSD and Windows 10 because it does notably slow down general use. Even bringing up the task manager takes 7-8 seconds compared to <2 seconds when just running WD. Browsing is also "stickier". I like the high security offered by SHP, especially HitmanPro / Intercept X, but performance needs to improve significantly. It's also slowing down the other PCs. There's no way a year old laptop with this spec should be sluggish running SHP. It's a pity.