Yesterday we released the latest version of Sophos Endpoint Security and Control. This latest version contains a host of new features and functionality that I’m very excited about because it adds a whole host of new ways we can offer even better protection. I’ll be discussing some of these over the coming days.
One of the advantages we have in SophosLabs is that we (on the whole) are focussed on business users rather than consumers. For example, the latest product introduces the concept of suspicious files. This is an extension of our Behavioral Genotype technology that allows us to be even more proactive.
Behavioral Genotype uses pre-emptive analysis to analyse files before they run to determine if they have behaviour seen in malware. There is always a balance between proactive detection and false positives (identifying something as malware when in fact it isn’t), suspicious detections allows us to cast the net wider without impacting productivity.
Let me give you a specific example, a large proportion of malware is compressed or “˜packed’ in one way or another. The malware authors use a variety of tools to hide the content from security products. As vendors reverse engineer these “˜packers’ and add decryption for them, the malware authors move to a new one. One of the ‘genes’ we use to identify new malware is to simply identify that it is packed with a packing tool that is only ever used by malware authors.
This has led to a growing trend to use commercial packing applications to hide the malware. Shareware and freeware applications use these “˜packers’ to both compress and protect the intellectual property (by making it difficult to reverse engineer). The fact that they are difficult to reverse engineer is obviously a challenge for security vendors.
However, for corporate and enterprise customers that want to manage their environment, the fact that a shareware or freeware application is being installed and run is something that the administrator will (probably) want to manage, this is not the case for consumers of course. This is where we come in, by detecting applications packed with a commercial packer as “Suspicious” and allowing the administrator to decide whether or not to authorise that application gives much greater control (and security) to their organisation.
There are a host of other suspicious behaviour detections that are now available, and the management console allows the functionality to be run in “alert” only mode to identify which applications already exist in an organisation so that they can be pre-authorised before enabling the blocking of any further suspicious detections.
We will of course continue to add functionality to be able to unpack these files so that we can detect the malware hidden inside, but it does provide an extra level of protection.