Having cleared my backlog of email relatively quickly, I decided to dig deeper into how SophosLabs performed over the Christmas period.
Looking at the outbreak of PushU-D discussed earlier, I was able to find the first occurrence of a particular variant on our spam traps. I specifically chose a sample that wasn’t proactively detected as either spam or malware, to find the worst-case scenario.
A sample with the MD5 d64df555078672b2237edd477168adec first arrived on our traps at 19:46 PST on 26 December.
At 20:02 PST the message was blocked as spam.
At 20:57 PST detection was published for the malware.
So although it took 1 hour 11 minutes to write, test and publish detection for that particular variant (still one of the fastest response times in the industry), customers were protected within 16 minutes. The same variant is still being seen on our spam traps and I was able to find at least another 10 variants that were subsequently detected proactively.
The outbreak occurred on the Australian shift, so kudos to them, although the spam message was blocked automatically without the need for an analyst.