Although the advent of our Behavioral Genotype technology has meant that a large number of unknown (zero-day) threats are now detected proactively, there are still a few that slip through the net.
Troj/Agent-GRF is just such an example. Submitted yesterday by one of our Australian partners, it is a very uninteresting Trojan, yet at the time of submission it was undetected by the majority of anti-virus vendors… or was it?
Executing the Trojan on a test machine showed that the malware is detected by a number of Sophos HIPS suspicious-behaviour rules. In fact, the HIPS alerts are so comprehensive that they could be used to describe almost the full functionality of the Trojan. Below is how the detections came up on one of our test systems in SophosLabs:
c:\nv\sample.exe => HIPS/FileMod-001
c:\WINDOWS\system32\msmsgs.exe => HIPS/ProcMod-002
c:\WINDOWS\system32\msmsgs.exe => HIPS/RegMod-001
c:\WINDOWS\system32\msmsgs.exe => HIPS/RegMod-001
The HIPS/FileMod-001 alert indicates the malware copying itself elsewhere on the file system; the copy is the msmsgs.exe that appears in the subsequent alerts. HIPS/ProcMod-002 corresponds to the execution of that newly copied file, and the two HIPS/RegMod-001 alerts show the setting of registry entries that reference the malware, so that it is run again later.
All very informative, but how does this help to protect end users from Troj/Agent-GRF and other threats?
Configuring Sophos HIPS so that Alert Only is unchecked gives Sophos Anti-Virus 7 free rein to act on these detections. In this case Troj/Agent-GRF would last about as long as a bacon sandwich on a building site: it would be terminated upon detection of the HIPS/FileMod-001 behaviour, which is one of the first actions the malware takes, so the copy would never be executed and the registry entries never written.
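To make the alert chain and the Alert Only setting concrete, here is an added example that is not Sophos code and does not reproduce the real HIPS rule logic: a small Python correlator that replays a constructed event trace and raises alerts in the three categories described above (a FileMod-style rule for an executable dropped into a system directory by something that does not live there, a ProcMod-style rule for that dropped file being executed, and a RegMod-style rule for a Run/RunOnce value pointing at it). The rule names, event format, system-directory and run-key lists, and the sample trace are all assumptions made for illustration. The monitor's alert_only flag mirrors the Alert Only checkbox: with it cleared, the first matching event "terminates" the acting process, so later events from it and from anything it would have started are dropped from the replay.

```python
"""Toy behavioural correlator modelled on FileMod / ProcMod / RegMod style
alerts. Added example, not Sophos code: rule names, event format, directory
and key lists, and the sample trace are illustrative assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Set

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")      # assumed list
EXEC_EXTS = (".exe", ".dll", ".scr", ".com")                    # assumed list
# Registry locations that cause a referenced executable to run at logon.
RUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)


@dataclass
class Event:
    kind: str      # "file_write", "process_start" or "reg_set"
    actor: str     # image path of the process performing the action
    target: str    # file written, image started, or registry value data
    key: str = ""  # registry key (reg_set only)


@dataclass
class Alert:
    rule: str
    actor: str
    detail: str


class BehaviourMonitor:
    """Replays a recorded event trace. With alert_only=True every matching
    event is reported; with alert_only=False the first match 'terminates'
    the acting process, so later events from it (and its children) are
    dropped, simulating the blocking configuration."""

    def __init__(self, alert_only: bool = True) -> None:
        self.alert_only = alert_only
        self.written: Set[str] = set()     # executables dropped during the trace
        self.terminated: Set[str] = set()  # processes killed in blocking mode
        self.alerts: List[Alert] = []

    def _fire(self, rule: str, ev: Event, detail: str) -> Alert:
        alert = Alert(rule, ev.actor, detail)
        self.alerts.append(alert)
        if not self.alert_only:
            self.terminated.add(ev.actor.lower())
        return alert

    def process(self, ev: Event) -> Optional[Alert]:
        actor, target = ev.actor.lower(), ev.target.lower()
        if actor in self.terminated:
            # Blocking mode already killed this process; a child it would
            # have started never runs either, so its later events are moot.
            if ev.kind == "process_start":
                self.terminated.add(target)
            return None
        if ev.kind == "file_write":
            # An executable dropped into a system directory by a process that
            # does not itself live there: the malware copying itself around.
            if (target.endswith(EXEC_EXTS) and target.startswith(SYSTEM_DIRS)
                    and not actor.startswith(SYSTEM_DIRS)):
                self.written.add(target)
                return self._fire("FileMod", ev, f"wrote {ev.target}")
        elif ev.kind == "process_start":
            # The freshly dropped copy being executed.
            if target in self.written:
                return self._fire("ProcMod", ev, f"started {ev.target}")
        elif ev.kind == "reg_set":
            # A Run/RunOnce value pointing at a file dropped in this trace.
            in_run_key = any(k in ev.key.lower() for k in RUN_KEYS)
            if in_run_key and target in self.written:
                return self._fire("RegMod", ev, f"{ev.key} -> {ev.target}")
        return None

    def replay(self, events: List[Event]) -> List[Alert]:
        for ev in events:
            self.process(ev)
        return self.alerts


# Constructed trace mirroring the four alerts shown above, plus one benign
# event (an editor saving a document) that must not match any rule.
SAMPLE_TRACE = [
    Event("file_write", r"c:\nv\sample.exe", r"c:\WINDOWS\system32\msmsgs.exe"),
    Event("process_start", r"c:\nv\sample.exe", r"c:\WINDOWS\system32\msmsgs.exe"),
    Event("reg_set", r"c:\WINDOWS\system32\msmsgs.exe", r"c:\WINDOWS\system32\msmsgs.exe",
          key=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),
    Event("reg_set", r"c:\WINDOWS\system32\msmsgs.exe", r"c:\WINDOWS\system32\msmsgs.exe",
          key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    Event("file_write", r"c:\Program Files\Editor\editor.exe",
          r"c:\Documents and Settings\jo\My Documents\notes.txt"),
]


def alert_only_rules(trace: List[Event] = SAMPLE_TRACE) -> List[str]:
    """Rule names raised when HIPS only reports (Alert Only checked)."""
    return [a.rule for a in BehaviourMonitor(alert_only=True).replay(trace)]


def blocking_rules(trace: List[Event] = SAMPLE_TRACE) -> List[str]:
    """Rule names raised when the first alert terminates the process."""
    return [a.rule for a in BehaviourMonitor(alert_only=False).replay(trace)]


if __name__ == "__main__":
    print("Alert Only:", alert_only_rules())  # one alert per malicious step
    print("Blocking:  ", blocking_rules())    # FileMod only; the dropper was killed
```

Replaying the trace in alert-only mode reproduces the four-alert narrative (FileMod, ProcMod, RegMod, RegMod) while the benign document save is ignored; in blocking mode the replay stops at FileMod, because the dropper is killed before the copy is ever started or registered. The point of the ProcMod and RegMod rules keying off the set of files written earlier in the same trace is that a legitimate installer or a system process executing or registering a long-standing binary does not trip them; the correlation across events is what separates "something wrote an executable" from "something wrote an executable, ran it, and made it persistent".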
Undetected malware is still out there, but making use of the HIPS behavioural detection feature available in Sophos Anti-Virus 7 provides significant protection from these threats, above and beyond IDE updates.