Life in the Labs

I’m a new recruit at Sophos, and thought there might be interest in my experience of starting here. It’s been three months since I started my training as a virus analyst, and I’m still learning new things every day.

I’m located in SophosLabs, a secure section of the UK headquarters, where we respond to emerging new threats in the murky world of spam and malware. I’d guess my role is what most people think of when they think about jobs at an anti-virus company – people send us viruses and we work out how to detect and remove them – but SophosLabs is only a small part of a company of well over a thousand people. Nevertheless, we do play a critical and at times complicated role here, and that means plenty of training.

In my first week I was thoroughly confused: new building, new people, all the standard new job stuff. But it’s a friendly place, and a small team means you get to know people quickly. The free biscuits and freshly ground coffee also helped.

Once I was settled in, the training really began. They start from the ground up here, as people come in from a variety of backgrounds. I suppose I’m fairly standard as a computer science graduate, though my hobbyist assembly experience probably helped with the early exercises: ancient hand-coded DOS viruses from the dawn of time / the 1980s. Most of the techniques used then, when viruses were mostly written for fun not profit, are obsolete now, but it was interesting history and, more relevantly, practice with the standard debugging and disassembly tools used at Sophos.

So, assembler work, then on to old Windows malware – somewhat of a shock to me as I’m mostly a Linux user, but I knew it was coming. Again, lots of documentation and advice from smart people who know the tools… in many cases they wrote them. I find malware analysis fascinating – I’ve always enjoyed taking things apart, learning how they work, and here I’ve been given specialised tools to do the boring parts for me and make the hard parts easier.

Sophos uses an in-house language for dealing with malware, which was the next big block of learning. This was a strange idea at first, but it came to make sense: given the level of specialisation of the task, having a custom language can be efficient. As an example, there are operators for directly manipulating the internal structure of Windows-format executable files, which is not something you’d want for many tasks.

I think that’s about halfway through my basic training, and a reasonable place to continue from next time. Hopefully someone found that interesting. Please do ask any questions you may have; I’ll do my best to answer them.