SOPHOS Antivirus

Discussion in 'Computer Security' started by Frog, May 27, 2004.

  1. Frog

    Frog Guest

    Just wondered what the general consensus is about an Antivirus program
    called SOPHOS?

    We use the thing here at work, and it doesn't look that flash to me;
    Doesn't even do a memory scan before doing a HD scan.

    Is anybody out there using it? And if so, what do you think of it?


    Thanks
    Charles
     
    Frog, May 27, 2004
    #1

  2. Frog

    Billy K Guest

    Yeah I do... I've never seen it disinfect a virus, the only option you have
    is to move or delete any infected files.

    The default setup does not do anything once a virus is found, and I don't
    know if it does anything about the registry modifications viruses make.

    I think it's a poor program, yet they claim to have won many awards.
     
    Billy K, May 27, 2004
    #2

  3. Frog

    Don Kelloway Guest

    It's my opinion that Sophos is an excellent AV product. Especially when
    used for its primary purpose of detecting viruses. As for disinfecting
    viruses I can only offer that I do not subscribe to this philosophy. If
    it's a virus, it's deleted. Plain and simple. No chances are taken.

    According to an article on Sophos' website:

    Independent research and test centre West Coast Labs has awarded Sophos
    Anti-Virus for Windows (NT server, XP Professional and 2000 platforms),
    version 3.79, its highest anti-virus certification: Anti-Virus Checkmark
    Level 2. The award demonstrates Sophos's excellence in detecting and
    disinfecting all known in-the-wild viruses.

    http://www.sophos.com/companyinfo/news/checkmark379.html
     
    Don Kelloway, May 28, 2004
    #3
  4. Frog

    An Metet Guest

    Thanks for the reply.
    One thing I've noticed today at work, is that if you choose to do a full HD
    scan, it doesn't scan the memory at all !!!!!
    Doesn't even appear to have an option to select memory scanning either!
    I suspect I have a virus on my work machine, yet Sophos isn't finding it.

    Strange isn't it; I haven't run across anybody that's even heard of the
    program.


    Many thanks
    Charles
     
    An Metet, May 28, 2004
    #4
  5. Frog

    Billy K Guest

    Mate, the guy who sang the praise of Sophos must have been a Greek... Sorry
    mate but I am far from convinced the product does its job.

    The product does not protect my work environment from any viruses. I should
    know because I sit there setting it up and am bewildered that viruses are
    still hitting my environment.

    I have AVG free edition installed and this detects viruses yet SOPHOS sits
    there like a fat technician chomping on donuts !!!

    Any technician recommending this product really needs to try something free
    like AVG just to see how badly they are being jarded!!
     
    Billy K, May 28, 2004
    #5
  6. Frog

    Don Kelloway Guest

    Though I am not Greek may I suggest that you ensure that you are running
    the latest SAV and signatures? As of fifteen minutes ago the current
    SAV is 3.81 with 90301 signatures.
     
    Don Kelloway, May 28, 2004
    #6
  7. Frog

    Billy K Guest

    Sorry for before, I'm just an admin who is honestly very disappointed with a
    product.

    I work in an environment that deals with other International firms mainly in
    Asia. We use Sophos anti-virus on servers and clients. All updates come
    through automatically from a share which is updated as soon as any updates
    become available. We definitely run current updates.

    Every major virus to hit the net, we get it. You're right though, Sophos
    detects all of these, however fails to deal with the virus accordingly.
    Having the file deleted, moved, shredded, copied and etc is not really a
    fantastic option. My question is, how do these files become infected in the
    first place if Sophos was doing its job?

    We have a concern that Sophos will one day delete some important document
    because we have it set to delete viruses. In the environment I work in we
    get multiple viruses a week, we have to keep it on the highest possible
    setting.

    The disinfect option is just there for good looks. I've never had a file
    disinfected. The interface with the 3 modes, Immediate, Scheduled, and IC
    client is just not practical. The same configuration must be made 3 times.

    The SAV administration tool is OK, gets the IDE updates out there, but this
    must be the only reason large organisations use SOPHOS. It does have easy
    deployment.
     
    Billy K, May 29, 2004
    #7
  8. Frog

    Martin Guest

    Every virus will get through a reactive virus scanner sooner or later.

    If things are as bad as you say, you should maybe be looking at why you are
    at such a high risk. No virus scanner is going to stop viruses, only
    mitigate the damage and contain them.
     
    Martin, May 29, 2004
    #8
  9. Frog

    Leythos Guest

    You need to look at two things right away:

    Firewall - use a firewall that allows for SMTP attachment filtering.
    This one feature can eliminate 99% of the virus infected inbound email
    to your system. This only works if you have your own email server(s),
    but I'm assuming that you do.

    Anti-Virus - get Norton AV corporate edition and use it. Set up the
    updates for every 4 hours on the server and have the server push the
    updates to the desktops. We have Symantec AV Corporate edition set up to
    FORCE updates and scans of users' computers. You can even install (push)
    the AV software to every desktop using the remote installer (right from
    the server).

    Using these two methods we've eliminated ALL (100%) of inbound virus
    attachments from all the companies we manage.

    After you do the above, you need to look at HTTP filtering, filtering
    what sites users are permitted to access, and blocking ALL outbound
    access that is not strictly for business needs. You can even block IM
    and those sharing apps that people like to run from their computers to
    connect to home.
     
    Leythos, May 29, 2004
    #9
  10. Frog

    Mailman Guest

    I am getting a bit fed-up with Leythos' "advice". In the best case it is off
    topic (the OP was asking about Sophos, not opinions on security in
    general), now it's outright misleading.

    By definition a firewall has no mail filtering function. What you describe
    above is an SMTP proxy + anti-virus filtering. They'll both work fine
    without any firewall whatsoever, exactly as any firewall will work without
    any proxies being involved.

    Unfortunately an SMTP proxy will be effective only if you make sure your
    users have no access to ANY other mail servers - which PHBs are less than
    likely to accept ("I occasionally absolutely unconditionally NEED to look
    at my private HotMail/AOL/Whatever account!").

    In my experience Norton has repeatedly failed to identify viruses. Even
    worse, their way of filtering mail raises serious questions about data
    security and confidentiality. There are enough good anti-virus programs
    that will update automatically (or on command) and filter well without
    passing your confidential information through Symantec's servers, not to
    mention their outrageous subscription fees.

    BTW - in a proxy role Sophos can be quite effective: after all what you need
    is just to identify the presence of a virus (in order to block the
    attachment/message), not clean it.

    Just means you were lucky. No anti-virus can catch 100% for the simple
    reason that a virus needs to be seen and analysed before a signature can be
    defined. Anyone who _guarantees_ to block 100% of incoming stuff is a good
    candidate for buying prime beach-front property in northern Mali.

    All of this completely ignores the at least as serious issues of worms and
    trojans - which most anti-virus programs (including your beloved NAV) will
    not identify at all.

    At last some reasonable advice: do not allow indiscriminate outgoing
    connections (your users will scream bloody murder at this point: "Are you
    out of your mind? No IM and no Kazaa?"), use a filtering proxy for outgoing
    HTTP, disable all ActiveX (again a less than popular thing), disable
    executable content (HTTP downloading).
     
    Mailman, May 29, 2004
    #10
  11. Frog

    Leythos Guest

    You don't have to like my advice, I didn't charge you for it. The OP
    described a problem that presented more than just an AV issue - he
    specifically said he was getting infected many times over.

    There are a few firewall appliances that have all sorts of PROXY
    services built into them - HTTP, SMTP, etc... They make a security
    manager's job easier and don't really increase the cost of the appliance
    in comparison to other appliances without them.

    I was under the impression that he was asking about a company based
    problem, not a simple POP based solution outside the company. If an
    employee needs to check his home/aol account during the course of
    business they can have the business related email sent to their company
    account. If you want to do personal things while at work, well too bad.
    The availability of personal email (from non-company servers) while at
    work is just another hole in the security layer.

    And as I said, NAV Corporate and SBE provide all that you state SOPHOS
    does. Virus protection software is mostly reactive, meaning that a def
    is not available until after the virus is created, but some AV products
    can find suspicious files and applications based on things other than
    definitions.

    I don't care about cleaning it, all I care about is removing the virus
    infected file/attachment from the system/email, and SBE makes it very
    easy to do this.

    No, it means that we understand the threat fully, have found reliable
    methods to control it, and still are able to do business without any
    hindrance.

    We didn't even have a problem when the Zip's infections came out - they
    started as password protected Zip files and our rules block unscannable
    Zips while letting scannable (uninfected) Zips in.

    I never said that NAV/SBE would be the only solution, I said that it was
    part of the solution which includes PROPER FIREWALL RULES/METHODS. I've
    found that NAV Corporate will catch more than just plain old virus
    files, it even catches ones that spawn from malicious web sites when
    people use IE without patches. We tested 8 different products before
    choosing NAV Corporate, and cost was not part of the factor, strictly
    based on protection ability.

    Actually, you might be surprised to learn that very few people actually
    have a business requirement for browsing the web, downloading files from
    non-approved sites, sharing files with unknown persons or running IM
    while at work. After implementing web blocking for clients we found a
    marked increase in productivity at most offices - funny how that works.

    There are a lot of things that can be done, and AV software is only a
    part of it. Just because I have found a reliable, easy to use, very
    effective AV product that has a proven track-record in use across the world.
    While you may like SOPHOS, I like NAV Corporate and SBE for Exchange for
    clients and servers.
     
    Leythos, May 30, 2004
    #11
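
The rule described in post #11 above (block Zip attachments a scanner cannot open, pass the rest on to the scanner), sketched as an added example that is not part of any post in this thread. Function names, addresses and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry is password-protected


def zip_verdict(data: bytes) -> str:
    """Return 'scan' if a scanner can read every member, else 'block'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(info.flag_bits & ENCRYPTED for info in zf.infolist()):
                return "block"  # encrypted member: content is opaque to the scanner
    except zipfile.BadZipFile:
        return "block"          # not a readable archive, so it cannot be scanned
    return "scan"


def filter_message(raw: bytes) -> list[tuple[str, str]]:
    """Give a (filename, verdict) pair for each attachment of a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        # Treat it as a Zip by content signature or by name, whichever matches.
        is_zip = payload[:2] == b"PK" or name.lower().endswith(".zip")
        results.append((name, zip_verdict(payload) if is_zip else "scan"))
    return results


def _make_zip(encrypted: bool) -> bytes:
    """Constructed sample archive; 'encrypted' only sets the header flag bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED                 # flags in the local file header
        cd = data.find(b"PK\x01\x02")        # central directory entry
        data[cd + 8] |= ENCRYPTED            # flags in the central directory
    return bytes(data)


def sample_message() -> bytes:
    """Constructed message with a clean, a locked and a corrupt attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("see attachments")
    for name, body in (("clean.zip", _make_zip(False)),
                       ("locked.zip", _make_zip(True)),
                       ("broken.zip", b"not a zip at all")):
        msg.add_attachment(body, maintype="application", subtype="zip", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in filter_message(sample_message()):
        print(f"{name}: {verdict}")
```

Attachments marked "scan" still go to the anti-virus engine; the check only decides whether the engine is able to look inside them.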
  12. Frog

    Don Kelloway Guest

    Though I understand what you're saying, I can't offer any comment other
    than to say that I do not subscribe to the philosophy of fixing virus
    infected attachments. If it's a virus, it's deleted. Plain and simple.
    My reasoning behind this is that I only rely on an AV product for its
    detection abilities and nothing more.
     
    Don Kelloway, May 30, 2004
    #12
  13. Frog

    Anonymous Guest

    Hi
    I have used Sophos AV for 4 years, and have never been infected once.
    Sophos blocks several viruses per week, including some of the viruses
    which hit the headlines.

    True. Sophos does not look that 'flash', but Sophos is designed to
    detect viruses, and have minimal resource usage, not to look pretty and
    colourful like NAV or McAfee, which are designed to look good, waste
    memory, and not detect viruses!

    Sophos scans memory when InterCheck client loads. There is no need to
    scan memory for viruses again because InterCheck will detect any known
    viruses as infected files are executed, before the viruses become
    resident in memory.
    When SAV is updated, InterCheck restarts, and scans the memory for any
    new resident viruses which were not previously detected when the memory
    was scanned before.

    As for Sophos's detection capability, it currently has 24 VB100% awards,
    which places Sophos AV as second best AV in terms of detection.
    As of 12:34AM 3\6\04, SAV 3.82 detects 90921 known viruses, which is
    larger than most other AV vendors (compare this to Norton's pathetic 67606
    viruses).
    SAV also has Check-Mark levels 1 and 2.

    SAV has very good performance. SAV is one of the fastest AV scanners I
    have used, and uses very little memory.
    It runs fine on an old 16Mb win95 machine.

    SAV is updated frequently too. Sophos release IDE files within a few
    hours that a new virus is discovered. IDE files are very small and
    compact, so bandwidth is reduced.

    SAV also has superb administrative and alerting features.

    In conclusion, I am a very happy Sophos user and have not had an
    infection for several years, and I don't plan to switch AV scanners soon.
     
    Anonymous, Jun 3, 2004
    #13
  14. Frog

    Anonymous Guest

    Hi
    I forgot to mention Sophos' strong point in my previous post: Support!
    Sophos has the best support in the AV industry.
    When you need help, you are not in a massive queue, waiting 6 hours to
    finally get through to some Indian call centre who tells you to reinstall
    your AV program, then call back later if it does not work...., you get
    through to a team of well trained people who know the software inside
    out, and are always very friendly and helpful.
     
    Anonymous, Jun 3, 2004
    #14
  15. Frog

    m Guest

    I work for a reseller of Sophos antivirus (not going to mention any names).
    I use it day in day out at lots of different companies, varying in size.

    And yes, it's hopeless:
    a) The program itself - server and client - are very unstable, they crash a
    lot, having problems updating, are a nightmare to fix when they go wrong,
    and generally not reliable enough.
    b) As for its detecting viruses, it appears to get most but ONLY it is up
    to working and up to date - the problem is it fails so often that you
    generally find viruses find their way into your network. (By the way there
    is a setting to scan 'normal' or 'extensive', I always set it to extensive,
    but the default - 'normal' might not pick them all up)
    c) When you install it, BY DEFAULT it doesn't take any action when it finds
    a virus. It finds it, tells you about it, and does nothing. True you can
    change a setting so it either deletes, shreds, or moves it, but this is a
    pain if you have more than say 10 PCs. There is an option to change it from
    the server console on the corporate edition but guess what - it rarely
    works!!
    d) The virus signatures (definitions in NAV terms) only update once a
    month, compared to all the other antivirus products that seem to update each
    week or more.
    e) Sophos technical support are rubbish, usually after 45 minutes on the
    phone, we give up with them and e v e n t u a l l y fix the problem
    ourselves.
     
    m, Sep 6, 2005
    #15
  16. From: "m" <>

    | I work for a reseller of Sophos antivirus (not going to mention any names).
    | I use it day in day out at lots of different companies, varying in size.
    |
    | And yes, it's hopeless:
    | a) The program itself - server and client - are very unstable, they crash a
    | lot, having problems updating, are a nightmare to fix when they go wrong,
    | and generally not reliable enough.


    Depends upon how stable the PC is/was when the software was installed. In all the years I
    have monitored AV News groups, yours is the first real Sophos complaint while I have read
    hundreds on NAV.


    | b) As for its detecting viruses, it appears to get most but ONLY it is up
    | to working and up to date - the problem is it fails so often that you
    | generally find viruses find their way into your network. (By the way there
    | is a setting to scan 'normal' or 'extensive', I always set it to extensive,
    | but the default - 'normal' might not pick them all up)


    Many AV software are configurable. For example, all file type or selected file types and
    scan archive files. Both settings can influence the catch rate of the AV application.


    | c) When you install it, BY DEFAULT it doesn't take any action when it finds
    | a virus. It finds it, tells you about it, and does nothing. True you can
    | change a setting so it either deletes, shreds, or moves it, but this is a
    | pain if you have more than say 10 PCs. There is an option to change it from
    | the server console on the corporate edition but guess what - it rarely
    | works!!


    YMMV -- you experience this, others may not.


    | d) The virus signatures (definitions in NAV terms) only update once a
    | month, compared to all the other antivirus products that seem to update each
    | week or more.


    Not True. There is an engine update per month and daily (and I can tell if it is done
    multiple times per day) there are WEB IDE updates.


    | e) Sophos technical support are rubbish, usually after 45 minutes on the
    | phone, we give up with them and e v e n t u a l l y fix the problem
    | ourselves.


    When NAI bought McAfee their support went down the tubes. Now that McAfee has sold off the
    Sniffer division and is concentrating on core competencies, their support is improving.
    Symantec's support has always SUCKED ! Actually, good support is hard to find and in short
    supply these days.

    Dave

    PS: If you /*REALLY*/ want to discuss this, post your findings in alt.comp.virus



     
    David H. Lipman, Sep 6, 2005
    #16
  17. Frog

    Ant Guest

    I don't agree.

    Mine has never crashed. However, they've recently updated the whole
    software package and I don't know how this performs. I'm still using
    the 3.x version which is supported until the end of the year.

    Same can be said for all AV progs.

    Well it seems to work well enough on our network with thousands of PCs,
    but we also have other protection in place like stripping executables
    from email. I can only recall one infection (localised and quickly
    dealt with) in some years.

    No. They're updated as and when necessary, often several times a day.

    Can't speak for phone support, but whenever I've sent fresh malware
    samples by email they've responded quickly by sending me a definition
    file (IDE).
     
    Ant, Sep 7, 2005
    #17
  18. Frog

    Era Guest

    We used it for over 4 yrs now - it never crashed our server!

    The virus detector is only as good as the latest "signature" - same for
    ALL virus buster!!

    There are reasons for doing it - this is where the system administrator
    comes in!

    Please read your manual or call Sophos! Our "signature" file is updated
    every hour (if there is one - system checks the Sophos server for
    updates, and they do work 24 hours!)

    Are you in charge of the system, or are you just a user? Someone in "your"
    work place needs to have their skills updated!

    From my own experience, I am quite happy with Sophos.
     
    Era, Sep 8, 2005
    #18