in reply to Sophos hates PAR::Packer!

I've seen security products do strange things on Windows. Recently, Windows 2003 servers for a third party web application (written in .net, double yuck) were being 'prohibited' by the client's enterprise security suite. Our clients had already paid (another company) for the web app, and the vendor had not received any feedback from other users regarding this issue. In the end, since the client's 'security' department had no idea what their enterprise tool (McAfee) was telling them, or how to work it properly, they ended up adding an exception so that rather than prohibiting the app from running, a warning (that nobody in their organisation ever looks at) was raised.

Have you tried authorizing 'suspicious' items?

"When Sophos Anti-Virus for Windows 2000+, version 7 and above, displays an alert about a suspicious file or suspicious behavior, you can authorize the item either for the individual computer or for a group of computers on your network."

False positives are apparently not terribly rare within such tools. It may be worth checking with the Sophos site, I'm sure you won't be the only person having such problems.

Update: Incidentally, one of the overnight updates to McAfee started to quarantine the contents of /System32 on our client's network, due to an error in the update file they deployed. Remember that everyone makes mistakes :)

Martin

Re^2: Sophos hates PAR::Packer!
by skeptical (Novice) on Aug 30, 2009 at 16:13 UTC

    Thanks for your comments marto!

    Yes, we know how to authorize suspicious behavior items but it requires 1) knowledge of how to do it and 2) authorization from IT. - and - Yes, Sophos is the king of false positives - according to some comparisons it detects over 10-100x as many false positives as competitors.

    The software that I am referencing is getting frequent updates and though we can get the authorizations to do the exceptions, it is a general pain-in-the-rear and makes distribution significantly more difficult. I was hoping for a general solution that doesn't trigger Sophos every time.

    My guess is that the Sophos detection may be a result of the way PAR::Packer does a two-step by first unpacking the software and then running the thing it unpacked.

    Dave

      Sophos doesn't have to kill every process that is identified as suspicious. Ask if your IT will change the behavior from blocking to simply warning. If I'm not mistaken, the default Sophos policy for suspicious files is "Do nothing" (other than warn and log), so a "general solution" would be to go back to the default policy. Only if your industry is very sensitive, like finance or medical records, would blocking by default seem like the best policy. Around here, 100% of "suspicious" stuff has turned out to be benign, so we just warn, log, and authorize (so that warning and log noise goes away).