in reply to Re: Sophos hates PAR::Packer!
in thread Sophos hates PAR::Packer!

Thanks for your comments marto!

Yes, we know how to authorize suspicious-behavior items, but it requires 1) knowledge of how to do it and 2) authorization from IT. And yes, Sophos is the king of false positives; according to some comparisons it detects 10-100x as many false positives as competitors.

The software that I am referencing is getting frequent updates and though we can get the authorizations to do the exceptions, it is a general pain-in-the-rear and makes distribution significantly more difficult. I was hoping for a general solution that doesn't trigger Sophos every time.

My guess is that the Sophos detection may be a result of the way PAR::Packer does a two-step by first unpacking the software and then running the thing it unpacked.

Dave

Re^3: Sophos hates PAR::Packer!
by Anonymous Monk on Aug 31, 2009 at 20:28 UTC
    Sophos doesn't have to kill every process that is identified as suspicious. Ask if your IT will change the behavior from blocking to simply warning. If I'm not mistaken, the default Sophos policy for suspicious files is "Do nothing" (other than warn and log), so a "general solution" would be to go back to the default policy. Only if your industry is very sensitive, like finance or medical records, would blocking by default seem like the best policy. Around here, 100% of "suspicious" stuff has turned out to be benign, so we just warn, log, and authorize (so that warning and log noise goes away).