This article provides an overview of how Sophos Live Protection works. A general overview of what it does and the tasks performed by Live Protection can be found here.
Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+
Sophos Anti-Virus for Mac OS X
Sophos Anti-Virus for Linux
Sophos Live Protection
Live Protection is a technology that allows live SXL lookups to obtain the latest threat information from SophosLabs without waiting for the product to be updated. It also provides a means to automatically upload samples of files that SophosLabs deem interesting and worth investigating further.
Both functionalities can be enabled or disabled depending on the environment and local policies, although sending file samples is available only if the live lookups are enabled.
How does it work
In some IDEs, SophosLabs include special instructions to trigger a live lookup for more up-to-date threat information. When one of the lookup-enabled identities is triggered, generic information about the threat and the detection is sent to SophosLabs using SXL, a protocol/framework designed and maintained by Sophos that runs over DNS queries. If new information is available, the endpoint receives it in the SXL response and adjusts its behavior accordingly. Also, if SophosLabs deem the file interesting for further research based on the lookup information, the endpoint automatically uploads the sample.
When a lookup-enabled detection is triggered by the on-access scanner, on-demand scanner, or runtime HIPS, the SAV service performs a specially crafted DNS query that includes generic information about the file and the detection features, to the sophosxl.net name servers. It then takes action(s) based on the response it gets.
Currently available actions include:
- Ignore the detection, for instance if the file is known to be detected as a false positive
- Treat the detection as malware
- Treat the detection as suspicious
- Request a sample (performed only if the policy allows it; note that this applies only to executable files)
If the file is to be sent as a sample and the policy allows automatic sample submission, the SAV service collects information about the file and the detection, packages the file itself and the gathered data into an encrypted package, and uploads it via HTTP. Only files smaller than 10MB are uploaded.
Given the number of files scanned by Sophos Anti-Virus, a look-up can be triggered quite frequently. This is not an event that an end user would see, but you may notice the traffic if you are monitoring your firewall or network.
To limit the number of look-ups, SophosLabs also whitelists common files so that they are not scanned; this includes OS files as well as common applications. Due to the nature of malware, we attempt to reduce the number of look-ups where possible but do not set an arbitrary limit, as we do not want to compromise on the protection we offer customers and the rapid response that cloud look-ups provide.
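Since the look-ups described above show up as DNS traffic on the network, an administrator reviewing resolver or firewall logs needs to attribute queries to the sophosxl.net zone to Live Protection rather than to unexplained activity. The following is an added example, not Sophos code: it assumes a simplified, constructed log format (timestamp, client IP, query name) and uses placeholder subdomain labels, since the article does not describe how SXL encodes the query name.

```python
"""Attribute DNS query-log lines to Sophos Live Protection (SXL) look-ups.

Added example for this article, not Sophos code. The log format is a
constructed, simplified one: "<timestamp> <client_ip> <qname>". Real SXL
query names are encoded by the product; the labels below are placeholders.
"""
import re
from collections import Counter

SXL_ZONE = "sophosxl.net"  # name servers the SAV service queries (per the article)

# Constructed sample lines; PLACEHOLDER labels stand in for the encoded SXL query name.
SAMPLE_LOG = """\
2024-01-01T09:00:01Z 10.0.0.21 PLACEHOLDER1.sophosxl.net
2024-01-01T09:00:03Z 10.0.0.21 PLACEHOLDER2.sophosxl.net
2024-01-01T09:00:04Z 10.0.0.22 www.example.com
2024-01-01T09:00:09Z 10.0.0.22 PLACEHOLDER3.sophosxl.net
2024-01-01T09:00:10Z 10.0.0.23 evilsophosxl.net
2024-01-01T09:00:11Z 10.0.0.21 sophosxl.net.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def is_sxl_lookup(qname: str) -> bool:
    """True only for the zone apex or a proper subdomain of sophosxl.net.

    A plain substring test would also accept look-alike names such as
    'evilsophosxl.net' or 'sophosxl.net.example.org', so compare DNS labels.
    """
    labels = qname.rstrip(".").lower().split(".")
    zone = SXL_ZONE.split(".")
    return len(labels) >= len(zone) and labels[-len(zone):] == zone


def summarize(log_text: str) -> dict:
    """Count SXL look-ups per client and the number of non-SXL queries seen."""
    per_client = Counter()
    other = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        _ts, client, qname = m.groups()
        if is_sxl_lookup(qname):
            per_client[client] += 1
        else:
            other += 1
    return {"per_client": dict(per_client), "other": other}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The per-client counts give a baseline for how often look-ups occur in your environment, which is what you would compare against when deciding whether the volume of sophosxl.net traffic is expected.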