Overview of the Sophos Live Protection architecture in SESC 9.5+
For more general information, refer to the Live Protection Overview article.
Known to apply to the following Sophos product(s) and version(s):
Sophos Anti-Virus for Windows 2000+
Live Protection is a technology that allows live SXL lookups to obtain the latest threat information from SophosLabs without waiting for the product to be updated. It also provides a means to automatically upload samples of files that SophosLabs deem interesting and worth investigating further.
Both functionalities can be enabled or disabled depending on the environment and local policies, although sending file samples is available only if the live lookups are enabled.
How does it work
In some IDEs, SophosLabs include special instructions to trigger a live lookup for more up-to-date threat information. When one of the lookup-enabled identities is triggered, generic information about the threat and the detection is sent to SophosLabs using SXL, a protocol/framework designed and maintained by Sophos that runs over DNS queries. If new information is available, the endpoint receives it in the SXL response and adjusts its behavior accordingly. In addition, if SophosLabs deem the file interesting for further research based on the lookup information, the endpoint automatically uploads the sample.
When a lookup-enabled detection is triggered by the on-access scanner, on-demand scanner, or runtime HIPS, the SAV service performs a specially crafted DNS query that includes generic information about the file and the detection features, to the sophosxl.net name servers. It then takes action(s) based on the response it gets.
Currently available actions include:
- Ignore the detection, for instance if the file is known to be detected as a false positive
- Treat the detection as malware
- Treat the detection as suspicious
- Request a sample (performed only if allowed by the policy; note that this applies only to executable files)
If the file is to be sent as a sample and the policy allows automatic sample submission, the SAV service collects information about the file and the detection, packages the file itself and the gathered data into an encrypted package, and uploads it via HTTP.
Only files smaller than 10MB are uploaded.
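The decision flow above (lookup only for lookup-enabled identities and only when the policy permits, the four possible response actions, and the policy/executable/size gating on sample upload) can be modelled as a small state machine. The following Python is an added illustration written for this article, not Sophos code: the SXL wire format over DNS and the HTTP upload are not modelled, only the decision logic the article describes. The class and field names are assumptions, and 10MB is taken to mean 10 MiB.

```python
"""Model of the Live Protection decision flow described in this article.

Illustrative reconstruction only, not Sophos code. It models which actions an
SXL response can carry and when a sample is actually uploaded.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet

# The article says only files smaller than 10MB are uploaded; 10 MiB is assumed.
MAX_SAMPLE_BYTES = 10 * 1024 * 1024


class LookupAction(Enum):
    """The four actions an SXL response may carry, as listed in the article."""
    IGNORE = "ignore"                  # known false positive: drop the detection
    MALWARE = "malware"                # treat the detection as malware
    SUSPICIOUS = "suspicious"          # treat the detection as suspicious
    REQUEST_SAMPLE = "request_sample"  # SophosLabs want to see the file


@dataclass(frozen=True)
class Policy:
    live_lookups: bool        # live SXL lookups enabled in the AV policy
    sample_submission: bool   # automatic sample submission enabled

    def sample_submission_effective(self) -> bool:
        # Sending samples is only available when live lookups are enabled.
        return self.live_lookups and self.sample_submission


@dataclass(frozen=True)
class Detection:
    lookup_enabled_identity: bool  # the IDE carries the "do a live lookup" instruction
    local_verdict: str             # what the local identity alone concludes
    file_size: int                 # bytes
    is_executable: bool


@dataclass(frozen=True)
class Decision:
    verdict: str            # "ignore", "malware", "suspicious" or the local verdict
    lookup_performed: bool  # whether a DNS query to sophosxl.net was issued
    upload_sample: bool     # whether the encrypted sample package is uploaded


def decide(policy: Policy, det: Detection,
           sxl_response: FrozenSet[LookupAction]) -> Decision:
    """Return what the endpoint does for one detection.

    sxl_response is the set of actions returned by the sophosxl.net name
    servers; it is only consulted when a lookup is actually performed.
    """
    # No lookup if the policy forbids it or the identity does not request one.
    if not policy.live_lookups or not det.lookup_enabled_identity:
        return Decision(det.local_verdict, lookup_performed=False, upload_sample=False)

    # Apply the verdict-changing actions; the local verdict stands otherwise.
    verdict = det.local_verdict
    if LookupAction.IGNORE in sxl_response:
        verdict = "ignore"
    elif LookupAction.MALWARE in sxl_response:
        verdict = "malware"
    elif LookupAction.SUSPICIOUS in sxl_response:
        verdict = "suspicious"

    # A sample request is honoured only if policy allows it, the file is an
    # executable, and it is under the size limit.
    upload = (
        LookupAction.REQUEST_SAMPLE in sxl_response
        and policy.sample_submission_effective()
        and det.is_executable
        and det.file_size < MAX_SAMPLE_BYTES
    )
    return Decision(verdict, lookup_performed=True, upload_sample=upload)


if __name__ == "__main__":
    # Constructed scenario: lookup-enabled identity fires on a 4 KiB executable,
    # Labs answer "suspicious" and ask for the sample, policy permits both.
    policy = Policy(live_lookups=True, sample_submission=True)
    det = Detection(lookup_enabled_identity=True, local_verdict="suspicious",
                    file_size=4096, is_executable=True)
    response = frozenset({LookupAction.SUSPICIOUS, LookupAction.REQUEST_SAMPLE})
    print(decide(policy, det, response))
```

The model makes the two policy dependencies explicit: a sample can never leave the endpoint when live lookups are disabled, even if sample submission is ticked, and a REQUEST_SAMPLE action alone never causes an upload for a non-executable or a file at or above the size limit.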