Overview of the Sophos Live Protection architecture in SESC 9.5+

Issue
Overview of the Sophos Live Protection architecture in SESC 9.5+

For more general information, refer to the Live Protection Overview article.

Known to apply to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+

Operating System
Windows

Introduction

Live Protection is a technology that allows live SXL lookups to obtain the latest threat information from SophosLabs without waiting for the product to be updated. It also provides a means to automatically upload samples of files that SophosLabs deem interesting and worth investigating further.

Both functionalities can be enabled or disabled depending on the environment and local policies, although sending file samples is available only if the live lookups are enabled.

How does it work

Some IDE (threat identity) files published by SophosLabs include instructions to trigger a live lookup for more up-to-date threat information. When one of these lookup-enabled identities fires, generic information about the threat and the detection is sent to SophosLabs using SXL, a protocol/framework designed and maintained by Sophos that is carried over DNS queries. If newer information is available, the endpoint receives it in the SXL response and adjusts its behaviour accordingly. If, based on the lookup data, SophosLabs deem the file worth further research, the endpoint also uploads the sample automatically (subject to policy, see below).

More details:
When a lookup-enabled detection is triggered by the on-access scanner, the on-demand scanner, or runtime HIPS, the SAV service sends a specially crafted DNS query, containing generic information about the file and the detection features, to the sophosxl.net name servers. It then takes action based on the response it gets. In practice this means the endpoint's configured DNS resolvers must be able to forward queries for sophosxl.net; if that traffic is blocked or filtered, the lookup cannot complete.
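Because the lookup is an ordinary DNS query for a name under sophosxl.net, the simplest way to confirm that Live Protection is actually reaching the name servers is to look at the resolver or firewall DNS log. The following is an added example, not code from the article or from Sophos: it parses constructed resolver log lines in an assumed "client query-name" format, counts Live Protection lookups per client with a label-aware suffix match (so a look-alike such as `notsophosxl.net` is not counted), and reports which of an expected set of endpoints has produced none. The log format and the host addresses are assumptions for the example.

```python
from collections import Counter

# Constructed sample resolver log lines (assumed format "client query-name"; not real
# Sophos or resolver output). Includes a trailing-dot FQDN, an upper-case name and a
# look-alike domain to exercise the matching logic.
SAMPLE_LOG = """\
10.0.0.11 abc123.sophosxl.net
10.0.0.11 abc124.sophosxl.net.
10.0.0.12 www.example.com
10.0.0.13 deadbeef.sophosxl.net
10.0.0.14 evil.notsophosxl.net
10.0.0.11 SOPHOSXL.NET
"""

SXL_ZONE = "sophosxl.net"


def is_sxl_name(qname: str) -> bool:
    """Label-aware match: the name is the zone apex or a subdomain of it.

    A plain endswith("sophosxl.net") would also accept "notsophosxl.net", so the
    comparison is done on whole DNS labels after normalising case and trailing dot.
    """
    name = qname.rstrip(".").lower()
    return name == SXL_ZONE or name.endswith("." + SXL_ZONE)


def parse_line(line: str):
    """Return (client, qname) for a well-formed line, or None for anything else."""
    parts = line.split()
    if len(parts) != 2:
        return None
    return parts[0], parts[1]


def sxl_lookups_by_host(log_text: str) -> dict:
    """Count Live Protection (sophosxl.net) queries per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        if is_sxl_name(qname):
            counts[client] += 1
    return dict(counts)


def hosts_missing_lookups(log_text: str, expected_hosts) -> list:
    """Endpoints that should be doing lookups but show none in the log.

    Useful when verifying an egress allow-list: a host that is configured for
    Live Protection but never queries sophosxl.net is worth investigating.
    """
    seen = sxl_lookups_by_host(log_text)
    return sorted(h for h in expected_hosts if h not in seen)


if __name__ == "__main__":
    for host, n in sorted(sxl_lookups_by_host(SAMPLE_LOG).items()):
        print(f"{host}: {n} Live Protection lookup(s)")
    missing = hosts_missing_lookups(SAMPLE_LOG, ["10.0.0.11", "10.0.0.12", "10.0.0.13"])
    print("expected hosts with no lookups:", missing)
```

On the constructed log this reports three lookups from 10.0.0.11 and one from 10.0.0.13, and flags 10.0.0.12 as an expected host that has not performed any; 10.0.0.14 is not counted because its query targets a different zone.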

Currently available actions include:

  • Ignore the detection, for instance when the detection is a known false positive
  • Treat the detection as malware
  • Treat the detection as suspicious
  • Request a sample (performed only if the policy allows it, and only for executable files)
If the response requests a sample and the policy allows automatic sample submission, the SAV service collects information about the file and the detection, packages the file itself and the gathered data into an encrypted package, and uploads it via HTTP.
Only files smaller than 10MB are uploaded.
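The conditions that gate a sample upload are spread across the text above: live lookups must be enabled at all, the SXL response must ask for a sample, automatic submission must be allowed by policy, the file must be executable, and it must be smaller than 10MB. The following is an added example, not Sophos code, that models that decision as one function so the gating can be checked case by case. The article does not say how the product decides that a file is "executable"; this example assumes a Windows PE image (an `MZ` header), and that assumption is marked in the code.

```python
from dataclasses import dataclass
from enum import Enum


class SxlAction(Enum):
    """Actions an SXL response can carry, as listed in the article."""
    IGNORE = "ignore"                  # known false positive: suppress the detection
    MALWARE = "malware"
    SUSPICIOUS = "suspicious"
    REQUEST_SAMPLE = "request_sample"


class Outcome(Enum):
    NO_LOOKUP = "no lookup performed (Live Protection disabled)"
    IGNORED = "detection ignored"
    MALWARE = "treated as malware"
    SUSPICIOUS = "treated as suspicious"
    SAMPLE_UPLOADED = "sample uploaded"
    SAMPLE_NOT_SENT = "sample requested but not sent"


MAX_SAMPLE_BYTES = 10 * 1024 * 1024  # article: only files smaller than 10MB are uploaded


@dataclass
class Policy:
    live_lookups: bool             # SXL lookups enabled for this endpoint
    auto_sample_submission: bool   # automatic sample upload allowed by policy


def is_executable(data: bytes) -> bool:
    # Assumption for this example only: "executable" means a Windows PE image,
    # recognised by its MZ header. The article does not define the product's test.
    return data[:2] == b"MZ"


def handle_detection(policy: Policy, response: SxlAction, data: bytes) -> Outcome:
    """Map an SXL response to the endpoint outcome, honouring the gating rules."""
    if not policy.live_lookups:
        # No lookup means no SXL response at all; sample submission is therefore
        # unavailable as well, regardless of the submission setting.
        return Outcome.NO_LOOKUP

    if response is SxlAction.IGNORE:
        return Outcome.IGNORED
    if response is SxlAction.MALWARE:
        return Outcome.MALWARE
    if response is SxlAction.SUSPICIOUS:
        return Outcome.SUSPICIOUS

    # REQUEST_SAMPLE: every gate must pass before anything leaves the endpoint.
    if (policy.auto_sample_submission
            and is_executable(data)
            and len(data) < MAX_SAMPLE_BYTES):
        return Outcome.SAMPLE_UPLOADED
    return Outcome.SAMPLE_NOT_SENT


if __name__ == "__main__":
    # Constructed inputs for illustration; not real samples.
    small_pe = b"MZ" + bytes(512)
    script = b"#!/bin/sh\necho hi\n"
    huge_pe = b"MZ" + bytes(MAX_SAMPLE_BYTES)

    full = Policy(live_lookups=True, auto_sample_submission=True)
    lookups_only = Policy(live_lookups=True, auto_sample_submission=False)
    disabled = Policy(live_lookups=False, auto_sample_submission=True)

    for label, pol, data in [("small PE, full policy", full, small_pe),
                             ("small PE, submission off", lookups_only, small_pe),
                             ("shell script, full policy", full, script),
                             ("10MB PE, full policy", full, huge_pe),
                             ("lookups disabled", disabled, small_pe)]:
        print(f"{label}: {handle_detection(pol, SxlAction.REQUEST_SAMPLE, data).value}")
```

Note the ordering: the Live Protection switch is checked first, which reflects the article's statement that sample submission is only available when live lookups are enabled; turning off lookups while leaving submission enabled yields no uploads.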


If you need more information or guidance, then please contact technical support.