This article provides a high level overview of what Sophos Live Protection is. More details on how it works can be found here.
Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+
Sophos Anti-Virus for Mac OS X
Sophos Anti-Virus for Linux
Sophos Live Protection - What is it?
As malware continues to evolve and grow rapidly, Sophos needed a way to supplement the existing data updates with a system that keeps endpoint protection current in real time. This both improves the response time to new malware and reduces the amount of data that has to be delivered to endpoints.
Live Protection was added to give the endpoint the ability to 'look up' files in real time and verify whether they are malicious. Over the past few years it has proven very effective at stopping new malware outbreaks and protecting our customers.
Sophos Live Protection can perform the following tasks:
- Perform cloud look-ups against individual files to determine if safe/malicious
If the anti-virus scan on an endpoint computer has identified a file as suspicious, but cannot further identify it as either clean or malicious based on the threat identity (IDE) files stored on the computer, certain file data (such as its checksum and other attributes) is sent to Sophos to assist with further analysis. This is known as 'in-the-cloud' checking: it performs an instant lookup of a suspicious file in the SophosLabs database. If the file is identified as clean or malicious, the decision is sent back to the computer and the status of the file is automatically updated.
- Automatically send sample files to Sophos
If a file is considered suspicious, but cannot be positively identified as malicious based on the file data alone, you can allow Sophos to request a sample of the file. If this option is enabled, and Sophos does not already hold a sample of the file, the file will be submitted automatically. Submitting sample files helps Sophos to continuously enhance detection of malware without the risk of false positives.
How does it work?
Live Protection performs a lookup for any file it suspects of being malware. The following events trigger a lookup:
- Whenever a user browses to an unsecured web site (no SSL).
- Whenever a file is added to the endpoint's quarantine manager.
- Whenever the anti-malware engine reports internally that a file is sufficiently suspicious.
- Whenever the anti-malware engine reports internally that a file should be checked against an allow list defined by SophosLabs. (The allow list is maintained by SophosLabs and contains common and system files whose results the product should cache to improve performance.)
Lookups - further information
Live Protection performs a lookup even for a file that was scanned before, because new information about the file may have been discovered since the last scan; this ensures the most up-to-date protection.
Lookups contain only a limited amount of information. They are designed to let SophosLabs analysts package up the specific malware-related data they need (such as function bytes or other required properties) to increase the accuracy of detections.
Lookups are performed over DNS, and the average endpoint performs a large number of lookups per day, depending on its level of activity. During scheduled and on-demand scans the number increases, because every file on the system is accessed, which triggers far more lookups than normal operation.
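The following is an added example, not Sophos code, that models the in-the-cloud check described above (checksum-based lookup, DNS transport, a local cache for allow-listed files, and automatic sample submission for files that remain unknown). Everything protocol-specific is an assumption made for illustration: the lookup zone `lookup.example.invalid`, SHA-256 as the checksum, the split of the digest into two DNS labels, and encoding the verdict in the last octet of an A record. The real Sophos query format, checksum algorithm and answer encoding are not documented on this page. The resolver is a constructed stand-in so the script runs offline; in a real client it would be a DNS query.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"

# Assumed for this example only: a lookup zone and a verdict encoded in the
# last octet of the A record answer. Not Sophos's real zone or encoding.
LOOKUP_ZONE = "lookup.example.invalid"
VERDICT_BY_OCTET = {1: CLEAN, 2: MALICIOUS}


def file_checksum(data: bytes) -> str:
    """Checksum sent in the lookup (SHA-256 assumed; the page does not name the algorithm)."""
    return hashlib.sha256(data).hexdigest()


def query_name(checksum: str) -> str:
    """Encode the checksum as a DNS name. A DNS label may not exceed 63 octets,
    so the 64-hex-character digest is split into two 32-character labels."""
    return f"{checksum[:32]}.{checksum[32:]}.{LOOKUP_ZONE}"


# resolver(name) -> (A record rdata, TTL in seconds), or None for NXDOMAIN
Resolver = Callable[[str], Optional[Tuple[str, int]]]


@dataclass
class LiveLookupClient:
    resolve: Resolver
    now: Callable[[], float] = time.time
    submit_samples: bool = False                      # the 'send sample files' option
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # checksum -> (verdict, expiry)
    queries_sent: int = 0
    samples_to_submit: List[str] = field(default_factory=list)

    def lookup(self, data: bytes) -> str:
        checksum = file_checksum(data)
        cached = self.cache.get(checksum)
        if cached and cached[1] > self.now():
            return cached[0]                          # allow-listed/known file: no DNS traffic
        self.queries_sent += 1
        answer = self.resolve(query_name(checksum))
        if answer is None:
            verdict = UNKNOWN                          # not cached: new information may appear later
        else:
            rdata, ttl = answer
            verdict = VERDICT_BY_OCTET.get(int(rdata.rsplit(".", 1)[1]), UNKNOWN)
            if verdict != UNKNOWN:
                self.cache[checksum] = (verdict, self.now() + ttl)   # honour the record's TTL
        if verdict == UNKNOWN and self.submit_samples:
            # Whether the lab already holds a sample is not modelled here.
            self.samples_to_submit.append(checksum)
        return verdict


def make_fake_resolver(known: Dict[str, str]) -> Resolver:
    """Constructed stand-in for the lookup service: maps checksum -> verdict."""
    table = {query_name(c): v for c, v in known.items()}
    octet = {CLEAN: 1, MALICIOUS: 2}

    def resolve(name: str) -> Optional[Tuple[str, int]]:
        verdict = table.get(name)
        return None if verdict is None else (f"127.0.0.{octet[verdict]}", 300)

    return resolve


# Constructed sample "files" for the demo.
SYSTEM_DLL = b"constructed sample: common system file"
DROPPER = b"constructed sample: known bad"
NEW_FILE = b"constructed sample: never seen before"


def demo(submit_samples: bool = True):
    """Scan three files twice, then once more after the cache TTL has expired.
    Returns (verdicts, query counts after each pass, queued sample checksums)."""
    clock = [1000.0]
    resolver = make_fake_resolver({
        file_checksum(SYSTEM_DLL): CLEAN,
        file_checksum(DROPPER): MALICIOUS,
    })
    client = LiveLookupClient(resolve=resolver, now=lambda: clock[0],
                              submit_samples=submit_samples)
    files = (SYSTEM_DLL, DROPPER, NEW_FILE)
    verdicts = [client.lookup(f) for f in files]
    first_pass = client.queries_sent               # every file queried once
    verdicts += [client.lookup(f) for f in files]
    second_pass = client.queries_sent              # only the unknown file is re-queried
    clock[0] += 301                                # TTL of 300 s has elapsed
    client.lookup(SYSTEM_DLL)
    after_expiry = client.queries_sent             # cached verdict expired, queried again
    return verdicts, (first_pass, second_pass, after_expiry), client.samples_to_submit


if __name__ == "__main__":
    print(demo())
```

The second pass shows why the allow list is cached: the two known files cost no DNS traffic, while the unknown file is looked up again each time because, as the text notes, a verdict may have been reached since the previous scan. The expiry step shows the same freshness rule applied to cached verdicts via the record TTL.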