Sophos Frequently Asked Questions
- Does Sophos have heuristic scanning?
- Detection Methods
- Pattern Matching
- Virus Descriptions
- What are the default settings for detecting/cleaning?
- How often does Sophos AV get updated?
- What can I do when Remote Update fails?
- Where can I get it and how do I install it?
Does Sophos have heuristic scanning?

Yes. Sophos AV incorporates heuristic scanning for viruses that Sophos has not yet analysed. There is no option to enable or disable it, because it is always on and runs in the background as part of every scan. Further details on how detection works follow.
Detection Methods

How a virus is detected depends on its type. During a scan the engine analyses each file, identifies its type and then applies the relevant technique or techniques. Underlying all of the methods is the same basic idea: looking for certain types of instruction, or for certain orderings of instructions.
Pattern Matching

In its simplest form, pattern matching means the engine knows a particular sequence of virus code and looks for an exact match, which identifies the file as infected. More often, the engine looks for sequences of code that are similar, but not necessarily identical, to the known virus code. When writing the descriptions against which files are compared during a scan, Sophos virus researchers keep the identifying code as general as possible so that, using the heuristics explained below, the engine finds not only the original virus but also its later derivatives.
The engine can combine basic pattern matching with heuristics, that is, general rather than specific rules, to detect several viruses in the same family even though Sophos researchers might have analysed only one of them. A single description can therefore catch several variants of one virus. The more general a description is, the greater the risk of matching clean code, so Sophos tempers its heuristics with the other methods to keep false positives to a minimum.
Emulation is the technique the engine applies to polymorphic viruses. The emulator is used on DOS and Windows executables; polymorphic macro viruses are instead found by detection code written in Sophos' Virus Description Language (see below).
Polymorphic viruses are encrypted viruses that change their own appearance in an effort to hide. No constant virus code is visible: the virus encrypts itself differently each time it spreads, and decrypts itself when it runs. The output of that decryption is the real virus code, and that is what the Sophos engine detects after running the sample in the emulator.
Executables sent to the engine for scanning are run inside the emulator, which tracks the virus body as it is decrypted and written to memory. The virus entry point normally sits at the front of the file and is the first code to run. In most cases only a small part of the virus body has to be decrypted before the virus can be recognised. Most clean executables stop emulating after only a few instructions, which keeps the overhead low.
Because the emulator runs in a restricted area, if the code does turn out to be a virus, it does not infect the computer.
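The two techniques described above (generic pattern matching from the Pattern Matching section, and the emulation of a polymorphic decryptor from the paragraphs just before this one), as an added example in Python. This is not code from the original page and not Sophos code: the tiny instruction set, the file layout, the two virus bodies, the signatures and the sample files are all invented for illustration. A real engine does the same thing for actual x86 DOS and Windows executables.

```python
# Constructed toy of wildcard pattern matching and decryptor emulation.
# Not Sophos code: the CPU, file layout, bodies and signatures are invented.
from typing import Callable, List, Optional, Set, Tuple

Pattern = List[Optional[int]]          # None = wildcard byte


def parse_pattern(text: str) -> Pattern:
    """'E8 ?? 5D' -> [0xE8, None, 0x5D]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_pattern(data: bytes, pattern: Pattern) -> int:
    """First offset at which pattern matches data, or -1 if it never does."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1


# One-byte opcodes of the invented CPU the emulator executes.
HALT, MOVK, MOVP, MOVC, XORM, ADDK, INCP, LOOP = range(8)


def emulate(image: bytes, stop_when: Callable[[bytes], bool],
            budget: int = 10_000) -> Tuple[bytes, int, Set[int]]:
    """Run image from offset 0 on a private copy of memory, so the code can
    touch nothing real.  Stops at HALT, an unknown opcode, an access past the
    image, an exhausted budget, or when stop_when(memory) holds after a write.
    Returns (memory, instructions executed, offsets written)."""
    mem = bytearray(image)
    pc = k = p = c = 0                  # program counter, key, pointer, counter
    written: Set[int] = set()
    steps = 0
    try:
        while steps < budget and pc < len(mem):
            op = mem[pc]
            steps += 1
            if op == MOVK:                      # k = imm8
                k, pc = mem[pc + 1], pc + 2
            elif op == MOVP:                    # p = imm16 little endian
                p, pc = mem[pc + 1] | (mem[pc + 2] << 8), pc + 3
            elif op == MOVC:                    # c = imm16
                c, pc = mem[pc + 1] | (mem[pc + 2] << 8), pc + 3
            elif op == XORM:                    # mem[p] ^= k: one byte decrypted
                mem[p] ^= k
                written.add(p)
                pc += 1
                if stop_when(bytes(mem)):       # enough decrypted to recognise it
                    break
            elif op == ADDK:                    # rolling key: k = (k + imm8) & 0xFF
                k, pc = (k + mem[pc + 1]) & 0xFF, pc + 2
            elif op == INCP:
                p, pc = p + 1, pc + 1
            elif op == LOOP:                    # c -= 1; jump rel8 while c > 0
                c -= 1
                rel = mem[pc + 1] - 256 if mem[pc + 1] > 127 else mem[pc + 1]
                pc = pc + rel if c > 0 else pc + 2
            else:                               # HALT or unknown opcode
                break
    except IndexError:                          # operand or p ran off the image
        pass
    return bytes(mem), steps, written


def build_polymorphic(body: bytes, key: int, delta: int) -> bytes:
    """Constructed infected image: 15-byte decryptor, then body XORed with the
    rolling key key, key+delta, ...  New key/delta = new bytes on disk."""
    stub = bytes([MOVK, key, MOVP, 15, 0, MOVC, len(body) & 0xFF, len(body) >> 8,
                  XORM, ADDK, delta, INCP, LOOP, (-4) & 0xFF, HALT])  # LOOP -> XORM
    return stub + bytes(b ^ ((key + i * delta) & 0xFF) for i, b in enumerate(body))


def scan(image: bytes, pattern: Pattern) -> Tuple[str, int, int]:
    """Static match on the stored file first; otherwise emulate and match what
    the code wrote.  Returns (verdict, instructions emulated, bytes decrypted)."""
    if find_pattern(image, pattern) >= 0:
        return "infected-static", 0, 0
    mem, steps, written = emulate(image, lambda m: find_pattern(m, pattern) >= 0)
    verdict = "infected-emulated" if find_pattern(mem, pattern) >= 0 else "clean"
    return verdict, steps, len(written)


# Constructed bodies of two family members: a call/pop/sub "delta offset"
# idiom whose sub immediate differs per variant, then a payload string.
BODY_A = bytes.fromhex("E8 00 00 00 00 5D 81 ED 06 10 40 00") + b"INFECT"
BODY_B = bytes.fromhex("E8 00 00 00 00 5D 81 ED 1A 20 40 00") + b"INFECT"
FAMILY_SIG = parse_pattern("E8 00 00 00 00 5D 81 ED ?? ?? 40 00 49 4E 46")  # generic
EXACT_SIG_A = parse_pattern("E8 00 00 00 00 5D 81 ED 06 10 40 00 49 4E 46")  # A only

SAMPLES = {
    "plain-A": bytes([HALT]) + BODY_A,                # unencrypted infection
    "poly-A": build_polymorphic(BODY_A, 0x5A, 0x07),  # each with its own key
    "poly-B": build_polymorphic(BODY_B, 0xC3, 0x11),
    "clean": bytes([HALT]) + b"ordinary program, nothing to decrypt",
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        static = find_pattern(image, FAMILY_SIG) >= 0
        print(name, "static-match" if static else "no-static-match", scan(image, FAMILY_SIG))
```

Running it shows all three outcomes the text describes. The unencrypted copy is caught by the static pattern match alone. The two polymorphic copies share no bytes on disk with each other or with the signature, so the static scan misses both; the emulator then runs each decryptor in its private copy of memory and the generic description matches after 60 emulated instructions, once only the first 15 bytes of the body have been decrypted. The clean file halts after a single instruction, which is the low-overhead case mentioned above, and the instruction budget stops a sample that never halts. The one generic signature with two wildcard bytes catches both family members, whereas the exact signature taken from variant A catches only A.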
Virus Descriptions

Sophos exchanges virus samples with other trusted anti-virus companies every month. In addition, customers send in thousands of suspect files each month, about 30% of which turn out to be viruses. Each sample undergoes rigorous analysis in Sophos' secure virus labs to determine whether or not it is a virus. For each newly discovered virus, or group of viruses, Sophos then creates a description.
For further info visit http://www.sophos.com/products/es/endpoint/sav.html
What are the default settings for detecting/cleaning?

By default, Sophos AV on a remote user's computer detects a virus and blocks access to the infected file until the user sets the action to clean or delete it. This differs from computers that are joined to the ACU campus network domain (employee computers): those are centrally managed and are configured to clean or delete incoming viruses automatically.
Sophos AV for the remote user therefore allows more flexibility in choosing the action taken when a virus is detected; the settings mandated for campus computers are not mandated for the remote user's computer. The default action is to detect the virus and restrict access to the infected file (a form of quarantine). Darrell Fauvel is finishing exact instructions for enabling automatic deletion of detected viruses; these instructions will be posted on the web soon.
How often does Sophos AV get updated?

Sophos AV is updated by the Remote Update client installed on your computer. You can tell that Remote Update is running if you see its icon in the lower right corner of your screen, near the clock. By default, Remote Update checks for Sophos AV updates every 60 minutes while the computer is connected to the internet. To verify that Sophos AV is up to date, right-click the icon and select View Status from the popup menu. The status screen contains an Update Details section with a Status: entry that should read "Sophos Anti-Virus for Windows is up to date".
What can I do when Remote Update fails?

The most likely cause is that firewall software installed on your computer is blocking Remote Update's connection attempt. If you are familiar with your firewall's settings, the better fix is to add a rule that allows Remote Update to connect, so the firewall can stay enabled. Otherwise, disable the firewall only for as long as Remote Update needs to check for updates and re-enable it immediately afterwards; while it is off the computer has no firewall protection, so keep that window as short as possible.
If Remote Update still cannot check for updates after the firewall has been disabled, the problem may lie with internet traffic rather than with your computer. Try running Remote Update again later. If the problem persists, call Team55 at 674-5555 for assistance.