Wednesday, May 21, 2008

Sophos Antivirus False Positive, Licensing, Customer Service

This blog entry has been modified from its previous version to include the most recent and heinous fail-ness of Sophos.

First off, let me concede that Conficker and many other viruses would be a pain in the ass for ANY anti-virus company to deal with. At some point, the vulnerability in Windows ceases to be a factor in getting the virus, because it will log keystrokes and attempt to use administrator credentials to access other computers via the C$ share and just drop itself straight onto the target PC. Anti-virus might have a problem dealing with this kind of infection method because it's not anti-virus's job to be a firewall, and destroying the bad files is fruitless because the reinfection attempts continue indefinitely. To get rid of Conficker, you need to have ALL computers patched up, and clean them all within a pretty narrow time frame. You have to clean Conficker from your network more so than from your computer.
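The "clean the network, not the computer" point above comes down to spotting which machine is doing the spreading. As an added example (not from this post and not anything Sophos ships), here is a small detector that reads share-access log lines and flags any host that reaches the hidden administrative shares of many peers within a short window. The log format, host names, window and threshold are all constructed for the demo; a real deployment would feed it share-access audit events from the file servers or domain controllers.

```python
"""Flag hosts that fan out to admin shares on many peers in a short window.

Added example, not code from the blog post or from Sophos. The log format
below is constructed for this demo; real input would be Windows share-access
audit events. The 5-minute window and 5-target threshold are assumptions
to tune for your own network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per connection to a share on another host.
SAMPLE_LOG = """\
2008-05-20 09:00:01 src=WS-017 dst=WS-021 share=C$ user=DOMAIN\\admin
2008-05-20 09:00:03 src=WS-017 dst=WS-022 share=C$ user=DOMAIN\\admin
2008-05-20 09:00:04 src=WS-017 dst=WS-023 share=ADMIN$ user=DOMAIN\\admin
2008-05-20 09:00:06 src=WS-017 dst=WS-024 share=C$ user=DOMAIN\\admin
2008-05-20 09:00:09 src=WS-017 dst=FS-01 share=C$ user=DOMAIN\\admin
2008-05-20 09:00:10 src=WS-017 dst=FS-02 share=C$ user=DOMAIN\\admin
2008-05-20 09:15:00 src=WS-030 dst=FS-01 share=Shared user=DOMAIN\\jdoe
2008-05-20 09:16:40 src=WS-030 dst=FS-02 share=Shared user=DOMAIN\\jdoe
2008-05-20 10:00:00 src=MGMT-01 dst=WS-021 share=C$ user=DOMAIN\\admin
2008-05-20 11:30:00 src=MGMT-01 dst=WS-022 share=C$ user=DOMAIN\\admin
"""

# Hidden administrative shares; an ordinary user session rarely touches these.
ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}


def parse_line(line):
    """Turn one constructed log line into a dict; returns None on malformed input."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not {"src", "dst", "share"}.issubset(fields):
        return None
    fields["ts"] = ts
    return fields


def find_fanout(log_text, window=timedelta(minutes=5), min_targets=5):
    """Return {src: (distinct_targets, first_ts, last_ts)} for every source that
    touched admin shares on at least `min_targets` distinct hosts inside `window`.

    A sliding window over each source's admin-share events keeps this linear
    in the number of events; a legitimate admin box that visits a few hosts
    over the day stays below the threshold.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["share"].upper() in ADMIN_SHARES:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                best = alerts.get(src)
                if best is None or len(targets) > best[0]:
                    alerts[src] = (len(targets), events[start][0], events[end][0])
    return alerts


if __name__ == "__main__":
    for src, (n, first, last) in find_fanout(SAMPLE_LOG).items():
        print(f"{src}: admin shares on {n} hosts between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample, WS-017 is reported (six admin shares in nine seconds) while MGMT-01, which touches two machines ninety minutes apart, and WS-030, which only uses an ordinary share, are not. The output is a list of hosts to isolate and clean first, which is the practical form of cleaning the network rather than one computer at a time.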

Anyway, having said that, Sophos Enterprise has failed us because the program that runs in the background protecting your computer... does squat. When a virus is detected, the software just tells you via email that the computer is infected, and then it pretty much stops there. I'm not going to elaborate on this one except to say that in the case of a virus that behaves like Conficker, there needs to be at least some next level of attempted protection other than just telling the administrator that computers are infected. The software could, for example, at least make housecleaning easier by deleting the bogus Task entries created by the virus. It could also shut down the process running the virus and delete the randomly named file that sources it. And here's a novel idea: when on-access scanning detects a virus-infected file on the PC, let's go ahead and let it scan memory for the virus too and shut that down, ok?
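The housecleaning the paragraph asks for starts with knowing which Task entries are bogus. As an added example (again not code from this post or from Sophos), the script below reads a task listing and reports tasks whose command points at a file in a temp directory or at a file with a random-looking name. The CSV is a constructed, trimmed-down version of what `schtasks /query /fo CSV /v` prints (the real output has many more columns), the host and task names are made up, and the "random-looking name" rule is a rough heuristic of my own, not a published signature. It only reports; deleting a task (for example with `schtasks /delete /tn`) stays a decision for the administrator.

```python
"""Triage scheduled tasks for entries worth a second look.

Added example, not code from the blog post or from Sophos. SAMPLE_TASKS is a
constructed, trimmed-down imitation of `schtasks /query /fo CSV /v` output;
looks_random() is an assumed heuristic, not a vendor signature.
"""
import csv
import io
import re

# Constructed sample listing (raw string so the backslashes survive as-is).
SAMPLE_TASKS = r'''"HostName","TaskName","Status","Author","Task To Run"
"WS-017","\Nightly Backup","Ready","DOMAIN\admin","C:\Tools\backup.cmd /full"
"WS-017","\Defrag","Ready","SYSTEM","defrag.exe C:"
"WS-017","\SysUpdate","Ready","SYSTEM","rundll32.exe C:\WINDOWS\system32\qzkvxwtp.dll,StartEntry"
"WS-017","\Updater","Ready","DOMAIN\jdoe","C:\DOCUME~1\jdoe\LOCALS~1\Temp\update.exe"
'''

# Absolute Windows paths, either quoted (may contain spaces) or bare.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s,"]+)')
# A path component named temp/tmp anywhere along the way.
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def referenced_paths(command):
    """Every absolute path mentioned in a task's command line, in order."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]


def looks_random(filename):
    """Heuristic (an assumption, not a signature): vendor file names almost
    always contain vowels and short consonant runs; a stem with none, or a
    run of five or more consonants, reads like a generated name."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", filename).lower()
    letters = "".join(c for c in stem if c.isalpha())
    if len(letters) < 6:          # too short to judge
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    runs = re.findall(r"[^aeiouy]+", letters) or [""]
    return vowels == 0 or max(len(r) for r in runs) >= 5


def triage_tasks(csv_text):
    """Return [(host, task, path, reason)] for tasks that deserve a look.
    Report-only: nothing here deletes a task or a file."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for path in referenced_paths(row.get("Task To Run", "")):
            name = path.rsplit("\\", 1)[-1]
            reasons = []
            if TEMP_RE.search(path):
                reasons.append("runs from a temp directory")
            if looks_random(name):
                reasons.append("random-looking file name")
            if reasons:
                findings.append((row["HostName"], row["TaskName"], path,
                                 "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, task, path, reason in triage_tasks(SAMPLE_TASKS):
        print(f"{host} {task}: {path} ({reason})")
```

On the sample, the backup and defrag tasks pass, `\SysUpdate` is reported for the random-looking DLL name, and `\Updater` for running out of a temp directory. The same listing gives the file path the paragraph wants removed and, via the running process list, the process to shut down; the script deliberately stops at producing that list.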

What are these anti-virus companies going to do when somebody decides "no more mr. nice hacker" and writes a truly DESTRUCTIVE virus like the ones we enjoyed in the early '90s? Well, for one, they are going to FAIL to protect dozens or hundreds of computers on your network. Better have a clean rollback plan or a quick re-up plan, because someday ALL your computers are physically going DOWN with a broken OS or deleted hard drive data. And I'll tell you exactly what the anti-virus companies will do...

See, this drought of destructive viruses has softened the standard. "Nasty" viruses now include things like Conficker. When a globally destructive one hits in the future, this means that AV companies will get to play the "OMG this virus is SO bad, there was no way to be prepared for it! We ALL got pwnd, but we'll be prepared next time with new version x.x.x, which only costs $y." The reality is that they should have been sitting on the edge of their seats for such a virus for the last 10 years, but have been taking the easy money from you instead of protecting you. Don't believe it? Just wait and see.

Unrelated, and prior to the failure to deal with Conficker:

Sophos Antivirus threw a false positive on a DLL file that is part of our primary health information software, Meditech. Basically, within the span of an hour, our health information was rendered inaccessible due to it being shut down by Sophos. OK, so this might be understandable; false positives do happen. Also, Sophos was fairly quick about taking a sample of the file and re-issuing the virus definitions. I'll give them that, and the fact that they really are the best anti-virus company on the market. Best does not mean completely good, however...

When I asked them to provide me with some tech details on what exactly was found in this DLL that made it appear viral (I want exact binary snippets), they refused as if that was "classified information". I'd like to have this so that Meditech can be made aware of exactly what parts of their code were being mistaken for viral code. Hell, do they think their virus definition can't be reversed to find out what this code is? Nah, they know that; they just must get giggles knowing that someone will have to work or pay for the information that they could give us freely.

Also, I feel like we were recently "pinged" by Sophos on a licensing issue, when the subject of "user" vs. "workstation" licensing came up. We were under the impression that after adding a certain number of computers to our network, we'd need to check our licensing with Sophos. We were informed for the first time ever that they license "per user", and they then proceeded to ask about our user count for the first time ever. Fine, we have fewer users than we do computers; that should save us about 100 licenses when it comes to our servers alone. I personally don't see the logic in protecting a user with an antivirus license as opposed to a computer, because, as a co-worker put it, at the end of the day that user goes home and doesn't have a virus. The computer is still sitting here with it. So Sophos, logic please? Heck, it might not even matter, because it seems like even their own people don't really know how the licensing works either.