Chris de la Force IT Services
Sophos
what we pay for
what we don't pay for (but should we?)
what we hate (abridged version)
what's new for 2009?
overview of campus system
what happens when licence expires?
Conficker
Chris' top tips for campus / home safety
Anti-virus (we switched to this at version 5.0: bloody awful!)
PUA aka spyware detection (added in 6.0, finally usable)
HIPS, Host Intrusion Prevention System (added in 7.0 to detect buffer overflows, nice)
Suspicious behaviour detection (added in 7.0)
Anti-rootkit (added in 7.5, by running a scheduled scan only)
Internet Explorer protection (sneakily added in Sophos 7.5; should have been in 8.0)
PhishAlert (available everywhere but Europe!)
MS Windows (specifics on next slide)
Apple Mac OS X 10.4+ (Intel or PowerPC)
GNU/Linux (separate on-access / on-demand versions available)
UNIX, NetWare and OpenVMS (bothered?)
NetApp Storage Systems
Windows Mobile 5/6 (at extra charge)
32-bit: 2000 SP3+ / XP SP1a+ / 2003 / Vista / 2008
64-bit (but running in 32-bit mode): XP SP1a+ / 2003 / Vista / 2008
Itanium 64-bit: 2003 / 2008
Legacy (definition updates only): 95 OSR2 / 98 SE / NT4 SP6a
The Vista version (Sophos 7) works fine on Windows 7, but the Windows 7 Security Center uses a different check method and reports it as out of date. Will be fixed for Windows 7 in Sophos 8.
Application control (e.g. P2P / games / browsers / IM / toolbars)
Device control (e.g. USB storage, Bluetooth / wireless / IrDA, disc drives)
Firewall (managed by AV policy)
Mobile device protection (any Windows Mobile 5/6 device, e.g. HTC phones)
Network Access Control (not compatible with Infoblox, so we can't have it)
ZombieAlert (free to Platinum members; JANET does this for us anyway)
Coming soon (Q4):
Encryption (SafeGuard): file- and device-level protection
Patch manager (only allow specific software versions to run)
Annoying updates: very slow and intensive
Annoying startup: updates during login
Annoying remote installation: assumes well-managed AD containers (not us then)
Annoying remote uninstallation: you can't!
Annoying disinfection: sometimes doesn't
Annoying console: can't delegate (yet)
Annoying behaviour detection: everything is suspicious!
Will it improve in Sophos 8 this year?
Sophos Anti-Virus 8:
prevents saving unencrypted documents or sending emails if they contain bank/user account details
also prevents saving restricted files to unauthorised external devices
integrates with Vista/7 BitLocker
Sophos administrative roles: delegation
Sophos Data Distribution System: faster updates
At the moment there is one account which controls everything: an admin in Law could remove all the AV software in ITS, for example. Enterprise 4 allows each OU to be controlled by a different account, and at different levels, e.g. a Law install account, a Law cleanup account, an ITS reports account, an ITS update account.
Smaller updates
Faster reinstall via a locally held warehouse in [App Name]\data\warehouse
Load-balanced, scalable update location (multiple primaries)
Digitally signed updates rather than a checksum
But it's for Windows clients only
1. Contact the primary server. If there is no response within 1 min, contact the secondary server for 1 min.
2. Download updates to the local cache and checksum them.
3. Restart the Sophos service, unless the SAV version changed.
4. If the version did change, download the whole new package, clear the cache and reinstall Sophos.
Result: the slowest AV updates in history.
1. Contact the primary load balancer. Update from the least-loaded server in the pool.
2. Download signed updates to the local warehouse. Reject unsigned files automatically.
3. Restart the Sophos service, unless the SAV version changed.
4. If it did, only reinstall if the full new package is a smaller download than the total of the changes.
Result: quick updates, and some reinstalls skipped.
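As an added example (not Sophos' own updater, and not part of the original slides), here is a PowerShell model of the new update cycle above, written to make the one security-relevant difference from the old cycle concrete: a checksum only proves the package arrived intact, and anyone who can swap the package on the server can swap the checksum with it, whereas a signature proves who built it. The share name, warehouse path, package and version file names, service name, version string and pool hostnames are all assumptions made for the illustration.

```powershell
# Added example (not Sophos' own updater): a PowerShell model of the Sophos 8
# update cycle in the four steps above. The share name, warehouse path,
# package and version file names, service name and version string are all
# assumptions made for the illustration.

function Test-SignedUpdate {
    param([string]$Path)
    # A checksum only proves the bytes arrived intact; an attacker who can
    # swap the package can swap the checksum too. An Authenticode signature
    # proves who built it, so anything that is not 'Valid' (unsigned,
    # tampered, untrusted chain) is rejected.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid')
}

function Get-UpdateDecision {
    param([string]$Installed, [string]$Offered, [long]$FullPackageBytes, [long]$DeltaBytes)
    if ($Installed -eq $Offered)           { return 'RestartService' }  # same SAV version: definitions only
    if ($FullPackageBytes -lt $DeltaBytes) { return 'Reinstall' }       # full package is the cheaper download
    return 'ApplyDelta'                                                 # otherwise keep the install, apply the changes
}

function Invoke-SophosUpdate {
    param(
        [string[]]$Pool,                                                # servers behind the load balancer
        [string]$Warehouse = "$env:ProgramData\Sophos\data\warehouse",  # assumed warehouse path
        [string]$Installed = '7.6.0',                                   # assumed installed SAV version
        [string]$Service   = 'SAVService'                               # assumed service name
    )
    if (-not (Test-Path $Warehouse)) { New-Item -ItemType Directory -Path $Warehouse | Out-Null }

    # Step 1: the real balancer picks the least-loaded server; from the client
    # side all we can do is take the first one in the pool that answers.
    $server = $Pool | Where-Object { Test-Path "\\$_\SophosUpdate" } | Select-Object -First 1
    if (-not $server) { throw 'No update server reachable' }
    $share = "\\$server\SophosUpdate"

    # Step 2: copy into the local warehouse, then verify before anything else touches it.
    $package = Join-Path $Warehouse 'savxp.msi'
    Copy-Item (Join-Path $share 'savxp.msi') $package -Force
    if (-not (Test-SignedUpdate $package)) {
        Remove-Item $package -Force
        throw "Rejected unsigned or tampered package from $server"
    }

    # Steps 3 and 4: restart, apply the delta, or reinstall, whichever is cheapest.
    $offered = (Get-Content (Join-Path $share 'version.txt') | Select-Object -First 1).Trim()
    $full    = (Get-Item $package).Length
    $delta   = (Get-ChildItem (Join-Path $share 'delta') -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
    if (-not $delta) { $delta = [long]::MaxValue }    # no delta on offer: the full package always wins
    $decision = Get-UpdateDecision $Installed $offered $full $delta
    switch ($decision) {
        'RestartService' { Restart-Service $Service }
        'ApplyDelta'     { Copy-Item (Join-Path $share 'delta\*') $Warehouse -Force; Restart-Service $Service }
        'Reinstall'      { Start-Process msiexec.exe -ArgumentList "/i `"$package`" /qn" -Wait }
    }
    return $decision
}

# Usage (assumed pool names):
# Invoke-SophosUpdate -Pool 'sophos1.example.ac.uk', 'sophos2.example.ac.uk'
```

The signature check sits before the version comparison on purpose: a package that fails verification is deleted from the warehouse before any decision is taken about it, which is the "reject unsigned files automatically" step of the new cycle.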
The Sophos 8 beta will be Q3 this year (not the usual Q2).
Victims, er, volunteers:
1. RDG-HOME only
2. IT supporters only
3. Trashable machines only (if it dies, you fix it)
4. Windows XP/2003/Vista only (32/64-bit)
Email me to be put on the list. Regulars assumed.
Do we stick with it, or evaluate other CHEST offerings (it would have to be a massive saving)?
If we stick with it, do we pay for extra features (which ones do you want? where is the cash?)
If we don't stick with it (why not?), we need 6 months to trial other software.
Should Reading and Henley use the same vendor?
Attacks anything lacking update MS08-067
Prevents start-up of security services
Blocks DNS requests to AV sites
Locks its own files to prevent removal
Hides itself if it detects a VM host
Spreads as hidden files in the recycle bin, and via autorun
Now uses P2P rather than Windows sharing
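As an added example, not part of the original slides, the following PowerShell checks a local machine for the indicators listed above, one function per slide bullet that can be observed from the host. KB958644 is the hotfix for MS08-067; the list of services, the AV hostname used for the DNS test and the recycle-bin folder names are assumptions made for this check, and the "hides itself from a VM" and P2P behaviours are not something a host script can test.

```powershell
# Added example, not from the slides: a quick triage of the Conficker
# indicators listed above on the local machine. KB958644 is the MS08-067
# hotfix; the service list, the AV hostname used for the DNS test and the
# recycle-bin folder names are assumptions for this check.

function Test-ConfickerIndicators {
    $findings = @()

    # 1. Unpatched for MS08-067 (KB958644)?
    $fix = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq 'KB958644' }
    if (-not $fix) { $findings += 'MS08-067 (KB958644) is not installed' }

    # 2. Security services it prevents from starting
    foreach ($name in 'wuauserv', 'BITS', 'WinDefend', 'wscsvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne 'Running') { $findings += "service $name is $($svc.Status)" }
    }

    # 3. DNS to AV sites blocked? Only suspicious if other names still resolve.
    try { [void][System.Net.Dns]::GetHostAddresses('www.sophos.com') }
    catch {
        try {
            [void][System.Net.Dns]::GetHostAddresses('www.microsoft.com')
            $findings += 'www.sophos.com does not resolve but other names do'
        } catch { }   # no DNS at all: a network problem, not an indicator
    }

    # 4. Hidden autorun.inf in a drive root, hidden files in the recycle bin
    $noise = 'desktop.ini', 'INFO2'   # legitimately hidden recycle-bin housekeeping files
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $root = $drive.Root
        $autorun = Get-Item (Join-Path $root 'autorun.inf') -Force -ErrorAction SilentlyContinue
        if ($autorun -and ($autorun.Attributes -band [IO.FileAttributes]::Hidden)) {
            $findings += "hidden autorun.inf on $root"
        }
        foreach ($bin in 'RECYCLER', '$Recycle.Bin') {
            $path = Join-Path $root $bin
            if (-not (Test-Path $path)) { continue }
            $hidden = Get-ChildItem $path -Recurse -Force -ErrorAction SilentlyContinue |
                      Where-Object { -not $_.PSIsContainer -and
                                     ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                                     $noise -notcontains $_.Name }
            foreach ($f in $hidden) { $findings += "hidden file in recycle bin: $($f.FullName)" }
        }
    }
    return $findings
}

Test-ConfickerIndicators
```

An empty result means none of the four observable indicators fired, not that the machine is clean; a stopped service or a failed lookup is a reason to pull the machine off the network and scan it, not proof of infection on its own.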
I went on holiday
Produced a list of un-patched machines (KAGM) and of suspicious network behaviour (CDW)
Domain: removal via start-up script
Domain: scanning policy changed to scan on read/write rather than on read only
Not much ITS can do if you're not on the domain (especially if not managed in an OU)
Chris' top tips for home and campus (time permitting)
Use the minimum privileges possible to perform the task required. Possibilities:
1. Use Windows Vista UAC (pause for laughter)
2. Log in as an XP User and use MakeMeAdmin as needed (ideal solution)
3. Log in as an XP Admin and use DropMyRights as needed (more practical solution)
Running as a User and accessing Control Panel as Admin:
C:\Path\to\MakeMeAdmin.exe control.exe
Running as Admin and browsing/emailing as a User:
C:\Path\to\DropMyRights.exe iexplore.exe
C:\Path\to\DropMyRights.exe outlook.exe
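As an added example (not from the slides, and not the tools' own code), the PowerShell below first checks which way round you are, then does the same two jobs with what Windows ships: an elevation prompt for the one task that needs admin, and `runas /trustlevel` to launch the browser and mail client with a restricted token when you are already admin. The Outlook path is an assumption.

```powershell
# Added example, not from the slides: an elevation check plus the Windows
# built-in equivalents of the two tools above, so the same habit works where
# MakeMeAdmin/DropMyRights are not installed. The Outlook path is an assumption.

function Test-IsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Running as a User and needing Control Panel as Admin (the MakeMeAdmin case):
# -Verb RunAs raises the UAC prompt on Vista/7; on XP use runas /user:Administrator control.exe
if (-not (Test-IsAdmin)) {
    Start-Process control.exe -Verb RunAs
}

# Running as Admin but about to browse or read email (the DropMyRights case):
# 0x20000 is the SAFER "Basic User" level; 'runas /showtrustlevels' lists the rest.
if (Test-IsAdmin) {
    runas /trustlevel:0x20000 "$env:ProgramFiles\Internet Explorer\iexplore.exe"
    runas /trustlevel:0x20000 "$env:ProgramFiles\Microsoft Office\Office12\outlook.exe"
}
```

The point of the check is the same as the slide's: the process that touches untrusted content (browser, mail) should never hold the admin token, whichever account you logged in with.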
Never, ever, browse or read email as an admin. Ever. Especially on a server. I mean it. So why does everyone do it?
Run Baseline Security Analyzer on new builds
Use our domain update server, not MS
Run the Secunia Online scanner every month
Install Windows Defender (it works now)
Don't hide known file extensions (still the default even in Windows 7!)
Check your Outlook Trust Center
Check your IE security settings (they might have slipped to Low)
Update root certificates and set IE to check for revocation or mismatch (the default on Windows 7 at last!)
Disable SSL2 support (use SSL3/TLS1)
Enable the popup blocker and phishing filter
Check the Sophos browser plugin is installed
Delete temporary files on exit
Check the browser security level
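As an added example, not from the slides, the PowerShell below reads the IE and Explorer settings from the two slides above out of the current user's registry and reports what has slipped, so the check can be scripted rather than clicked through. The registry paths and value names are the standard ones for IE 7/8; the pop-up blocker, phishing filter and Sophos plugin checks are left out because their storage varies by version.

```powershell
# Added example, not from the slides: audit the IE and Explorer settings from
# the two slides above for the current user and report what has slipped.
# Registry paths and value names are the standard ones for IE 7/8.

function Get-IeSecurityAudit {
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $ie   = Get-ItemProperty $inet
    $issues = @()

    # SecureProtocols is a bitmask: 0x08 SSL 2.0, 0x20 SSL 3.0, 0x80 TLS 1.0.
    # 0xA0 (SSL3 + TLS1) is the "disable SSL2" setting from the slide.
    if ($ie.SecureProtocols -eq $null) {
        $issues += 'SecureProtocols not set (IE version default applies)'
    } else {
        $proto = [int]$ie.SecureProtocols
        if ($proto -band 0x08)        { $issues += 'SSL 2.0 enabled (set SecureProtocols to 0xA0)' }
        if (-not ($proto -band 0x80)) { $issues += 'TLS 1.0 disabled' }
    }

    # Revocation checking and the certificate name-mismatch warning
    if ($ie.CertificateRevocation -ne 1) { $issues += 'server certificate revocation check is off' }
    if ($ie.WarnOnBadCertRecving  -ne 1) { $issues += 'certificate name mismatch warning is off' }

    # Internet zone (zone 3) level: 0x10000 Low, 0x10500 Medium-Low, 0x11000 Medium,
    # 0x11500 Medium-High, 0x12000 High. Anything below Medium has slipped.
    $zone = Get-ItemProperty "$inet\Zones\3"
    if ($zone.CurrentLevel -ne $null -and [int]$zone.CurrentLevel -lt 0x11000) {
        $issues += ('Internet zone security level is 0x{0:X} (below Medium)' -f [int]$zone.CurrentLevel)
    }

    # Explorer: show known file extensions so "invoice.pdf.exe" is not displayed as "invoice.pdf"
    if ((Get-ItemProperty $adv).HideFileExt -ne 0) { $issues += 'known file extensions are hidden' }

    return $issues
}

Get-IeSecurityAudit
```

Run it in the user's own session (the values are per-user, under HKCU); an empty list means the audited settings match the slides, nothing more.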
The best way to survive with IE is to combine it with Privoxy, the Privacy Proxy: http://www.privoxy.org/
Runs as a local service
Point IE's proxy settings at http://localhost:8118
That's it, the default config is fine for most people
Fully customisable through the browser (RTFM)
IE 7 64-bit version
Pros: uncommon, so less targeted
Cons: some website trouble, needs a 64-bit OS
IE 8
Pros: InPrivate mode (aka InPorn mode)
Cons: some website trouble (esp. on campus)
By default only Sophos Anti-Virus is enabled, so you can do a baseline scan first. Afterwards enable:
Suspicious file scan
Adware scan
HIPS behaviour scan (not "alert only")
Rootkit scan (scheduled scan only)
We can use more software for home use than on campus.
Secunia Personal scanner, not the Online scanner
Use a less common browser (K-Meleon / Opera)
Vista: use Parental Controls (fiddly at first)
XP: use IE Content Advisor with child accounts
Use Windows SteadyState for guest users
Don't be low-hanging fruit! Avoid common applications, as they'll be targeted first, especially if they're aimed at casual users:
iTunes (use Songbird, MediaMonkey, YamiPod)
RealPlayer (use Real Alternative)
Adobe Reader (use Sumatra, Foxit)
QuickTime (use QuickTime Alternative)
MSN Messenger (use Digsby, Pidgin)
Alternatively, do all browsing and emailing in a virtual machine. All you need is:
1. A free VM (e.g. VMware Player, Sun VirtualBox)
2. A Linux ISO image (e.g. Xubuntu, DSL)
Boot the VM off the ISO, take a snapshot, browse away, revert the snapshot. Can't get Conficker!
Firefox 3 (also available in 64-bit; is it becoming too popular though?)
Opera 9 (extremely capable, with centralised bookmarks)
K-Meleon (stripped-down Firefox, 5 MB! Add only the features you need)
Internet Explorer 8 (until it becomes popular)
Internet Explorer 64-bit (until it becomes popular, if you've got 64-bit)
Safari for Windows (do Apple have lots of security experience? No).
Google Chrome (do you trust your browsing habits to a company which lives off advertising and data mining? No).
Internet Explorer special editions provided by ISPs (you get what you deserve).
Backup your files, and keep the backup safe. Assume that every time you turn on your PC the hard disk will break. Can you recover?
Don t think of your PC as being connected to the Internet. Think of the Internet as being connected to your PC.
First on Sophos in particular, then on top tips, then lunch.