Sophos


zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Thanks for this! OpenVPN will be one of the first services I enable. I have it on my ASUS router and couldn't do without it; with my job the way it is, I've GOT to have access to my home network when I'm traveling.
I forgot to add this, so I edited my post above to include it:
  • This PSK [Pre-Shared Key] must be shared with all clients, so either scp the file, or vim /var/sec/chroot-openvpn/etc/openvpn/tls-auth.key, select the text, copy it, then paste it into a text file named tls-auth.key. This can either be referenced in the client config, or it can be pasted inline in the client config file.
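The "paste it inline" option from the bullet above, as an added example (not from the thread or from Sophos): a small POSIX shell helper that takes a client config referencing the key file on disk and emits a single self-contained .ovpn with the key embedded. It assumes the config carries a `tls-auth tls-auth.key 1` line (direction 1 on the client side); the sample config and key below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: turn a client .ovpn that
# references tls-auth.key on disk into one self-contained file with the key
# pasted inline, the second option described in the post above.
# Assumption: the client config carries "tls-auth tls-auth.key 1" (direction 1
# on clients, matching direction 0 on the server side).
set -eu

# inline_tls_auth CONFIG KEYFILE
# Prints CONFIG with the "tls-auth <file> <dir>" line replaced by
# "key-direction <dir>" and an inline <tls-auth> block holding KEYFILE.
# OpenVPN needs key-direction when the key is inline, because the inline
# block has no place for the direction argument.
inline_tls_auth() {
    cfg="$1"; key="$2"
    dir=$(awk '$1 == "tls-auth" { print $3; exit }' "$cfg")
    grep -v '^tls-auth ' "$cfg"          # everything but the on-disk reference
    if [ -n "$dir" ]; then echo "key-direction $dir"; fi
    echo "<tls-auth>"
    cat "$key"
    echo "</tls-auth>"
}

# check_inline FILE: succeeds if FILE has an inline key and no dangling
# "tls-auth <file>" reference left behind.
check_inline() {
    ! grep -q '^tls-auth ' "$1" &&
    grep -q '^<tls-auth>$' "$1" && grep -q '^</tls-auth>$' "$1"
}

# Constructed sample input (not a real key); the real one is copied from
# /var/sec/chroot-openvpn/etc/openvpn/tls-auth.key on the UTM.
WORK=$(mktemp -d)
SAMPLE_CFG="$WORK/client.ovpn"
SAMPLE_KEY="$WORK/tls-auth.key"
cat > "$SAMPLE_CFG" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
tls-auth tls-auth.key 1
verb 3
EOF
cat > "$SAMPLE_KEY" <<'EOF'
#
# 2048 bit OpenVPN static key (constructed placeholder, not a real key)
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
-----END OpenVPN Static key V1-----
EOF

inline_tls_auth "$SAMPLE_CFG" "$SAMPLE_KEY" > "$WORK/client-inline.ovpn"
check_inline "$WORK/client-inline.ovpn" && echo "inline config written to $WORK/client-inline.ovpn"
```

Treat the resulting file like the key itself: it now carries the PSK, so copy it to clients over scp or another authenticated channel, not by mail.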
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Web Filtering is a content filter, not a malware
I may be wrong (not the first time) but if I leave off Web Filtering and a website (let's say www.msn.com for example) is authorized to load however it likes, also while having 15 ads as well, one of those could be a restricted site due to malware and thus the Web Filter would stop that specific ad from loading and disable the link. Let's take it one step further... I load a page like Google and enter some search criteria and click on a link to malware. Won't Web Filtering take care of that?

This comes directly from the Sophos site:
Protect your Kids Web Surfing Habits - Use Web Filtering to stop sites from infecting you with viruses and spyware, keep your kids from surfing to bad sites, and get full reporting on the activity in your home.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
I got ESXi 6.5 up and running without breaking a sweat. I have been spending all day learning my way around the new HTML5 web GUI. I set up an NFS share on my FreeNAS machine so that I could back up the VMs and to provide a way to access installation ISOs. I'm most impressed with snapshots, so that if a software install goes sideways in a VM then I can simply roll back.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I got ESXi 6.5 up and running without breaking a sweat. I have been spending all day learning my way around the new HTML5 web GUI. I set up an NFS share on my FreeNAS machine so that I could back up the VMs and to provide a way to access installation ISOs. I'm most impressed with snapshots, so that if a software install goes sideways in a VM then I can simply roll back.
For the UTM, you can also set up a backup schedule through WebAdmin to email you encrypted config backups at whatever interval you choose. I highly recommend doing so, as there's no effective way to manually run a backup script due to Sophos' customization of Confd. In the first few weeks you're customizing the WebAdmin, I'd configure daily config backups, and once you're at the point of it being fully configured, incl. all applicable static IPs set, the intervals could be safely set to every 1 - 4 weeks.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I may be wrong (not the first time) but if I leave off Web Filtering and a website (let's say www.msn.com for example) is authorized to load however it likes, also while having 15 ads as well, one of those could be a restricted site due to malware and thus the Web Filter would stop that specific ad from loading and disable the link. Let's take it one step further... I load a page like Google and enter some search criteria and click on a link to malware. Won't Web Filtering take care of that?

This comes directly from the Sophos site:
It will, except for home users, it's far more efficient to install Sophos Endpoint by downloading it through WebAdmin in lieu of Web Filter, as it provides the same level of protection, but without the lag caused by the Web Filter. Sophos' Web Filter is intended for corporations, and while it will block malicious content, its primary function is content filtering to restrict access to content employees have access to on company time. The only use case a home user has for the latter is if children have access to the network... otherwise it's like utilizing bacula as a home user instead of crashplan.
  • Configure anti-virus and HIPS -> Web Protection
    • Whereas Web Filter through the UTM will redirect you to a UTM splash page, SEC will simply issue a popup alerting you that access to the webpage has been blocked due to malicious content.

  • Unfortunately, their HIPS algorithms for file scanning are sub-par, so it should either be disabled or used in conjunction with a quality internet security suite's HIPS.
    • You can run the antivirus and HIPS features of SEC alongside your primary antivirus/HIPS/anti-malware program(s) by adding the quarantine folders of each to the other's file/folder scanning exclusion.
      • Sophos': C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\*
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
It will, except for home users, it's far more efficient to install Sophos Endpoint by downloading it through WebAdmin in lieu of Web Filter, as it provides the same level of protection, but without the lag caused by the Web Filter. Sophos' Web Filter is intended for corporations, and while it will block malicious content, its primary function is content filtering to restrict access to content employees have access to on company time. The only use case a home user has for the latter is if children have access to the network... otherwise it's like utilizing bacula as a home user instead of crashplan.
  • Configure anti-virus and HIPS -> Web Protection
    • Whereas Web Filter through the UTM will redirect you to a UTM splash page, SEC will simply issue a popup alerting you that access to the webpage has been blocked due to malicious content.
  • Unfortunately, their HIPS algorithms for file scanning are sub-par, so it should either be disabled or used in conjunction with a quality internet security suite's HIPS.
    • You can run the antivirus and HIPS features of SEC alongside your primary antivirus/HIPS/anti-malware program(s) by adding the quarantine folders of each to the other's file/folder scanning exclusion.
      • Sophos': C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\*
Maybe I am learning something new. Presently I have Norton Internet Security (NIS) installed on all my computers. I wouldn't think it would be a good thing to have two AVs running on the same machine, just a bit of overkill, not harmful. Would you recommend removing NIS from the machines and installing Sophos Endpoint instead? Presently I'm thinking about using a Win10 VM and running from that for a while using the Sophos Endpoint just to test it out.

And thanks for the advice.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Maybe I am learning something new. Presently I have Norton Internet Security (NIS) installed on all my computers. I wouldn't think it would be a good thing to have two AVs running on the same machine, just a bit of overkill, not harmful. Would you recommend removing NIS from the machines and installing Sophos Endpoint instead? Presently I'm thinking about using a Win10 VM and running from that for a while using the Sophos Endpoint just to test it out.

And thanks for the advice.
Norton, Bitdefender, Avast, Avira, Kaspersky and others are all going to do the same type of web monitoring as the Sophos client utility (if installed and configured).
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Maybe I am learning something new. Presently I have Norton Internet Security (NIS) installed on all my computers. I wouldn't think it would be a good thing to have two AVs running on the same machine, just a bit of overkill, not harmful. Would you recommend removing NIS from the machines and installing Sophos Endpoint instead? Presently I'm thinking about using a Win10 VM and running from that for a while using the Sophos Endpoint just to test it out.
No, you definitely do not want to rely on Sophos Endpoint as your main antivirus/HIPS program, as those two features are sub-par in comparison to other antivirus/internet security programs. The reason it's not recommended to run multiple antivirus programs is because each will scan the other's quarantine folder, resulting in issues. Provided you add each program's quarantine folder to the exclusion list of the other, they will run fine together.
  • For example, I use Comodo Internet Security Pro and Sophos Endpoint Security and Control, adding the quarantine folder of each to the other's antivirus exclusions list.
Sophos Endpoint Security and Control's Web Protection feature is awesome however, and you can disable Antivirus and HIPS in Sophos Endpoint & just have Web Protection enabled. I recommend this option if running on a PC with a CPU that isn't a quad core and does not have at least 8GB of RAM.

Also, Sophos Endpoint can be synced with Application Control and have its access settings set via WebAdmin (provided the PC has a direct route to the Sophos router either via LAN or VPN).

Norton, Bitdefender, Avast, Avira, Kaspersky and others are all going to do the same type of web monitoring as the Sophos client utility (if installed and configured).
Kaspersky is a product one should have trepidation about using, as all businesses with Kaspersky contracts have been warned by the FBI & Homeland Security to stop using Kaspersky products, due to evidence Kaspersky is working directly with the Russian Government, forwarding data to them (NSA and DIA have been actively involved in investigating Kaspersky since at least May).

Other products do offer a similar feature to Sophos Endpoint's Web Protection, however Sophos Endpoint uses Sophos' database, which is more robust than most, if not all, consumer grade AV/IS solutions.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
@zoomzoom
I have set up the new Endpoint Security policy and group, then I assigned the new group to my computer. (see below for new policy)
My question is... Will the Endpoint Security override the Sophos defaults? Meaning that if I leave the Web Protection turned on and turn it off in the Endpoint Security, will Web Protection still happen or really be turned off on the suspect computer? I hope I asked my question correctly. I suspect Web Protection would still occur at the UTM level.

Thanks
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@joeschmuck If you're asking:
  • Will turning off Web Protection in Sophos Endpoint affect anything on the UTM, or vice versa, the answer is no, as each is its own entity.
    • From what I gathered around two years ago when I first installed Sophos and was reading through the help documentation in Web Admin, as well as the old Astaro forum (prior to Sophos' horrendous decision to switch the forum over to the main Sophos site in an answer page forum format), Sophos Endpoint's main purpose is to enforce UTM specific rulesets, such as Application Control, on laptops that are only logged into the main corporate intranet sporadically.

  • If turning off Web Protection in Endpoint will override the profile on the UTM for that Endpoint device, it depends.
    • In order for the UTM to enforce the UTM managed security profile, the Endpoint device must be on the same network as the UTM (either local or some form of VPN). Say the Endpoint device is a laptop and the user turns Web Protection off while disconnected from the network(s) UTM is serving/operating on, it will remain disabled until the laptop reconnects to the network the UTM is operating on, and once the UTM detects the laptop, it should change Web Protection back to enabled (this is my understanding at least).
      • There was a great thread on the Astaro forum that covered this, but that forum was taken down within a few months of all content being migrated to Sophos' site, however you should be able to find an answer to this either via the WebAdmin help section (click the ? in the top right hand corner) or via the Sophos website (either the help page for Endpoint or the forum).
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Would you recommend removing NIS from the machines and installing Sophos Endpoint instead? Presently I'm thinking about using a Win10 VM and running from that for a while using the Sophos Endpoint just to test it out.

Sophos Endpoint isn't really one of the major products available out there. Isn't even ranked on many comparisons.

https://www.av-test.org/en/antivirus/home-windows/windows-10/juni-2017/

I'm not sure that it is going to be any better than just letting the default Microsoft Defender run. Additionally, there have been lots of reports of very basic coding errors in a lot of the AV products out there, and you may not be doing yourself any favors running a product like Norton.

https://www.theregister.co.uk/2016/11/29/buggy_security_software_ills/

You probably need to run multiple AVs to get a more comprehensive level of protection against viruses, but then you're also just introducing new vectors for attackers to get into your computer.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@jgreco Sophos Endpoint should definitely never be utilized as the primary Antivirus/HIPS program as that part of Endpoint is extremely sub-par (IIRC, scoring in the same 70 - 80% range as Windows Defender), however its Web Protection feature, implementing the UTM version of Web Filtering, is spot on. The only other thing Sophos Endpoint is spot on with is recognizing programs meant to provide system level access, such as Nirsoft and SysInternals utilities (both of which are amazing utility suites for power users).

As to protection level, any internet security suite with a quality HIPS implementation should be adequate (whatever AV solution one chooses, it should be recognizing 99 - 100% of malware, 98%+ with an exceptional HIPS implementation... one should always compare at least 3 independent testing sources), however due to how intrusive HIPS is, many choose not to utilize the one feature capable of preventing code from running that hasn't yet made its way into a virus definition. I've used Comodo Internet Security Pro for years, and have continued use of it due to how familiar I am with its HIPS implementation, and will likely switch to a different product when my subscription runs out in 2018, since Comodo isn't able to be adequately compared to other AV products due to a spat they had with VirusBulletin years back.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Gents, I appreciate the feedback. While I didn't think I'd get lucky enough to have Sophos Endpoint able to reduce the restrictions while connected to the UTM, I thought I'd ask because I didn't see it in the docs that way at all. And I do recall the change in the Sophos forum, it did suck.

I'll keep using NIS on all my computers and go back to using the UTM as I had been doing previously. The slight lag time of the internet is not significant to me and I'd rather have the extra protection no matter how small it may be. Trying to fix the wife's and father's computers is not worth the extra headache.

@jgreco I've been using Norton for a very long time, maybe 15+ years.
https://www.theregister.co.uk/2016/11/29/buggy_security_software_ills/

You probably need to run multiple AVs to get a more comprehensive level of protection against viruses, but then you're also just introducing new vectors for attackers to get into your computer.
Too bad it didn't list all the programs that were hit. I noticed that Norton was not on the provided list, not saying it wasn't the next one had they posted it. As for how effective a product like this is, well it may not be the #1 product all the time but it gets there often enough for me to trust it.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
@jgreco I've been using Norton for a very long time, maybe 15+ years.

Too bad it didn't list all the programs that were hit. I noticed that Norton was not on the provided list, not saying it wasn't the next one had they posted it. As for how effective a product like this is, well it may not be the #1 product all the time but it gets there often enough for me to trust it.

I keep wondering what it is you guys do that you find yourselves at such risk.

I suppose it helps that:

1) I don't read e-mail with a web browser (or an "HTML-enabled e-mail client", which is mostly weaselspeak for "custom web browser"). I finally made the jump from Dave Taylor's "elm", which I'd been using since the '80s, to "mutt", only about 20 years late :smile:

2) I access the web primarily through FreeBSD and Windows VMs that are running ScriptSafe, Adblock Plus, Ghostery, and several other extensions

3) Those are primarily accessing the web via a Sophos UTM that restricts a bunch of crap categories

4) There's really nothing of any value on any of the PC's here. They're all basically loaded from a scripted install and they don't have valuable local data on them, so a reload is a time suck but basically a non-event. Most of the interesting stuff runs as defined-purpose VM's on the hypervisor cluster.

I think the last virus here was something back during the XP days. So my question is this, since you both seem to have some insight into the current threat model, what is it that you see as being the primary threat vector(s) these days?
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@jgreco I haven't had a virus/malware infection since the Windows 7 days 5+ years ago, and the main threat vector I experience is when browsing images via duckduckgo or google. It's ridiculous how many regular, non-xxx images are pulled from malware infested sites, and it's extremely helpful that as soon as you attempt to preview an image which links back to a site with malware, Sophos blocks it.
  • If I do get a virus/malware alert nowadays, it's always due to forgetting to delete the folder after I extract Nirsoft and SysInternals utilities from their password protected 7z file (the password is to prevent it being scanned by AV)
I also don't use web based email (I use Outlook 2016) and even on Lineage OS (Nexus 6) I won't open an email unless I'm 100% positive I know I'm expecting it, nor do I open mms messages (I've turned off auto download) unless the person sending them has texted me prior to, letting me know they're sending an mms message (I don't use messaging apps like FB Messenger or WhatsApp, as it's far too easy for malware to be sent between users). I also don't install apps from anywhere but the PlayStore, and while I've been tempted for a long time to use the Xposed Framework, it's inherently insecure and not worth the potential exploit consequences.

My biggest concern nowadays is data privacy and restricting software, both on Lineage (via AFWall+) and on Windows, using strict protocol based rules and restricting software to specific ports and domains.
  • I don't allow an executable or DLL blanket network access, restricting them both by port and domain/IP/MAC access restrictions.
  • I put devices that need blanket network access (games systems, smart home theater receivers & TVs, etc.) on their own vLAN with isolation so they can't access each other unless a specific netfilter rule allows for it from a specific IP/MAC over a specific port.
    • I just redid my LEDE LAN network configuration, adding 7 vLANs for different types of devices. For example, I've put WiFi printers, Android phones, media devices (TVs, game systems, etc.), etc. on their own vLANs
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
So my question is this, since you both seem to have some insight into the current threat model, what is it that you see as being the primary threat vector(s) these days?


I don't see myself as having any real insight to the current threat model at all. I've had to deal with my fair share of viruses, malware, worms, and even ransomware over the many years and I feel it is very prudent to have a good internet security package running on each of my home computers along with frequent backups (the whole reason I got into FreeNAS).

I keep wondering what it is you guys do that you find yourselves at such risk.


Wife & Father... Need I say more? Beforehand I was perfectly fine using NIS alone. These two people have caused me a lot of headaches, and once I added Sophos UTM, I haven't had a problem since. Sure, I occasionally get a complaint that someone can't get to a specific site, but I promptly respond that it likely has some unsafe content and then I'm in the clear. The main complaint I really hear is "The internet isn't working again, did you do something!" and I'm sure we all can relate to that one.

Keep in mind that I'm not an IT guy; I'm self taught when it comes to networking. Of course I have an extensive electronics background and some programming, but I'm not up to speed on all the intricacies of configuring and managing a major IT network. This is why I really like the FreeNAS forums. I can get a lot of very useful information here, above and beyond FreeNAS itself. This is a great group of people!

Pizza? Pizza Time!
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Does chaining switches in a LAN slow down file transfers within that LAN?
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Does chaining switches in a LAN slow down file transfers within that LAN?
Technically I would think a little bit of latency would be there but I can't imagine it would be worth mentioning.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Does chaining switches in a LAN slow down file transfers within that LAN?
No but it can make troubleshooting network problems a pain in the rear.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Me while playing around in ESXi setting up my vNICs and vSwitches all while 700 miles away from home and I won't be back home for five more days:

Me: Hey, what's this Management Network on the vSwitch? Hmm. I'm sure I don't need it. Let's disconnect the vNIC from the vSwitch that has the Management Network.

Putty: Connection lost
 