grahamperrin

Immunet Insiders
  • Content Count: 83

Everything posted by grahamperrin

  1. Good point — it's maybe a year or so since I saw one. Glancing at http://www.sophos.com/security/analyses/viruses-and-spyware/search-results/?search=WM97+2010&product_search=virus_search_virus_section&submit.x=57&submit.y=8&action=search alongside http://www.sophos.com/security/analyses/viruses-and-spyware/search-results/?search=WM97+2009&product_search=virus_search_virus_section&submit.x=57&submit.y=8&action=search there have been fewer in 2010 than in 2009, but I have no idea whether any became wild. Macro threats spring to mind because my place of work was bitten by W97M.Proverb before protection was available, and dealing with NAI from a Mac perspective was, in 2000, a rigmarole. I'm pleasantly off-topic from the original subject. I suppose what it boils down to is: how I'd like the Immunet Protect client to behave if a disposition asks for a data file (not the profile thereof) — with maybe personal or sensitive information — to be sent to the cloud. This isn't a mistrust of Immunet Corporation. Just a need: a) to know when that type of traffic occurs; and b) to give, or defer, consent for the file in question.
  2. Thanks, not a priority. Just a slight concern that people will learn "Spero" instead of "SPERO" etc.
  3. DynDNS.com Internet Guide: first impressions

     Internet Guide is initially confusing: I went round in circles a few times before realising that beyond signing up and logging in, there's the additional step of adding the zero-cost Internet Guide Free product to my shopping cart. Then, more confusion: http://setup.dynguide.com/ confirms that my computer "is currently using Internet Guide" and directs me to https://www.dyndns.com/account/services/dynguide/ where (on the contrary) I'm told that I "don't have any Internet Guide-protected networks", and the invitation to add a defense plan fails with "Invalid static IP or CIDR submitted". I'll report this experience in the DynDNS support area … Taking the hint from https://www.dyndns.com/services/dynguide/readme.html#network I created a host service for use with a defense plan. For me, the blocking is too coarse:
     * either accept the block, or reconfigure the plan to not block
     * no option for the user to temporarily override a block.
  4. IP filtering, URL filtering

     Similarly, whilst trialling an Intego product I was warned against visiting a site (AFAICT a site that wasn't 'caught' by Google Safe Browsing), but the product offered no clear explanation; I had no idea what basis Intego had for the warning. Lack of explanation is frustrating. I toy with the idea of running an Untangle server on a spare machine, primarily for the free Web Filter or the eSoft Web Filter. I'd configure this to provide cautions without absolutely blocking — leaving the end user to decide whether to proceed with browsing to the URL. According to http://wiki.untangle.com/index.php/Web_Content_Control_FAQs#Does_Untangle_Use_Blocklists.3F they use URLBlacklist.com (a commercial managed service). There's also a community-oriented URL Submission tool, but I can't tell how widespread the benefits are (in an ideal world I'd like submissions to benefit e.g. at least one of the databases listed at http://sanesecurity.co.uk/databases.htm). Thoughts?
  5. I'm trying to reconcile just a few things: the relationship between TETRA and BitDefender — http://www.wilderssecurity.com/showpost.php?p=1724071 — http://www.wilderssecurity.com/showpost.php?p=1728792 — http://www.clamav.net/lang/en/support/faq/faq-win32/ — http://www.wilderssecurity.com/showpost.php?p=1728792 — http://blog.immunet.com/blog/2010/2/17/the-immunet-protect-ethos-engine-a-week-in-the-life.html I don't imagine Immunet Corporation adding 17,500 file definitions a day to ClamAV databases, but I do wonder about the mutual benefits. Just curiosity. I'm primarily a user of Mac OS X (occasionally with CrossOver or another flavour of Wine); secondarily I look after a few Windows boxes, and amongst other things re: http://forum.immunet.com/index.php?/topic/139-mac-support/page__view__findpost__p__1649 I wonder: a) do any of the three current engines (ETHOS, SPERO, TETRA) make any use of signatures from ClamAV databases? b) does investment in Immunet Protect ultimately benefit other communities/products that use ClamAV databases? — if the answer is yes, then that would be (for me) a great incentive to purchase and recommend Immunet Protect. From http://www.wilderssecurity.com/showpost.php?p=1658729 and from http://www.wilderssecurity.com/showpost.php?p=1728792 I understand that ClamAV may eventually move in a different direction from Immunet Protect, but for now I'd like to put my money and my mouth in the direction of products that take the most co-operative approach.
  6. ClamAV is also popular with users of Mac OS X, and is an integral part of Mac OS X Server. Taking a layered approach on Mac OS X with Wine (comparable to approaches on Windows that include Immunet Protect), I use at least:
     * ClamXav Sentry
     * Little Snitch
     * ProtectMac AntiVirus
     — ClamXav and ProtectMac AntiVirus both use ClamAV, in different and complementary ways. Aspects such as community and open source prompt questions re: Immunet Corporation contributions to ClamAV databases, e.g. http://forum.immunet.com/index.php?/topic/155-does-clamav-and-immunet-have-same-cloud-definitions/page__p__1616#entry1616
  7. At http://www.clamav.net/lang/en/support/faq/faq-win32/ : — and I guess that *nix there is intended to include Linux.
  8. Just one machine on which I have seen a possible problem: an Acer box with Windows XP and Service Pack 3 that I control, only rarely, via RDP. Maybe headless (there's a head near the box but I can't recall whether it's physically connected at the moment — I'll check). The symptom of the problem was: I couldn't make a persistent connection via RDP (using CoRD); the Acer background would appear for a moment, but the connection would very soon drop — at around the time when the Windows log on dialogue (logging in automatically using credentials provided by the RDP client) would normally appear. Microsoft Automatic Updates is set to automatic, daily at 03:00, and my guess is:
     * the problem began around the time of an update that required an automatic restart of the OS.
     Considering those key points, and some others, I see no definite relationship between that problem and the (then) installed version of Immunet Protect. However, the presence of Immunet Protect is one of the factors that I consider; this box is one that has relatively few software titles installed. Now running 2.0.15.12, and I'll review this XP machine after Microsoft's next round of updates that requires an automatic restart.
  9. Preamble

     Sophos preferences for HIPS runtime behavior analysis default to:
     [√] Detect suspicious behavior
     [√] Detect buffer overflows
     [√] Alert only

     On some machines that I help to administer, preferences (from a centralised installation) vary from those defaults:
     [√] Detect suspicious behavior
     [ ] Detect buffer overflows
     [ ] Alert only

     Considering (a) the 16 August date of http://vrt-sourcefire.blogspot.com/2010/08/clamav-release-announcements.html announcing SPERO in ClamAV for Windows 2.0, and (b) release notes in the Announcements forum (I can't tell when SPERO became a feature of released versions of Immunet Protect), comments below might relate to 2.x versions of Immunet Protect prior to 2.0.14.

     My experience with the product combination

     So far: no problems. Sometimes a software installation will take much longer than expected. That expectation is based on the assumption that whatever I'm installing (typically mainstream stuff, nothing exotic) has previously been installed by another user of Immunet Protect — so I shouldn't have to wait long for a disposition from the cloud. In case of slowness: if I (personally) trust the installer, then temporarily exiting Immunet Protect allows the installation to complete quickly. Until recently I assumed that the slowness was whilst waiting for an in-cloud analysis (by Immunet Protect people and/or machines) of a profile of the installation. Since learning a little more about the ETHOS and SPERO engines, now I wonder whether the slowness was local.
  10. Background

      No mentions of Sophos at Immunet Protect 2.0 Requirements & Compatible Security Package List or Incompatible Software with Immunet Protect & Known Issues; no mentions of Sophos elsewhere in the support area (however: search results there are currently not reliable); and nothing relevant in these forums … so I'll share my experience with this product combination:
      * early versions of Immunet Protect 2.x
      * Sophos Endpoint Security and Control 9 with Sophos Anti-Virus 9.0.5 and HIPS configuration 1.x
  11. The picture's much clearer now, thanks. Just one question remaining re: the push, but I've taken us off-topic from the original SPERO question so it's a separate topic: push to all clients
  12. OK, the disposition approach makes perfect sense. It's this 'push to ALL' line (from about Immunet) that throws me —
      > pushes intelligent protection in real-time to ALL Immunet users within milliseconds
      In what situation would a disposition be pushed to all users, including those users whose raw data (profiled by the local client/engines) has not indicated a need for that disposition?
  13. In this forums part of the support area, there's a top level link to Support —
      Products | About | Partners | Support | Blog | Contact Us
      In other places, e.g. http://support.immunet.com/tiki-index.php?page=HomePage the orientation is different —
      Products | About | Partners | Blog | Forum | Contact Us
      The side menu at the support home page http://support.immunet.com/tiki-index.php?page=HomePage gives the impression that search results there include results from forums, but AFAICT the forums are separate. (Now, as I'm drafting this topic, I see that the host is different.) I don't imagine that search results from the different areas can be combined, but it might be good to: a) have a consistent top-level menu, Products | About | Partners | Blog | Support | Forums | Contact us; b) at the support home page, make clearer that forums are separate. Thanks
  14. Thanks! (I did search for the word incompatible but didn't get that article — there's a problem with search results.) Neither article mentions Sophos so I'll start a topic on that subject.
  15. http://support.immunet.com/tiki-searchresults.php?highlight=incompatible&boolean=on&search=Go — a search of the support area for the word incompatible — fails to find Incompatible Software with Immunet Protect & Known Issues, which is currently the most frequently asked question (#1 at the support home page).
  16. Please, I'd like to know:
      * which products/configurations are not compatible with Immunet Protect 2.x (using all three of ETHOS, SPERO and TETRA)
      * outline details of the incompatibilities, with any known workarounds/solutions.
      Sophos Endpoint Security and Control 9.0.5? — must its heuristic preferences be set in a particular way for compatibility with Immunet Protect? Sophos Endpoint Security and Data Protection 9.5? Side note: I recall responding to http://blog.immunet.com/blog/2010/3/20/help-us-define-immunet-protect-20-what-other-av-should-we-su.html but responses were removed, and the copy in Diigo (2010-04-08) was probably cached before all responses were gained.
      Thanks
      Graham
  17. At http://blog.immunet.com/blog/2010/3/7/how-immunet-detects-threats-in-a-nutshell.html : Please: are the new signatures that are generated by Immunet all added to the ClamAV Virus Databases? Or will some signatures be proprietary to Immunet?
  18. OK, I now have a clearer picture of SPERO alongside ETHOS —
      — both engines are heuristic (or heuristic-like) and cloud-based
      — SPERO is lighter than ETHOS
      — SPERO takes a more modern decision tree approach
      … and if I want to know more about decision trees for malware I might read e.g. Learning to detect and classify malicious executables in the wild (2006), An intelligent PE-malware detection system based on association mining (2008) or Malware Detection using Statistical Analysis of Byte-Level File Content (2009). (I don't intend to read those papers. Just getting a half-mile high view of things.) I'm still a little confused about what, if anything, is pushed from the cloud. At http://www.immunet.com/about/index.html : If all files and intelligence are in the cloud, then what is pushed to clients on the ground?
      Thanks
      Graham
  19. Can you configure IP.Board to not change the case of titles of topics? E.g. http://forum.immunet.com/index.php?/topic/282-spero-more-information/ should be "SPERO: more information", not "Spero: More Information". Thanks
  20. ETHOS is also cloud-oriented. Sorry — whilst looking in the announcements area, and in the blog, I didn't think to look in the product: Still, I'd like to understand more about the machine learning based models. Is SPERO oriented to data from my community?
  21. Seriously, there was previous discussion on the subject, but it's gone, so I posted again http://forum.immunet.com/index.php?/topic/162-immunet-protect-for-linux
  22. Looking ahead, http://diigo.com/0cgxp for highlights from http://vrt-sourcefire.blogspot.com/2010/08/clamav-release-announcements.html
  23. At http://www.clamav.net/lang/en/about/win32/ (undated) and http://vrt-sourcefire.blogspot.com/2010/08/clamav-release-announcements.html (16 August) I see that SPERO is now featured, and that it is a > machine learning based protection engine — but machine learning doesn't convey much, and additional information about SPERO is not easy to find. I look forward to the SPERO-related announcements …
  24. My concern is that some documents must not be in any cloud.
  25. Thanks, can you update http://www.immunet.com/plus/compare/index.html to clarify the difference? Does Immunet Protect FREE not detect macro viruses? PS I have a cached copy of previous discussion re: macro viruses.