Sophos Enterprise Security

I should start this review with a confession. I used to work for Sophos. During the five years I spent release testing Sophos’s products, its Windows offerings went from a simple, standalone scanner with some basic network messaging capabilities to a fully fledged enterprise suite, with the addition of centralized management, reporting and updating, desktop firewalls and gateway mail scanners. However, huddled safely in the ‘non- Windows’ corner – concentrating my testing efforts on UNIX, Linux, NetWare and even OpenVMS products – much of this change passed me by, and this is in fact my first in-depth look at the latest version of the full cross-platform, multi-component suite, Sophos Enterprise Security.

Sophos focuses on corporate, educational and governmental markets, a tactic which, while denying it much of the brand recognition afforded to players in the home-user sphere, also allows greater focus of products and somewhat simplifies the support requirements.

The company’s reputation among the corporate community is solid and respectable, and recognition is boosted by a voluble and vigorous media presence. For security and virus watchers, the Sophos name is rarely out of the news, and was particularly visible during Microsoft’s recent Vista release – after much ado from larger rivals McAfee and Symantec over access to Vista information, Sophos weighed in with criticism of the others’ design and coding skills, sparking a brief spat in which a McAfee spokesman referred to the company disparagingly as a ‘small, single-product vendor.’ Coinciding with the eventual release of Vista, Sophos ruffled more feathers with its announcement that a selection of viruses remained fully functional on the supposedly more secure platform.

For a ‘small, single-product vendor’, Sophos has a fairly sizeable inventory. The company branched out into spam filtering with the purchase three years ago of Canadian developer ActiveState and its PureMessage anti-spam product, and since then has added a firewall, rootkit detection and application control functionality to its range, as well as producing email and web appliances. The core anti-virus engine is made available for integration into third-party products, a recent example of which is the addition of AV functionality to Webroot’s SpySweeper product.

Sophos’s current flagship offering, the Enterprise Security suite, is accompanied by a small business version, which seems to have been rebranded Sophos Computer Security when combining only the anti-malware and firewall components and Sophos Security Suite when mail gateway products are added. These small business versions are available as free trial downloads for evaluation purposes.

The Enterprise Security box that arrived for this review was a rather attractive affair, the top half in matt white with simple fonts and a few sparse symbols, the bottom a more colourful mix of blues, blobs and swirls forming the background for some 3D versions of the icons – an envelope representing mail, a shield for protection and so on. On the reverse, amongst a handful of badges from other testing organizations, sits the VB 100% logo, the stamp of any respectable AV product.

Sliding open the drawer of the box, I found a handful of pamphlets inside, separate user guides for the gateway and desktop products and a multi-lingual EULA, along with a little booklet entitled ‘A to Z of computer security threats’. This swish little black number takes the form of a glossary of security terms and buzzwords. Most entries provide some useful information succinctly – some terms were new even to me (‘bluesnarfing’, apparently, is the theft of data from a mobile phone over a Bluetooth connection). Towards the end is some general information on how various types of security software operate and how best to minimize exposure to a range of threats. The content is also available as a PDF download from the Sophos website.

The EULA provided somewhat less enjoyable reading, and also fewer surprises. I was a little confused by the section regarding the use of Sophos products at home, and whether or not the permission to do this applied to the firewall and to small business customers, but was pleased to see that Sophos offers this service to those keen to protect their home computers but prevented from purchasing the software for themselves.

At a glance, the setup guides seemed straightforward and simple, with the text and screenshots unadorned by gimmicky graphics and the structure laid out around tasks. Assuming my role of a gung-ho systems administrator eager to install protection to my network, however, I decided to skip any in-depth study of these documents and rely on my natural skills to divine how best to go about the installation process. Putting the manuals aside for later emergency reference, I moved on to the more exciting items in the box.

Three CDs were included, two were labelled ‘Sophos Endpoint Security’ with one sub-titled ‘Network install’, including the management system, and the other ‘Standalone install’, carrying versions of the products ready to set up on single client machines. The third CD contained PureMessage and related gateway bits. The network CD includes both the ‘Enterprise Console’ client and policy management system and ‘EM Library’, which handles downloading, storage and dissemination of software and updates. The standalone CD is packed with goodies, including products for a wide range of platforms including some familiar old faces, NetWare and UNIX products, and the PureMessage CD also includes ‘MailMonitor’, a more basic package offering virus scanning only, for Lotus Notes mail systems. All of these, along with a branded mousemat thrown in for good measure, I carried boldly into my lab.

The network which will play sheep to my administrative shepherd is perhaps a little small by enterprise standards. The VB test lab does not, unfortunately, stretch to the ‘tens of thousands of computers’ which Sophos promises can be managed by a single console. Doing my best to simulate a reasonable setup, however, I created a layout with a main server running Windows 2000 Server and managing such things as my domain, websites and email infrastructure, a second server to manage a separate domain, and a handful of clients running various XP and 2000 versions, with a few more available virtually for good measure. A trusty Linux machine provided the semblance of a hostile and dangerous outside world.

Slipping the network install CD into my server, I saw the familiar Sophos install browser, feature of several recent comparative review experiences; checking it out a little, I learned it was in fact ‘Sophos Viewer 1.1’. The opening screen politely told me to insert the CD into a machine with a web connection, and click install. Other sections provided some basic setup hints, links to further information on the Sophos website, and access to a large stash of manuals in PDF format, all included on the CD in multiple languages.

Ignoring the advice about connecting to the web, I continued with the installation, past a EULA, a section offering the chance to customize the installation (leaving out components should I so desire), and then began its installation, taking five minutes or so over setting up and configuring the administration items, including SQL server setup and installation of Enterprise Console and EM Library.

After a reboot, a username was required for EM Library, and on entering one incorrectly the program shut down, leaving me staring in confusion at an empty desktop. Reopening the application from the program menu, I managed to enter some proper credentials (I could have allowed the software to create its own admin user for me, had I so desired), and I was able to play around with the installation and management of protection around my little network.

Not much playing around was possible at first though – the CD contains only the admin tools themselves, and no actual anti-virus or firewall software. This had to be obtained by downloading ‘packages’ for each product and platform as needed into the EM Library facility, which then stores and manages the installation datasets, allows the admin to spawn ‘child’ libraries to other systems, and controls liaison with Sophos for updates to definitions and applications. A daisy chain of libraries can easily be created, allowing various portions of a WAN to carry local copies of all the data, updating down the internal chain with only a single copy actually connecting to the outside. Client machines are then managed by the Enterprise Console section.

For those familiar with earlier versions, EM Library itself seems little changed. Both it and the Console are MMC snapins, and EM Library still presents a simple set of buttons on activation, for the selection of a source from which to update, either Sophos itself or an internal library; for the selection of which products are required; and to specify which should be ‘published’ to the console for other libraries or the Console to make use of. As it installs from the CD however, the system contains nothing to publish, so steps had to be taken to achieve this without the option of a web connection. After a brief wrestle with one of the other CDs in the set, which does contain standalone installs of all the scanning products, I resorted to the documentation, of which more detail below.

Once my initial library was populated, the task of ‘publishing’ the data to make it available to other instances was a straightforward, if rather time-consuming one, and after an age spent watching a little red ball bounce up and down to show things were still in progress I was finally able to get my hands on the administration console.

Machines were detected pretty easily on my small and simple network, for larger systems a more defined probing over specific domains or IP ranges would probably be more efficient than the basic ‘have a look around’. Once picked up, machines can be added to groups for which separate policies can be set, including regularity and sources of updating, firewall and on-access scanner configurations, scheduled scans for malware etc. Installation of selected products is then initiated, by machine or group, and on my setup went pretty smoothly, with the only snags being down to my hasty setting up of domains and users. Manual installation is necessary for anyone still using pre-2000 versions of Windows.

With my machines installed, I could tweak all the available settings of my on-access scanners and scheduled jobs remotely from the central console, but could not, as far as I could tell, set off an immediate scan for viruses. This must be done on the client side.

The interface to the ‘endpoint’ (an ugly term sprinkled liberally throughout Sophos’s product titles and documentation, often quite confusingly – I can only assume it is used as a euphemism for ‘computer’) product is of course very familiar by now, after appearing in several VB comparative tests and, for a time, being available on my desktop as a Sophos employee (where I rarely, if ever, had cause to look at it).

Again, this has a browsery feel, with ‘back’ and ‘forward’ buttons, some links and information in a column on the left, and a main pane featuring available tasks. This pane I have always felt seemed a little off-balance, as if some space has been left for yet-to-be-added functionality, but it can be made to seem more regular with judicial disabling of certain tasks. Indeed, the administrator has the ability to lock down pretty much everything, leaving the client with a bare-looking options pane, a few greyed-out buttons and little more available for them to do other than scan bits of their system with the default settings. More generous admins can, of course, allow their cattle more freedom.

Back at the top, a detailed reporting system allows the admin to gather data on infections and detections on their users’ systems, and generate tables and graphs to show off to their friends and bosses.

The Sophos website presents a bustling face to the world, its front page split into colourful product information and marketing splashes, accompanied by more sober content in the form of a listing of the latest malware and links to identity downloads. There is also a cluster of news items, carrying stories on the malware and spam landscape as well as Sophos product news.

Familiarity with the site led me at first to follow the ‘Security Information’ link, past a bank of information on security issues, into the virus database, a well-designed and thorough resource. The system does not suffer from the frequent browser compatibility issues, slow-loading data and blank entries that I’ve found to be a source of frustration in other such resources, the tabbed pages functioning smoothly and rapidly to provide adequate details on even quite old and obscure threats, and generally excellent write-ups of the latest and greatest outbreaks.

Remembering my real purpose here, I moved on to the Support area, at the top of which was a knowledgebase. This offered a search facility and a list of ‘most popular’ articles, along with a browsing tab, which provided a somewhat confusing wealth of product names. These would presumably be familiar to an administrator with more experience of these products, as many of the names seemed to overlap somewhat and some were presumably earlier versions of the tools.

Browsing under ‘Enterprise Console’ provided a list of entries rather heavy on the ‘Error code a0490003’ type, interspersed with some more interesting-sounding items on important tasks, such as configuring and using aspects of the suite, including disinfecting viruses across the network and appropriate settings for on-access scanners.

Options for telephone and email support followed, with a lengthy checklist of details to have ready, covering both licensing data and technical details on your setup and problem. An online query form to request information or a call back was also available; for larger customers, Sophos also offers a ‘premium’ support service with guaranteed response times and other benefits. Realising that the licensing data provided to me would be a giveaway, making any attempt at an undercover test of the support offering a little futile, I resolved to do the right thing and RTFM.

Under ‘Documentation’, a wealth of manuals and quick-start guides are available, as well as a downloadable ‘support pack’ for the very product I was testing. This provided a .chm file containing numerous helpful little wizards, as well as links to more detailed information in the appropriate areas of the site. One section, the ‘Requirements Advisor’, even led me with ease to some directions for my very situation (‘a secure network with an air gap’), which involved setting up a management system with full access to the web and spawning a ‘library’ which could then be transferred into the test lab.

The step-by-step guides to various stages of setup and configuration also seemed useful, and the whole thing was slick and straightforward. I added it to my stash of tools for the test lab, despite some worries over how to tell what was a link to another inbuilt page and what would try to connect to the web. I assumed some links had a file size, some of which rather worryingly implied pages of around 6 MB, until I realised that ‘KB 6002’ was a reference to the Knowledgebase article number, while others simply jumped straight online without much warning.

With the latest version of the software now available, I tried a few basic scans over areas of the VB malware collection. Knowing from experience that the Sophos engine shows a pretty predictable detection rate over the standard test sets, and a good record of keeping up with the more regularly updated WildList sets, I wasn’t greatly surprised by the scores in these areas. Even many of the samples generally missed during the VB comparative testing are found with the right (i.e. non-default) settings, as some file types commonly set by default in other products are left off the list by Sophos – things like Microsoft Access databases and mailbox files being likely to be bulky in a business setting, and thus causing excessive slowdown in the general-purpose scan.

Disinfection was a more complex process – a large number of detections, particularly W32/Mytob variants and other worms, were often grouped into clusters and labelled ‘part of an infection’. They could not then be deleted after a simple scan of an area; instead the product insisted on a full scan of the machine, to ensure no lingering remnants were left behind. The logging has been made more complicated to match (something that has required some adjustments to the comparative log-parsing scripts to cope), as some detections are now labelled a mere fragment of a full infection, reflecting the complexity of the modern malware landscape.

This latest version of the Sophos product has added some important new detection abilities, of adware and other items which, while not necessarily malicious, are widely thought to be prejudicial to security and unlikely to be necessary in a corporate environment. Sophos has opted to describe these items as ‘PUAs’, short for ‘Potentially Unwanted Applications’, in contrast to the ‘security risks’, PUPs and PUS seen elsewhere, all of which are designed to soothe the legal worries involved in slurring anybody with the widely despised ‘adware’ label.

Checking out a selection of samples of adware and spyware, the product picked up on all of the confirmed items available in my lab, politely remarking that a ‘PUA’ had been spotted and that I might want to remove it. On-access detection of such things is not the default, but again can be switched on network-wide if so desired.

I decided to try out detection of the latest WildList entries on a less well protected machine. The standalone install CD included with the package was rather more recent than that carrying the management products, dated September rather than June, and with the latest available WildList not much more recent, detection was already in place for many samples, including several ‘generic’ detections.

A small selection of samples were missed, including one nasty W32/Rontokbro, which rampaged across the machine, shutting down the software and rendering it unusable, and also disabling things like registry editing. Shortly after this version, Sophos added behavioural detection under its ‘Genotype’ label into its scanning engine to deal with new malware, and it would have been interesting to see how an early-October update would have dealt with these threats; the update taken from the net in mid-December spotted everything I threw at it, without recourse to behaviour blocking.

Sophos’s PureMessage mail-filtering software originated as a UNIX/Linux product, and its Canadian developers continue to focus on those platforms. Windows versions have been added since its acquisition by Sophos, and were provided in my box of goodies; on the same CD is a copy of the MailMonitor email AV scanner for Lotus Notes/Domino systems. Unfortunately, time and other constraints prevented more than a cursory look at this part of the suite.

PureMessage installation is a simple affair, with a few quick questions about where to put the files and which user IDs to use. Once the GUI is open though, things get a lot more complex; a vast array of sections, pages and tabs offer enormous configurability. Mail can be checked for malware, as well as for spam, with a wide range of policy options also available, such as blocking all or just certain types of attachments, filtering mail with certain words or phrases. Detailed choices are available as to what happens to messages put into numerous categories of badness, tagging of mails with various messages depending on what’s been found and removed, reporting incidents etc.

Finally reaching the ‘spam’ tab, I breathed a sigh of relief to find it so simple – a slider for what to mark as definitely spam, another for ‘suspicious’, and some sections for the setting up of whitelists, blacklists and trusted addresses and hosts. All reasonably simple and straightforward. The product is also available, as of quite recently, as a pre-configured appliance, a sister product to which filtering web connections has also arrived on the market in the last few weeks. Pictures and specifications on the website are quite appealing, and I look forward to one of these arriving on the VB test bench some day.

The client firewall is another new addition to the Sophos stable, available for Windows 2000 and XP machines (32-bit only) and providing standard firewalling stuff. There is a fairly comprehensive configuration, with the usual controls over which protocols, connection methods and programs are allowed and which are blocked, plus an intriguing section allowing applications that launch ‘hidden processes’ to be stopped in their tracks. Another allows one to create a list of applications with accompanying checksums, which will then be blocked if the checksum changes. Again, all of this can be controlled either locally or via policies in the admin console, and ‘interactive’ selection of whether or not to allow things can be switched on or off. I found the log viewer accompanying the program rather nice to look at too.

Among other offerings emerging from Sophos’s busy developers and labs recently is the Application Control utility, available to download and free to existing customers. Lack of time and a lengthy data-gathering form required to access the download prevented any detailed testing of this, but it has made many headlines recently over the inclusion of games in its blocking list. A rootkit detector has also been released as a free download, with a fairly rudimentary installation and interface.

With such a broad range of products and functionality to look at, and with the time constraints imposed by the Christmas and New Year holidays, I feel I have done little more than brushed the surface of the Sophos suite. After some experience of testing scanner products on a fairly basic functional level, looking mainly at detection rates, logging and throughput with usability only really examined as it affects these aspects of the software, reviewing a product from the point of view of a network administrator was rather new to me. Looking at ease of setup, combinations of functionality, policy setting and enforcement, and auditing of security in far broader terms than malware protection alone, all provided both problems and insights.

It is, of course, hard to say whether my limited experience with older Sophos products has affected my user experience greatly (my memories of first using EM Library several years ago are ones of confusion and bafflement), but I found most aspects reasonably logical to set up and configure. Most components, and particularly PureMessage, had an almost bewildering range of configuration options, pages and tabs, most of which are presumably required by some parts of the broad and diverse world of business IT infrastructures. Without enormous experience as an enterprise admin, I am perhaps not in a position to know best, but there were few functions or options that I could think of that were notably absent, though some were less than obvious.

The only major frustration, other than the bouncing ball marking time while the product packages are downloaded and configured, was the lack of a simple one-click scan of a system from the Console. One thing that did seem odd was the absence of a basic set of ‘packages’ on the management CD (half empty at around 250MB), and the lack of an option to create one’s own from the accompanying product CD – one can either have single installs, or download managed versions from the web, with little obvious overlap. I am told that the small business version does come ‘pre-loaded’ in this way, allowing for immediate startup without resorting to the web.

Having looked at a few enterprise versions of other products for VB, I have occasionally had problems with accessing certain functionality at the client end, and had to resort to installing management software on separate machines in order to complete some tests. Sophos’s more modular approach, with different aspects of functionality bundled into different sections of the suite, with the ability to remove control from some users and grant it to others, avoids this kind of problem, although it does leave one with several MMC snapins to administer different sections of one’s security policy. The modules are mostly available, and licensed, as individual entities as well as components of the full suite.

There was a generally solid and professional look and feel to things, without being overly stark and cold, and things like help and documentation continued this mood, being instructive in a friendly, rather than dictatorial way. The penchant for rather flamboyant marketing which has overrun much of the company website, masking the very decent technical content underlying it, has yet to make too big an impact on the products themselves. Of course, malware detection and blocking is the main point of the product, and here all was as reliable as usual, at least when kept up-to-date; the addition of behavioural ‘intrusion prevention’ is a vital move in the age of rapid-spreading malware, and some more thorough retrospective testing of this aspect should be added into VB100 testing in the coming year. Given more time, deeper investigation of disinfection and removal, particularly of complex adware-type nasties, would have been interesting.

Overall, I have found my time playing at administering Sophos surprisingly trouble-free. Of course, many of these opinions are as likely to be revised as confirmed when I get to try out any other large corporate security suites, but I look forward to the opportunity of making such comparisons – all for the good of VB readers of course.