SophosLabs Director Mark Harris

As part of my follow-up research into Sophos Anti-Virus’s built-in Behavior Blocking / Host Intrusion Prevention System (HIPS) software (as discussed in my blog entry No 64-bit Windows Vista Security from <YourVendor> ?, Give Sophos a Try), I found out that an old friend and colleague from the UK, Mark Harris, was now running SophosLabs (read about it).

Mark and I re-connected, and I thought this might be a valuable opportunity to dig deeper into the Sophos technology. Mark agreed to this interview to help educate us on what Sophos is adding to some of the more traditional anti-virus techniques, and how.

Jeff:  Mark, good to talk to you again. Before we get started with the technology, I'd like to ask a few background questions if you don't mind.  I've known you since our days together at McAfee in the late 1990s, but when did you first start working in the field of security?

Mark:  I started at Dr Solomon’s back in 1996, if I remember rightly. I joined as a software developer working on Dr Solomon’s management console, but within a year moved on to set up a new team developing groupware solutions.

Jeff:  10 years ago - I was actually working in the UK at that time too, for TIS. And, of course, we both became part of McAfee through acquisitions a couple of years later. As a Director of Engineering over at McAfee, what were some of the innovations and key features that you and your team delivered to help customers?

Mark:  I’m not sure I can talk about the detail of some of the most interesting ones, but for most of my career I was working on the solutions for Exchange and Lotus Notes. It was certainly an interesting time as we went through the growth of mass mailers like LoveLetter and Melissa.

Jeff:  One more question for color. Tell us something interesting about your early security days that people would find strange or interesting today.

Mark:  Products for email scanning hardly existed and were very much seen as the poor relation of the desktop product. This was long before the concept of a multi-tier defence was thought of. And as I said, the growth of the mass mailer was interesting, and it seems hard to believe now that we used to update the desktop product once a month on floppy disk!

Jeff:  I remember that!  It was the biggest pain after the Dr. Solly's acquisition.  Some customers absolutely refused to transition to an online delivery of signatures - they wanted their monthly set of floppy disks! 

Jeff:  Okay, let's dig into your HIPS / Behavior Blocking solution. Do you have a catchy name for this technology, and if so, what's the meaning behind that name? [readers: there is always a meaning behind catchy security technology names]

Mark:  It is called Behavioral Genotype® Protection, and it’s built into Sophos Anti-Virus for desktops, laptops and servers and into all our gateway products. Genotypes are the specific genetic makeup of individuals - so in the computer security context, our technology identifies "genes" of an application and looks at the combination of genes that match families of malicious software. In addition, we have also looked at a massive amount of ‘clean’ applications to identify the combinations of genes that they have, thus significantly reducing any risk of false positives.

Jeff:  How is a "genotype" of malicious software different from a traditional virus signature?

Mark:  Traditional anti-virus looks for specific patterns in the code or data, or a combination of both. Behavioral Genotype looks at a much larger combination of behavioral and other characteristics: which APIs are used, how the file is laid out, whether it’s compressed and so on. We have over 300 genes that we collect, and it’s the combination of those that identifies the malware.

Jeff:  Okay, understood. Let's step back to something I read on your web site - what does "pre-execution environment" mean?

Mark:  To put it simply, it means that our security technology can examine executable code and gather all its ‘genes’ without having to run it, so we can identify its "bad behavior". We do this pre-emptively, before the code can be executed.

Jeff:  So, since you're examining code as data, in some sense, this is why you don't need to hook or patch the kernel?

Mark:  Right. From a Microsoft perspective, that's good since you don't have to worry about our code destabilizing anything, but it has other benefits for Sophos and for customers.

Jeff:  Why is it good for Sophos?

Mark:  There are several reasons. It means we can build behavioral scanning into our core engine, and because our customers already have our technology deployed and managed, they don’t need another agent to be deployed, possibly managed through a different console.

We can very rapidly test for false positives by scanning our huge collection of files from legitimate applications, rather than having to laboriously install and run the software and try to use it in ways that might trigger the behavior at runtime. This also means that we can create new genotypes and publish them at any time, so we can react much more quickly to new and evolving threats. Another important aspect is that we can do this analysis anywhere the code is stored, not just on the user's desktop.

Jeff:  By anywhere, you mean in other places than just on the running machine?

Mark:  Yes, we can check the code as it goes through an email gateway, for example, or as it is being stored on a fileserver for backup, or even as it's being downloaded through our web appliance. That is a type of checking that traditional run-time behavior blocking can't do - they can only stop something just as it is about to succeed, whereas we have the chance to stop things well before that.

Jeff: So, which of your different products integrate the Behavioral Genotype technology?

Mark: Basically all of them. We introduced the technology into our main engine, and as soon as our customers updated to that specific version, they got all the benefits of Behavioral Genotype.

Jeff: That sounds good for customers. How do you handle it if portions of the malware are encoded or encrypted and only decrypted at runtime? It seems like this would be hard for you, but that traditional HIPS products might be able to handle it.

Mark:  The fact that it was encrypted would be a strong indicator to us to look into it further. Other characteristics, such as random data with a decryption loop and no resources, would be examined and the combination would allow our product to make the right call. In other words, encryption isn't a particularly clever or successful way to try and bypass our security.

In the next version of our desktop product, we will introduce some light-touch run-time behavior detection. This will further extend our belt & braces approach, all without burdening the system. Of course, it is important to remember that we'll have also issued specific protection very early in the process, given our visibility of threats across billions of webpages that are monitored every day.

Jeff:  Okay, thanks. Now, for a couple of final questions. How quickly is your turnaround time for new, fast-spreading malware? How quickly can I get new updates?

Mark:  We have labs in locations all over the world; we hand over from one office to the next in 8-hour shifts. We have people working 24 hours a day, 365 days a year. All analysis, testing, and publishing can be done from any one of these locations, which means we have one of the fastest response times in the industry (and of course I don’t need to get woken up in the middle of the night). On average it’s between 2 and 3 hours, but I’m working hard to bring that down even more.

Jeff:  What version of your product supports Windows Vista and when will it be available?

Mark:  In the next week we are releasing a new version of Sophos Anti-Virus, version 6.5, including the behavioral genotype technology we’ve been discussing, plus optional application control (that could be a whole other interesting topic to discuss). It will work on 32-bit and 64-bit versions of Windows Vista.

Jeff:  Hey, can you get me a copy for my home 64-bit version of Vista?

Mark:  Unfortunately we only sell to corporate customers, but as part of the licence, users are able to install on their home machines, so perhaps you should talk to your employer about who provides their desktop security products ;)

Jeff:  I'll do that ;-) Mark, thanks a lot for doing this with me. If I get any interesting questions from readers, I'll be sure to follow up with you.