Sophos ESC - Antimalware/Antivirus like the old days?

Discussion in 'other anti-virus software' started by Mayahana, Mar 7, 2015.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I've been running Sophos UTM 9.3 as my Gateway/NGFW (Layer Eight) on my network. Now it includes the ability to deploy up to 10 Endpoints managed from the gateway. Since the majority of the 'backend' is routed through the server hardware it's exceptionally light, and centrally managed by the Sophos UTM itself.

    It includes both Sophos and Avira engines in Realtime, and a fantastic HIPS. NO BLOAT.. Nothing other than Web Protect, Antivirus, and HIPS. Also there is a built-in Reputation and PUA/PUP detection capability. Very impressive. For those looking for a feather light, yet strong system, this may be worth checking out. But you will need to run Sophos UTM 9.3 on your home network, though that runs on any old dual core box you have sitting around.
     


  2. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    So far this is the lightest AV I have ever seen. Even lighter than Norton and Trend 2015. Total RAM use is 175 MB, but also some of the tasks seem to be offloaded to the Sophos UTM, which may account for how utterly light it feels. You can easily make exclusions/adjustments from the console within the UTM to deploy to all clients. The system also uses a cache based architecture: the longer it runs, the faster it becomes. There is an option to purge the cache, and restore it for the entire system. (handy)

    PUA/PUP detection seems fabulous.
    Reputation System is built in now, and is based on the cloud backend of Sophos.
    HIPS is included.
    Interface is clean, simple, no extras - exactly what you need.
    Web Filtration is .. AMAZING. It's tied directly into the UTM appliance, taking rules from the UTM.
    Advanced Options are amazingly granular, you can tweak 'every' aspect of this product.

    One of the sweetest features is you can control almost anything the machine accesses from the UTM. So if you want to block USB drives, you can. If you want to block bluetooth, it's a click away. So far color me amazingly impressed with this dual engine solution. It's how I remember AV's being in the past, with modern enhancements, and NONE of the 'junk' cluttering it up.. Lean and Mean.
     


  3. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,013
    Location:
    on my zx10-r
    Wish they would release something like this as a stand alone for use without the UTM. I'm sure many people would love something like this. Though then it might not be as light.
     
  4. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    127
    And a UI from Windows XP era. :p

    Just kidding.

    How much does it cost? Sophos doesn't seem to devote much to the personal security market..
     
  5. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    393
    The UTM is free for personal use with up to 50 protected IPs on your LAN, and it includes 10 free endpoints.
    But as you understand you have to install the firewall on a standalone computer to take advantage of this.

    /E
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's totally free FOR LIFE for up to 10 computers. All you need to do is install the free UTM on a spare old system in your home to take advantage of it.. Nothing else! Also, due to the advanced caching system, I think that is the reason it feels so featherweight.
     
  7. Arsenal

    Arsenal Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    26
    Currently using pfSense as our firewall/router in our office, and the Sophos UTM does sound pretty good from the description above. There are only 6 of us, so the 50 IP limit would be fine normally, however I would imagine that on occasion we might run close to it temporarily while setting up multiple new machines/VMs and with mobile devices. My question is, what happens when the 51st IP is assigned by our server? Does the UTM just not allow any WAN access to that and any subsequent devices, or is there some sort of short term grace period?
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Standard procedure for such things is to allow a temporary grace period. Similar to Untangle - you can actually 'consistently' go over it, as long as it's not abusive.

    I am really liking the managed endpoint AV as well. It's powerful, and super light!
     
  9. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    393
    But then again I think it is only allowed in home environments.
    Not for business use; they have a slimmed down version that is completely free for all, but it lacks a lot of features.

    https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophosessentialnetworkfirewalldsna.pdf?la=en.pdf

    /E
     
    Last edited: Mar 9, 2015
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I can confirm this works perfectly on Windows 10. Installed, updated, ran scans, and has been operational for 2 days on a Win10 machine with no issues whatsoever. So that's good news.

    I'm really impressed with this product. The 'suspicious' and 'pua' categories catch EVERYTHING.. In fact, PUA may catch too much at times, preventing download/installation of virtually anything with bundled junk. For me, I love that, but you can easily enter exclusions on the UTM which are then pushed out to the endpoints.
     
  11. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    127
    That's cool, really.
     
  12. Arsenal

    Arsenal Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    26
    Hmm fair enough, guess I'll stick with pfSense then. Really dislike Sophos' POA approach, I have no interest in being badgered by a salesperson when all I want is to have a vague idea what things cost.
     
  13. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Sophos UTM is very powerful, Layer 8 FW with ATP and WAF. Pfsense is a joke in comparison, same with Untangle.

    But yes, only free for the home.. Expect to pay if you are deploying to a business. But with the power it offers, it's worth it IMO. For the home? It's the equivalent of a 5 figure appliance.
     
  14. Arsenal

    Arsenal Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    26
    Our office is only the two of us, we share the space and pfSense box with another non-IT company with 4 users. Sophos UTM would have to be awfully cheap for us to consider using it over pfSense, which given my past experience with Sophos I'm going to assume it isn't. At some point when I have an old mini-ITX system I might take it home and see what the fuss is about re Sophos, but for now I'll just ignore it.
     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    They'd probably not know it was in such a small office to be honest. I think they don't even care unless you go over 50 users.. I can't verify, but how would they possibly know?
     
  16. Arsenal

    Arsenal Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    26
    So I took the plunge and ran this up on a spare HDD in the pfSense box last night and am pretty impressed with the interface, however my experience with Windows 10 (x64 build 9926) support from the Endpoint sadly doesn't match yours. Any time I open a web browser (Firefox and Chrome) with it installed, the Win10 VM reboots. Not that it really bothers me as I don't demand things to work with a pre-release OS, still interesting that it doesn't match your experience.
     
    Last edited: Mar 11, 2015
  17. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I'm running Win10 on a full system, not a VM, maybe that's why? Not a single issue in a week running the Endpoint on a Win10 box. (non-VM)
     
  18. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,013
    Location:
    on my zx10-r
    This is actually running very nicely IMO. Going to mess around with it some more, but overall it's pretty darn nice. I wish more companies would go back to the old days lol
     
    Last edited: Mar 12, 2015
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Agreed.. It has some huge positives;

    1) Old style HIPS. (quiet when it should be, loud when it needs to be)
    2) Solid PUA/PUP Detection.
    3) Good Signatures.
    4) Good Heuristics.
    5) NO extras! (no toolbars, no optimizers, NOTHING)
    6) Simple interface, amazingly deep features for advanced users.
    7) Lightweight. No resources wasted on fancy menus, extra junk.

    I can find nothing to complain about! This is how I remember the good ole' days - products focused on what they need to be focused on, and not trying to be all things to all people. I am rolling with this solution now. So far about a week out with it, and nothing we can find to dislike!
     
  20. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    One question, is Sophos EP just an option? I may use Sophos UTM after I build a new fan-less barebone, but I don't want to use their AV for PC or other devices as I prefer a layered approach with different AVs.
     
  21. Arsenal

    Arsenal Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    26
    A possibility I suppose, although on the face of it I wouldn't have thought that Win10 running under Parallels should be any different to Win8.1 under Parallels from an AV point of view. Might fire up a Win8.1 VM and test it, just for curiosity's sake.
     
  22. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's totally optional, of course.. But I choose to have full 'control' over desktops/laptops in this home that I own. Also it's extremely light, easy, and effective. Remember, Sophos endpoint uses HIPS as well.. UTM has Sophos+Avira for a blended solution. Ideally, you are probably better off with a blended solution on the endpoints, as Sophos UTM (Avira+Sophos), and Trend for example, would be unprecedented protection.

    In fact, despite my absolute love for the Sophos ESC, I think layering it with Trend might be stunning. However I don't think I really need it with 2 engines + Web Filtration on the gateway. I could probably go AV-Free safely right now.
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I've elected to use this ESC on non-essential, 'spare' computers.

    Keeping Trend 2015 on primary machines, since I have Sophos UTM deployed which has Avira+Sophos, and advanced URL scanning. This is a good layered solution, no real reason to have double Sophos scanning. Trend provides a remarkable level of security without any system weight, and greatly enhances the UTM.
     
  24. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,261
    Location:
    Netherlands
    I know there are NIDS on UTM, but have not heard of HIPS ("The programs don't execute on the UTM, but on the clients in the network"). Are you sure it is a HIPS, or does it look for patterns like SNORT uses its rules to determine intrusion patterns? Could you post some pics of the "HIPS" settings?
     
  25. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    127
    I think HIPS is included in the endpoint software...
     