Crowdsourcing threat intelligence with download reputation

SophosLabs

Last week, we mentioned that application control is now available as part of a Sophos Cloud public beta. The beta also introduces a new next-generation endpoint protection feature called download reputation.

While it may not sound flashy, download reputation is an important step forward in protecting users from advanced threats, like zero-day malware designed to evade traditional antivirus defenses.

Download reputation crowdsources threat intelligence by drawing on the experience of our global customer base to help determine a file’s reputation. In other words, every user with download reputation enabled helps contribute to the collective security of our customers.

Let’s take a look at how download reputation works.

When a user tries to download an executable file from a supported web browser, download reputation asks SophosLabs for information about the file. If the file is known to be malicious, it will, of course, be blocked. If the file is not known to be malicious but has a low reputation — or no reputation at all — the user will be prompted and asked whether to block or allow the file.

Download reputation

So how do we determine a file’s reputation? SophosLabs looks at a combination of a file’s prevalence (how common it is), its age (older files are less likely to be unidentified threats), and the URL from which the file was downloaded. Layered atop this objective information is an important subjective measure: of the users who have been prompted about the file, how many of them blocked it and how many allowed it? If most users allowed the file, it might indicate that this is a legitimate download from a reputable source. If many users blocked the download, perhaps it indicates that users were feeling pressured or deceived into saving the file.
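To make the decision flow and the scoring described above concrete, here is an added Python example. It is not Sophos code and says nothing about how SophosLabs actually weights these signals; the record layout, the weights, the thresholds and the sample files are all assumptions chosen to illustrate how prevalence, age, download URL and crowd block/allow verdicts can combine into a block / prompt / allow decision. It also shows one caveat a practitioner would want: a handful of early "allow" clicks should not be enough to vouch for a file, so the crowd signal uses a confidence lower bound rather than a raw ratio.

```python
"""Illustrative download-reputation policy (added example, not Sophos code).

Weights, thresholds and the record layout are assumptions chosen to
demonstrate how the signals named in the post can be combined.
"""
from dataclasses import dataclass
from math import sqrt


@dataclass
class FileRecord:
    sha256: str            # identifier of the executable (placeholder values below)
    known_malicious: bool  # already detected by signatures or lab analysis
    prevalence: int        # distinct endpoints that have seen the file
    age_days: int          # days since the file was first seen
    url_reputation: str    # "good", "unknown" or "bad" for the download source
    allowed: int           # prompted users who chose Allow
    blocked: int           # prompted users who chose Block


def crowd_score(allowed: int, blocked: int, z: float = 1.96) -> float:
    """Lower bound of the Wilson score interval for the allow fraction.

    With only a few verdicts the bound stays low, so three early allows
    cannot make a brand-new file look trustworthy.
    """
    n = allowed + blocked
    if n == 0:
        return 0.0
    p = allowed / n
    denom = 1 + z * z / n
    centre = p + z * z / (2 * n)
    margin = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / denom


def reputation(rec: FileRecord) -> float:
    """Combine objective signals with the crowd verdict into a 0..1 score."""
    # Objective part: prevalence and age each contribute up to 0.25 and
    # saturate, so one huge value cannot dominate the score on its own.
    prevalence_term = min(rec.prevalence, 10_000) / 10_000 * 0.25
    age_term = min(rec.age_days, 90) / 90 * 0.25
    url_term = {"good": 0.2, "unknown": 0.0, "bad": -0.3}[rec.url_reputation]
    # Subjective part: what users who were prompted actually did.
    crowd_term = crowd_score(rec.allowed, rec.blocked) * 0.3
    return max(0.0, min(1.0, prevalence_term + age_term + url_term + crowd_term))


def decide(rec: FileRecord, allow_threshold: float = 0.6) -> str:
    """Return 'block', 'prompt' or 'allow' following the flow in the post."""
    if rec.known_malicious:
        return "block"          # known bad: blocked outright, no prompt
    if reputation(rec) >= allow_threshold:
        return "allow"          # well-established file: runs without a prompt
    return "prompt"             # low or no reputation: ask the user


# Constructed sample records; the hashes are placeholders, not real files.
SAMPLES = [
    FileRecord("sha256:known-bad-placeholder", True, 12, 1, "bad", 0, 0),
    FileRecord("sha256:brand-new-placeholder", False, 3, 0, "unknown", 0, 0),
    FileRecord("sha256:established-placeholder", False, 25_000, 400, "good", 500, 5),
    FileRecord("sha256:widely-blocked-placeholder", False, 10_000, 90, "unknown", 20, 400),
]


def evaluate_samples() -> dict:
    """Decision for each constructed sample, keyed by its placeholder hash."""
    return {rec.sha256: decide(rec) for rec in SAMPLES}


if __name__ == "__main__":
    for sha, verdict in evaluate_samples().items():
        print(f"{verdict:6}  {sha}")
```

The last sample is the interesting one: it is common and old, so the objective signals alone put it close to the allow threshold, but because most prompted users blocked it, the crowd term adds almost nothing and it stays at "prompt". That is the early-warning case the post describes, where a file nobody has detected yet is being rejected by users and deserves a closer look by analysts.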

This crowdsourced approach to download reputation protects customers from advanced threats in two important ways. First, it closes the gap between known or suspected malware, which we can block with confidence, and known safe files, which we feel confident allowing to run. Second, it gives SophosLabs early warning if a new threat has emerged that is currently evading detection. This gives the Labs a chance to analyze the file further and develop new detection capabilities if needed.

Try download reputation in Sophos Cloud

Would you like to join the beta of download reputation and application control? If you’re an existing Sophos Cloud customer, just select “Beta Programs” from the “Account” drop-down menu in the Cloud console.

Not yet a customer? Try Sophos Cloud for free, and you can join the beta as described above. If you’re using our on-premise Endpoint Protection, download reputation is expected to make its way to Sophos Enterprise Console later this year.
