Anti-virus (Sophos, FireEye)

Sophos

Sophos Antivirus protects your computers from the latest viruses from email, CD, floppy disk, network shares, instant messaging, web download etc. Using patented InterCheck technology, Sophos's "on-access" scanner provides constant real-time protection with minimal system overhead.

Please see the below link for further details on Sophos including download links.

https://www.it.ucla.edu/it-support-center/software-downloads/sophos-antivirus


FireEye FAQ:

What is the HX Agent?

FireEye HX Agent Endpoint Security is a software program that is designed to detect and analyze known and unknown threat activity on endpoints. The HX Agent provides detections through data-driven behavioral analysis, leveraging FireEye security intelligence. This intelligence is sourced from FireEye’s cloud resources, as well as on-campus FireEye sensors deployed across UCLA. It also delivers Endpoint Detection and Response by gathering detailed information on areas traditional endpoint solutions miss. 

What does the HX Agent do? / Why do we need this?

The HX agent delivers advanced detection capabilities that will help UCLA IT Security to respond to threats that bypass traditional endpoint technologies and defenses. It uses detailed intelligence to correlate multiple discrete activities and uncover exploits. Complete endpoint visibility is critical to identifying the root cause of an alert and conducting a deep analysis of a threat to determine its impact and risk.

The functions of the agent include the following:

1. Malware Detection/Protection (Not Supported for MacOS [10.9-10.11] or Linux)

FireEye's Endpoint Security Agent malware protection feature guards and defends your host endpoints against malware infections by automatically scanning all files (upon read/write/execution) on your host endpoint for malicious code. Malware includes viruses, trojans, worms, spyware, adware, key loggers, rootkits, and other potentially unwanted programs (PUP). Malware protection uses malware definitions to detect and identify malicious artifacts. 

2. File Quarantine

Malware protection has two components: malware detection and quarantine. Malware detection uses two scanning engines to guard and defend your host endpoints against malware infections: the Antivirus engine and the MalwareGuard engine. Quarantine isolates infected files on your endpoint and performs specific remediation actions on the infected file. This is similar to traditional off-the-shelf antivirus solutions.

3. Exploit Detection/Protection (Not Supported for MacOS or Linux)

Exploit detection uncovers exploit behaviors on your host endpoints that occur during the use of Adobe Reader, Adobe Flash, Internet Explorer, Firefox, Google Chrome, Java, Microsoft Outlook, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint. The following are examples of the exploit types that can be detected in these applications:

  • Return-oriented programming (ROP) attacks

  • Reverse shell attempts in Windows environments

  • Heap spray attacks

  • Application crashes caused by exploits

  • Structured Exception Handling Overflow Protection (SEHOP) corruption

  • Drive-by downloads of programs

  • Null page exploits

  • Microsoft Office macro-based exploits

  • Java exploits

  • Access token privilege escalation detection

  • First stage shellcode detection

4. Real-Time Indicator Detection

Threat activity intelligence is collected by FireEye and made available to the Endpoint Agent products as indicators of compromise (also referred to as indicators or IOCs) through FireEye’s Dynamic Threat Intelligence (DTI) cloud. Endpoint Security uses the Real-Time Indicator Detection (RTID) feature to detect suspicious activities on your host endpoints. RTID monitoring uses FireEye indicators to detect the following:

  • Unauthorized use of valid accounts

  • Trace evidence and partial files

  • Command and control activity

  • Known and unknown malware

  • Suspicious network traffic

  • Valid programs used for malicious purposes

  • Unauthorized file access

5. Host Containment (Not Supported for Linux)

The host containment feature is a function that will ONLY be performed with the approval of the IT Security Office manager and/or CISO in the event of a high severity detection, and when the Security Office is unable to engage the system administrator for immediate containment action. This function enacts a host firewall that will restrict all network access to the host with the intention of preventing lateral movement or data exfiltration by the threat actor.

6. Incident Response Triage Acquisition

This is a function that allows IT Security and FireEye analyst(s) to execute acquisition scripts on the host as they pertain to a detected threat. The scripts vary in content based on the operating system (OS). See the Data Acquisition Scripts section for specific details on the content.

What can the HX Agent see and who has access to it?

Under normal business operations, FireEye and UCLA IT Security will not access any data on a host. In the event of a detected security incident, the HX Agent has the ability to determine the following:

  • Which vectors an attack used to infiltrate an endpoint 

  • Whether an attack occurred (and persists) on a specific endpoint

  • If lateral spread occurred and to which endpoints

  • How long an endpoint(s) has been compromised

  • If intellectual property has been exfiltrated

This information is provided to FireEye and UCLA IT Security for investigation. No additional data can be reviewed without confirmation of an incident and specific authorization and approval through UCLA IT Security policy.

Equally, the console provides a full audit trail for any information that is accessed by FireEye or the IT Security Office. 

Where is the HX Agent being deployed?

The HX Agent is being deployed to all UCLA supported systems for added detection capabilities that will help IT Security quickly respond to advanced threats that bypass traditional endpoint technologies. The following operating systems are supported:

  • Windows 7, 8, 10

  • Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019

  • MacOS 10.9-10.15

  • Linux:
      • RHEL 6.8-6.10, 7.2+, 8+
      • CentOS 6.8-6.10, 7.2+, 8+
      • Ubuntu 14.04, 16.04, 18.04
      • SUSE 11.3, 11.4
      • SUSE 12.2, 12.3, 15
      • OpenSUSE 15.1
      • Amazon AMI 2018.3, AMI2
      • Oracle Linux 6.10 & 7.6

Will the HX Agent impact my application/system?

Each application and system is unique, and IT Security encourages all admins to install and test the agent in their own environment to validate that system and application performance remains acceptable. Thorough testing has been done to determine the full performance impact on each system prior to implementing to production.

What does it mean to contain a host?

Attacks that start at an endpoint can spread quickly through the network. After the identification of an attack, FireEye HX enables IT Security to isolate compromised devices via the containment feature from the management console in order to stop an attack and prevent lateral movement and data exfiltration. IT Security can then conduct a complete forensic investigation of the incident without risking further infection or data compromise.  

HX Administrator Questions

How do I verify the client installed properly and is running?

For all OS platforms, process(es) named ‘xagt’ should be running and network connections to either:  

IT Security Office can also validate the successful installation and check-in of the agent via the management console. Per the instructions in the Quick Start guide, please provide a list of assets to perform this validation.  
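As an added example (not UCLA's or FireEye's own tooling), the check above can be scripted: confirm a process named exactly `xagt` is running and that it holds an established connection to the DMZ console listed later in this FAQ (169.232.194.49 on 80 or 443). Treating that console as the only expected peer is an assumption; the sample `ps` and `ss` output is constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Assumption: the agent talks only to the DMZ console named in this FAQ.
CONSOLE_IP_RE='169\.232\.194\.49'    # HXDMZ-msa-01.fe.security.ucla.edu
CONSOLE_PORTS="80 443"

# Return 0 if a line of the given process-name list (one name per line,
# as produced by `ps -eo comm=`) is exactly 'xagt'.
xagt_running() {
    printf '%s\n' "$1" | grep -qx 'xagt'
}

# Return 0 if `ss -tn` style output holds an ESTAB connection whose peer is
# the console IP on one of the expected ports.
console_connected() {
    _conns="$1"
    for _port in $CONSOLE_PORTS; do
        if printf '%s\n' "$_conns" | grep -E '^ESTAB' \
             | grep -qE "[[:space:]]${CONSOLE_IP_RE}:${_port}([[:space:]]|\$)"; then
            return 0
        fi
    done
    return 1
}

# Print a verdict for each check; return 0 only when both pass.
verify_hx_agent() {
    _procs="$1"; _conns="$2"; _rc=0
    if xagt_running "$_procs"; then echo "OK: xagt process present"
    else echo "FAIL: no xagt process"; _rc=1; fi
    if console_connected "$_conns"; then echo "OK: connected to HX console"
    else echo "FAIL: no established connection to console on 80/443"; _rc=1; fi
    return $_rc
}

# Constructed sample output (not captured from a real host).
SAMPLE_PROCS="systemd
sshd
xagt
bash"
SAMPLE_CONNS="State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.1.2.3:51422       169.232.194.49:443
ESTAB  0      0      10.1.2.3:51430       93.184.216.34:443"

# Run against the local host with: sh verify_hx.sh --live
if [ "${1:-}" = "--live" ]; then
    verify_hx_agent "$(ps -eo comm=)" "$(ss -tn 2>/dev/null || netstat -tn)"
fi
```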

Does the system need to connect to the campus network in order to work?

The client is able to operate remotely via connection to the FireEye HX DMZ management console: HXDMZ-msa-01.fe.security.ucla.edu (169.232.194.49): 80, 443.

Does the client require a restart of the OS after/during installation?

IT Security recommends performing a reboot after install to kick off synchronization and initial scanning of running processes, though it may not always be absolutely required.

Will the software be able to quarantine files?

The HX agent will be able to quarantine files that are observed as malicious/suspicious once preventative mode is enabled. After a period of monitoring the solution in alert-only mode for potential false positives and tuning, the agent will be transitioned to preventative (blocking) functions. While the HX agent is in monitoring mode, be aware that the environment may not have protection controls in place. During this transition period, the IT Security Office recommends additional antivirus software or preventative tools to ensure there is no gap in security.

Will users receive a notification when something malicious or suspicious is detected? 

Users will receive a notification when something malicious or suspicious is blocked.  

Can we trigger a scan locally on the machine?

Upon initial install, FireEye HX will perform a baseline scan of the system's running processes for preexisting malicious artifacts. Active detection is set up on every read/write operation immediately after install, so manual scanning is largely redundant. This practice is similar to SentinelOne and other next-generation endpoint protection solutions.

Will the user or local IT admin be required for client updates?

Under most circumstances, local IT interaction will not be required once the agent is installed; the agent is able to update itself.

Will there be a console that can be accessed to see/manage the clients, generate reports, and remediate infections?

At this time, IT Security will be managing and monitoring the FireEye HX management console in tandem with the FireEye Security Operations team, which operates 24/7/365. There are currently no options for a tenant account within the FireEye HX console.

For systems that have an existing AV solution installed, does campus recommend the installation of HX in conjunction? 

System issues can arise if multiple AV products are running in blocking mode. During the initial rollout, FireEye will be running in detect mode. To stay fully protected, SentinelOne or Sophos can remain installed until FireEye HX prevent mode is turned on.

Note that the IT Security Office will discontinue licensing for SentinelOne and Sophos on the following dates:

  • Sophos: October 28, 2021

  • SentinelOne: May 31, 2021

Once blocking mode is enabled, however, the IT Security Office recommends the removal of any other antivirus software (e.g. SentinelOne, Sophos, etc.) from the environment. If the unit installs FireEye HX without removing third-party antivirus software, it is critical to ensure that all FireEye Endpoint Security processes/files are whitelisted/excluded from alerting in that software. Please reference "CHAPTER 10: Before You Install or Upgrade the Agent Software" within the Agent Deployment Guide in Box.

Will ITS automatically transition clients from detect mode to preventive?

Campus Leadership will determine a date to transition from detect mode to preventative mode. At this time, no official date has been announced. Prior to transitioning, IT Security will be monitoring the FireEye HX management console for potential false positives and baselining the platform to minimize system issues.