[German]Actually, antivirus vendors should be happy when attentive users submit malware samples that are not detected by their scan engines so far. Especially if it is known that it is a malware file, a quick reaction is recommended. An administrator emailed me a case before Christmas that, at least in this process, raises doubts about whether it makes sense to submit samples.
Advertising
German blog reader Michael U. is an administrator and recently came across some malicious software that was not detected by his Sophos virus scanners. The normal person thinks "I'll submit the file to their support, they'll look over it and include this in the virus signatures". But far from it, as Michael wrote me via email on 12/23/2021:
… as a diligent reader of your blog I know the one or other story, but this time the following happened to me.
I had sent a virus sample to Sophos in 2021-10-19 which was not yet detected by their scanner. Instead of analyzing this sample and adding it to their database, Sophos for some reason opened a support ticket by itself.
I have seen the mail correspondence with Sophos support, who responded to the submission of the malware sample by opening a ticket, but did nothing further.
Hi Michael,
Submitted file is malicious ppt file
PPT file having macro which try to connect urlDetection add " Troj/PptDl-IQ"
Detection will publish in next alertThank you for contacting Sophos.
Only after Michael checked several times did the above mail arrive at some point, in which it was acknowledged that it was a malicious PowerPoint document with a Trojan. Michael wrote me about this:
Finally it took almost a week until this malware was detected by the Sophos scanner.
A very long time in my opinion, because nowadays malware can spread very quickly and cause a lot of damage if it is not detected by the appropriate antivirus programs.
At that time Sophos explained to me ("due to an internal issue, submission team was not able to accept samples from their end.") that there was an internal error and therefore the sample was not processed. So far so good, bugs happen and if they are fixed and the problem does not occur in the future then everything is fine.
But unfortunately this still seems to be the case, because on Monday of this week I sent again two samples with potential malware to Sophos, which have not been analyzed by Sophos until today (Thursday).
It is not possible to reply to the old support ticket (why doesn't it just reopen automatically?) and opening a new one via support@sophos.com is not possible either.
In the first automatic reply email, I am referred to https://sophospartner.force.com/support/s/, but I cannot log in there, even though I have a Sophos account as a Sophos customer. I then had to re-register there and have been waiting for someone to unlock me since then.
So at the moment I have no way to send a written request to Sophos. Actually, Sophos should be happy if an attentive admin sends them dangerous samples and they analyze them as soon as possible and add them to their database. Instead, they also make it particularly difficult to get in touch with Sophos.
Even Microsoft's free antivirus scanner already detects these two files (here and here). I really wonder what advantage a "professional" antivirus solution, which does not cost so little money, has over Microsoft's scanner, apart from the central administration.
Michael says: The fact that their support is not easily reachable via e-mail and that you can't express your displeasure there is particularly frustrating. Thanks to Michael for the information. Question in the round: Are there similar experiences?
