In that 20-minute time frame, the device ran a configuration test, registered itself with Sophos' network and updated to the latest software that was downloaded from the vendor's software repository. A reboot was required after the initial update.
One thing was a bit puzzling: after the reboot (during which, as a nice touch, the browser session never dropped) the device reported that updating was 100 percent complete. It wasn't. The only way to move forward and finish configuration was through an "Update" tab, and kicking off the update a second time started a fresh slew of downloads for the antivirus module.
But that's a minor quibble. After this last update, reviewers commenced with testing.
For testing purposes, client browsers were configured to use the WS1000's IP address as their proxy server. In a corporate environment this setting can be pushed out through Group Policy. Bear in mind that an explicit proxy setting only governs clients that honor it; blocking direct outbound Web traffic at the perimeter firewall is what actually keeps hosts from bypassing the appliance.
The management interface gives the de rigueur Dashboard view. Information on virus updates, Web traffic, bandwidth consumption and traffic patterns, such as spikes during the day, is all visible. Web traffic is represented in a gauge format, like a speedometer, with a throughput reading from 1 to 1,000 kbps. Latency is represented the same way on a scale from 1 to 1,000 ms. It is a quick and easy way to get an overview of bandwidth details and a nice change from the standard pie charts and graphs.
A feature that really caught our eye was the URL test. On this home page, there is a field in which a systems administrator could input a URL. The WS1000 will report back on that URL giving the category of site it falls under (for example, Gambling or Adult) and also will report the security risk for that site.
To test, reviewers entered the Web address of a known hacking site, which was correctly identified and classified as a high security risk. This is a great tool for an Admin to check on a site that he or she may be unfamiliar with and appropriately configure access or denial in the Web-filtering policies.
Although the dashboard is full of good information, it was difficult to see a way to customize it. An Admin may not need to have all the information displayed all the time.
The WS1000 really shines when it comes to scanning capability. Sophos Labs scans every day for high-risk sites and updates the product accordingly. Finding the latest threats is what this vendor is all about, and these folks take it very seriously. The WS1000's approach differs from reputation-based filtering, which can only block sites already known to be bad. Instead, Sophos uses what it calls Behavioral Genotype scanning, which aims to catch unknown and zero-day threats by analyzing content before it executes and judging what the code is built to do, rather than relying on what the code has already been seen doing elsewhere.
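To make the idea of pre-execution content analysis concrete, here is an added example (not Sophos' code, and not its Behavioral Genotype rules, which the review does not document): a small heuristic scorer that looks at a page's markup and script for patterns typical of drive-by attack pages, such as an eval() fed by a decoder or a zero-size iframe, and decides whether to deliver the page before anything in it runs. The feature list, weights, block threshold and sample pages are all assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Illustrative heuristic features for pre-execution analysis of a web page.
# The patterns and weights are assumptions chosen for this example; they are
# not Sophos' Behavioral Genotype rules.
FEATURES = [
    # eval() fed by a decoder is the classic unpacking stub of obfuscated scripts
    ("eval_of_decoded_string",
     re.compile(r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(", re.I), 3),
    # very long comma-separated char code lists hide strings from signatures
    ("long_charcode_list",
     re.compile(r"String\.fromCharCode\s*\((?:\s*\d{1,3}\s*,){20,}", re.I), 3),
    # zero-size iframes are a common way to pull in an exploit page unseen
    ("hidden_iframe",
     re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0", re.I), 4),
    # writing a <script> tag at run time to load remote code
    ("runtime_script_injection",
     re.compile(r"document\.write\s*\(\s*[\"']<script", re.I), 2),
    # header emitted by the widely used "p,a,c,k,e" JavaScript packer
    ("packed_js", re.compile(r"eval\(function\(p,a,c,k,e,", re.I), 3),
]
BLOCK_THRESHOLD = 4  # assumption: one strong signal or two weak ones


def score_content(body: str) -> Tuple[int, List[str]]:
    """Return the summed weight and the names of the features that fired."""
    hits: List[str] = []
    total = 0
    for name, pattern, weight in FEATURES:
        if pattern.search(body):
            hits.append(name)
            total += weight
    return total, hits


def verdict(body: str, threshold: int = BLOCK_THRESHOLD) -> Tuple[str, int, List[str]]:
    """Decide whether to deliver the page to the client before it runs."""
    total, hits = score_content(body)
    return ("block" if total >= threshold else "allow"), total, hits


# Constructed sample pages (not captured traffic).
BENIGN_PAGE = """<html><body>
<script>
  function init() { document.getElementById("msg").textContent = "hello"; }
  // legitimate use of char codes: a copyright sign, no eval involved
  var sym = String.fromCharCode(169);
</script>
<p id="msg"></p>
</body></html>"""

DRIVE_BY_PAGE = """<html><body>
<iframe src="http://exploit-kit.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
<script>eval(unescape('%61%6c%65%72%74%28%31%29'));</script>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("drive-by", DRIVE_BY_PAGE)):
        print(label, verdict(page))
```

The benign page scores zero even though it uses String.fromCharCode, because the scorer keys on how a construct is used (decoder output passed straight to eval) rather than on its mere presence; the drive-by page trips both the decoded-eval and hidden-iframe features and is blocked before the client ever parses it. A production engine would of course emulate or parse the script rather than pattern-match it, but the decision point is the same: the verdict is reached before execution.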
Sophos' research labs make the claim that one in five Web sites are being infected every five seconds and that this figure is up from their finding last year of every 14 seconds. Seventy-eight percent of hacked sites, per the vendor, are legitimate sites.
This, Sophos argues, is the very heart of why its scanning technology is more effective than reputation filtering: at these rates, reputation filters cannot keep up with the latest infected sites. Sophos' filters were able to detect the recent "Storm Worm" when other solutions had failed.
The WS1000 provides full content scanning in both directions: outbound requests are inspected as they leave the network, and the data coming back from the Web server is scanned in real time, which added very little latency during testing.
The appliance also performs true file-type scanning, identifying a file by its actual content rather than trusting its extension, so that an executable renamed to look like an image or document cannot slip past the filter.
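As an added example of what true file-type detection means in practice (this is illustration written for this review, not the appliance's engine), the following checks a download's leading bytes against a small table of well-known magic numbers and compares the result with what the file's extension claims. The signature table, the extension map, the policy of blocking executables and the sample files are all constructed assumptions.

```python
import os
from typing import NamedTuple

# Constructed signature table (assumption): a few well-known magic-byte
# prefixes. A real engine carries far more and parses container formats.
SIGNATURES = [
    ("pe-executable",  b"MZ"),
    ("elf-executable", b"\x7fELF"),
    ("pdf",            b"%PDF-"),
    ("png",            b"\x89PNG\r\n\x1a\n"),
    ("jpeg",           b"\xff\xd8\xff"),
    ("gif",            b"GIF87a"),
    ("gif",            b"GIF89a"),
    ("zip",            b"PK\x03\x04"),
]
# What each extension claims to be; extensions not listed make no claim.
EXTENSION_CLAIMS = {
    ".exe": "pe-executable", ".dll": "pe-executable", ".scr": "pe-executable",
    ".pdf": "pdf", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
    ".gif": "gif", ".zip": "zip",
}
BLOCKED_TRUE_TYPES = {"pe-executable", "elf-executable"}  # policy assumption


class Verdict(NamedTuple):
    action: str        # "allow", "warn" or "block"
    true_type: str     # what the bytes say
    claimed_type: str  # what the name says
    reason: str


def sniff_type(data: bytes) -> str:
    """Identify the file type from its leading bytes, ignoring the name."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def check_download(filename: str, data: bytes) -> Verdict:
    """Apply the policy to the true type; the extension is only a cross-check."""
    true_type = sniff_type(data)
    ext = os.path.splitext(filename.lower())[1]
    claimed = EXTENSION_CLAIMS.get(ext, "unknown")
    if true_type in BLOCKED_TRUE_TYPES:
        return Verdict("block", true_type, claimed,
                       f"executable content served as {filename!r}")
    if claimed != "unknown" and true_type != claimed:
        return Verdict("warn", true_type, claimed, "content does not match extension")
    return Verdict("allow", true_type, claimed, "")


# Constructed sample downloads (not real files).
SAMPLES = {
    "photo.jpg":  b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # PE header, renamed
    "setup.exe":  b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "cat.gif":    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,            # PNG bytes, .gif name
    "notes.txt":  b"just text\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, check_download(name, data))
```

The renamed executable is blocked on the strength of its MZ header alone; the filter never consults the .jpg extension to reach that decision. The PNG served as .gif is only a mismatch, which is worth logging but is not itself dangerous, and the text file, which neither its name nor its bytes claim to be anything in particular, is allowed.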
The WS1000 features built-in reporting. Reports can be set up to go back to Sophos for analysis or can be sent directly to a VAR.
Although Sophos has put out a pretty impressive product with the WS1000, the company is not resting on its laurels. Updates are planned to extend the WS1000's content-filtering capabilities. One such enhancement is dynamic detection of anonymizing proxies: as traffic passes through the appliance, the feature will be able to tell whether a request is really being relayed through an anonymous proxy. Such proxies are hard to catch with static lists because new ones appear constantly and vanish just as quickly. Another upgrade soon to come is the ability to scan HTTPS content. Until it ships, the contents of encrypted sessions pass through the WS1000 uninspected, and administrators should expect HTTPS inspection to require a certificate that client browsers trust, since the appliance has to terminate the TLS session to see inside it.
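One dynamic signal that a request is going through an anonymizing CGI proxy, rather than to the site the user appears to be visiting, is that the real destination travels inside the request itself: as a query parameter (plain, percent-encoded or base64-encoded) or as a URL appended to the path. The following added example (written for this review, not Sophos' forthcoming feature, whose method the review does not describe) extracts such nested URLs from request lines; the encodings handled, the parameter names and the sample requests are assumptions.

```python
import base64
from typing import Iterator, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit


def looks_like_url(text: str) -> bool:
    """True if text parses as an absolute http(s) URL with a host."""
    try:
        parts = urlsplit(text.strip())
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def decodings(value: str) -> Iterator[str]:
    """Yield the raw value and the decodings CGI proxies commonly use
    (assumption: percent-encoding and base64; other schemes are left out)."""
    yield value
    yield unquote(value)  # catches a second layer of %-encoding
    padded = value + "=" * (-len(value) % 4)
    try:
        yield base64.b64decode(padded).decode("utf-8", errors="ignore")
    except ValueError:    # binascii.Error is a ValueError subclass
        pass


def find_nested_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (where, target) if the request carries another URL as its target."""
    parts = urlsplit(url)
    # Some proxies put the target straight into the path: /http://target/...
    for cand in decodings(parts.path.lstrip("/")):
        if looks_like_url(cand):
            return ("path", cand)
    # Others pass it as a parameter, e.g. browse.php?u=... or index.php?q=...
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for cand in decodings(value):
            if looks_like_url(cand):
                return (key, cand)
    return None


def is_cgi_proxy_request(url: str) -> bool:
    return find_nested_url(url) is not None


# Constructed sample requests (not captured traffic); "blocked.invalid" stands
# in for a site the filtering policy denies.
SAMPLE_REQUESTS = [
    "http://proxy.invalid/browse.php?u=http%3A%2F%2Fblocked.invalid%2F&b=0",
    "http://proxy.invalid/index.php?q="
    + base64.b64encode(b"https://blocked.invalid/").decode(),
    "http://proxy.invalid/http://blocked.invalid/news",
    "https://www.example.com/search?q=network+security&page=2",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(is_cgi_proxy_request(req), find_nested_url(req), req)
```

The nested target, once recovered, can be run through the same category and risk lookup the dashboard's URL test uses, so a request to blocked.invalid is denied whether it arrives directly or wrapped in a proxy request. Treat the signal as a candidate rather than a block-on-its-own rule: legitimate redirect and link-tracking parameters also carry full URLs and will match.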
Next: ContentWatch ContentProtect Security Appliance CP100
