Q. What is the average size of a typical malware file?
Of course there is no definitive answer to this question, and different kinds of malware can have vastly different sizes, but for those wanting an answer I ran a quick calculation over some of SophosLabs’ monthly collections of malware samples.
Going over the best practices for configuring your threat protection policy for Intercept X in Sophos Central. Attend our webinar March 31st, 2021 at 2pm EST/11am PST, to learn about different configuration scenarios to configure for! Sophos stops everything malicious and provides us with alerts, so we can respond quickly—and that’s worth its weight in gold.” Cliff Hogan, CIO, D4C Dental Brands Switching to Sophos Central was a simple transition and 80% of the work was carried out within just one week.”.
In January 2005 the average size of a malware sample was 126 kB. In June 2010 it is 338 kB.
This growth in size is pretty much what one would expect, and can be for several reasons. Long gone are the days of hand crafted assembler code designed to be as small as possible. As computer memory, disk space and internet bandwidth grow, so does the output of a typical compiler. Software libraries become larger, and software (both legitimate and malicious) tends to contain increasing amounts of complexity and functionality.
Q. Can you give some examples for specific kinds of malware?
Mal/Dloadr-Y is a downloading Trojan with functionality to change firewall settings, download a configuration file from a remote website, then download further malware as dictated by the configuration file. Samples of Mal/Dloadr-Y are typically 25 kB to 30 kB in size.
FakeAV Trojans are rogue anti-virus applications that display fake infection warnings to try and scare users into paying for cleanup. There are many different families of FakeAV, and even within a family there can be a large variation in size. For example, samples of Mal/FakeAV-DO range from about 300 kB to over 1 MB. These variations are partly because FakeAV authors frequently change packing or encryption techniques. Furthermore, in some cases each sample contains random amounts of junk data in an attempt to evade detection.
Viruses, although often relatively small in themselves, can infect legitimate applications of any size. For example, a typical variant of W32/Scribble-B contains about 20 kB of viral code, but infected applications can be just a few kilobytes or many megabytes in size.
W32/Scribble-B also injects a malicious iframe into htm, php and asp files. The iframe is just one line of html (about 80 bytes) but the infected web pages can be of any size. However, the iframe is always added at the end of the file, so it is easy to find and is detected as Troj/Fujif-Gen.
Q: As Malware gets larger, does Sophos’ scanning get slower?
From a customer point of view, this is the wrong question. Whilst SophosLabs has an ever increasing collection of malware (and increasingly powerful hardware to extract and analyze lots of data from it) the existence of malware on a customer machine should be a pretty rare thing. If the virus engine spends a few milliseconds identifying a malicious file that is no big deal. What matters is that it scans over a typical clean file in not milliseconds but microseconds. So the real question is: as legitimate software gets larger does SAV get slower?
Actually, individual file size has very little impact on Sophos’ scanning speed. Here in the labs we put a great deal of thought into optimizing the performance of our detection identities. Instead of linearly scanning through whole files for fixed patterns, each identity targets only those parts of the file where it needs to look.
To take an analogy, suppose you have misplaced your cell phone. Rather than starting at one end of the house, and slowly working your way to the other, searching everywhere with a fine comb, you probably stop and think: Where am I most likely to have left it? Where did I last use it? Where have I been since then? There is no need to check the attic if you haven’t been up there all week. Quite quickly you will identify the most important places to look. Even better, if you have access to another phone you can call your cell phone, and listen out for where it is ringing from.
Sophos’ identities use all sorts of shortcut techniques like that. For an executable file, one obvious place to check is the point from which code execution begins. The virus engine automatically loads some of this code, and many identities start by checking it. If it doesn’t match an expected pattern then it doesn’t matter whether the file is 10 kB or 10 MB, many identities don’t need to look any further. Even identities designed to detect such nasties as polymorphic (changes every time, so there is no fixed pattern to look for), mid infecting (viral code is not at the entry point) viruses use a clever combination of emulation and statistical pattern checking to only scan in a few key places.
Q: Is there an upper limit on the size of file SAV scans?
I was quite surprised to learn that some AV scanners have quite stringent limits like this, presumably in order to optimize their scanning performance. Some even have a configurable global setting where you can chose between a low limit (better performance, but risks missing some malware) or a higher one (finds more malware, but slower scanning.)
That is far from ideal. We have already seen how different malware families tend to have different sizes. So in SAV, instead of a global file size limit, each individual identity can (if necessary) specify appropriate limits according to the kind of malware it is trying to detect. As we have already observed, an identity to detect a virus has to scan files of any size, but can be optimized by knowing what to look for and where to look. Meanwhile, many generic identities to detect particular malware families can make use of size optimizations. A typical family of internet banking Trojans might be, say, between 3 and 4 MB. That is just one of several pieces of information that an identity might use to quickly eliminate 99.9% clean files from further scanning. Further investigation will only happen on those files that warrant it.
If we start to see new variants of that family increasing in size then SophosLabs can at any time issue an update with new size ranges. Similarly we can update many other checks to reflect the changes we are seeing. That is the reason why many of our generic detections ask customers to send in samples. Even when we proactively detect a new sample, we want to keep monitoring trends and staying one step ahead of the game.
So Sophos customers do not need to worry about typical size of malware files, nor do they need to worry about setting file size limits. SophosLabs is always monitoring the trends, and making any necessary performance decisions for you.
With the recent launch of SAV 9.5 the labs are getting more data than ever before. Whenever a generic identity detects a file, the size of that file is one of the key pieces of data that can be automatically sent back to SophosLabs. Automatic feedback only happens if customers consent to that option, but we have been very pleased by the number of customers turning it on. Sophos is already a leader in proactive detection, and with this new feedback data we can fine tune that detection to be even better! Thank you for helping us to help you.
In this tutorial, we will show you how to set up the Sophos Connect Client for your employees as a Sophos Firewall administrator. This requires SFOS 17.5 or later.
Sophos Connect Client - Series
This article is part of a series that will give you all the knowledge you need to get started with the Sophos Connect Client.
- How to configure Sophos Connect Client on XG Firewall (SFOS)
Log on to your XG firewall as an administrator and go to the
Sophos Connect Client page from the menu. On this page we will now go through the settings in 12 steps and make the necessary adjustments.
Also note the following graphic with the steps drawn so that you can follow the instructions more easily:
1. Activate Connect Client
It’s easy to get started. Check the box to enable the Sophos Connect client service.
Sophos Fully Synchronized, Cloud-Native Data Security
2. Select Interface
In this step, you will need to select the interface on which you want the traffic to arrive on Sophos. This is usually a WAN interface with a public IP address. If you have multiple WAN interfaces because you have more than one internet provider, choose either the faster one, the more reliable one, or the one with less traffic. Decide for yourself which criterion is most important to you.
3. Authentication type
You can choose two options here:
- Preshared key - Define a password yourself.
- Digital certificate - Select a certificate with this option.
4. Define Preshared Key
For this tutorial we decided to use the method with Preshared key, which has to be defined here. If you have chosen the Digital certificate method, you can select a certificate from your appliance at this point.
5. Local ID (optional)
If you have multiple tunnels, you can define a local identification here so that the correct tunnel can be identified. There are the following options:
- IP address
- Certificate (only if you have chosen the digital certificate at step 3)
6. Remote ID (optional)
Here you can make the same selection as in step 5.
7. Allowed user
If you have already captured users on your XG, or if you have synchronized the entire Active Directory, you can select the users/groups that can use the Sophos Connect Client here.
Define a name for this IPsec connection here. In our example we called the connection homeoffice.
9. Assign IP from
The firewall assigns an IP address via DHCP to all users connecting via the Sophos Connect Client. In this step, you can define the IP range to be assigned. Select a range here which is not yet used on the firewall.
10. DNS Server
It is often the case that VPN users want to connect to internal servers. For this it is a good idea to work with the FQDNs like in a corporate network. Enter your internal DNS server here.
If you don’t have an internal DNS server or don’t need this function, you can also specify an external DNS server, like for example:
- Cloudflare: 188.8.131.52 and 184.108.40.206
- Google: 220.127.116.11 and 18.104.22.168
- Quad9: 22.214.171.124 and 126.96.36.199
- OpenDNS: 188.8.131.52 and 184.108.40.206
11. Session Timeout
Experience shows that users do not always consistently disconnect a VPN connection when it is no longer needed. Here you can decide for yourself how you want to handle open connections. The Sophos Connect client gives you the option of automatically disabling the connection when there is no more traffic after a certain amount of time. In our example, we have configured the following:
- Disconnect when tunnel is ide: activated
- Ide session time interval: 120 seconds
This will automatically close the connection from Sophos Firewall if no traffic has been registered by the client for 2 minutes.
To save your settings now, all you have to do is click on
Set firewall rule
So that the firewall now also allows the data traffic of VPN users, a firewall rule must be set up for this. Switch to the
Firewall page via the menu and click on
Add firewall rule >
user/network rule. Take a look at the following screenshot and try to set the rules the same way.
- Source Zone: VPN
- Destination Zone: LAN
Sophos Golden Image
By default, the Sophos Connect Client routes all traffic through the IPsec tunnel. This means that Internet traffic is also sent through the tunnel. We first have to allow this on the firewall and then create another rule.
- Source Zone: VPN
- Destination Zone: WAN
After you have configured the Sophos Connect Client on your XG firewall using this guide, you may want to continue right away and download and install the Connect Client for Windows or macOS next.