Using Sophos to Eradicate Malware with Cloud Storage Security

Amazon Simple Storage Service (Amazon S3) is widely used to run cloud-native applications, build data lakes, archive data, and back up critical data. It houses over 200 trillion objects, which makes it an attractive target for attackers.

As cybercriminals develop more sophisticated malware, they also find new targets and new ways of distributing it. In addition to securing traditional avenues and existing security layers, you need to consider the security of the data that flows through Amazon S3.

As a data owner, it is critical to take steps to protect the data for which you are responsible, so that the entities accessing and using that data are protected from malicious files. Under the AWS Shared Responsibility Model, this is your responsibility.

One way you can do this is by scanning and analyzing the data in Amazon S3 for threats such as viruses, ransomware, and trojans with Antivirus for Amazon S3 by Cloud Storage Security.

Antivirus for Amazon S3 leverages the power of Sophos to identify and analyze malware at petabyte scale across all S3 buckets; it uses:

  • Sophos' award-winning anti-malware technology, the Sophos Antivirus Dynamic Interface (referred to herein as Sophos Anti-Malware Engine)
  • SophosLabs Intelix™, which analyzes files in real time using static and dynamic analysis when it is unclear whether they are truly a problem

In this article, we discuss the advantages of using Sophos within Antivirus for Amazon S3 to detect and detonate potentially malicious files in order to keep your customers, partners and employees safe.

It’s important to point out that organizations cannot use Sophos products unless they have an original equipment manufacturer (OEM) partnership with Sophos. The partnership between Sophos and Cloud Storage Security is, in part, what makes Antivirus for Amazon S3 stand out from other solutions and a do-it-yourself development.

Proactively Stop More Threats

Organizations from around the world are using Antivirus for Amazon S3 to catch infected data, with 9 out of 10 Cloud Storage Security enterprise customers, and all public sector customers, choosing to use the Sophos Anti-Malware Engine as part of their antivirus strategy.

Antivirus for Amazon S3 is a container-based solution running on AWS Fargate. It is deployed directly from AWS Marketplace into your own AWS infrastructure, so your data never leaves your environment. It is a highly scalable solution that offers multiple scanning models, all of which can use Sophos.

The Sophos Anti-Malware Engine is a well-known enterprise solution that offers speed, security, great accuracy, and extra-large file scanning.

The Sophos Anti-Malware Engine scans extremely large data sets more quickly and meets the growing demand for scanning very large, multi-gigabyte files.

Maximum File Size       5TB
File Types              Over 300 Sophos-supported file types
Speed                   Fastest: scans ~20,000 1MB files per hour and ~80 2GB files per hour
Vendor Updates Per Day  4+ times
Agent Checks            Every 15 minutes
API Endpoint            Yes

Figure 1: Sophos Anti-Malware Engine Technical Specs

By integrating the Sophos Anti-Malware Engine into our scanning models, we removed the complexity of deploying and managing virus scanning for any application or data ingestion workflow that uses Amazon S3 as its data store. This means any organization can benefit from Sophos' advanced engine and exceptional performance within its own AWS environment.

Figure 2: High-level architecture Depicting Sophos Anti-Malware Engine Integration


Reduce Time to Detect and Investigate

When you need to investigate files that have been flagged as potentially malicious, Antivirus for Amazon S3 offers static analysis and dynamic analysis through SophosLabs Intelix.

Powered by machine learning, decades of threat research, and petabytes of intelligence, SophosLabs Intelix provides the superpowers you need to quickly investigate and verify problem files soon after they are discovered by the Sophos Anti-Malware Engine within Antivirus for Amazon S3.

Figure 3: SophosLabs Data Sources and Data Curation


SophosLabs Intelix™ offers programmatic access to vast troves of existing SophosLabs intelligence as well as the ability to conduct analysis in real time and generate new intelligence.

While the Sophos Anti-Malware Engine empowers you to proactively stop more threats, SophosLabs Intelix adds a further layer of security and allows you to deeply inspect suspicious files.

When a potentially malicious file is found, Antivirus for Amazon S3’s default behavior is to move it to a quarantine bucket and publish findings to the Problem Files section within the Antivirus for Amazon S3 console. From there, you can trigger static or dynamic analysis via the SophosLabs Intelix integration. If you determine the file that was flagged as potentially malicious is a false positive, you can move it back into the source bucket. If it is not a false positive, you can delete or detonate it.

Figure 4: Document Flow Depicting Quarantine and SophosLabs Intelix Analysis

Static Analysis

Antivirus for Amazon S3 draws on Sophos' proprietary machine learning models, global reputation data, and deep file scanning so you can analyze a file in real time without executing it or downloading it onto your local machine. Speed of analysis, depth of reporting, and clear verdicts help you identify threats quickly and improve investigation and response times.

Initiate static analysis with a few clicks within the Antivirus for Amazon S3 console to generate a rich report that helps you determine the nature of the infection or identify whether a file needs further investigation via dynamic analysis.

Static analysis includes a VirusTotal report that lists findings from other vendors in the security community so you can compare their results for the file against the results provided by Sophos.

Figure 5: VirusTotal Report Generated from Static Analysis


Dynamic Analysis (Sandbox)

To perform dynamic analysis, Antivirus for Amazon S3 grants users the ability to detonate malware in real time using the Sophos Cloud Sandbox, which applies the latest analysis techniques.

Sophos provides unmatched visibility into malicious files by recording every activity and behavior to reveal the true nature and capabilities of a potential threat. This means you can determine whether a problem file is actually malicious or if it’s a false positive without risking harm to your own system.

Additionally, advanced anti-evasion technologies thwart malware that attempts to detect if it’s in a sandbox or running in a virtual machine, leaving malware with no place to hide.

A detailed Activity Tree of what took place when the file was detonated is provided upon completion of the analysis. It shows a play-by-play breakdown of:

  • Files being written
  • Processes being created or executed
  • IP addresses from which data is received or to which data is sent
  • Port numbers over which that activity takes place

Protect Your People and Data

Not only does scanning for malware build defense in depth, ensure data cleanliness, and prevent infection; it is also a requirement of many laws and compliance frameworks, such as SOC 2, PCI DSS, NIST, and ISO 27001.

Whether you’re looking for security assurance or need additional intelligence to obtain further clarity on the findings, using Sophos within Antivirus for Amazon S3 ensures that you are protecting against malware with an industry-trusted AV engine.

In fact, the organizations that use Antivirus for Amazon S3 choose to use Sophos within it because:

  • It’s a name-brand, enterprise solution
  • It’s more secure than open-source alternatives
  • It’s fast and efficient, meeting performance needs
  • It scans the maximum file size permitted by Amazon S3 (i.e., 5TB)

Learn more about how Sophos and Cloud Storage Security work together at AWS re:Inforce in Boston, MA July 26 – 27, 2022. Find Cloud Storage Security at booth #8 or schedule a discussion in our private meeting space on the event floor.

Cloud Storage Security is an AWS Partner with AWS Security Competency status, an AWS Qualified Software offering and a Public Sector Partner designation. Antivirus for Amazon S3 is available in AWS Marketplace where you can scan 500 GB in 30 days for free with a fully-featured trial.

This article was co-authored by Sophos.