1

A sophos intelix file hash lookup for an unknown file hash returns a reputation score of 30, although the file hash is not yet known by Sophos. When we then upload the file for static file analysis, we get as well a score of 30. Is this intended? I would rather prefer that the file hash lookup result indicates an error (file unknown). Are we expected to submit all files for static analysis, where the file hash lookup returns a score of 30?

function GetFileHash($FilePath) {
    $Hash = certutil -hashfile $FilePath SHA256
    
    return $Hash[1]
}

function LookupFileHash($Hash, $AccessToken) {
    $Headers = @{ "Authorization" = $AccessToken }
    $Response = Invoke-RestMethod -Headers $Headers -Method Get -Uri "https://de.api.labs.sophos.com/lookup/files/v1/$Hash"
    $Result = $Response | ConvertTo-Json

    return $Result
}

Within foreach loop:

$Hash = GetFileHash $_.FullName
$LookupResult = LookupFileHash $Hash $AccessToken

Use case: Checking own compiled files and 3rd party files during build process.

  • When building .NET Windows desktop applications, check own and 3rd party files from nugets (especially nuget.org), 3rd party runtimes and SDKs before generating the installer msi file.
  • When building Electron based applications, check all included 3rd party binaries before generating the installer. So we have a mix of own compiled files (potentially including harmful libraries) and 3rd party binaries from multiple sources (nuget, sdks..) that should be checked before packaging.
Wolfgang
  • 123
  • 7

1 Answers1

1

Files not in the SophosLabs dataset will get a score of 30, meaning unknown. This score will vary over time based on information available to SophosLabs. See the file lookup response in the API documentation.

Should you submit files that get a score of 30 to static analysis, well; unfortunately, this depends on your use case.

For example, if you are using the tool to check documents uploaded to a web application from a customer, then I would use static analysis. In this case, most (if not all) of the uploaded documents will be unknown.

Alternatively, if you are using the tool to validate a custom block list for a Sophos product, using the file hash alone will indicate whether or not the file is known to SophosLabs.

I will happily revisit my answer if you update the question with more use case details.

James Wilson
  • 1,541
  • 7
  • 20
  • Use case: Checking own compiled files and 3rd party files during build process. Example 1: When building .NET Windows desktop applications, check own and 3rd party files from nugets (especially nuget.org), 3rd party runtimes and SDKs before generating the installer msi file. Example 2: When building Electron based applications, check all included 3rd party binaries before generating the installer. So we have a mix of own compiled files (potentially including harmful libraries) and 3rd party binaries from multiple sources (nuget, sdks..) that should be checked before packaging. – Wolfgang Jun 14 '23 at 06:27
  • 1
    Thanks for the clarification. For pre-compiled libraries / binaries the cloud lookup may help. However, for the own compiled files I would definitely use the static analysis as SophosLabs are highly unlikely to have seen these files before. – James Wilson Jun 14 '23 at 15:50