Sophos Anti Virus for Linux – Malicious Traffic Detection when enabled, can cause High CPU usage

This article confirms the expected behaviour of Malicious Traffic Detection when it is enabled as part of Sophos Anti-Virus for Linux.

Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Linux

Central Sophos Anti-Virus for Linux Version 10.4.1

Malicious Traffic Detection

Malicious Traffic Detection (MTD) on a Linux server can be a very effective tool and is a valuable feature in many environments. In certain situations, though, it can consume a notable amount of CPU time, which means it is not always an appropriate feature to enable.

Although MTD only actually inspects traffic such as TCP, HTTP and HTTPS, and exclusions can be set to ignore data to specific addresses, every single packet has to be touched to determine what type of packet it is and where it is going. This means that configuration changes to reduce the scan look-ups “may” help a little in some circumstances, but nothing can reduce the workload of that initial inspection.

For this reason, systems with a high network presence, like web servers or file servers, may experience periods of very high CPU usage as all the network data is touched. Sophos recommends testing the MTD feature on your Linux servers before rolling it out fully. Note: peak CPU usage may lag behind the network peaks.

Related information / See also

Sophos Malicious Traffic Detection: Frequently asked questions (FAQ)

Introduction to Central managed Sophos with Malicious Traffic Detection functionality


Management console Email

I do not need a solution (just sharing information)

We have a customer that formerly had Email Protect cloud, and now has to transfer/upgrade to Email Safeguard cloud.

As far as I have understood the difference is more or less in what options you have (aka Email Protect was only antivirus and antispam, while Email Safeguard also includes data protection and image control).

Could anyone confirm if the management console is the same for these two products?



[NetScaler Gateway Trace Study] – EPA Preauthentication Pass and Fail

First EPA Preauth test – Check for Avast Free Antivirus on Windows client:

Search for “GET /epaq HTTP/1.1” in the trace and follow the SSL stream to check whether the CSEC scan matches the policy:

Search for “GET /epas HTTP/1.1” and follow the SSL stream to see the CSEC pass/fail code. In this case, it passed and shows code 0:

The CSEC code will be encrypted by default on NS11.0 64.34+. To see the CSEC code, uncheck ‘Client Security Encryption’:

There are a lot of antivirus products and choosing the wrong one is a common mistake. Here we have selected ‘Other ALWIL Software Antivirus’:

This fails, giving code 3:

You will see complex compound EPA policies with more than one check. For instance, here is a check for a MAC address and Avast Free Antivirus on a Windows client. However, I have chosen the wrong antivirus product:

In the trace we see code 30, which means one fail and one pass:

You can check nsepa.txt on the client (C:\Users\<username>\AppData\Local\Citrix\AGEE\nsepa.txt) and it will also show the CSEC. This is also useful for checking the EPA library version; older EPA libraries will not support newer products:

If we look for epaq in the trace again and follow the SSL stream, notice that the CSEC shows the policy in reverse order. This tells us that the antivirus check failed and the MAC check passed:

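
The trace-reading steps above (find the epaq/epas requests, then read the CSEC code, including the reverse-order compound case) as an added Python helper. This is not part of the original trace study and not Citrix tooling; it assumes, from the page's own examples (0, 3, 30), that each check in a policy contributes one result digit, 0 = pass and 3 = fail, listed in reverse policy order. The sample stream and its host name are constructed.

```python
import re
from typing import List, Tuple

# Per-check result digits as they appear in the trace study: 0 = pass, 3 = fail.
# Inferred from the page's examples (codes 0, 3 and 30); other values may exist.
CSEC_PASS = "0"
CSEC_FAIL = "3"

# Request lines the study tells you to search for in the decrypted SSL stream.
EPA_REQUEST_RE = re.compile(r"^GET /(epaq|epas) HTTP/1\.1\r?$", re.MULTILINE)


def find_epa_requests(stream_text: str) -> List[str]:
    """Return the EPA request paths ('epaq' or 'epas') in the order they occur.

    'epaq' carries the scan the client was asked to run (compare it with the
    policy); 'epas' carries the pass/fail result code.
    """
    return EPA_REQUEST_RE.findall(stream_text)


def decode_csec(code: str, checks: List[str]) -> List[Tuple[str, bool]]:
    """Map a CSEC result code onto the checks of an EPA policy.

    `checks` lists the checks in the order they are written in the policy.
    Assumption (from the study's 'code 30' example): one digit per check, in
    reverse policy order, so the last digit belongs to the first check.
    Returns (check_name, passed) pairs in policy order.
    """
    code = code.strip()
    if not code.isdigit():
        # On NS 11.0 64.34+ the code is encrypted unless 'Client Security
        # Encryption' is unchecked, so a non-numeric value cannot be decoded here.
        raise ValueError(
            f"CSEC code {code!r} is not numeric; is Client Security Encryption still enabled?"
        )
    if len(code) != len(checks):
        raise ValueError(f"code has {len(code)} digits but policy has {len(checks)} checks")
    results = []
    for check, digit in zip(checks, reversed(code)):
        if digit == CSEC_PASS:
            results.append((check, True))
        elif digit == CSEC_FAIL:
            results.append((check, False))
        else:
            raise ValueError(f"unrecognised per-check result digit {digit!r} for {check!r}")
    return results


def summarise(code: str, checks: List[str]) -> str:
    """One-line verdict of the kind the study reads off the trace."""
    results = decode_csec(code, checks)
    failed = [name for name, ok in results if not ok]
    if not failed:
        return f"code {code}: all {len(checks)} check(s) passed"
    return (
        f"code {code}: {len(failed)} fail, {len(results) - len(failed)} pass "
        f"(failed: {', '.join(failed)})"
    )


# Constructed sample of a decrypted stream with only the request lines the study
# searches for (a real capture also carries headers, bodies and the CSEC data).
# The host name is a placeholder.
SAMPLE_STREAM = (
    "GET /epaq HTTP/1.1\r\nHost: gateway.example.test\r\n\r\n"
    "GET /epas HTTP/1.1\r\nHost: gateway.example.test\r\n\r\n"
)

if __name__ == "__main__":
    print(find_epa_requests(SAMPLE_STREAM))
    print(summarise("0", ["Avast Free Antivirus"]))
    print(summarise("3", ["Other ALWIL Software Antivirus"]))
    print(summarise("30", ["MAC address", "Avast Free Antivirus"]))
```

Feed `decode_csec` the code copied from the epas stream (or from nsepa.txt) together with the policy's checks in the order they are written; the reversal is done for you, so the second example above reports the MAC check as passed and the antivirus check as failed, matching the study's reading of code 30.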

Russian Antivirus Tech Bad News for Everyone

Earlier this month, the head of the NCSC (National Cyber Security Centre) told government officials in the UK that they should not use antivirus programs made with Russian technology in the midst of threats to national security and state secrets.

NCSC’s Ciaran Martin wrote to Whitehall chiefs to warn them that Russia could utilize antivirus software to “target UK central Government and the UK’s critical national infrastructure.”

Ian Levy, NCSC’s technical director, had this to say, “Given we assess the Russians do cyber-attacks against the UK for reasons of state, we believe some UK government and critical national systems are at increased risk.”

As a result, the Barclays bank sent emails to 290,000 customers, informing them that they would be doing away with the free antivirus products offered by Kaspersky Lab, Russia’s biggest antivirus company.

This isn’t the first time Kaspersky Lab has come under fire. The United States previously accused them of being used by Russia for matters of espionage, but the security giant firmly denied this.

In November of this year, they staunchly defended themselves against allegations that they knowingly extracted sensitive files from an NSA worker’s computer, with a spokesman insisting that “this level of access allows our software to see any file on the systems that we protect.” Then he cribbed a line from Spiderman to hammer home his point, “With great access comes great responsibility.”

Indeed, it does, which is why people of all nations and government institutions need to realize their own responsibility for fighting off malicious attacks, either by hackers or spies.

It has long been known that antivirus software doesn’t really work the way we would like to imagine it does. Not only is there no clear method for the average online user to know how effective their antivirus software is without understanding code, it also merits mentioning that human error extends beyond the user to the companies who offer antivirus to their customers.

As we saw in January of 2016, a software platform can be installed with a wide-open Node.js server on customers’ computers, leaving them completely vulnerable to any website executing a malicious application on their machine by sending a seemingly innocuous JavaScript request.

In recent years, we’ve seen widespread attacks by increasingly sophisticated cybercriminals. According to a report, ransomware attacks rose 250 percent in 2017, striking a serious blow to the United States.

These zero-footprint attacks use your computer’s operating system against you by relying on legitimate applications to gain access to your computer. Since these cybercriminals aren’t installing new software, any antivirus tool will fail to recognize it. Nearly 80 percent of the attacks we’ve seen in the last year were “fileless.”

Hacker attacks affect one in three Americans each year, with attacks occurring every 39 seconds. Cybercrime hits everyone, from financial institutions, phone customers and small businesses to government agencies. No one is safe from it unless they take appropriate measures to secure their computer.

Nation-states have been actively deploying cyber weapons against the West in the last decade and their goal is quite obvious — to gather intel on America and its allies. Most nation-states develop five-year plans on their cyber activity strategy. It is a calculated effort, one that has dramatic consequences.

As these incidents have proliferated, businesses and governments have been more adamant about identifying malicious activity, but they have also taken ill-advised measures to remedy the problem. All too often, their go-to solution is some form of antivirus.

Unfortunately, some of the biggest names like McAfee and Trend Micro fail to pick up on malware. They are also ineffective when it comes to new viruses or “Zero Day” viruses. To put it another way, even if you have the most up-to-date antivirus software, 35 percent of the Zero Day malware will be undetected.

When it comes to Russia, their aggressions have been particularly prolific. German Chancellor Angela Merkel has said that her website has been hit by thousands of cyber attacks, many of which came from Russian IP addresses.

Russian probes pose just as much of a threat to the US as to any other country, and if their alleged cyber warfare “testing” on Latvia has taught us anything, it’s that we can’t let our guard down.

It is time the American government got serious about internet security and privacy. President Trump has flip-flopped on his cyber policy in the last year, first by repealing the FCC’s internet privacy rules, then by rolling out his Critical Infrastructure Security and Resilience Toolkit.

In the toolkit, the president urges people all across the nation to integrate cybersecurity into facility and operational protective measures and write op-eds in their local papers about the importance of critical infrastructure, but he fails to comprehend the simple way that we can all protect ourselves against potential threats.

Internet privacy is as important as any other form of cybersecurity. By allowing Internet Service Providers to collect and share their customer’s online data and personal information, the government is leaving people open to all sorts of attacks from telemarketing and mail scams to malware, ransomware and more.

Small businesses and government institutions should be proactive about selecting a solution that will safeguard them against the ever-more sophisticated attacks facing their nation. By staying current on cybersecurity trends and exploring the kind of military-grade encryption that is now available to the general public, we can avail ourselves of applications that amount to virtual bodyguards.

Sam Bocetta is a defense contractor for the U.S. Navy, a defense analyst, and a freelance journalist. He specializes in finding radical — and often heretical — solutions to “impossible” ballistics problems. Through Lakeview Capital, he also cultivates funding for projects — usually naval, defense, and UAV startups. He writes about naval engineering, mechanical engineering, electrical engineering, marine ops, program management, defense contracting, export control, international commerce, patents, InfoSec, cryptography, cyberwarfare, and cyberdefense.