1. Features
Halon provides a malware detection add-on for Halon Protect, built on the Sophos anti-virus engine. Unlike general-purpose anti-virus products, it is designed specifically for scanning email in transit.
Sophos anti-virus protects against known and unknown threats, using proactive technologies to guard against zero-day threats. It can optionally use cloud lookups to improve threat response, reduce false positives and provide up-to-the-minute protection. With efficient memory usage and an architecture designed to make use of modern compute resources, it is well suited to high-throughput applications.
1.1. Behavioral Genotype
Sophos Behavioral Genotype provides immediate zero-day protection against more than 80% of emerging threats. The behavioral rule sets are constantly validated against an extensive library of malware samples and legitimate applications, ensuring accurate detection and reducing false positives.
1.2. QR code protection (Quishing)
QR codes embedded in emails are decoded, and the URLs they encode are extracted and scanned by Sophos for malicious or suspicious content.
1.3. Context Mail (CXMail)
CXMail is designed to be highly effective against zero-day malware attacks that are spread via email. The technology applies stricter rules aimed at active content that is delivered in email attachments and proactively identifies polymorphic malicious documents and executables. The higher detection rate of CXMail is achieved by identifying strongly suspicious content that is not regularly associated with email communication.
1.4. Sophos Live Protection
A feature that enables real-time lookups to detect malicious attacks faster and with added accuracy.
Faster threat response with ‘in-the-cloud’ checking. Uses real-time information on the latest threats from SophosLabs; enabling up-to-the-minute detection.
Increased accuracy with early-stage detection. Helps thwart malicious code and malware early; more accurate protection with an increased amount of detection data.
Effective mitigation of false-positives. Remediates false positive entries with cloud information; whitelisting in the cloud prevents erroneous detection of system files as malicious.
GDPR-friendly telemetry data helps SophosLabs improve detections. The telemetry consists of hashes (one-way cryptographic checksums) of attached files sent to Live Protection; these allow SophosLabs to improve existing detections, find new malware patterns, and target emerging threat vectors.
1.5. Optimized performance
The engine needs only one copy of the malware definition database in memory to service all requests, and it does not require frequent reloading or re-initialization. The "hot updating" mechanism provides continuity of service by loading new definition data in parallel with the previous data.
1.6. True File Type (TFT)
TFT allows Halon Protect to accurately detect the file type of a file passed to the Sophos engine, based on the file's content rather than its name or extension.
* File detection based on SophosLabs malware detection technology
* Maintained and supported by SophosLabs
* File types sorted into Group, Type, and Subtype, allowing granular control over files
* File types mapped to specific threat levels based on potential risk
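As an added illustration of what true-file-type detection does (example code, not Sophos's TFT implementation and not its taxonomy), the sniffer below classifies content by its leading magic bytes rather than by the name the sender chose, looks inside ZIP containers to separate plain archives from OOXML documents and flags macro-enabled ones, and compares the result with what the extension claims. The group/type/subtype labels, the threat levels, the extension table and the sample inputs are all constructed for this example.

```python
import io
import zipfile

# Signature table, constructed for this example: leading magic bytes -> (group, type).
MAGIC = [
    (b"MZ", ("executable", "pe")),
    (b"\x7fELF", ("executable", "elf")),
    (b"%PDF-", ("document", "pdf")),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ("document", "ole2")),   # legacy .doc/.xls container
    (b"PK\x03\x04", ("archive", "zip")),                           # also OOXML, JAR, APK ...
    (b"\x89PNG\r\n\x1a\n", ("image", "png")),
    (b"\xff\xd8\xff", ("image", "jpeg")),
]

# Illustrative threat levels keyed by (group, type[, subtype]); not Sophos's real mapping.
THREAT_LEVEL = {
    ("executable", "pe"): "high",
    ("executable", "elf"): "high",
    ("document", "ooxml", "macro"): "high",     # VBA project present
    ("document", "ooxml"): "medium",
    ("document", "ole2"): "medium",
    ("document", "pdf"): "medium",
    ("archive", "zip", "corrupt"): "high",      # container that cannot be inspected
    ("archive", "zip"): "medium",
    ("image", "png"): "low",
    ("image", "jpeg"): "low",
}

# What a filename extension claims the content is (constructed for this example).
EXT_TO_TYPE = {"exe": "pe", "dll": "pe", "pdf": "pdf", "doc": "ole2", "xls": "ole2",
               "docx": "ooxml", "docm": "ooxml", "xlsx": "ooxml", "zip": "zip",
               "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}


def _zip_subtype(data):
    """Open the ZIP container to tell OOXML (and macro-enabled OOXML) from a plain archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ("archive", "zip", "corrupt")
    if "[Content_Types].xml" in names:
        macro = any(n.endswith("vbaProject.bin") for n in names)
        return ("document", "ooxml", "macro" if macro else "plain")
    return ("archive", "zip", None)


def true_type(data):
    """Classify by content alone; returns (group, type, subtype)."""
    for magic, (group, typ) in MAGIC:
        if data.startswith(magic):
            return _zip_subtype(data) if typ == "zip" else (group, typ, None)
    return ("unknown", "unknown", None)


def threat_level(kind):
    """Most specific level first (group, type, subtype), then (group, type)."""
    group, typ, sub = kind
    return THREAT_LEVEL.get((group, typ, sub), THREAT_LEVEL.get((group, typ), "unknown"))


def classify(filename, data):
    """True type, its threat level, and whether the extension lies about the content."""
    kind = true_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TO_TYPE.get(ext)
    return {"filename": filename, "type": kind, "level": threat_level(kind),
            "extension_mismatch": declared is not None and declared != kind[1]}


def build_ooxml(with_macro):
    """Constructed minimal .docx-shaped ZIP, optionally carrying a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()
```

Feeding `classify("invoice.pdf", <PE bytes>)` yields a `high` level with `extension_mismatch` set, and a `report.docx` that carries `word/vbaProject.bin` is classified as macro-enabled regardless of its name. A ZIP that cannot be opened is deliberately rated high rather than ignored, since a malformed container is exactly what an attacker uses to keep a scanner from looking inside.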
1.7. Solution components
The solution involves the following components:
* savdid daemon
* Halon Protect module
* Sophos definition mirror hosted by Halon
* Sophos datacenter lookup (optional)
1.7.1. savdid daemon
The Sophos Anti-Virus Dynamic Interface daemon (savdid) contains the anti-virus engine and a server that exposes it for querying over a protocol called SSSP. The daemon runs on-premises at the customer, as close to Halon Protect as possible. It is provided as a Linux package (.deb or .rpm) for Ubuntu or RHEL-compatible distributions via a software repository made available to clients.
For install instructions, please see the Installation section.
Halon also provides a Docker template and Kubernetes sample configurations. Please see https://github.com/halon/halon-docker for more information.
1.7.2. Halon Protect module
Halon provides an open-source module that integrates with savdid, sending scan queries to the daemons over the SSSP protocol. It is available in Halon's software repositories and is installed with the Linux distribution's package manager. See https://github.com/halon-extras/sophos for more information.
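The following is an added example, not code from Halon or from the halon-extras/sophos module, showing the kind of exchange sections 1.7.1 and 1.7.2 describe: a small Python SSSP client that scans each attachment of a message against a savdid daemon, plus a constructed in-process stand-in for savdid so the example runs offline. The message shapes (the OK SSSP/1.0 greeting, ACC, SCANDATA, VIRUS, DONE and BYE lines, and the blank line that ends a reply) follow the public SAVDI documentation and are an assumption to verify against your own daemon; the default port 4010, the EICAR-AV-Test threat name and the sample message are likewise assumed or constructed. The SHA-256 computed per attachment is the kind of hash that Live Protection (section 1.4) would look up. The design point worth carrying into any real integration is that the client fails closed: a daemon error, a truncated reply or a dropped connection raises instead of returning an empty threat list.

```python
import hashlib
import socket
import threading
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# EICAR test string, assembled from parts so this file does not itself trip a desktop scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-" + b"ANTIVIRUS-TEST-FILE!$H+H*"

class SSSPClient:
    """SSSP/1.0 greeting, SCANDATA and BYE exchanges (shapes per public SAVDI docs; an assumption)."""

    def __init__(self, host="127.0.0.1", port=4010, timeout=10.0):   # port is an assumption
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self._expect(b"OK SSSP/")          # daemon greeting
        self.sock.sendall(b"SSSP/1.0\n")   # version we speak
        self._expect(b"ACC")               # session accepted

    def _expect(self, prefix):
        line = self.rfile.readline().rstrip(b"\r\n")   # EOF reads as b"" and fails the check
        if not line.startswith(prefix):
            raise RuntimeError("expected %r from savdid, got %r" % (prefix, line))
        return line

    def scan_data(self, data):
        """Scan a blob and return threat names; anything short of a completed scan raises."""
        self.sock.sendall(b"SCANDATA %d\n" % len(data))
        self.sock.sendall(data)
        self._expect(b"ACC")
        threats, done = [], None
        line = self.rfile.readline().rstrip(b"\r\n")
        while line != b"":                 # event lines end with a blank line (EOF also stops here)
            if line.startswith(b"VIRUS "):
                threats.append(line.split(b" ", 2)[1].decode())
            elif line.startswith(b"DONE "):
                done = line.decode()
            line = self.rfile.readline().rstrip(b"\r\n")
        if done is None or not done.startswith("DONE OK"):
            raise RuntimeError("scan did not complete: %r" % done)   # never report as clean
        return threats

    def close(self):
        self.sock.sendall(b"BYE\n")
        self._expect(b"BYE")
        self.sock.close()

def scan_message(raw, host, port):
    """Scan each attachment of a raw RFC 5322 message in one SSSP session, with its SHA-256."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    client, results = SSSPClient(host, port), []
    try:
        for part in msg.iter_attachments():
            payload = part.get_payload(decode=True) or b""
            results.append({"filename": part.get_filename(),
                            "sha256": hashlib.sha256(payload).hexdigest(),
                            "threats": client.scan_data(payload)})
    finally:
        client.close()
    return results

def _serve_one(srv):
    """Constructed stand-in for savdid: one session, only the SSSP subset used above."""
    conn, _ = srv.accept()
    rf = conn.makefile("rb")
    conn.sendall(b"OK SSSP/1.0\n")
    rf.readline()                                      # client's "SSSP/1.0"
    conn.sendall(b"ACC 1/1\n")
    cmd = rf.readline().strip()
    while cmd.startswith(b"SCANDATA "):
        data = rf.read(int(cmd.split()[1]))
        conn.sendall(b"ACC 1/2\n")
        if EICAR in data:
            conn.sendall(b"VIRUS EICAR-AV-Test stream\n")
        conn.sendall(b"DONE OK 0000 The function call succeeded\n\n")
        cmd = rf.readline().strip()
    conn.sendall(b"BYE\n")
    conn.close()
    srv.close()

def start_mock_savdid():
    """Bind an ephemeral loopback port and serve one session in the background."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_serve_one, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]

def sample_message():
    """Constructed two-attachment message: a harmless note and an EICAR file."""
    m = EmailMessage()
    m.set_content("see attached")
    m.add_attachment(b"hello", maintype="text", subtype="plain", filename="note.txt")
    m.add_attachment(EICAR, maintype="application", subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()
```

To try it, call `start_mock_savdid()` for a port and then `scan_message(sample_message(), "127.0.0.1", port)`; the first attachment comes back with no threats and the second with `EICAR-AV-Test`. Against a real daemon, drop the mock and pass the address of your savdid instance; keep the fail-closed handling, since a filter that treats a scanner outage as "clean" silently stops filtering.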
1.7.3. Sophos definition mirror hosted by Halon
The savdid daemon comes with an update routine that periodically downloads incremental updates to the virus definition database from a mirror operated by Halon, hosted on a geo-redundant CDN. The mirror is password protected, with credentials provided by Halon to the customer.
1.7.4. Sophos datacenter lookup
There is an option to enable cloud lookups from the savdid daemon to Sophos’s datacenters called “Live Protection”, as described above.