back to article Sophos waters down 'NHS is totally protected' by us boast

Sophos updated its website over the weekend to water down claims that it was protecting the NHS from cyber-attacks following last week's catastrophic WannaCrypt outbreak. Proud website boasts that the "NHS is totally protected with Sophos" became "Sophos understands the security needs of the NHS" after the weekend scrub-up. …

  1. Anonymous Coward
    Anonymous Coward

    Ransomware is ...

    probably a licenced extra...

    1. Steve Davies 3 Silver badge
      Joke

      Re: Ransomware is ...

      Roll up, roll up only £99.99/month per infected machine. Get yours now!

      [see icon]

    2. Anonymous Coward
      Anonymous Coward

      Re: Ransomware is ...

      ...already easily stopped by software such as Sophos Intercept X which is based on their purchase last year of HitmanPro.alert.

      Clearly they need to roll this out more widely, but then it also needs the tight-arsed beggars controlling the NHS purse to invest in better detection such as via this or similar products, or isolate at-risk networks from the internet completely.

      1. Danny 14

        Re: Ransomware is ...

        Thing is, intercept-x (we use the onsite version) is cheap. We pay less than a fiver per machine as an "add on" to endpoint. It hasn't triggered over the weekend but has triggered for other things in the past.

      2. Anonymous Coward
        Anonymous Coward

        Re: Ransomware is ...

        I'm not intimate with this virus or Sophos products, but to state "Ransomware is already easily stopped..." is probably what Sophos thought, so... But, to flag any 1 type of software as easily stopped is a little crazy considering a computer sees ransomware no different than a calculator or this picture I'm looking at right now (Sophos would flag this pic!!).

        1. PrivateCitizen

          Re: Ransomware is ...

          Sophos would flag this pic!!

          It depends...

          X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      3. veti Silver badge

        Re: Ransomware is ...

        ... already easily stopped by patching your Windows machines, unless of course they're running Windows XP in which case either pay Microsoft to support them or cut the f***ing internet cable with an axe.

        Either way, Sophos is useless.

      4. Hans 1

        Re: Ransomware is ...

        it also needs the tight-arsed beggars controlling the NHS

        Their backside does not appear to be as tight when it comes to MS, they fork billions over to Redmond!

        With that alone, they could run their own distro, complete with kernel hackers and co!

    3. Anonymous Coward
      Anonymous Coward

      Re: Ransomware is ...

      Funny you should say that, a series of customer PCs and servers once got locked down due to some Sophos update colleagues were applying and went wrong, Sophos thought it was a virus and refused to be removed! (I don't know all the details but the customer us on some other solution now..)

    4. Infernoz Bronze badge
      Flame

      Re: Ransomware is ...

      inevitable until the OS supports user application level permissions and comprehensive delta sand boxing of all external content (SMB, Browser, Email) not white listed, without the document/software being aware it is in a sandbox and monitored lures provided to assist malware detection.

      It is about bloody time that each applications had sensible default, limited filesystem access permissions, to limit the damage they or scripts they run can cause, because a lot of applications don't need to and shouldn't have access to a whole users profile, or even some external resources, without at least an admin. mode dialog. to OK or whitelist this! We shouldn't have to rely on separate security software to maybe do this, it should be OS security functionality!

      Using a modern transactional, regular delta snapshot filesystem like ZFS would better help recover from unnoticed nasties like this, easier than dated, logging filesystems like NTFS and the bolt-on file versioning in some newer versions of Windows!

      1. John H Woods Silver badge

        ZFS

        My home ZFS server snapshots every minute, with another process tidying snapshots. Only root can delete retained snapshots and root can only log in physically. I cryptolockered the lot from a windows VM and could easily recover every file.

        The emphasis on the NHS problem is incorrect in my opinion. You could have the most up-to-date O/S and A/V and still potentially suffer a similar attack. The most effective mitigation is surely at the storage level.

        I believe medical, legal and financial documents should be kept in file systems that retain every version indefinitely. Even without ransomware, you've still got to protect from insider attacks and user incompetence. Keep every single version, and remove user access (at least write/Delete) to older versions. Storage is cheap and data loss is expensive!

  2. Snorlax Silver badge
    Childcatcher

    Wait a minute

    I thought it was all Microsoft's fault, as they didn't show sufficient philanthropic spirit in supporting and patching every version of Windows going back to 3.1 for free.

    Even though the NHS knew and discounted the risks in using vintage operating systems?

    It's great for the tech news websites all the same

    1. Magnus_Pym

      Re: Wait a minute

      As far as I know it governments had been struggling with the big question - 'which is cheaper, pay Microsoft to keep XP running or update the whole NHS?' for a number of years. Teresa May was Home Secretary and Jeremy Hunt Health Secretary when they decided to make the balance sheet look a little better and not bother with either. They were warned about the risk at the time and many times since.

      For some reason they seem to be reticent to talk about it now.

  3. Anonymous Coward
    Anonymous Coward

    Further correction

    "Sophos now understands the security needs of the NHS in the light of recent events"

    Maybe Sophos management can tell us why it all went wrong at their annual results shindig this very Wednesday? Couldn't have been timed better.

    1. Voland's right hand Silver badge

      Re: Further correction

      Sophos now understands

      So it did not understand it before. Well... then WTF was it charging it for?

      1. Danny 14

        Re: Further correction

        I guess they were charging for endpoint anti-virus not intercept-x

  4. Anonymous Coward
    Anonymous Coward

    You've got to love the stock markets...

    "Quick, buy anti-virus and malware - it's going to be in demand".

    Some days later the news filters in that people had it, but it didn't help.

    Anyone fancy picking the stock up for a bargain when the price falls?

    1. Anonymous Coward
      Anonymous Coward

      Re: You've got to love the stock markets...

      If they had the right anti-malware products then this would not have happened. Trust a vendor 100% if you want, but better to do your own homework and look at alternatives and ideally have a layered approach to security than a single AV product.

      1. CentralCoasty
        Big Brother

        Re: You've got to love the stock markets...

        "Trust a vendor 100% if you want..." of course they do.... thats why they put all their eggs in one basket with nice contracts - senior management can point at the contract and show they mitigated the risk, whilst the vendor can point to their get-out-of-jail-free clauses and prove they did the right thing.... everyone's a winner... oh... except the public of course.....

        Big Brother icon because... well.... why not?

  5. Rob D.
    Facepalm

    Ferret mk 2

    Now reads 'End-to-End Security to Protect Patient Data'.

    Actually I'm not over sold on beating Sophos up for the NHS actually having problems (not really their fault nor a problem they can completely prevent) - but I do like to see a reduction in the marketing 'smug-level' when overreaching claims are thrown in to sharp relief by a bit of harsh reality.

    From Reddit, the original PR is at https://silver.agency/portfolios/sophos-nhs/ - interesting how long that stays visible since the Google cached copies have disappeared already. Also the withdrawn video is at https://vimeo.com/136184973 at least for now - lots of patients very happy with their suspiciously unbranded health care enjoying unfeasibly good weather for the UK and totally protected by Sophos.

    1. Jason Bloomberg Silver badge
      FAIL

      Re: Ferret mk 2

      I think Sophos should have to take a good deal of the heat if their 'not entirely correct claims' led to a false sense of security and complacency.

      What really pisses me off is that these 'not entirely correct claims' will be taken as ammunition by those who like to tell us that experts know nothing and shouldn't be trusted.

    2. katrinab Silver badge

      Re: Ferret mk 2

      "Actually I'm not over sold on beating Sophos up for the NHS actually having problems"

      I am. We get loads of sales reps touting their latest MagicBox™ that completely and totally makes everything secure. Sophos was clearly doing that, and they should absolutely be brought down to earth.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ferret mk 2

        "We get loads of sales reps touting their latest MagicBox™ that completely and totally makes everything secure. Sophos was clearly doing that, and they should absolutely be brought down to earth."

        Yes, and so should every PHB (and government minister) who puts all the security eggs in one vendor's basket (or allows Crapita and ilk to do so). Multilayer protection from multiple vendors - and air gap the network if there is sensitive material on it. If the boss says no, write it up. Sooner or later someone has to accept they pay professionals to do a job, if they tried and the PHB & beancounters prevent that, then the PHBeans are the ones who should face the consequences - as should their political masters

  6. Anonymous Coward
    Anonymous Coward

    proof is in the pudding.

    narf.

  7. Mage Silver badge

    Fault?

    It's not Microsoft's fault or Sophos.

    AV is a waste of CPU resource and money.

    User training not to open stuff is better.

    The problem is poor management, not doing the IT properly and not training the users properly.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fault?

      It's not as simple as people clicking on things that they obviously shouldn't. This is more sophisicated than that. Users probably could do with better training but all mainstream software needs regular security updates and since there have been no updates for XP for 5 years (when it was already a decade old) someone should have cleaned house and moved these systems to something supportable. A combination of poor management and diverting of resources to try and cover gaps in budgets for most other things hasn't helped. There are currently 40,000 nursing vacancies. IT is not the only thing not going well in our 'strong and stable' land. (Sing to the tune of Jerusalem in place of 'green and pleasant' and Mrs May will make sure everything will be alright, not.)

      1. Anonymous Coward
        Anonymous Coward

        Re: Fault?

        Didn't the NHS have a deal with Microsoft for support on XP even after the official support was ended (which was canned to save money)? Didn't the NHS send round a patch in March that if applied could have stopped this? Seems to me that some serious patching needed to happen and didn't.

        1. John Brown (no body) Silver badge

          Re: Fault?

          "Microsoft for support on XP"

          This keeps getting trotted out, but in the last two years at least, I've not seen an XP PC in any of the hospitals I've visited as part of my job. I know there are still some, but are they on the front line? Considering that all versions of Windows were susceptible if not patched, I'd be interest to see if anyone has done or is doing a breakdown of infection by OS version.

      2. Anonymous Coward
        Anonymous Coward

        Re: Fault?

        There is fault all round.

        1) For MS for releasing software with the SMB-V1 service ON by default. (apparently W10 has this as well but it got patched)

        2) The IT build teams in the various NHS trusts for not seeing the above and making sure that it is disabled and the offending ports blocked. There are probably a number of other vunerable ports and services open as well but I'll give them the benefit of the doubt.

        As I see it, a combination of factors all conspired to allow this to happen.

        I really hope that this is a mega wakeup call for the Industry (Linux and even Mainframes) and that includes those who make and ship Android Phones as well. Don't know how vunerable iDevices are but they might very well be.

        Anyone saying that your system is protected should be prepared to put their money where their mouth is and prove it.

        Really happy that I got out of the Industry last Crimble.

      3. Anonymous Coward
        Anonymous Coward

        Re: Fault?

        Obsolete OSes and timely application of patches are one issue, but this could just as well have been a zero-day.

        Sooner or later you're going to get an infection inside your network. What you want is (a) to detect it quickly, (b) to limit the spread, and (c) to allow the affected parts to be wiped clean easily.

        In other words: compartmentalised, multi-layered security. Here's one way this could be built realistically:

        - each workstation has Qubes OS installed as the bottom layer

        - there's a Windows AppVM for running NHS internal applications. FirewallVM is configured to permit access to the required servers and nothing else. Passthrough of smartcard goes to this AppVM.

        - there's another AppVM for sending/receiving NHS E-mails. It is permitted access to NHS mail servers and print servers only.

        - another for Internet browsing and personal E-mail. This is allowed access to the Internet and print servers, but *no* other NHS resources (including other workstations on the same network).

        Is this in the "too hard to do" category? I don't see why.

        The apps themselves still run under whatever version of Windows they require, so are unchanged. Indeed, this makes it easy to run different apps under different versions of Windows, allowing phased migration of applications.

        As for usability and training: well, agreed that Qubes is not the prettiest Window environment. But you basically get a pop-up Start menu listing the different environments, with a sub-menu for each application within that environment, which is all standard stuff. The apps themselves just appear as windows, with a nice coloured surround. This helps minimise phishing attacks where one window tries to look like a different one.

        You probably want to do a bit of tweaking to lock things down, e.g. so users can't modify the NHS appVM template or install their own apps.

        1. Displacement Activity

          Re: Fault?

          Obsolete OSes and timely application of patches are one issue, but this could just as well have been a zero-day.

          Sooner or later you're going to get an infection inside your network. What you want is (a) to detect it quickly, (b) to limit the spread, and (c) to allow the affected parts to be wiped clean easily.

          Well, yes, but you omitted the fundamental problem - don't, by default, assume that your computers have to be on a network. They don't. And, if they do, don't just share everything on SMB/whatever.

          Whoever decided that an MRI scanner/X ray machine/whatever had to talk SMB should be fired. It would take a day to knock up a program to transfer X-ray images over a basic sockets connection, and another week to turn it into a client/server app to find and return any image.

          1. John Brown (no body) Silver badge

            Re: Fault?

            "And, if they do, don't just share everything on SMB/whatever."

            Note, not a networks guy. Is there an out of the box alternative to SMB when using roaming profiles and server based home dir/shared work dirs? Does Windows do NFS and if so is that better/as easy to use in a Windows environment with roaming profiles?

            1. Anonymous Coward
              Anonymous Coward

              Re: Fault?

              If they had used Citrix/Remote desktop then they could have the same roaming functionality and with all thinclients then XP nor it's need for full fat PC and it associated local maintenance and security costs.

              Perhaps if they had gone the more professional route they would have also have locked it down, certainly the savings on hardware and staffing would have retuned enough money to employ a few decent staff rather than 10 monkeys per site.

          2. Anonymous Coward
            Anonymous Coward

            Re: Fault?

            Ok genius.

            Now that the machine is off the network someone still needs to visit it daily to update the antivirus definitions so that it's not popped the next time someone plugs an infected USB stick in.

            Remember people still need to use the bloody machine so data has to come on and off it somehow and you've disabled the network now so the only choice is USB stick.

            Well done you've turned a manageable situation in to an unmanageable nightmar.

            Your second solution is even more idiotic.

            Designing a custom app to take the place of a well understood standard protocol. Introduce a whole new raft of possible security bugs and a nightmare in having to employ your own programmers to adapt it every time your upgrade your OS.

            TAKE MY MOENY YOU'RE HIRE.

      4. Mage Silver badge

        Re: Fault?

        "It's not as simple as people clicking on things that they obviously shouldn't."

        It pretty much is. Coupled with absolutely rubbish IT / Workstation configuration that lets stuff AUTOMATICALLY spread when the first poorly trained user opens it.

        1) In an organisation this size, such attachments should never be delivered

        2) The users should be better trained.

        3) The IT / Network configuration is poor.

        I see people are in denial about the value of AV etc. IT DOESN'T REALLY Work:

        a) It's always behind.

        b) It's rubbish how it works

        c) Does as much damage with false positives

        d) Gives false sense of security

        I admit it works sometimes. But most of the machines I cleaned in 15+ years of IT support of malware did have AV. How many stories of it even stopping computers booting or slowing them to a crawl? One here in last week or too.

        Fundamentally most of the industry is in denial about how workstations should be configured, on site email servers and user training. One step would be to acknowledge that most courses on MS SW and MCSE etc are just marketing the features and selling the products. Very little real world value.

  8. Anonymous Coward
    Anonymous Coward

    Training users

    Unfortunately, no mater how well you train them, there are always a set who fall for "Celeb X has done Y. Click here for more..." - especially when it (appears to) come from "Friend A".

    1. Nuno trancoso

      Re: Training users

      You should be stripping out exe's from emails and replacing them with links to files. Repack the original to an archive and make sure the link has some obvious message like "If you open a virus, you'll be sacked. No if's, no but's, out the door".

      Won't stop them ofc, but will give you cause to get rid of them.

      1. Anonymous Coward
        Anonymous Coward

        stripping out exe's from emails

        It's not as simple as that unfortunately.

        Businesses send pdfs and Office files which upon opening executes a macro which subsequently downloads the executable. Disabling exe files in attachements is not enough, and Outlook already does this by default anyway.

        Many corporations use macros. All corporations use pdfs. Users cannot be fully trained to spot everything potentially suspicious since no work would get done, that's why good AV and additional products are essential. More companies switching to Linux would also avoid a lot of this, but not completely.

        1. Mage Silver badge

          Re: stripping out exe's from emails

          It is as simple as that. Though not just obviously "exes".

          Anything not sent on internal mail / VPN (i.e. from the public Internet) should only be passed on as plain text. Original quarantined.

          Anything suspicious ditto, even if internal.

          Switching to Linux, non-Adobe PDF readers and non-MS Office Office applications would only be a short term solution. Once popular they would be targeted. The problem isn't inherently Adobe (though they are bad) or Microsoft. It's training and system configuration.

          (Even though here we switched to all Linux etc last December).

        2. Infernoz Bronze badge

          Re: stripping out exe's from emails

          Not just exe's, but any attachment, because embedded scripts and buffer escape exploits are the main malware entry points now!

          Simple, have Microsoft or a trusted security software provider extend Android and iOS application level permissions framework to desktop OS, but with sensible restricted defaults for the filesystem/registry too, like the Application install/settings folders, registry folders and default documents folder, and show an admin. screen permissions dialog., after system snapshot, if it attempts to access anything else, including in non white-listed file shares. We should not always trust applications to police their own access, because they can be compromised!

          There could be application group white-lists/blacklist to save duplication e.g. for Desktop and some other common folders, this could include application installation and settings folders which should usually only be accessible by the owner application.

          Any unknown Application which tries to do any file system action but create new files in it's folder, not sub-folders, or access anything else should cause an admin. screen permissions dialog., after system snapshot, for one-off OK, or white-list or black-list additions.

          This could make life very difficult for lots of other kinds of malware, including camera/microphone/keyboard spyware, browser hijacks and other unwanted software installs too! :)

          1. Naselus

            Re: stripping out exe's from emails

            There is literally no evidence that email was a vector here. The cryptolocker spread by copying itself out to every machine in the subnet over port 445. So no, beefing up email defense would not have had any impact.

        3. Anonymous Coward
          Anonymous Coward

          Re: stripping out exe's from emails

          Opening attachments on a linux box with remote viewing would have mitigate the attack but yes the idea of allowing active content to be attached to emails is just stupid and reeks of bad planning.

          Better to ban all attachments and get the same functionality via posting a link to the content on an internal vetted server in a internal format rather than pdf . If the data isnt on the internal system then it is either not work related or detached from the system and needs securing by people who do know what they are doing.

      2. MrKrotos

        Re: Training users

        "You should be stripping out exe's from emails" yeah thats exactly how this was spread LMFAO!

        1990 called, they want their ways of spreading dodgy code back!

    2. Anonymous Coward
      Anonymous Coward

      Re: Training users

      Or indeed "FedEx delivery issue" when their job is to deal with deliveries or "Invoice 20170515" when they deal with invoices or just "Scan from 4500cx" when that's where their scans normally come from - it's not just feckless twits after nonsense.

      1. Danny 14

        Re: Training users

        we disable office VBA by default, PDFs are via fox not adobe. If a user wants macros then they sit through a lunch job of "DONT CLICK STUFF YOU DONT UNDERSTAND" session.

  9. Anonymous Coward
    Anonymous Coward

    Depending on Microsoft..

    It's poor PR to try and twist this into selling anti-virus software but I'm surprised more people aren't looking at the more fundamental problem of the dependency that was created on Microsoft software in the first place that has resulted in all these machines being locked to XP well out of normal support meaning more and more money is being drained out of the NHS and given to a private company who at this point can charge literally whatever they want.

    These are the type of environments where you really want something custom built or built on technology that means you have real options when it comes to support and more freedom to change. Ideally we want to be training our kids to develop software and be able to support software used in this kind of environment based on open standards etc. Not give the keys of the kingdom to a private corporation and be throwing money down the drain to keep that 'supported'

    I said at the time a lot of these machines were installed that it was a bad idea, nobody listened, and even now the whole thing has come to bite them in the ass, potentially costing lives, nobody is listening.

    I'm not a huge fan of Linux etc. when it comes to home use, but in governments, hospitals, schools and other public services it really should be at the forefront. I fear the future of the NHS is heading firmly in the opposite direction tho, depending more and more on private companies, this is just a small taste of what happens when you allow that.

    1. Korev Silver badge

      Re: Depending on Microsoft..

      There are enough Linux worms and exploits around to not guarantee security. It's feasible that a bug in an NFS implementation could have a similar to effect to the one in Windows' CIFS that "caused" this. You'd also need to get the vendors to release their software for Linux.

      Linux is my OS of choice at work (HPC), but I can see that it's not appropriate for all scenarios at the moment.

    2. Zippy's Sausage Factory

      Re: Depending on Microsoft..

      There's not much for LInux or macOS by comparison because Windows is currently the big dog in the corporate kennel. There's almost nothing for OS/2 because there's not enough users to make writing ransomware for them profitable, but if people suddently switched to OS/2 as a desktop OS (well, eCS then - the modern equivalent thereof) you can bet there suddenly would be a great deal of ransomware available for it.

      It no longer matters what it's running - routers, cameras, baby monitors, routers, interactive toys, smart headphones - if it has some kind of OS on it, someone will be trying to hack it, usually for profit. And will probably succeed.

      This isn't going to be the last of its kind, it's probably just the beginning of a long spate of nastier attacks. Will there ever be a malware attack using zero-day for Windows 10 that makes this look like a walk in the park? Probably - I wouldn't want to bet against it, at any rate.

  10. mark l 2 Silver badge

    I am assuming that the malware writers targetted their malformed PDF to Adobe Acrobat reader users as that is the most common version. Does the ransomware still work if the user was using an alternative PDF reader such as Foxit reader or Sumatra?

    1. Yet Another Anonymous coward Silver badge

      By default Foxit blocks a lot of the more "interesting" features of pdf beyond just displaying documents

  11. Anonymous Coward
    Anonymous Coward

    All IT professionals overestimate how well users are familiar with computers and how well they can be trained.

    In many healthcare settings I've seen nurses have notebooks full of:

    "To do X,

    Click lowermost left, click second up third to right",

    going on in for however many steps the custom software needs to perform things. I've wondered why it doesn't have buttons that does the X, Y and Z that the nurses have made their own 27-step lists on how to do through the convoluted interfaces...

    That is the level of user sophistication we need to design for, ladies and gentlemen.

    1. allthecoolshortnamesweretaken

      Re: level of user sophistication

      Quite.

  12. mivecboy

    Panda

    Panda Adaptive Defence 360 would have stopped this - we had the wannacrypt file in our signature database and the Advanced Protection in Lock mode would have stopped the unknown processes

    1. Dwarf

      Re: Panda

      The register hijacked by sales drones ???

      Perhaps you would substantiate your claim - which version, when was the patch out, how come you knew about if before everyone else etc.

      1. mivecboy

        Re: Panda

        Tech drone, not sales drone thank you - Adaptive Defense 360 blocks unknown and unclassified processes regardless of the source, ie malware, shareware, custom application etc, until they are classified as Goodware, so we would have blocked the encrypter software as an unknown process. We've had zero infections with Wannacrypt on AD360 covered machines.

        Also, the product is 5 out of 5 stars recommended in PC Pro this month. You can bash this as a sales pitch but if it saves people losing data or having to pay ransoms then job done.

    2. Random Handle

      Re: Panda

      >Panda Adaptive Defence 360

      I'm sure it's a wonderful product - but I've always dismissed it out-of-hand simply because it's called 'Panda' - dodo is about the only animal I can think of which would be a worse choice.

    3. CentralCoasty
      Black Helicopters

      Re: Panda

      hummmm... so you knew about it before everyone else.... I see... and you had the patch ready to go.... I see..... so how are your sales figures doing now?... .ohh.... through the roof... I see...... all a very strange coincidence.....

  13. Will Godfrey Silver badge
    Unhappy

    NHS can't move some systems.

    Bespoke code for imaging equipment etc. sometimes requires XP. Getting updates for modern OSs is either eye-wateringly expensive, or impossible. Funding to replace the entire kit is unicorn territory.

    1. This post has been deleted by its author

  14. Duffaboy
    FAIL

    Me thinks your average it manager

    Knows nothing about I.T

  15. Duffaboy
    Facepalm

    The problem is with AV scanners is

    The (trojan) horse has already bolted

  16. jason 7

    The last folks I knew that got hit with Ransomeware...

    ...got hit via MS Remote Access. They were all accessing one machine remotely as part time staff. They had like 5 digit passwords (groan).

  17. Robin Bradshaw

    And yet microsoft provide monthly updates that protect you against the newest threats for free! and people wont apply them.

    1. quxinot

      Possibly because those same unlabeled patches have inflicted users with advertisements for an OS they don't want, break things that work, and change settings in unwanted ways?

      Stop teaching users that updates are mystical things that with unwanted effects, and they'd likely be more willing to update to improve their security. Trust is in very short supply between users and many large software houses.

      It's almost as if it's being made intentionally worse, so that a subscription cloudy version can be sold. After all, that never goes down or loses data, right?

      Disgusting on all sides.

  18. Anonymous Coward
    Anonymous Coward

    Lets raise funds for a new anti-virus program that detects backlogs in patches and updates and then switches itself off with the message "You are too stupid to deserve protection, please send 3850 bitcoin to ............ to uninstall Weasel Antivirus"

  19. Christian Berger

    If the statements of Sophos were true...

    ... Alfred Nobel would personally raise from the dead and create a Nobel Prize for Informatics to hand them to them. You cannot determine what a program is doing by looking at it. It's called the halting problem and it was proven long before computers came into widespread use. If Sophoses claims were true, they'd have disproven something that has been mathematically proven over and over again. It's like finding a triangle on a flat surface where the angles don't ad up to 180°.

    And looking at what an already existing program does, obviously doesn't work. First of all, it already had some something bad, secondly, file compresion/archival software looks just like ransomware, if you only look at what is happening at an API level. It's impossible to get a detection which is sharp enough to lower the false positives to something acceptable while still detecting what you want.

    1. Diodelogic

      Re: If the statements of Sophos were true...

      @ Christian Berger:

      Your description of the halting problem didn't sound right to me...

      "The halting problem is the problem of determining, from a description of an arbitrary computer program and an input, whether the program will finish running or continue to run forever."

  20. Anonymous Coward
    Anonymous Coward

    What absolute crap

    Intercept x would have protected them? Just read the first line

    https://www.sophos.com/en-us/products/intercept-x/how-to-buy.aspx

  21. Steve Knox
    Joke

    Homeopathy for Computers

    Here. -> 1010 <- Install these bits on your computer. They're a memory dump from an infected PC distilled to 5C, so they should provide adequate immunity.

    1. Naselus

      Re: Homeopathy for Computers

      Did you not forget to dilute it with 8 trillion leading 0s?

  22. ShandyMan

    Sophos protecting the NHS ...

    I was under the impression that other vendors released an update to battle this as well (e.g McAfee , ...)

    It should also be noted , sophos released several updates (based on the original variant ) , especially around 1 am from memory , making the previous update redundant. Saying you pushed an update at a specific time doesn't really count when you released several more afterwards (implying the original one wasn't working). Just my perspective (NHS infrastructure person).

  23. EnviableOne

    1. XP infection rate from wanna Cry is minimal

    2. if NHS had it resource to patch, it wouldn't have mattered

    3. Sopos Intercept X and Exploit Provention (EXP) have been out for 6 months and Have yet to be beaten

    4. Intercept X is exploit based and signatureless

    5. No-one woth Intercepet X or EXP got WannaCry

    6. Sophos are prevelent in the NHS.

    7. We had neither patched or Intercept X and did not get Wanna Cry

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like