CIRCLE WITH A DOT
Do any security pros have experience with products from vendor opswat?

Uncategorized | 5 Posts | 3 Posters | 14 Views
#1 dangoodin@infosec.exchange wrote:

Do any security pros have experience with products from vendor opswat? General impressions of the company also appreciated.

#2 davemwilburn@infosec.exchange wrote:

@dangoodin

I don't know if anything has changed in the field, but at least as of a decade or so ago OPSWAT was basically the only game in town if you wanted an on-prem multi-engine AV scanning system. Their licensing model historically had different pricing tiers, where cheaper tiers had cheaper engines starting with ClamAV, and pricier tiers brought in more expensive but ostensibly better engines. Basically, if you want to know what a bunch of AV engines think about a file but you don't want to upload it to a third-party service like VirusTotal for OPSEC reasons, you might look into OPSWAT's products. It's not cheap. But then again it isn't really marketed to regular consumers or even medium-sized businesses.

One thing to keep in mind is that most modern AV engines are generally weak when it comes to static-only file scanning. AV engines tend to do a lot better when run with dynamic scanning as the malicious files are opened and executed. Also, modern AV engines might rely on uploading of suspicious files to the AV vendors for cloud-based scanning for best performance, and tend to perform worse when limited to local-only scanning. I don't know whether or how OPSWAT's current products address that limitation.

#3 dangoodin@infosec.exchange wrote:

@DaveMWilburn

Super helpful! Thanks. Do customers use opswat at the edge of networks much? How do they perform there?

#4 davemwilburn@infosec.exchange wrote:

@dangoodin

I don't know, I haven't had any reason to poke in this area for a few years. They seem to advertise NDR products and ICAP integration. I suspect there are at least a few challenges with operating at the edge:

1. You'll need something that will do break-and-inspect of your encrypted traffic (otherwise you're stuck with just the small percentage of traffic that's unencrypted). Break-and-inspect systems carry their own serious problems.

2. Whatever is pulling files off the wire is going to have to be highly performant. Maybe that's a cluster of OPSWAT appliances, or maybe you're using something like Zeek/Corelight for on-the-fly file carving. In fact, I'd recommend pairing up any inquiries into OPSWAT with a chat with Corelight. They'd likely be knowledgeable in this area.

3. You're probably going to have to be very selective about how many and what kinds of files you're scanning. I'd have questions about what volumes they can operate at from a technical perspective, as well as a licensing perspective. And you've got multiple layers of licensing here, including both OPSWAT's subscriptions as well as whatever AV engines they're arranging for you. Maybe this is an easily solved problem, or maybe you're going to have to do some sort of scripting in-between your break-and-inspect/file-carving and your OPSWAT multiscanner.

Again, it's been a long while since I've worked in this space.
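
The "scripting in-between your file-carving and your multiscanner" from points 2 and 3 of #4 (and the local-only scanning concern raised in #2), as an added example that is not part of the original posts and is not Zeek's or OPSWAT's code. It reads Zeek's files.log by its `#fields` header, assumes Zeek's file-extraction analyzer is enabled so the `extracted` column names the carved file, and treats the multiscanner as a pluggable callable so no vendor API is assumed. The MIME allowlist, the size cap, the per-batch budget, the abbreviated log columns and the hashes in the sample are all constructed for illustration.

```python
"""Triage Zeek files.log records before handing carved files to a multiscanner.

Added example, not Zeek's or OPSWAT's code. The scanner is a callable
`scanner(path, sha256) -> verdict`, so no vendor API is assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# MIME types worth spending scanner throughput and licence volume on (assumed site policy).
SCAN_MIME_TYPES = {
    "application/x-dosexec",        # PE
    "application/x-executable",     # ELF
    "application/pdf",
    "application/zip",
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/x-ms-shortcut",
}
MAX_BYTES = 50 * 1024 * 1024        # hypothetical per-file cap; appliances and licences cap size too


@dataclass
class Decision:
    fuid: str
    action: str       # "submit", "cached" or "skip"
    reason: str       # verdict for submit/cached, explanation for skip
    sha256: str = ""


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log using its #fields header; '-' is Zeek's unset marker."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data line before #fields header")
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _count(value: str) -> int:
    return int(value) if value not in ("", "-") else 0


def triage(rows: List[Dict[str, str]], scanner: Callable[[str, str], str],
           cache: Dict[str, str], budget: int) -> List[Decision]:
    """Per record: scan it, reuse a cached verdict, or skip it with a reason.
    `cache` maps sha256 -> verdict across batches; `budget` caps submissions per batch."""
    out: List[Decision] = []
    for r in rows:
        fuid, sha, path = r.get("fuid", "-"), r.get("sha256", "-"), r.get("extracted", "-")
        mime = r.get("mime_type", "-")
        missing = _count(r.get("missing_bytes", "-"))
        size = _count(r.get("total_bytes", "-")) or _count(r.get("seen_bytes", "-"))
        if path == "-":
            out.append(Decision(fuid, "skip", "not extracted by Zeek", sha))
        elif missing > 0:
            # A verdict on a truncated file is meaningless; don't spend a scan on it.
            out.append(Decision(fuid, "skip", f"incomplete capture, {missing} bytes missing", sha))
        elif mime not in SCAN_MIME_TYPES:
            out.append(Decision(fuid, "skip", f"mime {mime} outside scan policy", sha))
        elif size > MAX_BYTES:
            out.append(Decision(fuid, "skip", f"{size} bytes exceeds cap", sha))
        elif sha in cache:
            out.append(Decision(fuid, "cached", cache[sha], sha))
        elif budget <= 0:
            out.append(Decision(fuid, "skip", "scan budget exhausted", sha))
        else:
            verdict = scanner(path, sha)
            cache[sha] = verdict
            budget -= 1
            out.append(Decision(fuid, "submit", verdict, sha))
    return out


# --- constructed, abbreviated files.log (real logs carry more columns) -------------
SHA_A, SHA_B, SHA_C, SHA_D = "a" * 64, "b" * 64, "c" * 64, "d" * 64   # constructed hashes
_HDR = ["ts", "fuid", "id.orig_h", "id.resp_h", "source", "mime_type", "filename",
        "seen_bytes", "total_bytes", "missing_bytes", "sha256", "extracted"]
SAMPLE_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#fields\t" + "\t".join(_HDR),
    "\t".join(["1700000001.1", "Fa1", "10.0.0.5", "203.0.113.7", "HTTP", "application/x-dosexec", "setup.exe", "204800", "204800", "0", SHA_A, "extract-HTTP-Fa1"]),
    "\t".join(["1700000002.2", "Fb2", "10.0.0.5", "203.0.113.7", "HTTP", "text/html", "index.html", "5120", "5120", "0", "-", "-"]),
    "\t".join(["1700000003.3", "Fc3", "10.0.0.9", "10.0.0.20", "SMB", "application/zip", "archive.zip", "1000", "5000", "4000", "-", "extract-SMB-Fc3"]),
    "\t".join(["1700000004.4", "Fd4", "10.0.0.6", "203.0.113.7", "HTTP", "application/x-dosexec", "setup.exe", "204800", "204800", "0", SHA_A, "extract-HTTP-Fd4"]),
    "\t".join(["1700000005.5", "Fe5", "10.0.0.5", "198.51.100.2", "HTTP", "application/pdf", "big.pdf", "83886080", "83886080", "0", SHA_D, "extract-HTTP-Fe5"]),
    "\t".join(["1700000006.6", "Ff6", "10.0.0.7", "198.51.100.3", "FTP_DATA", "application/x-executable", "tool", "4096", "4096", "0", SHA_B, "extract-FTP_DATA-Ff6"]),
    "\t".join(["1700000007.7", "Fg7", "10.0.0.8", "198.51.100.2", "HTTP", "application/pdf", "small.pdf", "2048", "2048", "0", SHA_C, "extract-HTTP-Fg7"]),
])


def fake_multiscanner(path: str, sha256: str) -> str:
    """Stand-in for the real submission call; verdicts are constructed."""
    return {SHA_A: "flagged 3/12 engines"}.get(sha256, "clean 0/12 engines")


def run_sample(budget: int = 2) -> List[Decision]:
    cache: Dict[str, str] = {}
    return triage(parse_zeek_tsv(SAMPLE_FILES_LOG), fake_multiscanner, cache, budget)
```

Running `run_sample()` over the seven constructed records submits two files, answers one repeat from the hash cache, and skips the rest with a reason each (not extracted, truncated capture, over the size cap, budget exhausted); in production the cache and budget would be persisted and tuned against whatever volume the scanner and its engine licences actually tolerate.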

#5 zorg_the_blue@infosec.exchange wrote:

@DaveMWilburn @dangoodin The ICAP integration is how I've seen it used. Most often on NAS devices or explicitly engaged during file transfer flows. I'm a few arms lengths away from the management of the product so I am limited on any deeper insight.

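
The ICAP integration mentioned in #4 and #5, as an added example that is not from the original posts or from any vendor's code: the RESPMOD request a proxy or NAS gateway sends to an AV ICAP service (RFC 3507), and how to read the reply, including the replacement block page a scanner returns when it rejects a file. The service URL, hostnames, the sample download and both server replies are constructed; `X-Infection-Found` is a widely used vendor extension header, not part of RFC 3507, so its absence on a 200 is reported as "modified" rather than "blocked".

```python
"""ICAP (RFC 3507) RESPMOD framing and verdict parsing for an AV scanning service.

Added example, not any vendor's code. Service URL, sample download and both
server replies are constructed; X-Infection-Found is a vendor extension.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

CRLF = b"\r\n"


def chunked(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk plus terminator (ICAP bodies are always chunked)."""
    return b"0\r\n\r\n" if not body else b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def dechunk(data: bytes) -> bytes:
    """Decode a chunked body; chunk extensions and trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        nl = data.index(CRLF, pos)
        size = int(data[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2          # step over the chunk data and its trailing CRLF


def build_respmod(service: str, req_hdr: bytes, res_hdr: bytes, res_body: bytes) -> bytes:
    """Frame a RESPMOD request. Encapsulated values are byte offsets into the
    encapsulated section, and each header block must end with an empty line."""
    if not (req_hdr.endswith(CRLF * 2) and res_hdr.endswith(CRLF * 2)):
        raise ValueError("encapsulated header blocks must end with CRLFCRLF")
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    icap_hdr = (
        f"RESPMOD {service} ICAP/1.0\r\n"
        f"Host: {urlsplit(service).hostname}\r\n"
        "Allow: 204\r\n"             # without this a server may not answer 204 for clean content
        f"Encapsulated: {enc}\r\n\r\n"
    ).encode("ascii")
    return icap_hdr + req_hdr + res_hdr + chunked(res_body)


@dataclass
class Verdict:
    status: int
    action: str                  # "pass", "blocked", "modified" or "error"
    infection: Optional[str]
    replacement_body: bytes


def parse_icap_response(raw: bytes) -> Verdict:
    head, _, encapsulated = raw.partition(CRLF * 2)
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code = lines[0].split(" ", 2)[:2]
    if not version.startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    status = int(code)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status == 204:                        # nothing to modify: the scanner saw it as clean
        return Verdict(status, "pass", None, b"")
    if status != 200:                        # caller decides fail-open vs fail-closed
        return Verdict(status, "error", None, b"")
    # 200: the server replaced the HTTP response; locate the body via Encapsulated offsets
    offsets = dict(p.strip().split("=", 1) for p in headers.get("encapsulated", "").split(",") if p.strip())
    body = dechunk(encapsulated[int(offsets["res-body"]):]) if "res-body" in offsets else b""
    infection = headers.get("x-infection-found")
    return Verdict(status, "blocked" if infection else "modified", infection, body)


# --- constructed sample exchange ------------------------------------------------
SERVICE = "icap://icap.example.net/respmod"              # hypothetical AV ICAP endpoint
REQ_HDR = b"GET /downloads/setup.exe HTTP/1.1\r\nHost: files.example.org\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-dosexec\r\n\r\n"
RES_BODY = b"MZ" + b"\x00" * 62                          # stand-in for a PE download


def sample_clean_reply() -> bytes:
    return b'ICAP/1.0 204 No Content\r\nISTag: "example-sigs-1"\r\n\r\n'


def sample_block_reply() -> bytes:
    """Constructed AV-server reply that swaps the download for a block page."""
    blk_hdr = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
    blk_body = b"Download blocked by content scanner"
    icap_hdr = (b'ICAP/1.0 200 OK\r\nISTag: "example-sigs-1"\r\n'
                b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
                b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(blk_hdr))
    return icap_hdr + blk_hdr + chunked(blk_body)


def run_sample():
    """Build the client request, then interpret a clean reply and a block reply."""
    request = build_respmod(SERVICE, REQ_HDR, RES_HDR, RES_BODY)
    return request, parse_icap_response(sample_clean_reply()), parse_icap_response(sample_block_reply())
```

The `error` branch is the one to think about before deploying: an ICAP server that is overloaded or down answers with a 5xx or not at all, and whether the gateway then fails open (passes the file unscanned) or fails closed (blocks all transfers) is a policy decision the integration has to make explicitly.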