Hi guys, when Invincea was bought by Sophos I was excited about Invincea's sandboxing feature to be included to Sophos Endpoint Protection.
This however doesn't appear to have been planned.
Useful scenarios include:
- Running unknown/suspicious applications in a sandboxed environment.
- Opening email attachments
- Opening downloaded files
- Manual use by security admins (Specify programs to run in sandbox, or temporarily whitelist a blocked program/file forcing it to run in sandbox for investigations.)

That last one is particularly useful, as we've recently had a case where some emails were flagged by Sophos and quarantined. Sophos would block us from opening the emails, which meant we were unable to investigate the emails in order to create a rule to filter them out.
We had to disable Sophos to complete our investigation, which is very non-user friendly.
Having a simple option of allowing to run a quarantined/blocked program or file from sandbox would solve this issue while keeping the system secure.

We have 'sav-update' installed on our mail relays so they automatically download the latest detection IDE's.
It would be a good feature to know that the latest IDE is supposed to detect X-trojan, X-virus or X-worm.
We had an example where one of our customers asked if we now detected the Troj/Agent-ARJS Trojan and I had to reply 'I think so' rather than a definite 'yes'. If I could search the IDE's with the Unix 'strings' command looking for say Troj/Agent-ARJS and found a hit then that would be brilliant.
It should be a simple case of just putting a comment field in the IDE so that 'strings' picks it out e.g.

# strings gozi-ct.ide |grep -i TRO
Troj/Gozi-CTSECTide

Thanks

Andy