10-26-2022 07:34 AM
Hello,
I am just getting familiar with Secure Endpoint and would like to know more about the Spero and Ethos engines.
I could not find DETAILED information about how these engines work and what they do.
Would be grateful if someone provides documentation.
Thanks
11-02-2022 12:21 PM
Hello @llomjaria ,
Enclosed is some information:
SPERO (Machine Learning): We use hundreds of pieces of information about a file, which we call a SPERO fingerprint. This is sent to the cloud, and SPERO trees determine whether a file is malicious. Note that a Spero hash is a hash based on file characteristics, not the file itself.
ETHOS (File Grouping): The engine is designed to detect polymorphic threats by checking specific characteristics of a file. Much malware tries to pack/unpack/re-pack to change itself and to hide from detection. The engine detects such activity and is able to "group" an unknown file, based on its behaviour, to a known malware family.
Greetings,
Thorsten
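The difference between a hash of the file and a hash of file characteristics, as an added example that is not part of the original post and is not Cisco's SPERO or ETHOS algorithm. The four characteristics, the bucket sizes and all sample bytes are assumptions constructed for illustration.

```python
import hashlib, math
from collections import Counter, defaultdict

def keystream(seed: bytes, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a re-packed payload."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def characteristics(data: bytes) -> tuple:
    """Coarse features that survive re-packing (hypothetical feature set)."""
    n, counts = len(data), Counter(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return (
        data[:2],                  # magic bytes
        n.bit_length(),            # size bucket (power of two)
        round(entropy),            # byte entropy, rounded to whole bits
        int(10 * counts[0] / n),   # share of zero bytes, in tenths
    )

def fingerprint(data: bytes) -> str:
    """Hash of the characteristics, not of the file content."""
    return hashlib.sha256(repr(characteristics(data)).encode()).hexdigest()[:16]

def group(samples: dict) -> dict:
    """Group sample names that share a characteristics fingerprint."""
    families = defaultdict(list)
    for name, data in samples.items():
        families[fingerprint(data)].append(name)
    return dict(families)

# Constructed samples: one stub carrying two differently "packed" payloads,
# an unpacked executable-like blob, and a document-like blob.
STUB = b"MZ" + b"constructed unpacker stub".ljust(62, b"\x00")
SAMPLES = {
    "variant_a": STUB + keystream(b"key-a", 4096),
    "variant_b": STUB + keystream(b"key-b", 4100),
    "plain_exe": b"MZ" + b"\x00" * 3000 + b"constructed plain program",
    "document": b"%PDF" + b"constructed benign text " * 20,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, hashlib.sha256(data).hexdigest()[:16], fingerprint(data))
    print(group(SAMPLES))
```

The two variants have different SHA-256 values but land in the same group, while the other two samples each get their own fingerprint.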
10-26-2022 07:48 AM
10-26-2022 11:42 PM
Thank you for the information.
It's useful but not as detailed.