Sophos Intercept X with Sophos Endpoint Advanced is a security platform built around several key features. Most prominent is a deep learning detection approach that blocks ransomware from executing without relying on signatures. We therefore give credit to Sophos' claim of 'predictive protection', which leverages deep learning to improve the detection and response times required for today's fast-evolving threats such as ransomware. Without the need to constantly update definitions, Sophos feels nimble to us. It can quietly run alongside endpoint protection from any vendor, providing more than a little flexibility in your environment and boosting endpoint protection.
The initial layer of protection is the platform's Intercept X, a security mechanism which can detect the presence of phishing emails. Its anti-exploit technology prevents the delivery of ransomware and other threats, and stops attackers from using the initial-entry techniques at the start of the attack chain. It is better never to have to test how robust your recovery processes are, if you are given the choice of preventing the infection before it begins.
Intercept X leverages two function sets, both of which we explored. The first is CryptoGuard technology, which we observed in previous testing installments: a signatureless behavior monitor that detects rapid file encryption and terminates active ransomware attacks. This behavior analytic is a last line of defense that monitors all processes; it detects malicious encryption attempts and rolls back any impacted files to their safe state. CryptoGuard also protects against attacks launched from a remote machine that target files on a protected desktop or server. Disk and boot record attacks, as used by NotPetya and other ransomware families, are also stopped. The second is the branded Sophos Clean tool, a feature focused on eradicating all traces and remnants of malware that previous, signature-based security software may have missed.
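The CryptoGuard behavior described above (catch rapid in-place encryption of existing files, stop the actor, restore the files from pre-image copies) is easy to mistake for signature matching, so here is an added example of what a signatureless monitor of that shape has to do. This is illustration code written for this review, not Sophos code and not a description of CryptoGuard's actual internals; the entropy threshold, the "three suspicious rewrites within two seconds" rule, the in-memory file store and the write-event stream are all constructed assumptions.

```python
"""Constructed sketch of signatureless ransomware detection with rollback.

Added example, not Sophos code. Thresholds, the in-memory 'disk' and the
event stream below are assumptions chosen to make the mechanism visible.
"""
import hashlib
import math
from collections import defaultdict, deque

ENTROPY_BITS_THRESHOLD = 7.0  # assumption: near-uniform bytes => encrypted/compressed data
RAPID_REWRITES = 3            # assumption: this many suspicious rewrites ...
WINDOW_SECONDS = 2.0          # ... within this sliding window triggers a response


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class BehaviorMonitor:
    """Watches write events, keeps copy-on-write pre-images, and rolls back."""

    def __init__(self, files):
        self.files = dict(files)             # path -> bytes; stands in for the disk
        self.touched = defaultdict(dict)     # actor -> {path: pre-image before first write}
        self.suspicious = defaultdict(deque) # actor -> timestamps of suspicious rewrites
        self.blocked = set()                 # actors that have been stopped

    def on_write(self, actor, path, data, ts):
        """Apply one write; return None or a response dict once the actor trips the rule."""
        if actor in self.blocked:
            return {"actor": actor, "action": "write blocked", "path": path}
        before = self.files.get(path)
        if before is not None and path not in self.touched[actor]:
            self.touched[actor][path] = before  # pre-image kept for rollback
        # The tell-tale pattern: an existing low-entropy file overwritten in place
        # with near-random bytes. Creating a brand-new high-entropy file (an
        # archive, a JPEG) is not counted, which keeps backup and zip tools quiet.
        if (before is not None
                and shannon_entropy(before) < ENTROPY_BITS_THRESHOLD
                and shannon_entropy(data) >= ENTROPY_BITS_THRESHOLD):
            window = self.suspicious[actor]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RAPID_REWRITES:
                return self._respond(actor)  # the triggering write is never applied
        self.files[path] = data
        return None

    def _respond(self, actor):
        # Stands in for killing the local process, or dropping the SMB session
        # when the actor is a remote machine writing to a protected share.
        self.blocked.add(actor)
        restored = []
        for path, pre_image in self.touched[actor].items():
            self.files[path] = pre_image
            restored.append(path)
        return {"actor": actor, "action": "terminated", "restored": sorted(restored)}


def pseudo_random_bytes(n, seed):
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample documents: plain text, i.e. low entropy.
DOCS = {f"/home/alice/doc{i}.txt": (f"Quarterly report {i}. " * 200).encode() for i in range(5)}


def run_demo():
    """Replay a constructed event stream; returns (monitor, list of responses)."""
    mon = BehaviorMonitor(DOCS)
    events = [
        # A text editor saving a document: low entropy in, low entropy out.
        ("pid:4242 vim", "/home/alice/doc0.txt", b"Quarterly report 0, revised. " * 200, 0.0),
        # A backup tool creating a brand-new archive: high entropy, but a new path.
        ("pid:5151 tar", "/home/alice/backup.tgz", pseudo_random_bytes(4096, "tgz"), 0.5),
    ]
    # A remote actor over SMB (assumed) rewriting existing documents with ciphertext.
    events += [("remote:10.0.0.7 smb", f"/home/alice/doc{i}.txt",
                pseudo_random_bytes(4096, i), 1.0 + 0.1 * i) for i in range(5)]
    responses = [r for r in (mon.on_write(*e) for e in events) if r]
    return mon, responses


if __name__ == "__main__":
    monitor, out = run_demo()
    for r in out:
        print(r)
```

Two design points matter in practice. Keying the pre-image copies by actor as well as path means rollback only reverts the files the stopped actor touched, so the editor's earlier legitimate save of doc0.txt survives. And counting only low-entropy-to-high-entropy rewrites of existing files, rather than any high-entropy write, is what keeps archivers and image editors from tripping the rule; a real product also has to cope with actors that write through a proxy process or rename before encrypting, which this sketch does not attempt.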
Beyond the Intercept X layer, the platform adds Endpoint Advanced run-time memory analysis, which can detect components of ransomware and other malware in memory. This addresses fileless attacks that either carry out the ransom attack themselves or compromise a system as a step toward a later ransomware attack. Threat intelligence is updated via Sophos Live Protection in Sophos Endpoint, which uses in-the-cloud lookups to decide instantly whether a file is a threat and can act to block it, improving detection of new malware without the risk of unwanted (false positive) detections.
Threats across all critical attack vectors can be detected using Sophos Endpoint web security, web control, URL blocking and application control. We were prevented from browsing malicious websites that can be used to host a ransomware attack or deploy malware as a precursor to the ransom attack, thanks to Sophos Endpoint Advanced web protection. Better yet, we could dial in application lockdown settings to prevent malicious behaviors by authorized applications in the event of a breach.
Enhanced support is included with the Endpoint products, although a basic no-cost support tier is also offered. Enhanced support includes 24/7 multi-channel support, product updates, and access to the support knowledgebase and forums. The higher support tiers are Enhanced Plus and Technical Account Management; these, along with Enhanced, all provide phone and email support.
by Matt Hreben with collaboration from Dan Cure; tested by Matt Hreben