Apr 13 2020

Review: Sophos Intercept X Handles Threats Easily

Software defeats ransomware with automatic monitoring and file rollbacks

Traditional anti-malware products scan both memory and disk for particular threat signatures, which are updated daily (or even more often). But if a new threat appears before the pattern files are updated, these solutions are unable to detect or prevent the attack. 

In an effort to keep ahead of the criminals, SophosLabs analyzes more than 400,000 new malware samples every day. The challenge is that the vast majority of malware is unique to a single organization, so updating a pattern file is an inefficient, ineffective block for these attacks.

To fix that, Sophos Intercept X sits on top of traditional security software solutions to augment protection. The software prevents malware before it can be executed and stops threats, such as ransomware, from running. When ransomware does get into the network, the Root Cause Analysis tool can help users understand the forensic details.

How Sophos Intercept X Rolls Back Malware Threats

Intercept X uses deep learning to detect new (and previously unseen) malware and unwanted applications. Deep learning is modeled after the human brain, using advanced neural networks that continuously learn as they accumulate more data. It’s the same kind of machine learning that powers facial recognition, natural language processing and self-driving cars, all inside an anti-malware program.

Ransomware has grown at a fast clip since the success of the WannaCry malware infection in May 2016. Ransomware installs itself on a computer and then encrypts the important files, making them inaccessible to their owner. The owner then receives a message from the attackers that, in an exchange for currency, they will unencrypt the files. 

Sophos Intercept X blocks these attacks by monitoring the filesystem, detecting any rapid encryption of files and terminating the process. It even rolls back the changes to the files, leaving them just as if the malware never touched them — and denying the cybercriminals the payoff they want.

Sophos Intercept X

Security Admins Can Investigate Malware Infections 

The software offers several additional protections. WipeGuard uses the same deep learning features to protect a computer’s master boot record. Ransomware attacks on the MBR prevent a computer from restarting (even turning to a backup to restore the machine will be impossible) until the cybercriminals get their money. Safe Browsing includes policies to monitor a web browser’s encryption, presentation and network interfaces to detect “man in the browser” attacks, which are common in many banking Trojan viruses.

Sophos Root Cause Analysis keeps a list of infection types that have occurred in the past 90 days. There’s even a Visualize tab that connects to devices, browsers and websites to track where the infection occurred and how it spread. This doesn’t mean users must take action immediately, but it could help them investigate a chain of events surrounding a malware infection and highlight the necessary security improvements.

One caution with Intercept X: If users haven’t patched their software, especially Java and Adobe applications, it may detect false positives. Be sure to update all software to the most current versions to avoid these accidental alerts, which is a good practice anyway.

READ MORE: Find out how security software often gathers information that empowers a manager to disseminate tips to stakeholders.

Streamlined Endpoint Protection Simplifies Security for Managers

Endpoint protection is wonderful, but managing all those endpoints can be a chore. In addition to the usual laptops and desktops, security managers must pay attention to servers, mobile devices, email and web browsing. The potential threat surface can seem overwhelming.

The Sophos Central console streamlines that management, especially when deployed alongside other Sophos products. From the console, admins can manage Intercept X and endpoint protection either globally or by device. Web protection provides enterprise-grade browsing defense against malicious popups, ads and risky file downloads. The mobile dashboard also shows device compliance, self-service portal registrations, platform versions and management status. 

Server security protects both virtual and physical servers. The Server Lockdown feature reduces the possibility of attack by ensuring that a server can only configure and run known, trusted executables.

Sophos wireless, encryption and email products also tie in to the console, and Sophos Wi-Fi access points can work alongside endpoint and mobile protection clients to provide integrated threat protection. That lets admins see what’s happening on wireless networks, APs and connecting clients to get insight into inappropriate use of resources, including rogue AP detection. 

The Sophos Encryption dashboard provides centrally managed full disk encryption using Windows BitLocker or Mac FileVault. Key management becomes a snap with the SafeGuard Management Center, which lets users recover damaged systems. Sophos email protection provides a guard against spam, phishing attempts and other malicious attacks through the most common user interface of all: email.

Sophos Central isn’t just for admins, either. Self-service is an important feature today, with user demands and IT budgets in constant conflict. Users can log in to the Sophos self-service portal to customize their security status, recover passwords and get notifications. In most IT departments, password recovery is the No. 1 help desk request, and eliminating those calls means technicians can spend more time on complex tasks.

Sophos Intercept X 

Platform: Windows 7, 8, 8.1 and 10 32-bit and 64-bit platforms; MacOS
Storage Requirement: 20MB on the endpoint (on average)
Server Requirement: Sophos Central supported on Windows 2008 R2 and above


Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT