Sophos Intercept X Endpoint Protection


    Sophos Intercept X Endpoint Protection remains an excellent hosted endpoint protection solution since the last time we tested it a year ago. The product ranges in price from $20.00 to $40.00 per user per year depending on the features you select at the time of subscription, but it’s sold strictly through partner channels, which may turn off some buyers. Still, Sophos is a great solution for a business of any size, as it’s capable of protecting both of the main desktop operating systems (OSes) as well as mobile device platforms. You can even decide to add server protection licenses, which means you get some Linux support, though desktop Linux environments need not apply. That slight ding aside, Sophos checks all the boxes a business might look for and does so at a very competitive price. For this reason, it retains our Editors’ Choice award in the endpoint protection category along with competitors Bitdefender GravityZone Ultra and ESET Endpoint Protection.

    Once your account is created (a process that will likely vary from partner to partner), getting started is a breeze. Logging into Sophos Central greets you with the Dashboard. Up at the top are the most recent alerts (if there are any), which is good because it puts them in quick and easy view of the administrator should there be a problem. Below that is a usage summary, showing which devices are protected and which ones have been inactive for a considerable period of time. If a device drops off the map for a while, it could be a cause for concern, so this is another nice statistic to have at a glance. If you are using the Email Security component, which requires pointing your domain’s MX records to Sophos, you can also get a summary of email threat activity. Web statistics are off to the right, so if there are phishing attempts, you’ll be sure to know about them, too. An interesting addition is a “news” stream at the bottom, which tries to keep you up to date on new threats and how to combat them. We like educating users out of trouble, so this won us over.

    To get started quickly, you can hop down to the Protect Devices section. From there, you can click the appropriate download link for the systems you want to protect. Apple macOS and Microsoft Windows 10 are both supported for desktops and laptops, and Android and iOS mobile devices are also supported via a device enrollment wizard, getting the same first-class treatment as desktops in terms of protection. After the agent is installed, which takes only a minute or two, your device is officially protected by the system. If you are using a mobile device, the mobile enrollment wizard is on the same page. Adding users is similarly easy under the People section. You can add users one at a time or import them from a CSV (comma-separated values) file or from Microsoft Active Directory, though this last step is more involved.

    Next from the Dashboard is the Alerts page. This is where all threats will be cataloged and displayed as they’re discovered. Similar to a task manager, as these threats are resolved, you can click and check them off the list. If a particular threat is cited more than once, it can be grouped with a simple toggle switch. If any threat requires manual cleanup or additional activity, you can click into the threat’s hyperlink and see what the next steps are. Most of the time, all you need is a simple restart to clear the issue.

    The Devices section is also fairly simple to use. To view the details of a specific system, you just click on it. From there, you can get a quick summary of the products installed, recent events, current system status, and policies. Security Health under the status tab is fairly detailed and can give you a quick rundown if anything is amiss, such as out of date software or an active threat. The policies will also let you see at a glance which policies apply to that device.

    By far, one of the most useful components of Intercept X is root cause analysis. It’s great to say that your systems are protected, but it’s often more useful to know how and why an attack happened. This can help with not only protecting your systems in the future, but also educating users on what they should or shouldn’t do. For instance, if Bob downloads an unsanctioned application that happens to have some ransomware hitching a ride, that can be brought to light in the next security meeting. There are quite a few components involved, but Sophos broadly groups it into three parts: Overview, Artifacts, and Visualize.

    Overview describes the threat and gives you the rundown on where it was found and when. Artifacts tells you about the changes that it tried to make to the system, while Visualize shows you a diagram displaying the path of infection and how the malware tried to interact with the rest of the system. Besides being one of only three products in this roundup to have this kind of analysis available, we feel Sophos Intercept X does the best job of presenting the data, because it’s not only clear, it’s also very easy to pick up with a minimum of technical fuss.

    However, that’s not to say that Sophos Intercept X has become easier to use since the last time we reviewed it. In fact, if there is a real downside to the new Sophos, it would be the overwhelming number of options when it comes to policy configuration. To really understand what you’re placing in a policy, you’ll need to be prepared to eat a significant learning curve. The good news is that all the default policies have the important features on to start with, so you don’t necessarily need to get crafty here, though administrators for large networks likely won’t be able to avoid it. There are seven categories of policies you can add, ranging from Application Control to Web Control, and each has its own unique set of settings to tweak. Each policy can apply to either users or devices, so there is a lot of flexibility in when and where you apply settings.

    Aside from malware protection, Sophos Intercept X is also an excellent performer as a business-class anti-ransomware tool. Intercept X brings an excellent combination of deep learning and exploit detection to this particular problem, so it can quickly and easily figure out whether a piece of software is up to ransomware mischief. It also employs a feature called CryptoGuard to automatically recover any damaged files and protect against hostile ransomware encryption attempts. Furthermore, when you combine those capabilities with its root cause analysis, Intercept X can track what a program does as it executes, so whatever it does can be rolled back later if necessary. Combined with a firewall that knows how to look for various kinds of hostile traffic, this is as good a ransomware protection solution as we’ve seen to date.

    New to the product is Endpoint Detection and Response (EDR), which shows up as the Threat Analysis Center. Threats can be cleaned straight from this module, in addition to isolating affected devices while you figure out where the threat came from. It gives you a helpful summary, including whether or not business data was involved when the threat took place and what the root cause was. Using this information, you can concoct strategies to prevent similar attacks in the future. Bitdefender GravityZone Ultra also has built-in EDR capabilities with its Risk Dashboard, but this is another area where we feel that Sophos Intercept X simply implements the capability a little bit better.

    Our first step in testing a business-class anti-malware platform is always the phishing test. For this, we use 10 samples from PhishTank, an independent internet resource that lists known phishing websites. After randomly choosing our ten sites, we navigated to each from our test system using Internet Explorer. Sophos issued an alert each time a connection attempt was made, and none of the sites were allowed. It wasn’t very clearly shown to the system’s user why this was the case without them looking in their client logs (which few if any end users would do), but the administrator gets the full picture in the Dashboard. Frankly, we would have been a little happier with some more local alerting.

    The next test involved downloading and executing a fresh malware database against the test system. On executing the extraction program, all samples were detected immediately. Sophos Intercept X provided the malware with no opportunity to execute, which is exactly the outcome you want here and shows Sophos has done good work this past year keeping its systems up-to-date with the latest malware protection.

    Our third test is done using a browser-based exploit. For this we chose a well-known Internet Explorer vulnerability, MS06-014. Though this weakness was reported as far back as 2006, it’s still used quite a bit because it’s still fairly successful. Done right, malware-carrying payloads using MS06-014 can still get past Microsoft Windows Defender. To test Sophos on this, we built a dummy website that tried to exploit MS06-014; if the attack was successful, it would create a remote shell connection. Sophos requires that a browser add-on be enabled to catch this kind of attack, but once we installed that on our test system’s Internet Explorer instance, it immediately blocked the site as malicious. Much like with the phishing test, the finding was announced in an alert window, but, unlike with Bitdefender GravityZone Ultra, it was not shown in the browser.

    Our active attacker test assumes that a machine somewhere on your network has had its remote desktop protocol (RDP) password compromised and now there’s a hostile limited account active on the machine. Our first step after gaining access to the remote machine is to dump a huge pile of malware on it. To do this, we encoded a wide variety of payloads from Metasploit Meterpreter. Sophos caught every single one of them. Of the 42 that were copied to the desktop via RDP, none remained viable for execution.

    Those are excellent results, and they remained that way when we checked them against third-party findings. AV-Comparatives, in its 2019 Real-World Protection Test, found that Sophos blocked 99.5 percent of threats with no false positives. Again, great results that put it on par with players like ESET and Kaspersky Endpoint Security Cloud.

    Overall, we found that Sophos Intercept X does a great job blending powerful threat protection with advanced tools that can put a business of any size on a safer, proactive posture. While there’s a good deal of learning involved for its more advanced capabilities, for the price it provides any administrator, from the generalist to the security specialist, with the tools they need to do the job.

    Daniel Brame, MCSD, is a Solutions Consultant and freelance product reviewer.
