Description

This is the first of multiple updates planned during the early access period.  In this release we have added multiple protections to the Intercept product to prevent active adversaries form completing their objectives, from Credential Theft Prevention, to protections against new exploit techniques like eternalblue and double pulsar the exploits used in the wanna cry worm.

This fall we add Deep Learning AI models to detect malware and potentially unwanted applications without the use of signatures.

Join the Community for access to test tools, videos, additional documents and to provide feedback on the features.

For step by step instructions on how to enable the Early Access program from central, check out the getting started guide. How to enable EAP in Sophos Central

The Active Adversary portion of the EAP includes the following new features

  • Credential theft protection – Preventing theft of authentication passwords and hash information from memory, registry and off the hard disk.
  • New process protection techniques
    • Code cave utilization – Detects the presence of code deployed into another application, often used for persistence and AV avoidance.
    • Malicious process migration – This detects a remote reflective dll injection used by adversaries to move laterally between processes running on the system.
    • Process privilege escalation– This prevents a low privilege process from being escalated to a higher privilege, often used by an active adversary to gain system access rights.
    • APC protection (Atom bombing) – This detects abuse of Application Procedure Calls often used as part of the new (2016) Atom Bombing exploit technique and more recently used as the method of spreading the Wanna Cry worm.  Adversaries can abuse these calls to get another process to execute their code.
  • New registry protections
    • Sticky key protection – Intercept 2.0 prevents replacement of the sticky key executable by an adversary often used for persistence.
    • Application verifier protection – Intercept 2.0 prevents the replacement of application verifier dlls that would allow the adversary to circumvent AV and other normal process start up behaviour.
  • Improved process lockdown
    • Browser behaviour lockdown – Intercept 2.0 prevents the malicious use of PowerShell from browsers as a basic behaviour lockdown.
    • HTA application lockdown – HTML applications loaded by the browser will have the lockdown mitigations applied as if they were a browser.

Eligibility details

Intercept Early Access is available on Windows 7 and above

How to enable the features

The new features will automatically be enabled once you join the EAP program and assign the endpoints to participate.

Simply enroll in the Early Access Program and assign Windows 7 or above endpoints.

Remember to join the Community to provide feedback on the features.