• SSL/TLS decryption of HTTPS websites

    Hi all, HTTPS inspection is being enabled by default for devices in the EAP now that the roll out has finished, (both Endpoint and Server). When users visit websites via browsers the Sophos endpoint will decrypt HTTPS network traffic for the pur...
    • 15 Oct 2021
  • XDR - Detection and Investigation Early Access Program

    We are excited to announce the opening of the Detections and Investigations Early Access Program (EAP).  The EAP begins with the introduction of the Detections dashboard which provides a prioritized list of suspicious activity for further invest...
    • 10 Oct 2021
  • Important Changes to the Endpoint/Server Protection and EDR Features Early Access Program

    Hi all, We have some exciting changes coming to the Endpoint/Server Protection and EDR Features Early Access Program over the next few weeks. One of the biggest changes is the decrypt and re-encrypt of HTTPS traffic between the browser and the w...
    • 11 Jun 2021
  • New Endpoint/Server Protection early access features now generally available

    This blog post contains a listing and details on features that have previously been released to the New Endpoint/Server Protection Features early access program and are now generally available to all customers. 19/08/2020 - IPS for Windows Ser...
    • 1 Jan 2021
  • License changes to New Endpoint and Server Protection and EDR Features early access programs

    With having completed the early access testing on our new EDRv3 capabilities and with the upcoming features that will be entering the New Endpoint and Server Protection and EDR Features early access program being more protection rather than EDR relat...
    • 23 Oct 2020
  • Notice for next EAP update

    Hello all, We are due to update our EAP agent during the week of 21st September; this update has some small fixes in it and will allow us to start enabling IPS and our new behavioral engine.  Note: After this update you need to reboot devices to...
    • 15 Sep 2020
  • Exploring Windows Events and Security groups with Live Discover

    The Sophos UK Sales engineering team has been getting familiar with live discover. In the work they explored group policy and provided the following queries:

    Deleted security groups -

    Variable to specify the number of days to check

    /* Deleted Security Groups */
       CAST(datetime(time, 'unixepoch') AS TEXT) AS 'Change Made',
       JSON_EXTRACT(data, '$.EventData.SubjectUserName') AS…

    • 6 Jul 2020
  • Detecting Glupteba malware with Sophos EDR

    Last week SophosLabs published a report about the Glupteba malware. According to Sophos Labs this malware family has been growing in numbers. "This malware, with its hard-to-pronounce name, has been getting regular updates and feature enhancements that seem to be focused on its ability to conceal itself from detection on infected computers....The core malware is, in essence, a dropper with extensive backdoor functionality, but…

    • 29 Jun 2020
  • Live Discover for LINUX.... Video

    In the next two weeks we will be fully launching the EDR Live Discover for LINUX.

    The capabilities on Linux are simply astounding, we have been busy creating the prebuilt queries and finishing the last bit of work before this is fully available.

    In the video, Ethan Vince-Urwin, one of the core linux developers who has been building the features we all love takes the product for a test drive and shows off some of the power…

    • 11 Jun 2020
  • KingMiner non-deterministic indicators of compromise

    See the story from SophosLabs Uncut on KingMiner: https://news.sophos.com/en-us/2020/06/09/kingminer-report/

    The article is both educational and enlightening.  One of the aspects of KingMiner that is common with other attacks is that many of the indicators of compromise are non-deterministic.  The domain names and URLs they use are all auto generated.   I read through the article and crafted a query to check if you have experienced…

    • 10 Jun 2020
  • New Sophos Table - Sophos_process_activity

    We have added a new table to the sophos forensics journals. The sophos_process_activity table.

    Often as part of an investigation you need to to get a quick view of what a process did in the past and this table provides a quick lookup location for that information.

    This table contains a subject for each of the other Sophos 'journals' and collects some of the more useful information like Registry Key/Values for the registry…

    • 26 May 2020
  • Live Discover Queries - Review Process

    Posting a query to the Live Discover Queries board will now include a review process.  This will allow us to review any question and proposed answer prior to it being visible by others.  We are adding this to ensure that the content of the queries do not contain anything inappropriate and that the query has been reviewed and tested and is not believed to cause harm. as for how well it does what it says.  we advise administrators…

    • 23 May 2020
  • How to find and use the Schema for Live Discovery Queries

    While we have the schema posted on the EAP community pages, I have had a number of request for how to find it and how to use it.

    First how to find the schema(s):

    From the Sophos Community: We provide a link to definition of the sophos windows schema on the community form in the documents section. You can downlaod the file with this link: https://community.sophos.com/products/intercept/early-access-program/m/files/9491/…

    • 19 May 2020
  • Intercept X with EDR EAP - Variable support for queries

    Starting on the week of may 18 we will be adding variable support to queries.

    You can create queries that now include support for up to 6 variables. A variable will be given a $$ prefix and postfix and can be either a TEXT or DATE value.  You will write your query and specify the variable information in the query.  Then when you run it you will be able to simply drop in the information for the variable and we will automatically…

    • 15 May 2020
  • Intercept X with EDR EAP Update - Adding Create/Save/Edit Queries

    The week of May 18 we will be turning on two powerful new capabilities in the EAP, Edit Query and Query Variables.

    CREATE, SAVE queries - With this new capability you can now create and save your own queries, This will allow you to start from scratch or modify an existing query.  You will need to give your query a name, description, identify one or more categories it will be a part of and specify what operating systems…

    • 15 May 2020
  • Live Response now in Early Access and other EDR updates

    Note: Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement.


    We are excited to announce that Live Response is now available in early access.


    Live Response allows admins to remotely connect to devices and get access to a command line interface so that detailed investigations can be performed, or to take prompt action to contain or remediate a…

    • 28 Apr 2020
  • Help design the future of security; Live Discover User Experience Research

    Can you help to shape our future products?


    We're looking for customers and partners to join our Sophos Design Partner group. Sign up and you'll be able to give us your product feedback and ideas through surveys, interviews, or usability testing.

    You'll be helping to make the world a safer place -- and you might win Amazon vouchers while you're doing it.

    We’re particularly keen to talk to customers who…

    • 23 Apr 2020
  • New Windows endpoint UI

    I'm pleased to say that a new version of our endpoint user interface is being released to EAP customers this week. Windows devices (client and server) enrolled in the EAP will receive the update automatically.

    The key goal of the update is to better represent Sophos' different endpoint components - Intercept X, Central Device Encryption and our upcoming UEM agent. It will also to bring a consistent look across platforms…

    • 19 Apr 2020
  • New Linux EDR Agent now available in Early Access

    We are excited to announce that we have added our new Linux EDR agent to the New Server Protection and EDR Features early access program.

    Joining the EAP:

    To get access to the new agent you must first join the New Server Protection and EDR Features early access program. See this presentation on how to join the EAP.

    Getting access to the agent and installing:

    Once you have successfully joined, from the Protect Devices…

    • 17 Apr 2020
  • Powerful New EDR Capabilities Now Available In Early Access

    Note: Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement.

    We are excited to announce that Intercept X Advanced with EDR v3.0 with Live Discover is now available in early access.

    Live Discover allows admins to search their data to answer almost any question they can think of by searching across their endpoints and servers using SQL. You can…

    • 29 Mar 2020
  • Intercept X with EDR 3.0 is coming soon

    In early April we are extending the Early Access Program to add Live Discover

    Watch the 5 min video. https://vimeo.com/401888432  

    • 29 Mar 2020
  • New Endpoint/Server Protection Features Early Access Program

    Note: Customers can join early access programs and use EAP features free of charge.  Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement.  

    The New Endpoint/Server Protection Features Early Access Program allows customers to test the latest and greatest endpoint and server features and functionality as they are being developed by Sophos.


    • 24 Mar 2020
  • Sophos AMSI Protection going live!

    Starting today we are gradually rolling out Sophos AMSI Protection to the Recommended release for endpoints. In a first phase only new Sophos Central customers (with the right license), and a very small percentage of existing Sophos Central customers will see this.

    While we have tested this technology a lot, internally as well as in this EAP, it is still a new technology so we want to be sure all works well.

    If all goes…

    • 3 Mar 2020
  • February 2020 Enhanced Protection EAP Update

    Starting this week we will gradually roll out an update to the components in the Enhanced Protection EAP. We are mainly focusing on improved quality, and have fixed most of the issues that have been reported. Both endpoints and servers will be updated.

    Other changes are the introduction of Windows 7 support for IPS, and a new and faster SDU log collection.

    This roll-out will take about two weeks.

    The update will bring…

    • 17 Feb 2020
  • New Intercept X features now also blocking exploits on Server

    The same Intercept X features that protect your endpoints are now also activated for the Windows Servers participating in the Server Protection EAP have are now also blocking exploits.

    While these features were active in terms of scanning for and detecting of potential exploits, admins have not seen any threats blocked based on these mitigation types. After having run this on your servers in silent mode, we are now confident…

    • 20 Jan 2020