Now that the Intercept X Advanced with EDR offering is now available for purchase, we wanted to provide Early Access Program customers some best practices for migrating from the Early Access Program to an Intercept X Advanced with EDR license for those who have made the decision to purchase.
Migration Steps:
1. Apply the Activation code for the “Intercept X Advanced with EDR” license on the Licensing page in Sophos Central.
2. From the Early Access Page in Sophos Central, Manage the EDR EAP to remove a handful of assigned devices from the Early Access Program. Once removed reboot the endpoints.
i. As the EDR license has been activated they will be automatically upgraded to the recommended version which on the endpoint UI should have the versions below, or higher:
3. Once it's determined the endpoints removed from the EAP are running fine, from the Early Access Page in Sophos, choose the option to Leave the Early Access program. This will automatically remove the remainder of the endpoints from the EAP which should then also get upgraded to the recommended version.
4. Reboot the machines
5. In your Endpoint Protection policies, ensure the option to 'Allow computers to send data on suspicious files and network events to Sophos Central' is enabled in policies where you want endpoints reporting metadata on executable files with uncertain or bad reputation, and network destinations they've connected to. This also ensures you can search for these items from the EDR Threat and Item Search.
6. Endpoints that hadn't been enrolled in the Early Access Program will also be automatically upgraded to the recommended version and will also need to be rebooted.
Other Updates:
At this stage in the Early Access Program all key new features have been delivered. One recent enhancement worth noting is that in the Deep Learning Malware Analysis report for EDR customers, on the Report Summary Tab, there is a new AV Detection line which will give detail on the Sophos detection name if we are detecting a threat, details on the number of AV vendors that detecting a file according to VirusTotal, and then also providing a link to the VirusTotal details for that file if they have awareness of the file.
In the new year Sophos will provide further detail on when the Early Access Program will be closed to new registrations and then ultimately shut down entirely. At this point in time, for existing Sophos Central customers, access to new EDR capabilities is achieved by joining the Early Access Program. Details to join the Early Access Program can be found in the presentation available here.