Hi all,

As you will have read in the Recommended Read from last week, we released an update to Intercept X, 2.0.23. This week we will start enabling new features that are part of the update for devices that are running in the New Endpoint/Server Protection Features EAPs.

CryptoGuard 5:

A new policy option now sets the default action on detection of ransomware to terminate the process. We have kept the option to only isolate a process should you wish to keep using the setting from CryptoGuard 4. 

This new release is a design change in how our ransomware detection works, resulting in Sophos detecting more ransomware families and protecting more file types and sizes.

This feature is enabled for all devices in the EAP.

Registry Credential Theft Protection:

An extension to our existing credential theft protection, we will now protect the SAM database when it is accessed via the registry.

This feature is enabled for all devices in the EAP.

Over the coming weeks we plan to enable one further mitigation which is browser MFA cookie protection. 

Browser Cookie Protection:

Browser cookies have sensitive data in them, and whilst the cookies are encrypted and the encryption key is then further encrypted, attackers can abuse programs to decrypt the key, decrypt the cookies and read their contents.

MITRE ATT&CK ID: T1539 – Steal Web Session Cookie
MITRE ATT&CK ID: T1550/004 – Use Alternate Authentication Material: Web Session Cookie

This new mitigation protects the contents of the browser cookies by preventing malware, shell-code, loaded modules and debuggers from decrypting the AES key in order to decrypt the cookie.

Please do provide your feedback about these new protections in Intercept X.
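
A defender-side illustration of the access pattern described under Browser Cookie Protection, added here as an example and not part of the original post or Sophos's code: it flags non-browser processes that touch the key file and the cookie store. The record fields, the allowlist and the Chromium-style file names (`Local State` and `Cookies` under `User Data`) are assumptions.

```python
import ntpath
from collections import defaultdict

# Assumption: browsers are allowlisted by full image path, so a look-alike
# "chrome.exe" running from another directory is not trusted on name alone.
TRUSTED_BROWSERS = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
}

def classify(path):
    """Return 'key', 'cookies' or None (assumed Chromium-style profile layout)."""
    p = path.lower()
    if "\\user data\\" not in p:
        return None
    return {"local state": "key", "cookies": "cookies"}.get(ntpath.basename(p))

def find_suspects(events):
    """Map (pid, image) -> severity for non-browser access to cookie material."""
    touched = defaultdict(set)
    for ev in events:
        kind = classify(ev["object"])
        image = ev["process"].lower()
        if kind and image not in TRUSTED_BROWSERS:
            touched[(ev["pid"], image)].add(kind)
    # One process reading both the key file and the cookie store has
    # everything it needs to attempt decryption, so rank that highest.
    return {proc: "high" if kinds == {"key", "cookies"} else "medium"
            for proc, kinds in touched.items()}

# Constructed sample records; field names are hypothetical, not a real log schema.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FAKE = r"C:\Users\alice\AppData\Local\Temp\chrome.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "process": CHROME, "object": PROFILE + r"\Local State"},
    {"pid": 4120, "process": CHROME, "object": PROFILE + r"\Default\Network\Cookies"},
    {"pid": 7788, "process": FAKE, "object": PROFILE + r"\Local State"},
    {"pid": 7788, "process": FAKE, "object": PROFILE + r"\Default\Network\Cookies"},
    {"pid": 9001, "process": r"C:\Tools\backup.exe", "object": PROFILE + r"\Default\Network\Cookies"},
    {"pid": 9001, "process": r"C:\Tools\backup.exe", "object": r"C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for (pid, image), severity in find_suspects(SAMPLE_EVENTS).items():
        print(f"{severity:6} pid={pid} {image}")
```
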



  • Hi William,

    The features in the Early Access Program (EAP) are full release tested by Sophos. The EAP allows for customers to test on a few devices ahead of the wider roll out by Sophos. 

    The program allows for customers to feedback on any issues or questions they have ahead of the wider release and it gives Sophos environmental insight that we cannot replicate in our QA process. We monitor telemetry and customer feedback closely; this helps us in two ways:

    1) We can verify the efficacy of protection and resolve any reported bugs

    2) We use the EAP as a release gate before we release to the wider customer base. As we use feedback to determine when features get a general release, the time taken can vary, from two weeks to a couple of months. 

    This Early Access Program has been running for a few years now and has a large number of customers running the cutting edge version of the software on a significant number of devices. 



  • Hello, I would like to make sure I understand how the EAP works. So if enrolled, new features still being tested by Sophos are installed on my endpoints and servers? Eventually, after testing, the features then become standard and are updated to all? If this is correct, how long does it typically take for the features to become standard? Have you seen any of the features break customer applications while being tested?

    Thank you.

  • Thank you for your reply - Understood

  • Are your Servers enrolled in the Server Protection Features EAP? If not, they will not be upgraded yet; the release to Servers not in the EAP will be in the new year.

  • Hi, it seems that only my endpoint installations update to 2.0.23. Server installations stop at 2.0.22. Will the update be released to server installations soon?