We've been running an updated behavioral engine in the early access program in silent mode for a little while; today we are ready to start blocking! A small number of the behavioral rules that we have will be updated to start blocking from today.
What does that mean for you?
You might see some detections in Sophos Central and the local UI
What might you see?
What do you need to do?
Nothing really, post feedback here if you'd like. It'll be interesting to hear your experiences with this exciting new feature. We will be releasing more rules over the coming weeks.
For those who may be wondering about the "T1117" in the detection name:
This is a reference to a technique in the MITRE ATT&CK Framework. The ATT&CK Framework is like a map of the various tactics and techniques used by attackers to compromise an endpoint. Each tactic (e.g., Execution) is a stage or component of an attack. Each technique (e.g., RegSvr32 or T1117) is a known method of carrying out that tactic.
Each of the techniques in the framework are named and numbered, so security professionals and vendors have a common language they can use. Where relevant, our plan is for the new behavioral detections in Intercept X (early access) to include the technique number. This should help you if you want to better understand the significance of the detection, investigate further, or consult an outside expert.