
SSL/TLS inspection in Endpoint--Threat Detection settings vs. deployment of the CA manually into the certificate store?

I am testing the Sophos Intercept X Endpoint Beta and noticed the settings in Threat Protection for SSL/TLS inspection.

If I already have HTTPS scanning enabled in the firewall rule and the CA is deployed on the endpoint into the trusted certificate store, what does this option do? Does it automatically install the CA into the trusted certificate store? Does the certificate even need to be installed now?

  • They're different mechanisms. The endpoint version decrypts and inspects locally. It uses a certificate included in the endpoint agent. For remote users, this is great, as it provides protection without having to backhaul their traffic through the firewall. In an office setting, the firewall provides a bit more visibility (deeper reporting, etc.) but as you know, requires deploying the certificate.

  • Let the Sophos endpoint component manage the 2 certs locally, don't try and centrally deploy them as you might with the FW cert.
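A quick way to see which of the two mechanisms described in the last two replies is actually handling a given connection on a Windows endpoint, added here as an example and not taken from the thread or from Sophos: it records the issuer presented for a site and checks whether the chain's root is in the machine's or the user's trusted root store. The host name is an assumption; any public HTTPS site works.

```powershell
# Added example, not from the thread: show which CA is signing the certificate this
# Windows endpoint sees for a site, and whether that CA sits in a trusted root store.
# $TargetHost is an assumption; any public HTTPS site works.
param(
    [string]$TargetHost = 'example.com',
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
try {
    # Accept whatever chain is presented: we are observing it, not trusting it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($TargetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose()
} finally {
    $client.Close()
}

# Rebuild the chain against the local stores; skip revocation so this works offline,
# and allow an unknown CA so the partial chain is still populated for inspection.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
[void]$chain.Build($leaf)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Is the chain's top CA present in a trusted root store (machine-wide or per-user)?
$machineRoot = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
$userRoot    = Test-Path "Cert:\CurrentUser\Root\$($root.Thumbprint)"

[pscustomobject]@{
    Host               = $TargetHost
    LeafSubject        = $leaf.Subject
    LeafIssuer         = $leaf.Issuer
    ChainRoot          = $root.Subject
    RootInMachineStore = $machineRoot
    RootInUserStore    = $userRoot
    ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
}
```

A LeafIssuer naming your firewall's or endpoint agent's inspection CA rather than the site's public CA means that connection is being decrypted on that path; the two store flags show whether that CA was deployed machine-wide, per user, or not at all.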

  • Thank you, I will have a look into whether using the firewall for HTTPS scanning is a better option. I really don't like having to log into Sophos Central every time just to change scan settings; it's very tedious, and I find myself already logging into my firewall about 20 times a day.

    A minor complaint. I attempted to play a Steam game on my PC and Sophos Intercept X detected a false positive as "Hollow Process", and it was tedious to log into Central to add a simple exclusion. Maybe Intercept X is not for me and I will dial back the settings.

    With everything being in the cloud nowadays, it still would be nice if Intercept X could be managed right from the Endpoint desktop app without having to use a browser.

  • Sophos builds the Sophos Home solution for the "consumer": https://home.sophos.com/en-us

    Essentially, an Endpoint like Intercept X is built to be used by an Admin of some sort, and therefore something like "Tamper Protection" exists, which means only the Admin is able to change something and nobody on the client can change the protection or start to add exceptions etc.


  • Yes, this is a good idea, so that no one may shut off the antivirus except for the Admin, from their Sophos Central account. I have also deployed the Server Protection on my Linux devices too, as it states the Early Access program is free for anyone.

    I have also used the UTM Endpoint Protection when it was still available, but now that Intercept X is so much more advanced, it's incredible what Sophos offers.

    The Sophos Home solution only appears to be a trial. I use Comodo Firewall, which has other ways to detect ransomware; however, the use of A.I. to detect malware is probably the future of security, and that's what deep learning is in Intercept X?