

Sophos machine learning doesn't work?

I'm doing a POC with CrowdStrike and on the test computer we received a file that was detected as (RegistryPersistEdit) by CrowdStrike's machine learning. Sophos detected nothing and let the file make changes to the Windows registry. Sophos machine learning doesn't work? This is worrying. I have a ticket where I sent the sample file (07062400).

Thanks

  • Hi Andre,

    There's a lot to unpack here.

    First, Sophos doesn't use machine learning to detect registry changes. We use machine learning in a number of other ways, including to detect malicious executable files. Whether that's relevant here is hard to tell, as I don't know whether the file you submitted is a malicious executable.

    Second, using the registry to add persistence is not inherently malicious. Legitimate applications do this all the time at installation or when you set a preference to start an app at Windows startup. I wouldn't expect Intercept X Essentials or Advanced to block this, as it's not necessarily a malicious action. Sophos XDR (an upgrade from Intercept X Advanced) would likely detect it as a suspicious behavior. Similarly, CrowdStrike's protection module probably wouldn't block the behavior; I suspect the detection you saw was from its EDR module.

    Third, every product has blind spots, and no product will block or detect 100% of threats. It is important to judge based on something more holistic than a single example. We have a strong track record of strong protection and detection performance across third-party tests like SE Labs, the MITRE Engenuity ATT&CK Evaluations, and more. We also have strong reviews and ratings from customers on sites like Gartner Peer Insights and G2.

    Regards,
    Maxim

    P.S. Support should get back to you with more information about the specific file you submitted.

  • Hi Maxim.

    Yes, it is an executable file. I submitted it to virustotal.com and some detect it as heuristic malware detection, so it's probably a malicious executable file that Sophos didn't detect.

    The license we use is Intercept X Advanced with XDR. I'll wait for support's response; it could be a false positive from CrowdStrike.

  • Sophos' response is that the submitted file is now covered by us under "Troj/Mdrop-JVY".