Sophos machine learning doesn't work?

Hi Andre,

There's a lot to unpack here.

First, Sophos doesn't use machine learning to detect registry changes. We use machine learning in a number of other ways, including to detect malicious executable files. Whether that's relevant here is hard to tell, as I don't know whether the file you submitted is a malicious executable.

Second, using the registry to add persistence is not inherently malicious. Legitimate applications do this all the time at installation or when you set a preference to start an app at Windows startup. I wouldn't expect Intercept X Essentials or Advanced to block this, as it's not necessarily a malicious action. Sophos XDR (an upgrade from Intercept X Advanced) would likely detect it as a suspicious behavior. Similarly, CrowdStrike's protection module probably wouldn't block the behavior; I suspect the detection you saw was from its EDR module.

Third, every product has blind spots, and no product will block or detect 100% of threats. It is important to judge based on something more holistic than a single example. We have a strong track record of strong protection and detection performance across third-party tests like SE Labs, the MITRE Engenuity ATT&CK Evaluations, and more. We also have strong reviews and ratings from customers on sites like Gartner Peer Insights and G2.

Regards,
Maxim

P.S. Support should get back to you with more information about the specific file you submitted.

Hi Maxim.

Yes, it is an executable file. I submitted it to virustotal.com and some detect it as heuristic malware detection, so it's probably a malicious executable file that Sophos didn't detect.

The license we use is Intercept-X Advanced with XDR. I'll wait for support's response, it could be a false positive from CrowdStrike.

Sophos' response is that the submitted file is now covered by us under “Troj/Mdrop-JVY“