Sophos machine learning doesn't work?

Question

I'm doing a POC with Crowdstrike and on the test computer we received a file that was detected as ( RegistryPersistEdit ) by Crowdstrike's machine learning. Sophos detected nothing and let the file make changes to the Windows registry. Sophos machine learning doesn't work? This is worrying. I have a ticket where I sent the sample file (07062400) 
 Thanks

Maxim-Sophos · Answer

Hi Andre, 
 There's a lot to unpack here. 
 First, Sophos doesn't use machine learning to detect registry changes. We use machine learning in a number of other ways, including to detect malicious executable files. Whether that's relevant here is hard to tell, as I don't know whether the file you submitted is a malicious executable. 
 Second, using the registry to add persistence is not inherently malicious. Legitimate applications do this all the time at installation or when you set a preference to start an app at Windows startup. I wouldn't expect Intercept X Essentials or Advanced to block this, as it's not necessarily a malicious action. Sophos XDR (an upgrade from Intercept X Advanced) would likely detect it as a suspicious behavior. Similarly, CrowdStrike's protection module probably wouldn't block the behavior; I suspect the detection you saw was from its EDR module. 
 Third, every product has blind spots, and no product will block or detect 100% of threats. It is important to judge based on something more holistic than a single example. We have a strong track record of strong protection and detection performance across third-party tests like SE Labs , the MITRE Engenuity ATT&CK Evaluations , and more. We also have strong reviews and ratings from customers on sites like Gartner Peer Insights and G2 . 
 Regards, Maxim 
 P.S. Support should get back to you with more information about the specific file you submitted.

Sophos machine learning doesn't work?

Top Replies