This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Potential Inability to protect un-popular programs

Hi there. While testing Intercept-X as a replacement for EMET in prep for EOL, I am having trouble understanding if in fact Intercept-X can be used as a direct replacement. One of the great advantages of using EMET is it's ability to force applications into using mitigation techniques. I tested this by running the Hitman Pro Exploit test tool against applications other than itself. While using any of the exploit techniques, such as DEP or SEHOP, Intercept-X caught most if not all when leveraged against Microsoft applications. However, once I used these same techniques against a non-popular program, EA's Origin client in this case, Intercept-X was not able to prevent the exploit technique.

To insure EMET would in fact mitigate these exploits, I un-installed Intercept-X, restarted, installed EMET, restarted and added Origin as a program to protect along with enabling the mitigations that I wanted EMET to force the application into. I then ran the exploit tool again and EMET caught/prevented all but maybe one, while Intercept-X did not catch any.

So my question is...Unlike EMET, where you can add an application to protect and force mitigation techniques upon. Is Intercept-X not a direct potential replacement in that it will only protect certain applications that it is programed to protect? Are there plans to allow users to pick additional applications that they would like Intercept-X to protect?

While I understand Office applications, Java, Flash and browsers are the main attack vector of popular incidents. It is important to also protect the other applications within our organization as they can also be leveraged in an attack.

Thanks!

Ryan



This thread was automatically locked due to age.
Parents
  • Sophos Intercept X contains a unique feature called the Software Radar. It automatically applies (enforces) exploit mitigations to applications that are e.g. registered as web browser and other applications that are capable of opening productivity file types, like Office documents, PDF files and media files like AVI. So compared to Microsoft EMET, users do not need to configure Sophos Intercept X to protect internet-facing applications. Sophos Intercept X offers more and better mitigations compared to EMET, but it currently offers no interface to apply mitigations to custom applications, like Origin - a client to start games which is uncommon in a business scenario.

    In a coming update of Sophos Central, the ability to protect custom applications will become available. But normally, you would not need to bother configuring applications thanks to the Software Radar.

    Hope this helps.

    Best,
    Mark Loman
    Director, Engineering

Reply
  • Sophos Intercept X contains a unique feature called the Software Radar. It automatically applies (enforces) exploit mitigations to applications that are e.g. registered as web browser and other applications that are capable of opening productivity file types, like Office documents, PDF files and media files like AVI. So compared to Microsoft EMET, users do not need to configure Sophos Intercept X to protect internet-facing applications. Sophos Intercept X offers more and better mitigations compared to EMET, but it currently offers no interface to apply mitigations to custom applications, like Origin - a client to start games which is uncommon in a business scenario.

    In a coming update of Sophos Central, the ability to protect custom applications will become available. But normally, you would not need to bother configuring applications thanks to the Software Radar.

    Hope this helps.

    Best,
    Mark Loman
    Director, Engineering

Children
  • Thank you for the reply, Mark.

    I understand that Origin is uncommon in a business scenario, however I picked it for this specific reason. It was successful in proving that Intercept-X does in-fact pick programs to protect, versus protecting all or allowing the user to chose the protection scope. Our Organization may require the ability to protect applications that do not fall under the Software Radar categories, which is why I took this testing approach when looking for exploit mitigation programs.

    I am happy to hear that the ability to pick applications will be introduced, as that was the point of this post. To find out if this functionality is coming and or start the conversation to request it.

    Appreciate your time and the work you guys do!

     

    Ryan