As malware continues to evolve, the methods used to detect previously unknown threats have to evolve as well. An ML/PE-A detection is generated by the Machine Learning (ML) engine in Sophos Intercept X, which Sophos refers to as Deep Learning, and is designed to detect malicious Portable Executable (PE) files such as:
If a detection of this type occurs, it is because Sophos has found a file on the endpoint that our Deep Learning threat model has classified as malicious. This is a pre-execution detection, meaning the file was detected before it could run, which stops any further malicious activity from occurring.
For more information on how Deep Learning makes these decisions, please see Demystifying deep learning: how Sophos builds machine learning models.
Applies to the following Sophos products: Sophos Intercept X
In most cases there is nothing to do: the detected file and related components will already have been automatically removed from the endpoint. If you need more information on what led up to the detection, use the Root Cause Analysis feature in Sophos Central to see what was happening on the endpoint at that time.
Deep Learning, as well as being an advanced way of stopping unknown malware, does carry a chance of detecting a non-malicious (clean) file as malicious, which is also known as a False Positive. Sophos has included protections in Deep Learning to reduce the chance of this occurring, and routinely reviews the threat model and adjusts it to increase correct detections and reduce incorrect ones.
To help customers mitigate false positives, you can resolve these detections within the product itself. In Sophos Central, an administrator has the option to allow an ML/PE-A detection they believe to be incorrect. Doing so restores the file and related components and stops it from being detected again in the environment.
Note: Only allow detections if you are sure it is safe to do so. To help determine whether something is safe, please see: How to investigate and resolve a potential False Positive / Incorrect Detection