Starting in November 2019 Sophos began enabling 'Active Adversary Mitigations' as a default setting for all of our new customers. Existing customers had access to this functionality before this date but there was never an enforced default for this policy option to be applied.
As Sophos are committed to providing their customers the best possible protection, starting January 2020 we will be enabling Active Adversary Mitigations by default for all of our Sophos Intercept X customers. We will be staggering this release out to all of our customers and we expect this to be completed by the end of February 2020.
After this change customers may see additional detections for the below mitigations:
These detections are for modern exploit techniques used by third parties to gain malicious access to computers and Sophos recommend that you protect against them.
At the current time this change will only affect your Endpoint Threat Protection policies. There will not be any changes to your Server Threat Protection policies at this time.
This article explains the changes that customers will see in their Threat Prevention policies after the Central change as well as what to do in the case of any issues.
The following sections are covered:
Applies to the following Sophos products and versions Central Endpoint Intercept X 2.0.14
As part of this release in January and February 2020, Active Adversary Mitigations will move from the "New" section at the top of the Threat Prevention policy into the main policy body.
For customers who have left their policy as the default of - "Sophos managed (off)":
we will automatically enable these new mitigations within their policy:
For customers who have specified a custom policy:
we will honour the settings they have specified:
If a customer has disabled "Protect processes" in their threat prevention policy then we will not re-enable this toggle:
If, following this change, you encounter new detections for any of the above exploits we would recommend you ensure that all of your endpoints and servers are fully protected with Sophos Intercept X and that your Threat Prevention policy has all of the various options enabled. Further assistance for this can be gained by contacting Sophos Support.
If you are confident that these detections are false positives then you can report them to Sophos by following this article, as part of this there may be an investigation required by Sophos Support to deem that the detection is indeed a false positive and not actual malicious behaviour. You also have the ability to exclude these detections by following our guidelines in this article. However customers perform these exclusions at their own risk and Sophos would recommend that they contact Sophos Support to investigate the detection prior to any exclusion.
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.