Host Intrusion Prevention System (HIPS) is a security technology that protects computers from unidentified viruses and Suspicious Behavior. It includes both pre-execution behavior analysis and runtime behavior analysis.
Applies to the following Sophos products and versions:
Sophos Endpoint Security and Control
Central Mac Endpoint
Central Windows Endpoint
Behavioral Genotype Protection monitors code on a computer and blocks any code that would behave maliciously before it is executed. Unlike runtime HIPS, which monitor running code and intervene only once they believe suspicious behavior has occurred, Sophos Behavioral Genotype Protection identifies and blocks malicious programs before they run.
Sophos Anti-Virus can also scan for Suspicious Files: files that contain certain characteristics common to malware, but which are not, on their own, sufficient to identify the file as a new piece of malware. For example, a file containing dynamic decompression code of the kind commonly used by malware can be regarded as suspicious. With on-access scanning enabled, Suspicious File detection scans a file when a user opens it. With Suspicious File scanning enabled in scheduled scans, Sophos Anti-Virus detects such files before anyone attempts to open them.
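The following added example (not Sophos code, and not SophosLabs' actual heuristics) shows the shape of a pre-execution "suspicious file" check: a single trait common to malware, here a high-entropy body of the kind a dynamic decompression stub unpacks at runtime, raises a "suspicious" verdict with a recorded reason, without claiming the file is malware. The entropy threshold, minimum size and the two sample buffers are assumptions made for the example.

```python
"""Pre-execution heuristic check in the spirit of Suspicious File detection.

Illustrative example only; not Sophos code. A 'suspicious' verdict means the
file shares a trait with malware, not that it is malware: the same trait
fires on legitimate packed installers, which is why the product reports
such files separately from detected malware.
"""

import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # assumed: bits/byte above which a body looks packed or encrypted
MIN_SIZE = 256            # assumed: tiny blobs give meaningless entropy figures


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input or a single repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> dict:
    """Return {'suspicious': bool, 'entropy': float, 'reasons': [str, ...]}.

    Each reason names the trait that fired so an analyst can tune the rule
    or exclude a known-good file instead of losing the whole signal."""
    reasons = []
    ent = shannon_entropy(data)
    if len(data) >= MIN_SIZE and ent >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy {ent:.2f} bits/byte: packed or encrypted payload")
    return {"suspicious": bool(reasons), "entropy": ent, "reasons": reasons}


# Constructed samples (not real files): readable text versus a seeded
# pseudo-random body standing in for the packed section of an executable.
SAMPLE_PLAIN = b"MZ This program cannot be run in DOS mode.\r\n" * 64
_rng = random.Random(0)
SAMPLE_PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        v = classify(blob)
        state = "suspicious" if v["suspicious"] else "clean"
        print(f"{name}: {state} entropy={v['entropy']:.2f} {v['reasons']}")
```

The same `classify` call serves both scan modes described above: an on-access scanner runs it when a file is opened, a scheduled scan runs it over the file set ahead of time. A real product combines many such traits; one trait alone, as here, is deliberately only enough for "suspicious".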
Sophos Anti-Virus analyzes the behavior of programs running on the system. Runtime behavior analysis includes:
Suspicious Behavior detection, which dynamically analyzes the behavior of programs running on the system in order to detect and block activity that appears to be malicious. Suspicious behavior may include changes to the registry that would allow a virus to run automatically when the computer is restarted.
Buffer overflow detection, which dynamically analyzes the behavior of programs running on the system in order to detect buffer overflow attacks.
Note: Buffer Overflow Protection (BOPS) has been globally disabled in the endpoint product. The policy option is still shown in Sophos Enterprise Console (SEC), but the selected setting is currently ignored. This decision followed thorough investigation by Sophos Engineering and SophosLabs: BOPS gives no detailed feedback when it fires, it fires often because it is prone to false positive detections, and as a result the team can do little to tune the protection it offers. Use Exploit Prevention instead; it provides better protection against buffer overflow attacks along with many other exploit mitigation features.
When Sophos Endpoint Security and Control is first installed, it detects Suspicious Behavior and displays alerts (and sends them to the console). However, it does not block any of the programs detected.
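To make the runtime behavior analysis and the first-install default above concrete, here is an added example that is not Sophos code: a small rule engine that consumes a stream of process events, flags registry writes that would make a program start automatically after a reboot, and runs in either alert-only mode (the default described above) or block mode. The event format, the list of autorun keys and the sample events are all assumptions constructed for the example.

```python
"""Runtime behavior analysis in the spirit of Suspicious Behavior detection.

Illustrative example only; not Sophos code. The rule here is one of the
behaviors the article names: a registry change that gives a program an
automatic start after restart. Real products apply many more rules.
"""

from dataclasses import dataclass, field

# Registry locations commonly used for automatic start at boot or logon.
# Assumed list for the example; a real product's list is broader.
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows nt\currentversion\winlogon\userinit",
    r"software\microsoft\windows nt\currentversion\winlogon\shell",
)


@dataclass
class Event:
    pid: int
    image: str      # path of the process performing the operation
    op: str         # e.g. "RegSetValue", "RegDeleteValue", "FileWrite"
    target: str     # registry key\value or file path
    data: str = ""  # value written, if any


@dataclass
class Verdict:
    alerts: list = field(default_factory=list)   # (event, reason) pairs reported
    blocked: list = field(default_factory=list)  # events that were denied


def _normalize_key(path: str) -> str:
    """Lowercase, unify slashes, strip the hive prefix so rules stay short."""
    p = path.replace("/", "\\").lower()
    for hive in ("hkey_current_user\\", "hkcu\\", "hkey_local_machine\\", "hklm\\"):
        if p.startswith(hive):
            return p[len(hive):]
    return p


def is_autorun_write(ev: Event) -> bool:
    """True if the event sets a value under a known autorun location.

    Matches either the full target (for named values such as Winlogon\\Userinit)
    or its parent key (for arbitrary value names under ...\\Run)."""
    if ev.op != "RegSetValue":
        return False
    key = _normalize_key(ev.target)
    parent = key.rsplit("\\", 1)[0]
    return any(key == k or parent == k for k in AUTORUN_KEYS)


def analyze(events, mode: str = "alert") -> Verdict:
    """Run the behavior rules over an event stream.

    mode="alert": report suspicious behavior but let it proceed (the
    first-install default described in the article).
    mode="block": report it and deny the operation as well."""
    if mode not in ("alert", "block"):
        raise ValueError("mode must be 'alert' or 'block'")
    v = Verdict()
    for ev in events:
        if is_autorun_write(ev):
            v.alerts.append((ev, f"pid {ev.pid} {ev.image} set autorun value {ev.target}"))
            if mode == "block":
                v.blocked.append(ev)
    return v


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    Event(1200, r"C:\Users\alice\AppData\Local\Temp\inv0ice.exe", "RegSetValue",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          r"C:\Users\alice\AppData\Local\Temp\inv0ice.exe"),
    Event(1200, r"C:\Users\alice\AppData\Local\Temp\inv0ice.exe", "FileWrite",
          r"C:\Users\alice\AppData\Local\Temp\data.bin"),
    Event(820, r"C:\Program Files\TextEditor\editor.exe", "RegSetValue",
          r"HKCU\Software\TextEditor\RecentFiles\0", r"C:\Users\alice\notes.txt"),
    Event(1200, r"C:\Users\alice\AppData\Local\Temp\inv0ice.exe", "RegSetValue",
          r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
          r"C:\Windows\system32\userinit.exe,C:\Users\alice\AppData\Local\Temp\inv0ice.exe"),
]


if __name__ == "__main__":
    for mode in ("alert", "block"):
        v = analyze(SAMPLE_EVENTS, mode)
        print(f"{mode}: {len(v.alerts)} alert(s), {len(v.blocked)} blocked")
        for _, reason in v.alerts:
            print("  ", reason)
```

Running it in alert mode reports both persistence attempts by the process from the Temp directory while the editor's own registry write goes unreported; switching to block mode keeps the same alerts and additionally denies the two writes. That separation is the reason the alert-only default is workable: an administrator can review what would have been blocked before turning blocking on.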
See How to manage detection of Suspicious Files and Behavior for details on managing alerts.