Host Intrusion Prevention System (HIPS) is a security technology that protects computers from previously unknown malware by detecting and blocking suspicious behavior, rather than relying on a signature for each threat.
HIPS includes both pre-execution and runtime behavior analysis.
Applies to the following Sophos product(s) and version(s): Sophos Endpoint Security and Control
Sophos Anti-Virus analyzes the behavior of the programs running on the system. The runtime behavior analysis includes:
Suspicious behavior detection: dynamically analyzes the behavior of programs running on the system in order to detect and block activity that appears to be malicious. Suspicious behavior includes, for example, changes to the registry that would allow a program to run automatically when the computer is restarted.
Buffer overflow detection: dynamically analyzes the behavior of programs running on the system in order to detect and block buffer overflow attacks.
NOTE: Buffer overflow detection was not available for Windows Vista and 64-bit versions of Windows in Sophos Endpoint Security and Control 9.7, as these operating systems rely on Microsoft's Data Execution Prevention (DEP) feature to defend against buffer overflow exploitation. In Sophos Endpoint Security and Control 10.x, buffer overflow protection (BOPS) was extended to cover these operating systems as well, so that it runs alongside DEP rather than in place of it.
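The registry autorun case above is the easiest runtime behavior to show concretely. The following is an added example, not Sophos code (Sophos does not publish its HIPS rules): a small rule that scores registry write events for autostart persistence, with extra weight when the writer or the target lives in a user-writable path. The tab-separated event format and the sample events are constructed for this illustration, and the autostart key list is illustrative rather than exhaustive.

```python
"""Toy detector for the 'autorun registry change' behaviour class.

Added example, not Sophos code: Sophos does not publish its HIPS rules.
Event format is constructed for this illustration (one event per line,
tab-separated): timestamp, writing process image, operation, registry key,
value name, data written.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry locations that make a program run at boot or logon. Well-known
# autostart keys; illustrative, not an exhaustive list.
AUTORUN_KEY_RE = re.compile(
    r"(?:\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?"
    r"|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
    r"|\\CurrentControlSet\\Services\\[^\\]+)$",
    re.IGNORECASE,
)
# Winlogon values that change what is launched at logon.
WINLOGON_VALUES = {"shell", "userinit"}
# Paths an unprivileged user (and therefore freshly dropped malware) can write to.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData|Downloads|Users\\Public)\\", re.IGNORECASE)


@dataclass
class Event:
    ts: str
    image: str
    op: str
    key: str
    value: str
    data: str


def parse_event(line: str) -> Event:
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}: {line!r}")
    return Event(*fields)


def classify(ev: Event) -> Optional[dict]:
    """Score one registry event; None when it is not an autorun change."""
    if ev.op.lower() not in {"setvalue", "createkey"}:
        return None
    if not AUTORUN_KEY_RE.search(ev.key):
        return None
    reasons = []
    if ev.key.lower().endswith("\\winlogon"):
        if ev.value.lower() not in WINLOGON_VALUES:
            return None  # other Winlogon values do not change what runs at logon
        reasons.append(f"Winlogon {ev.value} changed")
    else:
        reasons.append("write to autostart location")
    # Extra weight when the target or the writer lives where malware drops itself.
    if USER_WRITABLE_RE.search(ev.data):
        reasons.append("target in user-writable path")
    if USER_WRITABLE_RE.search(ev.image):
        reasons.append("writer runs from user-writable path")
    return {"score": len(reasons), "reasons": reasons}


def scan(lines, block: bool = False) -> List[dict]:
    """Run every event through the rule. block=False is alert-only, like a
    freshly installed HIPS; block=True marks each hit as blocked as well."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        hit = classify(ev)
        if hit is None:
            continue
        alerts.append({"ts": ev.ts, "image": ev.image, "key": ev.key, "value": ev.value,
                       "blocked": block, **hit})
    return alerts


# Constructed sample events: a legitimate system write, two persistence
# attempts by a dropper running from %TEMP%, and unrelated settings noise.
SAMPLE_LOG = (
    "2017-05-25T10:01:02Z\tC:\\Windows\\System32\\svchost.exe\tSetValue\t"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\tSecurityHealth\t"
    "C:\\Windows\\System32\\SecurityHealthSystray.exe\n"
    "2017-05-25T10:02:17Z\tC:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe\tSetValue\t"
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tUpdater\t"
    "C:\\Users\\alice\\AppData\\Roaming\\upd.exe\n"
    "2017-05-25T10:02:18Z\tC:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe\tSetValue\t"
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\tShell\t"
    "explorer.exe,C:\\Users\\Public\\x.exe\n"
    "2017-05-25T10:03:00Z\tC:\\Program Files\\App\\app.exe\tSetValue\t"
    "HKCU\\Software\\App\\Settings\tLastRun\t1\n"
)

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} score={a['score']} {a['image']} -> {a['key']}\\{a['value']}: {'; '.join(a['reasons'])}")
```

Note that the legitimate svchost.exe write to the Run key is still reported (score 1): a behavioral rule sees the action, not the intent, which is why a product like this ships in alert-only mode first and lets the administrator review the hits before turning on blocking.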
Behavioral Genotype Protection
Monitors code on a computer, and blocks any that would behave maliciously before it is executed. Unlike other runtime HIPS, which monitor running code and intervene once they believe suspicious behavior has occurred, Sophos Behavioral Genotype Protection identifies and blocks malicious programs before execution.
Suspicious file detection
Sophos Anti-Virus can scan for suspicious files, that is, files that contain certain characteristics that are common to malware but are not sufficient for the file to be identified as a specific piece of malware. For example, a file containing dynamic decompression code of the kind commonly used by malware packers can be regarded as suspicious. With on-access scanning enabled, suspicious file detection scans a file when a user attempts to open it. With suspicious file scanning enabled in scheduled scans, Sophos Anti-Virus detects such files before anyone attempts to open them.
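To make the distinction between "identified" and "suspicious" concrete, here is an added illustration, not Sophos code (Sophos does not publish its file heuristics). It treats a known signature match as an identification and, failing that, flags a file as suspicious when most of its 512-byte windows have byte entropy near 8 bits/byte behind a low-entropy stub, which is what a packed or compressed payload with an unpacking stub looks like. The signature, thresholds and the three sample byte strings are constructed for this example; a real packed executable would be a PE file.

```python
"""Toy static 'suspicious file' heuristic.

Added illustration, not Sophos code; Sophos does not publish its file
heuristics. It shows the difference between a file that matches a known
signature (identified as malware) and one that only has a characteristic
common to malware (suspicious): here a body whose byte entropy is near
8 bits/byte, as packed or compressed code is, behind a low-entropy stub.
"""
import math
import random
from collections import Counter
from typing import Dict, List

# Constructed signature for this example only.
KNOWN_SIGNATURES: Dict[bytes, str] = {b"EXAMPLE-DROPPER-STRING-0001": "Example/Dropper-A"}

CHUNK = 512                # bytes per entropy window
HIGH_ENTROPY = 7.0         # bits/byte; plain code and text sit well below this
SUSPICIOUS_FRACTION = 0.5  # share of high-entropy windows that makes a file suspicious


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes) -> List[float]:
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def high_entropy_fraction(data: bytes) -> float:
    ents = chunk_entropies(data)
    if not ents:
        return 0.0
    return sum(e >= HIGH_ENTROPY for e in ents) / len(ents)


def classify_file(data: bytes) -> dict:
    """Signature match wins; otherwise decide suspicious vs clean on structure."""
    for sig, name in KNOWN_SIGNATURES.items():
        if sig in data:
            return {"verdict": "identified", "detail": name}
    frac = high_entropy_fraction(data)
    if frac >= SUSPICIOUS_FRACTION:
        return {"verdict": "suspicious",
                "detail": f"{frac:.0%} of {CHUNK}-byte windows have entropy >= {HIGH_ENTROPY} "
                          f"bits/byte (packed or compressed payload)"}
    return {"verdict": "clean", "detail": f"{frac:.0%} high-entropy windows"}


# Constructed samples. A real packed executable would be a PE file; these
# byte strings only reproduce the layout the heuristic keys on.
def _pseudo_random(n: int, seed: int = 1234) -> bytes:
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    return bytes(rng.randrange(256) for _ in range(n))


CLEAN_SAMPLE = b"MZ" + b"ordinary program code and strings " * 120
# 512-byte low-entropy "unpacking stub" followed by a 4 KiB compressed-looking body
PACKED_SAMPLE = b"MZ" + b"\x90" * 510 + _pseudo_random(4096)
IDENTIFIED_SAMPLE = CLEAN_SAMPLE + b"EXAMPLE-DROPPER-STRING-0001"

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE), ("known", IDENTIFIED_SAMPLE)]:
        r = classify_file(blob)
        print(f"{name:>6}: {r['verdict']:<10} {r['detail']}")
```

The point of the "suspicious" verdict is that it is deliberately weaker than an identification: legitimate installers and compressed archives also have high-entropy bodies, so a suspicious-file hit is a prompt to look at the file, not proof that it is malicious.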
When Sophos Anti-Virus 9.7 is first installed, suspicious behavior detection runs in alert-only mode: it detects suspicious behavior and displays alerts (and sends them to the console), but it does not block any of the programs detected.
See Sophos Anti-Virus for Windows XP+: managing the detection of suspicious files and behavior for details on managing these alerts.
See also the HIPS best practices guide.
For installation details, see the Sophos Endpoint Security network startup guide and the Sophos Endpoint Security network upgrade guide.
For management details, see Sophos Anti-Virus for Windows XP+: managing the detection of suspicious files and behavior.