Comparison of Intercept X for Server vs Sophos for Virtual Environments

For the last 9 months or so, we have had Sophos Intercept X Advanced for Servers running on our virtualised servers across two ESXi hosts. Recently, due to increased server demand, we decided that switching to Sophos for Virtualised Environments should allow us to increase server performance by offloading the scanning of files to a Sophos Security VM.

However, we cannot find any documentation that explicitly compares the two products, showing what the limitations of SVE (if any) are or any benchmark statistics that could be useful in assessing the situation.

Additionally, we cannot find any documentation on how to apply specific policies to specific VMs or VM groups covered by SVE. Some of our VMs are high I/O and so suffer when using Real-Time Scanning with Intercept X Advanced. For others, which are not critical, we want to have RTS enabled for safety. There is a mix and match of other aspects of the policies (namely, scheduled scanning on different days to avoid resource contention) that have caused us to group our server VMs into five well-defined groups and apply individual policies to each. We would need to retain the ability to apply these policies to each group of servers, if possible.

It's entirely possible I've misunderstood the whole concept of SVE - I've read a number of support posts on here that lead me to think this might be the case. If someone could provide a side-by-side comparison of exactly what can and cannot be done with SVE vs Intercept X, I can assess our environment from there and adjust our deployment accordingly.

Many thanks in advance!

  • Hello Sera H,

    I've never used SVE, let alone on Central, and I'm not an expert. Nevertheless, I might be able to give you one or other answer, or at least a hint. And I've just found this thread. I did not remember :).

    Have you seen the SVE landing page mentioned in the pinned post by ? It links to many KBAs related to SVE.

    any documentation that explicitly compares the two products
    I'm not aware that there is one. The following might explain why.

    increase server performance by offloading the scanning
    The cycles, memory, and I/O necessary for scanning must be available "somewhere else" (and there's additionally some overhead compared to local scanning). Apart from the fact that SVE performs only "classic" scanning, the savings come from redundancy: if the SVM has already scanned a file for one guest, the scan can be skipped for the same file on other guests. This applies to both RTS and scheduled scans.

    how to apply specific policies to specific VMs
    Policies are assigned to (groups of) SVMs and apply to all guests of the SVM. Scheduled (or immediate) scans are staggered.

    Does this help?
    Christian

  • There are also additional environment design elements that you need to take into account for SVE. Since it has a networking component (the Guest talks to the SVE Machine and might have to send up a file), it is best to have a dedicated network for that traffic and to have the SVE Machine servicing a guest on the same physical host as the guest. Are you using physical hardware or a cloud solution?

    The primary benefit, as Christian pointed out, is that the scanning isn't done on the guest machine (the server that is doing other tasks) and any decision on the SVE can be propagated to all the managed guests - so a file can be scanned once and the decision is universal.

    The counter-side is that SVE protection doesn't have the Active Exploits and other advanced features of the Server product. 

    Does that answer your questions?

    RichardP

    Snr. New Product Introduction Engineer | CISSP | Sophos Technical Support