• 26 May 2020

    New Sophos Table - Sophos_process_activity

    We have added a new table, sophos_process_activity, to the Sophos forensics journals. Often as part of an investigation you need to get a quick view of what a process did in the past, and this table provides a quick lookup location for that information. This table contains a subject for each of the other Sophos 'journals' and collects some of the more useful information like Registry Key/Values...
    • 23 May 2020

    Live Discover Queries - Review Process

    Posting a query to the Live Discover Queries board will now include a review process. This will allow us to review any question and proposed answer prior to it being visible to others. We are adding this to ensure that the content of the queries does not contain anything inappropriate, and that the query has been reviewed and tested and is not believed to cause harm. As for how well it does what it says, we advise administrators...
    • 19 May 2020

    How to find and use the Schema for Live Discovery Queries

    While we have the schema posted on the EAP community pages, I have had a number of requests for how to find it and how to use it. First, how to find the schema(s): From the Sophos Community: We provide a link to the definition of the Sophos Windows schema on the community forum in the documents section. You can download the file with this link: https://community.sophos.com/products/intercept/early-access-program/m/files...
    • 15 May 2020

    Intercept X with EDR EAP - Variable support for queries

    Starting on the week of May 18 we will be adding variable support to queries. You can create queries that now include support for up to 6 variables. A variable will be given a $$ prefix and postfix and can be either a TEXT or DATE value. You will write your query and specify the variable information in the query. Then, when you run it, you will be able to simply drop in the information for the variable and we will automatically...
    • 15 May 2020

    Intercept X with EDR EAP Update - Adding Create/Save/Edit Queries

    The week of May 18 we will be turning on two powerful new capabilities in the EAP: Edit Query and Query Variables. CREATE, SAVE queries - With this new capability you can now create and save your own queries. This will allow you to start from scratch or modify an existing query. You will need to give your query a name and description, identify one or more categories it will be a part of, and specify what operating systems...
    • 28 Apr 2020

    Live Response now in Early Access and other EDR updates

    Note: Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement. We are excited to announce that Live Response is now available in early access. Live Response allows admins to remotely connect to devices and get access to a command line interface so that detailed investigations can be performed, or to take prompt action to contain or remediate...
    • 23 Apr 2020

    Help design the future of security; Live Discover User Experience Research

    Can you help to shape our future products? We're looking for customers and partners to join our Sophos Design Partner group. Sign up and you'll be able to give us your product feedback and ideas through surveys, interviews, or usability testing. You'll be helping to make the world a safer place -- and you might win Amazon vouchers while you're doing it. We’re particularly keen to talk to...
    • 19 Apr 2020

    New Windows endpoint UI

    I'm pleased to say that a new version of our endpoint user interface is being released to EAP customers this week. Windows devices (client and server) enrolled in the EAP will receive the update automatically. The key goal of the update is to better represent Sophos' different endpoint components - Intercept X, Central Device Encryption and our upcoming UEM agent. It will also bring a consistent look across...
    • 17 Apr 2020

    New Linux EDR Agent now available in Early Access

    We are excited to announce that we have added our new Linux EDR agent to the New Server Protection and EDR Features early access program. Joining the EAP: To get access to the new agent you must first join the New Server Protection and EDR Features early access program. See this presentation on how to join the EAP. Getting access to the agent and installing: Once you have successfully joined, from the Protect...
    • 29 Mar 2020

    Powerful New EDR Capabilities Now Available In Early Access

    Note: Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement. We are excited to announce that Intercept X Advanced with EDR v3.0 with Live Discover is now available in early access. Live Discover allows admins to search their data to answer almost any question they can think of by searching across their endpoints and servers using SQL. You...
    • 29 Mar 2020

    Intercept X with EDR 3.0 is coming soon

    In early April we are extending the Early Access Program to add Live Discover. Watch the 5 min video: https://vimeo.com/401888432
    • 24 Mar 2020

    New Endpoint/Server Protection and EDR Features Early Access Program

    Note: Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement. The New Endpoint/Server Protection and EDR Features Early Access Program allows customers to test the latest and greatest endpoint and server features and functionality as they are being developed by Sophos. See below for descriptions of the features currently in the Early...
    • 3 Mar 2020

    Sophos AMSI Protection going live!

    Starting today we are gradually rolling out Sophos AMSI Protection to the Recommended release for endpoints. In a first phase only new Sophos Central customers (with the right license), and a very small percentage of existing Sophos Central customers will see this. While we have tested this technology a lot, internally as well as in this EAP, it is still a new technology so we want to be sure all works well. If all...
    • 17 Feb 2020

    February 2020 Enhanced Protection EAP Update

    Starting this week we will gradually roll out an update to the components in the Enhanced Protection EAP. We are mainly focusing on improved quality, and have fixed most of the issues that have been reported. Both endpoints and servers will be updated. Other changes are the introduction of Windows 7 support for IPS, and a new and faster SDU log collection. This roll-out will take about two weeks. The update will...
    • 20 Jan 2020

    New Intercept X features now also blocking exploits on Server

    The same Intercept X features that protect your endpoints are now also activated for the Windows Servers participating in the Server Protection EAP, and they are now also blocking exploits. While these features were active in terms of scanning for and detecting potential exploits, admins have not seen any threats blocked based on these mitigation types. After having run this on your servers in silent mode, we are now...
    • 14 Jan 2020

    Enhanced Protection EAP opening for Server

    We have opened up the Early Access Program to include Windows Server 2008R2 and later! For now, the same Intercept X and AMSI features as found in the endpoint will be available, with Intercept X initially only in detection mode, not blocking. (Update: Note that meanwhile these features are now also set to block exploits.) The AMSI interface is available on Windows Server 2016 and Windows Server 2019. Versions...
    • 28 Nov 2019

    New Intercept X features now blocking exploits

    A few weeks ago we updated your machines in the EAP with four new Intercept X exploit mitigation types. While these features were active in terms of scanning for and detecting potential exploits, users have not seen any threats blocked based on these mitigation types. After having run this on your machines in silent mode, we are now confident to start blocking detections of these exploits. As a reminder, these...
    • 15 Nov 2019

    Enhanced Protection EAP extended with new Intercept X features

    Starting tomorrow, we’ll extend the Early Access Program for Enhanced Protection with some new Intercept X features for you to test. Four new mitigation options will be added to endpoints that are participating in the EAP. All four new mitigation options can individually be switched off or on – but as with other EAP features, they’ll be on by default. However, you will not yet see any detections based...
    • 18 Oct 2019

    Intercept X Enhanced Protection EAP is now open!

    We are pleased to announce that the new EAP that introduces AMSI Protection and Malicious Network Traffic Protection (IPS) is now open. Check out the attached slides, or watch this video to find out how to join. For questions and feedback, please visit the Feedback and Issues forum.
    • 4 Oct 2019

    Announcing Early Access for Enhanced Protection / IPS and AMSI

    Can the best get any better? We sure think so! Our teams have been working hard to add new protection focused features to Central Windows Endpoint & Windows Server. The Early Access Program is due to launch in late October, the full list of included products can be found later in this blog post. IPS Sophos Network Threat Protection just got better! We're adding Malicious Network Traffic Protection with Packet...
    • 5 Mar 2019

    Introducing Intercept X for Server with EDR

    After the closure of the Early Access Program (EAP) for our endpoint EDR capabilities we are happy to announce that we have commenced a new EAP giving access to Server EDR capabilities. Check out this post for more detail.
    • 19 Feb 2019

    Fakedrop - a quick and dirty testing and demo tool for EDR

    Fakedrop is a fake malware dropper to help you safely simulate some suspicious and malicious activity on Sophos Intercept X protected endpoints without fear of causing a malware outbreak. This also means the tool is only for use with our products and not competitors'. The code is quick and dirty, however it helps get the job done. It's designed to be run on one or more machines protected by Intercept X (with the Advanced...
    • 19 Jan 2019

    Intercept X Advanced with EDR Early Access Program Closing Down

    On January 31st the Intercept X Advanced with EDR Early Access Program (EAP) will be closing down. From January 21st the EAP will be closed to new customer registrations and no new endpoints can be assigned to the Early Access Program for existing customers who have joined the EAP. What will the experience be for customers coming out of the Early Access Program on January 31st? For customers who had joined the Early Access...
    • 11 Jan 2019

    Best Practices for EDR Data Feed

    One of the key new features delivered in Intercept X Advanced with EDR is the ability to search across an endpoint estate for details on portable executable files that have an uncertain or bad reputation and the network destinations those files have connected to. This will search across all the data that has been sent back to Sophos Central but only from Endpoints that have Threat Protection policies with the ‘Allow...
    • 21 Dec 2018

    Intercept X Advanced with EDR Early Access Program Updates - December 2018

    Now that the Intercept X Advanced with EDR offering is available for purchase, we wanted to provide Early Access Program customers some best practices for migrating from the Early Access Program to an Intercept X Advanced with EDR license, for those who have made the decision to purchase. Migration Steps: 1. Apply the Activation code for the “Intercept X Advanced with EDR” license on the Licensing page...