Live Response now in Early Access and other EDR updates

Note: Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement.

 

We are excited to announce that Live Response is now available in early access.

Live Response allows admins to connect remotely to devices and get access to a command line interface, so that they can perform detailed investigations or take prompt action to contain or remediate a suspected threat. Using Live Response, admins can:

• Reboot a device that has pending updates
• View lists of running processes and choose to terminate a suspicious process
• Browse the file system to identify anything unexpected
• View log files
• Edit configuration files or registry keys

 

Check out this video which gives an overview of the feature in EAP and talks about upcoming plans. The full library of EDRv3 shared videos can be found here.

Platforms:

At the moment, Live Response is available on Windows Endpoints and Servers; Linux and Mac support will follow.

How do I enable Live Response?

If you are enrolled in the Early Access Program, you will see a Global Setting that needs to be enabled before Live Response connections can be initiated to supported Endpoint and Server devices. For the EAP, this setting can only be enabled by Super Admins.

Is it enabled on all devices?

Only devices enrolled into the New Endpoint/Server Protection and EDR Features EAP will accept Live Response connections.

Can any admin initiate a Live Response connection?

Only admins with Super Admin privileges can initiate Live Response connections. We also require that those admins have authenticated to Central using MFA if they want to initiate a Live Response connection. If those requirements aren't met, the option will be greyed out and we will indicate why the user can't initiate a Live Response connection.

Are Live Response connections audited?

For the Early Access Program, we will add an entry to the Sophos Central Audit log indicating when a Live Response session has been started.

EDRv3 Known issues:

You can find a list of known early access issues here.

Other EDR updates:

Our new Linux EDR agent is now available in early access; see more details here.

How to join the Early Access Program (EAP)?

The EAP is open to everyone who has Intercept X and/or Intercept X for Server, even if you don’t currently have EDR. Customers currently enrolled in the 'New Endpoint\Server Protection and EDR Features' early access programs won't need to do anything, and devices enrolled into those EAPs will receive the updated software automatically. Customers looking to join the early access program should review the presentation available here. Also check out this video, which guides you through the process.


Can you help to shape our future products?

We're looking for customers and partners to join our Sophos Design Partner group. Sign up and you'll be able to give us your product feedback and ideas through surveys, interviews, or usability testing.
You'll be helping to make the world a safer place -- and you might win Amazon vouchers while you're doing it.
We’re particularly keen to talk to customers who are using our new EDR features in EAP.
Interested? Contact us at InterceptBeta [at] Sophos [dot] com

Looking for other ways to provide feedback and get support with EDRv3?

Use the Sophos Endpoint Early Access Community, where we’ll be providing blogs, videos, documentation and forums to share information and answer your technical questions.