Sophos Endpoint Detection and Response - Private EAP Update

On Thursday, the 13th of September, Sophos plans to launch the next round of capabilities as part of the EDR Private Early Access Program. The new capabilities being launched in this phase of the Early Access Program are:


Respond Capabilities

In the event that potential undetected threats have been identified, new respond capabilities can be applied to help contain the threat. Admin-led isolation can restrict the network connectivity of an endpoint, or admins can opt to apply a Clean and Block action, which cleans the suspected bad file and any associated artefacts and prevents it from executing on any further endpoints.


Threat Search

The endpoint will be enhanced so that details on detected or suspicious portable executable files are continually sent up to Sophos Central (to be clear, only the details on the files are sent, not the files themselves). This gives the admin the ability to search for file names or SHA-256 hashes to identify which endpoints have seen those suspect files, in order to investigate further or take action. Searches can also be run on processes from within an existing Threat Case (formerly RCA). Keep in mind that Sophos Central only stores details on portable executable files that have a bad or uncertain reputation, and therefore a query will only return results for those files.


SDR Exporter

For admins looking to do more detailed investigations than Threat Cases (formerly RCA) currently allow, the SDR Exporter utility has been updated and now supports export to JSON format as well as the SQLite format.


What can I expect to see?

Once the new software update is released, endpoints assigned to the Early Access Program will be updated with the new endpoint software. Once the Endpoint components are updated on assigned endpoints, you will be prompted to restart the endpoint to finish the update:

Once restarted, you can confirm a successful update by clicking the Sophos Agent icon in the system tray and then clicking the About link in the bottom right-hand corner. You should see that the Core Agent is now running the 2.1.1 Beta version.



Note: The new capabilities will not work until the restart has been performed.


Anything else to be aware of?

Due to a change in how the endpoint agent monitors and then logs system changes, Sophos recommends that endpoints enrolled in the Early Access Program have a minimum of 15GB of free hard disk space available. Sophos is investigating how best to tune and compress these logs for when the product becomes generally available.

We will be posting an updated Known Issues document and other collateral related to the new features on the Intercept X Early Access Program community:


Please use the Endpoint Detection and Response forum for asking questions, highlighting issues, or sharing feedback:


As always, the PM team at Sophos is eager to speak to customers regarding the new capabilities. If you have time for a conversation, please contact us at