How to test the new Intercept X features?

Download the updated Sophos test tool ("SophosTester.exe") here: https://www.sophos.com/Pages/DownloadRedirect.aspx?downloadKey=9C981E73-C833-4DEF-8276-3DF3FB515A93.

Once downloaded, just double-click the file, and start testing.

EFS Guard

Dummy (Unsigned) ⇒ Ransomware ⇒ EFS

Note: it is important to choose the unsigned version of "Dummy", as the signed version is allowed to encrypt files.
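Because the EFS Guard test only triggers with the unsigned build, it helps to confirm the signature state of the file you downloaded before double-clicking it. The PowerShell below is an added example, not part of the original post and not a Sophos-supplied script; the Downloads-folder paths are assumptions, and the two file names are the ones mentioned on this page.

```powershell
# Added example (not from the Sophos page): report the Authenticode status of
# each tester build so you know which one is the unsigned variant the EFS
# Guard test needs. The paths are assumptions; adjust them to wherever the
# download landed.
$candidates = @(
    "$env:USERPROFILE\Downloads\SophosTester.exe",
    "$env:USERPROFILE\Downloads\SophosTester_Unsigned.exe"
)

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "$path : not found"
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path

    # Status is 'Valid' for a correctly signed binary and 'NotSigned' for the
    # unsigned build. Anything else ('HashMismatch', 'NotTrusted', ...) means
    # the file carries a signature that does not verify, which is not the
    # build you want for this test either.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    [pscustomobject]@{
        File   = Split-Path -Leaf $path
        Status = $sig.Status
        Signer = $signer
        SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
```

Run the EFS Guard test only with the file whose Status is reported as NotSigned. The SHA256 column is included because a file hash is what you would normally attach when reporting a suspected false positive or scoping an exclusion to one specific binary rather than to a file name.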

Dynamic Shellcode Protection

Dummy ⇒ Code exploits ⇒ Dynamic Shellcode (HeapHeapProtection)

CTF Guard

Dummy ⇒ Process protection ⇒ CTF Service exploit

ApiSetGuard

Dummy ⇒ Code exploits ⇒ LoadLib APISet

  • Sophos detects this tool as ML\PE-A (SophosTester_Unsigned.exe)

  • In reply to pfeffex:

    Hi,

    It seems to be a false positive. Are you running the tool in your test environment? Have you tried running it on any other test machine? Please check this article for details about ML\PE-A detections.

  • In reply to pfeffex:

    Hi pfeffex,

    Can you provide us with the steps to replicate this?  I was unable to trigger an ML/PE-A detection with this tool.

  • In reply to Shweta:

    No, not a test environment, live production. I tried to extract the zip. During extraction Sophos popped up with this message. You should add this tool to a global exception.

  • In reply to MEric:

    Do you use Intercept X Advanced EDR?

  • In reply to pfeffex:

    Yes, I'm running Intercept X Advanced with EDR.  The download provides me with a .exe so there's no ZIP to extract.  Of course you could create an exclusion for this ML/PE-A detection and it should still detect any exploit detections that you trigger with the tool but I'm wondering if this detection is expected.  With the tool being unsigned and performing similar exploits it's not too surprising that it has a low malware score.  I get lockdown detections when attempting to use the unsigned tool and only when I disable all exploit features do I get an ML/PE-A detection.

  • In reply to MEric:

    Sorry, it was a .exe, yes of course. It's bad that I cannot upload a picture here. Anyhow, it was detected as ML\PE-A, Root Cause Firefox. Firefox downloaded sophostester.exe. Sophostester_unsigned.exe triggered the event. It's only information for the vendor. For me as a customer it's a little bit confusing that a vendor-owned program is detected and there is no global exclusion for this tool by default. Cheers!