The new Intercept X for Server with EDR capabilities allows you to take charge of security incidents by answering the tough questions about an event, investigating with deep expertise, and responding with a click of a button.
Intercept X for Server with EDR is available on Windows Server 2008 R2 and later.
How to enable the features
Simply enrol in the Early Access Program and assign your Windows Servers to it.
Remember to join the Community to provide feedback on the features.
Enhanced and Enriched Threat Cases
The threat cases, now accessible from the new 'Threat Analysis Center', provide a simple-to-read graphic of the beacon, root cause, server and result of each threat.
Whilst you investigate an incident, new response capabilities can be applied to help contain the threat. Admin isolation can restrict the TCP and UDP network connectivity of a server.
A new "clean and block" action is available. It adds the hash of a suspect file to a blocked item list, which is then distributed to your Windows computers and servers. The clean and block action only applies to portable executable files that don't have a good Sophos reputation. If files matching the hash are identified on endpoints, Sophos will clean the suspected bad file and any associated artifacts, and prevent execution on any further endpoints.
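To make the clean-and-block rule above concrete, here is an added illustration (not Sophos code, and not how Sophos Central implements it) of the three conditions the post states: the file is a portable executable, its SHA-256 is on the block list, and its reputation is not good. The PE check, the reputation labels and the sample inventory are all constructed for the example.

```python
import hashlib
import struct


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 of a file's bytes as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def is_portable_executable(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header, e_lfanew at offset 0x3C, 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def clean_and_block_applies(data: bytes, block_list: set, reputation: str) -> bool:
    """Hypothetical decision mirroring the post's stated rule: only PE files whose
    hash is on the block list and whose reputation is not 'good' are acted on.
    The reputation strings are assumed labels for this example, not Sophos's."""
    if not is_portable_executable(data):
        return False
    if reputation == "good":
        return False
    return sha256_hex(data) in block_list


def files_to_clean(inventory: list, block_list: set) -> list:
    """Walk an endpoint's inventory of (name, bytes, reputation) tuples and
    return the names that the rule would clean and block."""
    return [name for name, data, rep in inventory
            if clean_and_block_applies(data, block_list, rep)]


def make_sample_pe(payload: bytes) -> bytes:
    """Build a constructed blob with just enough header to pass the PE check
    (not a real or runnable executable)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points just past the header
    return bytes(header) + b"PE\x00\x00" + payload


# Constructed sample data: two PEs and one shell script, all with hashes on the list.
SUSPECT_PE = make_sample_pe(b"constructed suspect payload")
SIGNED_PE = make_sample_pe(b"constructed vendor payload")
SCRIPT = b"#!/bin/sh\necho not a PE\n"
BLOCK_LIST = {sha256_hex(SUSPECT_PE), sha256_hex(SIGNED_PE), sha256_hex(SCRIPT)}
INVENTORY = [("suspect.exe", SUSPECT_PE, "uncertain"),
             ("vendor.exe", SIGNED_PE, "good"),      # good reputation: exempt
             ("tool.sh", SCRIPT, "bad")]             # not a PE: exempt

if __name__ == "__main__":
    print(files_to_clean(INVENTORY, BLOCK_LIST))  # ['suspect.exe']
```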
Cross Estate Threat Searching:
Intercept X for Server with EDR allows admins to search for file names or SHA-256 hashes to identify suspect files across Windows computers and servers. Searches can also be run on processes from within an existing threat case. Note that Sophos Central only stores details on portable executable files that have a bad or uncertain reputation, and will therefore only return results for those files when a query matches.
Deep Learning Malware Analysis report
This feature automatically analyses malware in extreme detail, breaking down file attributes and code and comparing them to millions of other files so you can determine if a file should be blocked or allowed.
Along with leveraging new machine learning technologies, the updated malware analysis report has been further enhanced to provide prevalence details, file property details, and signature details, which can also provide key insights when drawing conclusions on suspect files.
On the Report Summary tab, there is a new AV Detection line. It gives the Sophos detection name if we are detecting a threat, the number of AV vendors that detect the file according to VirusTotal, and a link to the VirusTotal details for that file if VirusTotal has awareness of it.
How do I join?
Click here to view a presentation walking through the EAP registration process.
Enjoy testing out these new features, and please help us to improve by providing feedback and asking any questions in the Endpoint Detection and Response forum.