Category: Endpoint Protection

Sophos, a vendor that creates security products to be used in the information technology sector

Sophos introduces predictive protection in Intercept X

[Johannesburg, 1 March 2018]  

Sophos has announced the availability of Intercept X, with malware detection powered by advanced deep learning neural networks, and combined with new active-hacker mitigation, advanced application lockdown and enhanced ransomware protection. 

Deep learning is the latest evolution of machine learning. It delivers a massively scalable detection model that can learn the entire observable threat landscape. With the ability to process hundreds of millions of samples, deep learning can make more accurate predictions at a faster rate with far fewer false-positives when compared to traditional machine learning. 

“Traditional machine learning models depend on expert threat analysts to select the attributes with which to train the model, adding a subjective human element. They also get more complex as more data is added, and these gigabyte-sized models are cumbersome and slow. These models may also have significant false positive rates which reduce IT productivity as admins try to determine what is malware and what is legitimate software,” explains Tony Palmer, senior validation analyst with the Enterprise Strategy Group (ESG). 

“In contrast, the deep learning neural network of Intercept X is designed to learn by experience, creating correlations between observed behaviour and malware. These correlations result in a high accuracy rate for both existing and zero-day malware, and a lower false-positive rate. ESG Lab analysis reveals that this neural network model scales easily, and the more data it takes in, the smarter the model becomes. This enables aggressive detection without administrative or system performance penalty.” 



This new version of Sophos Intercept X also includes innovations in anti-ransomware and exploit prevention, and active-hacker mitigations such as credential theft protection. As anti-malware has improved, attacks have increasingly focused on stealing credentials to move around systems and networks as a legitimate user, and Intercept X detects and prevents this behaviour. 

Deployed through the cloud-based management platform Sophos Central, Intercept X can be installed alongside existing endpoint security software from any vendor, boosting endpoint protection. When used with the Sophos XG Firewall, Intercept X can introduce synchronised security capabilities to further enhance protection. 

“Predictive protection is the future of IT security. Sophos has taken a huge step forward by bringing deep learning neural networks into the industry-leading exploit and ransomware protection of Intercept X,” says Brett Myroff, MD of Sophos distributor, Netxactics. “Being able to protect against the next unknown attack instead of waiting for it to arrive will change the way IT operations in organisations can protect their users and assets. Intercept X can bring advanced next-generation protection to any organisation, regardless of their current strategy.” 

According to an ESG Lab Validation Report, every company should assume it is always under attack from cyber threats. In recent ESG research, when asked the primary reasons they believe cyber security analytics and operations are more difficult today, more than a quarter of respondents said it was the difficulty of keeping up with rapid change in the threat landscape. 

New features in Intercept X include: 

* A deep learning model, which detects known and unknown malware and potentially unwanted applications (PUAs) before they execute, without relying on signatures; 

* Credential theft protection, which prevents theft of authentication passwords and hash information from memory, registry and persistent storage, as leveraged by such attacks as Mimikatz; 

* Code cave utilisation, which detects the presence of code deployed into another application, often used for persistence and anti-virus avoidance; 

* APC protection, which detects abuse of Asynchronous Procedure Calls (APC) often used as part of the AtomBombing code injection technique, and more recently used as the method of spreading the WannaCry worm and NotPetya; 

* New and enhanced exploit prevention techniques; 

* Malicious process migration, which detects remote reflective DLL injection used by adversaries to move between processes running on the system; 

* Process privilege escalation, which prevents a low-privilege process from being escalated to a higher privilege, a tactic used to gain elevated system access; as well as 

* Enhanced Application Lockdown, browser behaviour lockdown and HTA application lockdown. 

Sophos Enterprise Console – Multiple Consoles

How to set up multiple Sophos Enterprise Consoles against a single Sophos database.

In some scenarios, you will need to run multiple consoles against a single database, such as:

  1. Head Office and a DR site – This is for fail-over, so when Head Office goes down, the DR site takes over and the machines are still managed and protected.
  2. Running two segmented networks with different IP ranges.


The first step is to install the Sophos database on a central SQL database server.

  1. Run the SEC setup file on the SQL server.
  2. Deselect the following 2 components:
    1. Management console
    2. Management Server
  3. Click next.
  4. Select the SQL instance where you want the database to be installed.
  5. Complete the installation.


Once the database is successfully installed, you will need to install the Sophos Enterprise Console on a separate server.

To install the console, please do the following:

  1. Run the SEC setup file on the server for the console.
  2. Deselect the database component.
  3. Click next.
  4. Specify the location where the Sophos database is installed.
  5. Specify the account that is going to be used to connect to the database.
  6. Complete the installation.
  7. The console will open once installation is complete.


Repeat the above installation process for the secondary console.

Now you should have two operational consoles linked to one Sophos database.

However, this design has some limitations.


  1. If the consoles are on two different IP ranges, you will need to log onto the relevant console to push a policy or remediate an issue on the machine on the same IP range as the console.
  2. You will need to log on to the relevant console to push policies to the machines that are connected to it. You will not be able to push policies or remediate from the other console.
  3. When troubleshooting the console update managers, you will have two locations for update logs: a separate update log for each console.

Sophos Enterprise Console Backup Process

The following backup process is for backing up all relevant Sophos registry keys and databases for the Sophos Enterprise console to ensure full recovery or migration of all the workstations, policies and groups.

Registry Keys

32bit OS:

— Certificate key —

Start | Run | regedit

HK Local Machine | Software | Sophos | certification manager | CertAuthStore

Please export the CertAuthStore, and save it to a location.

— Database-user key —

Start | Run | regedit

HK Local Machine | Software | Sophos | EE | Management Tools | database-user

Please export the ‘database-user’, and save it to a location.


64bit OS:

— Certificate key —

Start | Run | regedit

HK Local Machine | software | Wow6432node | Sophos | certification manager | CertAuthStore

Please export the CertAuthStore, and save it to a location.

— Database-user key —

HK Local Machine | Software | Sophos | EE | Management Tools | databaseuser

Please export the ‘database-user’, and save it to a location.


Sophos Databases

Please stop the Sophos SQL service in the computer's services console. Please do the following:

Start | type ‘run’ and open the run box | type ‘services.msc’ | stop SQL service (SOPHOS)

Once the service has been stopped, please navigate to the following locations:

32/64 bit:

Windows 2008 – C:\program files\microsoft SQL\Data\Sophos

Windows 2012 – C:\program files\microsoft SQL\Data\Sophos

Please back up the following databases:


Once all databases have been backed up, please restart the Sophos SQL service again.
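
The backup steps above as a PowerShell script, added here as an example and not part of the original post. The registry paths are transcribed from the steps above; the service name `MSSQL$SOPHOS`, the parameter names and the output file names are assumptions, and the SQL data folder is passed in rather than guessed.

```powershell
# Added example: automates the backup steps above. Run elevated on the SEC server.
param(
    [Parameter(Mandatory)] [string] $DataDir,    # SQL data folder holding the Sophos databases
    [Parameter(Mandatory)] [string] $BackupDir,  # destination for the backup set
    [string] $SqlService = 'MSSQL$SOPHOS'        # assumption: service name of a SQL instance called SOPHOS
)
$ErrorActionPreference = 'Stop'

# Registry keys from the steps above, relative to HKLM\SOFTWARE (or its Wow6432Node view).
# 'Management Tools' is exported whole so the database-user entry is captured
# whether it is stored as a value or as a subkey.
$keys = @{
    CertAuthStore   = 'Sophos\Certification Manager\CertAuthStore'
    ManagementTools = 'Sophos\EE\Management Tools'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
# The exports hold the certificate store and database account settings, so limit
# the folder to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
icacls $BackupDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null

foreach ($name in $keys.Keys) {
    # Try the 32-bit view first (64-bit OS), then the native location (32-bit OS).
    $found = 'SOFTWARE\Wow6432Node', 'SOFTWARE' |
        ForEach-Object { "$_\$($keys[$name])" } |
        Where-Object { Test-Path "HKLM:\$_" } |
        Select-Object -First 1
    if (-not $found) { throw "Registry key for $name not found; nothing exported." }
    reg.exe export "HKLM\$found" (Join-Path $BackupDir "$name.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for HKLM\$found" }
}

# Stop SQL so the database files are closed, copy them, and always restart the service.
Stop-Service -Name $SqlService -Force
try {
    Copy-Item -Path $DataDir -Destination (Join-Path $BackupDir 'Databases') -Recurse -Force
} finally {
    Start-Service -Name $SqlService
}

# Record SHA-256 hashes so the set can be verified before a restore or migration.
$hashes = Get-ChildItem -Path $BackupDir -Recurse -File | Get-FileHash -Algorithm SHA256
$hashes | Export-Csv -Path (Join-Path $BackupDir 'hashes.csv') -NoTypeInformation
```

The `finally` block restarts the SQL service even if the copy fails, so a failed backup does not leave the console without its database.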