Intercept X Server



These are the release notes for Sophos Intercept X for Windows 7 and later, managed by Sophos Central. Some of the features mentioned in these release notes are only available if you have the appropriate license. Intercept X for Server delivers protection that is top-rated by industry experts, combining server-specific features to create a comprehensive, defense-in-depth solution.

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

Restriction You can only use some options on Windows servers.
Note If an option is locked, your partner or Enterprise administrator has applied global settings. You can still stop detecting applications, exploits, and ransomware by going to the events list.

Go to Server Protection > Policies to set up threat protection.

To set up a policy, do as follows:

  • Create a Threat Protection policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.

You can either use the recommended settings or change them.

Warning Think carefully before you change the recommended settings because doing so may reduce your protection.
Note SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types to provide the best protection.

Intercept X Advanced for Server

If you have this license, your threat protection policy offers protection from ransomware and exploits, signature-free threat detection, and 'threat cases' for analysis of threat events.

We recommend that you use these settings for maximum protection.

Note If you turn on any of these features, servers assigned to this policy use an Intercept X Advanced for Server license.

Server Protection default settings

We recommend that you leave these settings turned on. These provide the best protection you can have without complex configuration.

These settings offer:

  • Detection of known malware.
  • In-the-cloud checks to allow detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.
  • Automatic exclusion of activity by known applications from scanning.

Scheduled scanning

Scheduled scanning performs a scan at a time or times that you specify.

This form of scanning is turned on by default for servers.

You can select these options:

  • Enable scheduled scan. This lets you define a time and one or more days when scanning should be performed.
    Note The scheduled scan time is the time on the endpoint computers (not a UTC time).
  • Enable deep scanning. If you select this option, archives are scanned during scheduled scans.
    Note Scanning archives may increase the system load and make scanning significantly slower.

Scanning exclusions

Some applications have their activity automatically excluded from real-time scanning.

You can also exclude other items or activity by other applications from scanning. You might do this because a database application accesses many files, which triggers many scans and impacts a server's performance.

Tip To set up exclusions for an application, you can use the option to exclude processes running from that application. This is more secure than excluding files or folders.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the servers the policy applies to.

Note If you want to apply exclusions to all your users and servers, set up global exclusions on the Overview > Global Settings > Global Exclusions page.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, process, website, potentially unwanted application).
  3. Specify the item or items you want to exclude. The following rules apply:
    • File or folder (Windows). On Windows, you can exclude a drive, folder, or file by full path. You can use wildcards and variables. Examples:
      • Folder: C:\programdata\adobe\photoshop\ (add a trailing backslash for a folder)
      • Entire drive: D:
      • File: C:\program files\program\*.vmg
    • File or folder (Linux). On Linux, you can exclude a folder or file. You can use the wildcards ? and *. Example: /mnt/hgfs/excluded.
    • File or folder (Sophos Security VM). On Windows guest VMs protected by a Sophos security VM, you can exclude a drive, folder, or file by full path, just as you can for other Windows computers. You can use the wildcard * but only for file names.
      Note By default, exclusions apply to all guest VMs protected by the security VM. For exclusions on one or more specific VMs.
    • Process (Windows). You can exclude any process running from an application. This also excludes files that the process uses (but only when accessed by that process). If possible, enter the full path of the application, not just the process name shown in Task Manager. Example: %PROGRAMFILES%\Microsoft Office\Office 14\Outlook.exe
      Note To see all processes or other items that you need to exclude for an application, see the application vendor's documentation.
    • Website (Windows). You can specify websites as an IP address, IP address range (in CIDR notation), or domain. Examples:
      • IP address: 192.168.0.1
      • IP address range: 192.168.0.0/24. The suffix /24 is the number of bits in the prefix shared by all IP addresses in the range, so /24 corresponds to the netmask 11111111.11111111.11111111.00000000. In this example, the range includes every IP address starting with 192.168.0.
      • Domain: google.com
    • Potentially Unwanted Application (Windows). You can exclude applications that are normally detected as spyware. Specify the exclusion using the same name under which the system detected it. Find more information about PUAs in the Sophos Threat Center.
    • Detected Exploits (Windows/Mac). You can exclude any exploit that has already been detected. We'll no longer detect it for the affected application and no longer block the application.
      Note This turns off CryptoGuard ransomware protection for this exploit for the affected application on your Windows servers.
    • AMSI Protection (Windows). On Windows, you can exclude a drive, folder, or file by its full path. We don't scan code in this location. You can use the wildcard * for file name or extension.
    • Server isolation (Windows). Device isolation (by an administrator) is available for servers if you are signed up to the Early Access Program for Intercept X Advanced for Server with EDR.

      You can allow isolated devices to have limited communications with other devices.

      Choose whether isolated devices will use outbound or inbound communications, or both.

      Restrict those communications with one or more of these settings:

      • Local Port: Any device can use this port on isolated devices.
      • Remote Port: Isolated devices can use this port on any device.
      • Remote Address: Isolated devices can only communicate with the device with this IP.

      Example 1: You want remote desktop access to an isolated device so that you can troubleshoot.

      • Select Inbound Connection.
      • In Local Port, enter the port number.

      Example 2: You want to go to an isolated device and download cleanup tools from a server.

      • Select Outbound Connection.
      • In Remote Address, enter the address of the server.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or both.
  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.
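The exclusion rules above are easy to get subtly wrong (a folder entry without the trailing backslash, a bare drive letter that silently covers the whole disk, a wildcard that reaches further than intended). The following Python model, added here as an illustration and not Sophos code, evaluates a file access or a website against the example entries from this page and shows which ones would skip scanning. It assumes a small environment-variable table, that a wildcard never crosses a backslash, and that a domain entry also covers its subdomains; the function names, the sample policy and the file accesses are all constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed table of Windows environment variables (assumption: a real agent
# would read these from the server's environment).
VARIABLES = {
    "%PROGRAMFILES%": "C:\\Program Files",
    "%PROGRAMDATA%": "C:\\ProgramData",
}


def expand_variables(path: str) -> str:
    """Replace %VAR% tokens with their values; unknown variables are left alone."""
    return re.sub(r"%[A-Za-z_]+%",
                  lambda m: VARIABLES.get(m.group(0).upper(), m.group(0)), path)


def normalize(path: str) -> str:
    """Windows paths compare case-insensitively, so fold to lower case."""
    return expand_variables(path).lower()


def compile_path_exclusion(exclusion: str) -> re.Pattern:
    """Turn a file-or-folder exclusion into a regex over a normalized path.

    Rules modelled on the page: a trailing backslash marks a folder and covers
    everything beneath it; a bare drive letter such as 'D:' covers the whole
    drive; '*' and '?' are wildcards. Assumption: a wildcard never crosses a
    backslash, so '*.vmg' matches files directly in that folder only.
    """
    ex = normalize(exclusion)
    if re.fullmatch(r"[a-z]:", ex):
        ex += "\\"
    pieces = []
    for ch in ex:
        if ch == "*":
            pieces.append(r"[^\\]*")
        elif ch == "?":
            pieces.append(r"[^\\]")
        else:
            pieces.append(re.escape(ch))
    body = "".join(pieces)
    if ex.endswith("\\"):
        body += ".*"
    return re.compile(body)


@dataclass(frozen=True)
class FileAccess:
    path: str      # file the scanner is about to inspect
    process: str   # full path of the process that opened it


def scan_skipped(access: FileAccess, file_exclusions, process_exclusions) -> bool:
    """True when real-time scanning would skip this access.

    A path exclusion applies no matter which process opened the file. A process
    exclusion, as the page describes, covers files only when that exact process
    accesses them, which is why it is the narrower (safer) choice.
    """
    path = normalize(access.path)
    if any(compile_path_exclusion(e).fullmatch(path) for e in file_exclusions):
        return True
    proc = normalize(access.process)
    return any(normalize(e) == proc for e in process_exclusions)


def prefix_to_netmask(prefix: int) -> str:
    """Dotted-binary netmask for /prefix, e.g. /24 -> 11111111.11111111.11111111.00000000."""
    bits = ("1" * prefix).ljust(32, "0")
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def website_excluded(host: str, website_exclusions) -> bool:
    """Match a host name or IP against IP, CIDR-range and domain exclusions.

    Assumption: a domain entry also covers its subdomains.
    """
    for entry in website_exclusions:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            domain = entry.lower().lstrip(".")
            h = host.lower()
            if h == domain or h.endswith("." + domain):
                return True
            continue
        try:
            if ipaddress.ip_address(host) in network:
                return True
        except ValueError:
            pass  # host is a name, not an address; an IP entry cannot match it
    return False


# Constructed sample policy built from the page's own example entries.
FILE_EXCLUSIONS = [
    "C:\\programdata\\adobe\\photoshop\\",   # folder (trailing backslash)
    "D:",                                    # entire drive
    "C:\\program files\\program\\*.vmg",     # files by wildcard
]
PROCESS_EXCLUSIONS = ["%PROGRAMFILES%\\Microsoft Office\\Office 14\\Outlook.exe"]
WEBSITE_EXCLUSIONS = ["192.168.0.1", "192.168.0.0/24", "google.com"]

if __name__ == "__main__":
    mail = FileAccess("C:\\Users\\jo\\mail.pst",
                      "C:\\Program Files\\Microsoft Office\\Office 14\\Outlook.exe")
    print(scan_skipped(mail, FILE_EXCLUSIONS, PROCESS_EXCLUSIONS))  # True: excluded process
    print(prefix_to_netmask(24))
    print(website_excluded("192.168.0.77", WEBSITE_EXCLUSIONS))     # True: inside the /24
```

Running the file with a candidate exclusion list before adding it to the policy makes the scope visible: the same `mail.pst` access is skipped when Outlook opens it but still scanned when another process does, whereas the `D:` entry skips everything on that drive regardless of process.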

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.
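The server isolation settings above (direction plus Local Port, Remote Port and Remote Address) are easiest to reason about as an allow-list evaluated against each connection attempt. The Python model below is an added example, not Sophos code, that encodes the page's two examples as rules and decides which connections an isolated device would be permitted; it also flags rules that set no port or address restriction, since those open an entire direction. It assumes isolation is default-deny, that remote desktop uses TCP port 3389, and a constructed cleanup-tools server at 10.0.0.5; the class and function names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

INBOUND, OUTBOUND = "inbound", "outbound"


@dataclass(frozen=True)
class IsolationRule:
    """One allowed-communication entry for isolated devices, as on the page:
    a direction plus any combination of Local Port, Remote Port and Remote
    Address. A field left as None places no restriction on that attribute."""
    direction: str
    local_port: Optional[int] = None       # any device may use this port on the isolated device
    remote_port: Optional[int] = None      # the isolated device may use this port on any device
    remote_address: Optional[str] = None   # the isolated device may only talk to this IP


@dataclass(frozen=True)
class Connection:
    """A connection attempt seen from the isolated device's point of view."""
    direction: str
    local_port: int
    remote_port: int
    remote_address: str


def rule_allows(rule: IsolationRule, conn: Connection) -> bool:
    """Every restriction set on the rule must hold for the connection."""
    if rule.direction != conn.direction:
        return False
    if rule.local_port is not None and conn.local_port != rule.local_port:
        return False
    if rule.remote_port is not None and conn.remote_port != rule.remote_port:
        return False
    if rule.remote_address is not None and conn.remote_address != rule.remote_address:
        return False
    return True


def connection_allowed(rules, conn: Connection) -> bool:
    """Assumption: isolation is default-deny, so a connection passes only if
    at least one rule matches it."""
    return any(rule_allows(r, conn) for r in rules)


def unrestricted_rules(rules):
    """Rules with no port or address restriction open a whole direction;
    return them so the policy can be reviewed before it is applied."""
    return [r for r in rules
            if r.local_port is None and r.remote_port is None and r.remote_address is None]


# Constructed rules for the page's two examples (assumption: RDP on TCP 3389,
# and a constructed cleanup-tools server at 10.0.0.5).
EXAMPLE_RULES = [
    IsolationRule(INBOUND, local_port=3389),             # Example 1: remote desktop in
    IsolationRule(OUTBOUND, remote_address="10.0.0.5"),  # Example 2: fetch tools from one server
]

if __name__ == "__main__":
    rdp = Connection(INBOUND, local_port=3389, remote_port=50123, remote_address="10.0.0.9")
    smb = Connection(INBOUND, local_port=445, remote_port=50124, remote_address="10.0.0.9")
    print(connection_allowed(EXAMPLE_RULES, rdp))  # True: matches Example 1
    print(connection_allowed(EXAMPLE_RULES, smb))  # False: no rule covers port 445
    print(unrestricted_rules(EXAMPLE_RULES))       # []: both rules are scoped
```

Note that Example 2 restricts only the remote address, so any outbound port to that server is allowed; add a Remote Port as well if the cleanup tools are served over a single known port.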

Exploit Mitigation exclusions

You can exclude applications from protection against security exploits. For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.

Adding exclusions reduces your protection.

Adding exclusions using the global option, Overview > Global Settings > Global Exclusions, creates exclusions that apply to all users and devices.

We recommend that you use this option and assign the policy containing the exclusion only to those servers where the exclusion is necessary.

Restriction You can only create exclusions for Windows applications.

To create a policy exploit mitigation exclusion, do as follows:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In Exclusion Type, select Exploit Mitigation (Windows).

    A list of the protected applications on your network shows.

  3. Select the application you want to exclude.
  4. If you don't see the application you want, click Application not listed?. You can now exclude your application from protection by entering its file path. Optionally, use any of the variables.
  5. Under Mitigations, choose from the following:
    • Turn off Protect Application. Your selected application isn't checked for any exploits.
    • Keep Protect Application turned on and select the exploit types that you do or don’t want to check for.
  6. Click Add or Add Another. The exclusion is added to the list on the Global Exclusions page.

    The exclusion only applies to servers that you assign this policy to.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

Desktop Messaging

You can add a message to the end of the standard notification. Click in the message box and enter the text you want to add. If you leave the message box empty, only the standard message is shown.

Desktop Messaging is on by default.

Intercept X for Server features

If you have an Intercept X Advanced for Server license, you'll see options in your threat protection policy in addition to the standard Server Protection options.

Runtime Protection

Restriction You must join the Early Access Program to use some options.

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic on endpoint computers.

  • Protect document files from ransomware (CryptoGuard): This protects document files against malware that restricts access to files and then demands a fee to release them. You can also choose to protect 64-bit computers against ransomware run from a remote location. You can choose what action you want to take if ransomware is detected. You can terminate any ransomware processes that are running, or you can stop any ransomware processes from writing to the filesystem by isolating them.
  • Protect from master boot record ransomware: This protects the computer from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.
  • Protect critical functions in web browsers (Safe Browsing): This protects your web browsers against exploitation by malware.
  • Mitigate exploits in vulnerable applications: This protects the applications most prone to exploitation by malware. You can select which application types to protect.
  • Advanced exploit mitigation settings:
    • Prevent credential theft: This prevents the theft of passwords and hash information from memory, registry, or hard disk.
    • Prevent code cave utilisation: This detects malicious code that's been inserted into another, legitimate application.
    • Prevent APC violation: This prevents attacks from using Application Procedure Calls (APC) to run their code.
    • Prevent privilege escalation: This prevents attacks from escalating a low-privilege process to higher privileges to access your systems.

    We recommend testing these settings before you apply the policy to your servers.

  • Protect processes: This helps prevent the hijacking of legitimate applications by malware. You can choose to:
    • protect against process replacement attacks (process hollowing attacks).
    • protect against loading .DLL files from untrusted folders.
  • Enable CPU branch tracing: CPU malicious code detection is a feature of Intel processors that allows tracing of processor activity for detection. We support it on Intel processors with the following architectures: Nehalem, Westmere, Sandy Bridge, Ivy Bridge, Haswell, Broadwell, Goldmont, SkyLake, and Kaby Lake.

    We don't support it if there is a (legitimate) hypervisor on the computer.

Deep Learning

Deep learning uses advanced machine learning to detect threats. It can identify known and previously unknown malware and potentially unwanted applications without using signatures.

Remediation

  • Enable Threat Case creation: Threat cases let you investigate the chain of events in a malware attack and identify areas where you can improve your security.
  • Allow servers to send data on suspicious files, network events and admin tool activity to Sophos Central: This sends details of potential threats to Sophos. Ensure it's turned on in any policy for servers where you want to do threat searches.
    Note You must have Intercept X Advanced with EDR for Server to use this option.
    Restriction You must turn this option on in both Endpoint and Server Protection to use Intercept X Advanced for Server with EDR.