Intercept X for Server Early Access Program Sophos Tester

1 Intercept X for Server Early Access Program Sophos Tester
Stephen McKay Product Manager – Endpoint Security Group May 2018

2 Overview FAQ

What is Sophos Tester?
A demonstration of attack techniques, from exploits and ransomware to atom bombing.

Is this safe to use?
Sophos Tester will not harm your PC. It performs the techniques for multiple attack methods but does not deliver malware, communicate with command and control servers, or encrypt your documents.
NOTE: running the tool with Intercept X for Server will create detection events, and they will show in Sophos Central, so if that console is monitored by another team, they should be made aware of any testing you plan to do.

Can I run Sophos Tester on a machine with a competitor's AV?
The tool is not intended for competitive comparisons; it was built to confirm the detection methods available in Intercept X. Some AV vendors block the tool as malicious or unknown, and others may block some of the attack techniques as well.

What platforms does the tool run on?
Sophos Tester has been tested on all of the platforms supported in the Early Access Program: Server 2008R2, Server 2012, Server 2012R2 and Server 2016.

3 Overview FAQ (continued)

Does the test tool have a test for ALL the mitigations in Intercept X?
No. This tool does not validate all exploit methods, just the most common ones.

Why don't I see any tests for Disk-Wiping, Credential Theft or Process Protection?
For these tests the tool needs to be run as administrator: right-click on Sophos Tester.exe and select "Run as Administrator".

Will Sophos Clean remove the test tool on detection?
No. Sophos Clean will allow Sophos Tester to remain after detections. Ransomware detections by Intercept X for Server will identify the target application and block similar attacks until a reboot, or until sufficient time has elapsed to unblock the application.

4 Attack Targets

Target: We look for common infection vectors (applications) used by malware on the machine and display these as target applications. Using a target application will launch that application to perform the attack technique.

Dummy (Default): This is the Sophos Tester executable itself and can be used to demonstrate attacks.

Note: some attacks on a protected system will identify the Sophos Tester or target application and lock its use for a period of time. A good way to avoid having to reboot is to try each ransomware test with a different target application.

5 Category / Attack Techniques

Code exploits: Attacks that take advantage of vulnerabilities in the software being used.
Memory exploits: Attacks that manipulate process and system memory to execute their code.
Logic Flaws: Preventing malicious behaviors even when the application is 'allowed' to perform them.
Safe Browsing: Detect man-in-the-browser activity that presents one view to the user and another to the site.
Ransomware: Malicious rapid file encryption. Often the target application is now blocked from similar activity; reboot to clear this state on Intercept-protected devices. See Settings for additional configurations.
Disk-wiping: Attacks on the master boot record.
Credential Theft: Attacks that steal authentication credentials.
Process Protection: Newer exploits using Asynchronous Procedure Calls (WannaCry, EternalBlue, DoublePulsar).

The Disk-wiping, Credential Theft and Process Protection tests require running Sophos Tester as Administrator.

6 Notifications on the desktop

Detections from Sophos Tester will generate notifications on the device. A Clean scan will be run and Sophos Tester will remain on the device. Events will be registered in Sophos Central, and within a few minutes a Root Cause Analysis report will be available for review. When running ransomware tests, the target application is identified and Intercept will block the detected behavior from that application until a reboot.

7 Notifications in Sophos Central

A Sophos Tester detection results in a notification to the end user and in Sophos Central.

8 Sophos Central – Root Cause Analysis

Root Cause Analysis reports should be generated for most detection events.
