Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=intelix

Intelix reports

SophosLabs Intelix analyzes suspicious files that are submitted to Sophos.

How files are submitted

Sophos software on your devices automatically submits files to Intelix if they need investigation.

You can also submit files to Intelix manually. Go to Threat Analysis Center and submit a file by one of these methods:

  • On the Threat Graphs page, select a file and click Request latest intelligence.
  • On the Detections page, open the detection's details and find SHA 256. Click the three dots Three dots icon. beside it, select Enrichments and then Submit to SophosLabs Intelix.

You can see the Intelix analysis in the detection details, as described in See Intelix verdicts and reports.

How Intelix analyzes files

Intelix tries to determine the origin, workings, and possible impact of suspect or malicious files.

Intelix applies two different methods of analysis:

  • Static analysis uses machine learning, file scanning, and reputation to assess suspicious files.
  • Dynamic analysis runs suspicious files in a sandboxed environment to observe their behavior.

Each analysis gives a verdict on the risk level of the file. Intelix combines them to give an overall verdict.

See Intelix verdicts and reports

To see Intelix verdicts on a file, do as follows:

  1. Go to Threat Analysis Center > Detections.

  2. To see detection details, find the detection in the table and click anywhere in its row.

    A new pane slides out on the right of the screen.

    Detections details slide-out.

  3. Scroll down to Threat Intelligence. This shows the overall verdict from Intelix, for example Benign.

    Threat Intelligence section of details pane.

  4. Hover over the overall verdict to see the separate verdicts of the Static Report and the Dynamic Report.

    Hover-over pane showing Intelix verdicts.

  5. To see the full Intelix analyses, click the filename shown in Threat Intelligence.

    Link to Intelix reports.

  6. By default, the Static Analysis Report is open. This shows a verdict on the threat risk, as measured by different analyses.

    Static Analysis Report.

  7. Click the Dynamic Report tab to see the Dynamic Analysis Report. If you don't see this tab, no dynamic analysis report is available for this file.

    The report shows the following:

    • MITRE attack tactics and techniques used by the threat.
    • Processes that were run.
    • Network activity.