Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/enterprise/help/en-us/index.html?contextId=server-threat-protection-InterceptX-Advanced

Server Threat Protection: Intercept X Advanced

If you have an Intercept X Advanced for Server license, you'll see options in your threat protection policy in addition to the standard Server Protection options.

Runtime Protection

You must join the Early Access Program to use some options.

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic on endpoint computers.

  • Protect document files from ransomware (CryptoGuard): This protects document files against malware that restricts access to files and then demands a fee to release them. You can also choose to protect 64-bit computers against ransomware run from a remote location. You can choose what action you want to take if ransomware is detected. You can terminate any ransomware processes that are running, or you can stop any ransomware processes from writing to the filesystem by isolating them.
  • Protect from master boot record ransomware: This protects the computer from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.
  • Protect critical functions in web browsers (Safe Browsing): This protects your web browsers against exploitation by malware.
  • Mitigate exploits in vulnerable applications: This protects the applications most prone to exploitation by malware. You can select which application types to protect.

  • Advanced exploit mitigation settings:

    • Prevent credential theft: This prevents the theft of passwords and hash information from memory, registry, or hard disk.
    • Prevent code cave utilisation: This detects malicious code that's been inserted into another, legitimate application.
    • Prevent APC violation: This prevents attacks from using Application Procedure Calls (APC) to run their code.
    • Prevent privilege escalation: This prevents attacks from escalating a low-privilege process to higher privileges to access your systems. We recommend testing these settings before you apply the policy to your servers.

  • Protect processes: This helps prevent the hijacking of legitimate applications by malware. You can do as follows:

    • Protect against process replacement attacks (process hollowing attacks).
    • Protect against loading .DLL files from untrusted folders.

  • Enable CPU branch tracing: CPU malicious code detection is a feature of Intel processors that allows tracing of processor activity for detection. We support it on Intel processors with the following architectures: Nehalem, Westmere, Sandy Bridge, Ivy Bridge, Haswell, Broadwell, Goldmont, SkyLake, and Kaby Lake.

    We don't support it if there is a (legitimate) hypervisor on the computer.

  • Dynamic shellcode protection. This detects the behavior of covert remote access agents and prevents attackers from gaining control of your networks.

  • Validate CTF Protocol caller. This intercepts and blocks applications that attempt to exploit CTF.

    A vulnerability in a Windows component, only known as “CTF”, present in all versions back to Windows XP, allows a non-administrative, unauthorized attacker to hijack any Windows process, including applications that are running in a sandbox.

  • Prevent side loading of insecure modules. This prevents an application from side-loading a malicious DLL that poses as an ApiSet Stub DLL.

    ApiSet Stub DLLs are DLLs that serve as a proxy to maintain compatibility between older applications and newer operating system versions. Attackers may place malicious ApiSet Stub DLLs to manipulate this functionality, or bypass tamper protection and terminate anti-malware protection.

  • Protect browser cookies used for MFA sign in. This prevents unauthorized applications from decrypting the AES key used to encrypt multi-factor authentication (MFA) cookies.

  • Linux runtime detections: This gives you runtime visibility and threat detection for Linux server workloads and containers. You can manage these alerts in the Threat analysis center in Sophos Central Admin.

    You need an Intercept X Advanced for Server with XDR or Server MTR license to use this option.

Deep Learning

Deep learning uses advanced machine learning to detect threats. It can identify known and previously unknown malware and potentially unwanted applications without using signatures.

Remediation

  • Enable Threat Graph creation: Threat cases let you investigate the chain of events in a malware attack and identify areas where you can improve your security.