Intercept X Server



Intercept X for Server leverages a broad set of protections to stop zero-day attacks, exploits, and hackers. These protections prevent attacks from reaching servers in the first place, detect attacks before they run, or stop them and provide a thorough cleanup if they manage to evade protection. Intercept X consolidates unmatched protection and endpoint detection and response into a single solution. This means that most threats are stopped before they can ever cause damage, and Intercept X Advanced with EDR provides additional cybersecurity assurance with the ability to detect, investigate, and respond to potential security threats. Intercept X Advanced consistently rates at the top of independent tests and analyst reports for endpoint protection. By combining advanced technologies, such as deep learning and endpoint detection and response, Intercept X delivers unmatched protection against unknown malware, exploits, and ransomware. With Intercept X Advanced for Server, you get a state-of-the-art deep learning neural network to protect you against never-before-seen malware, unmatched ant.

Components Updated

Components and their version numbers by release, latest release first.

Sophos Intercept X (Windows 7 and later), with the HitmanPro.Alert and Machine Learning Engine versions shipped in each release:

  • 2.0.20 (February 2021): HitmanPro.Alert 3.8.1.504, Machine Learning Engine 1.7.0.19
  • 2.0.19 (January 2021): HitmanPro.Alert 3.8.0.523, Machine Learning Engine 1.7.0.19
  • 2.0.18 (October 2020): HitmanPro.Alert 3.8.0.523, Machine Learning Engine 1.5.3
  • 2.0.17 (May 2020): HitmanPro.Alert 3.7.17.321, Machine Learning Engine 1.5.3
  • 2.0.16 (November 2019): HitmanPro.Alert 3.7.15.446, Machine Learning Engine 1.5.3
  • 2.0.15.2 (September 2019): HitmanPro.Alert 3.7.14.40, Machine Learning Engine 1.2.13
  • 2.0.15 (July 2019): HitmanPro.Alert 3.7.13.1460, Machine Learning Engine 1.2.13
  • 2.0.14.1 (July 2019): HitmanPro.Alert 3.7.12.466, Machine Learning Engine 1.1.202
  • 2.0.14 (February 2019): HitmanPro.Alert 3.7.12.466, Machine Learning Engine 1.1.202
  • 2.0.13 (February 2019): HitmanPro.Alert 3.7.12.454, Machine Learning Engine 1.1.202
  • 2.0.12 (January 2019): HitmanPro.Alert 3.7.10.762, Machine Learning Engine 1.1.202

Other release notes

You should also read the Sophos Core Agent release notes. They cover the changes, resolved issues and known issues for the core components.

For information about the changes to the Sophos Core Agent, see the Sophos Core Agent release notes.

For information about the changes to Sophos Endpoint Advanced, see the Sophos Endpoint Advanced release notes.

For improvements and new features in Sophos Central, see What's new in Sophos Central.

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

Restriction You can only use some options on Windows servers.
Note If an option is locked, your partner or Enterprise administrator has applied global settings. You can still stop detecting applications, exploits, and ransomware by going to the events list.

Go to Server Protection > Policies to set up threat protection.

To set up a policy, do as follows:

  • Create a Threat Protection policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.

You can either use the recommended settings or change them.

Warning Think carefully before you change the recommended settings because doing so may reduce your protection.
Note SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types to provide the best protection.

Intercept X Advanced for Server

If you have this license, your threat protection policy offers protection from ransomware and exploits, signature-free threat detection, and 'threat cases' for analysis of threat events.

We recommend that you use these settings for maximum protection.

Note If you turn on any of these features, servers assigned to this policy use an Intercept X Advanced for Server license.

Server Protection default settings

We recommend that you leave these settings turned on. These provide the best protection you can have without complex configuration.

These settings offer:

  • Detection of known malware.
  • In-the-cloud checks to allow detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.
  • Automatic exclusion of activity by known applications from scanning.

Scheduled scanning

Scheduled scanning performs a scan at a time or times that you specify.

This form of scanning is turned on by default for servers.

You can select these options:

  • Enable scheduled scan. This lets you define a time and one or more days when scanning should be performed.
    Note The scheduled scan time is the time on the endpoint computers (not a UTC time).
  • Enable deep scanning. If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.

Scanning exclusions

Some applications have their activity automatically excluded from real-time scanning.

You can also exclude other items or activity by other applications from scanning. You might do this because a database application accesses many files, which triggers many scans and impacts a server's performance.

Tip To set up exclusions for an application, you can use the option to exclude processes running from that application. This is more secure than excluding files or folders.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the servers the policy applies to.

Note If you want to apply exclusions to all your users and servers, set up global exclusions on the Overview > Global Settings > Global Exclusions page.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, process, website, potentially unwanted application).
  3. Specify the item or items you want to exclude. The following rules apply:
    • File or folder (Windows). On Windows, you can exclude a drive, folder, or file by full path. You can use wildcards and variables. Examples:
      • Folder: C:\programdata\adobe\photoshop\ (add a backslash for a folder)
      • Entire drive: D:
      • File: C:\program files\program\*.vmg
    • File or folder (Linux). On Linux, you can exclude a folder or file. You can use the wildcards ? and *. Example: /mnt/hgfs/excluded.
    • File or folder (Sophos Security VM). On Windows guest VMs protected by a Sophos security VM, you can exclude a drive, folder, or file by full path, just as you can for other Windows computers. You can use the wildcard * but only for file names.
      Note By default, exclusions apply to all guest VMs protected by the security VM. For exclusions on one or more specific VMs.
    • Process (Windows). You can exclude any process running from an application. This also excludes files that the process uses (but only when accessed by that process). If possible, enter the full path from the application, not just the process name shown in Task Manager. Example: %PROGRAMFILES%\Microsoft Office\Office 14\Outlook.exe
      Note To see all processes or other items that you need to exclude for an application, see the application vendor's documentation.
    • Website (Windows). You can specify websites as an IP address, IP address range (in CIDR notation), or domain. Examples:
      • IP address: 192.168.0.1
      • IP address range: 192.168.0.0/24. The /24 suffix is the number of leading bits shared by all IP addresses in the range, so /24 corresponds to the netmask 11111111.11111111.11111111.00000000. In this example, the range includes all IP addresses starting with 192.168.0.
      • Domain: google.com
    • Potentially Unwanted Application (Windows). You can exclude applications that are normally detected as spyware. Specify the exclusion using the same name under which the system detected it. Find more information about PUAs in the Sophos Threat Center.
    • Detected Exploits (Windows/Mac). You can exclude any exploit that has already been detected. We'll no longer detect it for the affected application and no longer block the application.
      Note This turns off CryptoGuard ransomware protection for this exploit for the affected application on your Windows servers.
    • AMSI Protection (Windows). On Windows, you can exclude a drive, folder, or file by its full path. We don't scan code in this location. You can use the wildcard * for file name or extension.
    • Server isolation (Windows). Device isolation (by an administrator) is available for servers if you are signed up to the Early Access Program for Intercept X Advanced for Server with EDR.

      You can allow isolated devices to have limited communications with other devices.

      Choose whether isolated devices will use outbound or inbound communications, or both.

      Restrict those communications with one or more of these settings:

      • Local Port: Any device can use this port on isolated devices.
      • Remote Port: Isolated devices can use this port on any device.
      • Remote Address: Isolated devices can only communicate with the device with this IP.

      Example 1: You want remote desktop access to an isolated device so that you can troubleshoot.

      • Select Inbound Connection.
      • In Local Port, enter the port number.

      Example 2: You want to go to an isolated device and download cleanup tools from a server.

      • Select Outbound Connection.
      • In Remote Address, enter the address of the server.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or both.
  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.
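As an added example (not Sophos code), a small Python checker that applies the exclusion rules described above to tell whether a given path or website falls under an exclusion: the trailing-backslash folder rule, whole-drive and wildcard file patterns with variable expansion, and the /24 prefix-to-netmask computation for website ranges. The variable expansions, the within-component wildcard matching and the subdomain handling are assumptions, not behaviour stated on the page.

```python
import re

# Assumed expansions for the path variables; real values come from the server's environment.
VARIABLES = {"%PROGRAMFILES%": "C:\\Program Files", "%PROGRAMDATA%": "C:\\ProgramData"}

def _expand(text):
    for var, value in VARIABLES.items():
        text = text.replace(var, value)
    return text.lower()  # Windows paths are case-insensitive

def _glob_to_regex(pattern):
    # '*' and '?' match within a single path component (assumption about the product's matching).
    return "".join(r"[^\\]*" if c == "*" else r"[^\\]" if c == "?" else re.escape(c) for c in pattern)

def path_excluded(exclusion, path):
    """True if a Windows file/folder exclusion covers `path`. Page rules: a trailing
    backslash means a folder (everything under it), 'D:' means a whole drive, anything
    else is a file pattern that may contain the * and ? wildcards."""
    excl, path = _expand(exclusion), _expand(path)
    if re.fullmatch(r"[a-z]:\\?", excl):  # entire drive
        return path.startswith(excl.rstrip("\\") + "\\")
    if excl.endswith("\\"):  # folder: anything inside it
        return path.startswith(excl)
    return re.fullmatch(_glob_to_regex(excl), path) is not None

def _ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def netmask_bits(prefix_len):
    """/24 -> '11111111.11111111.11111111.00000000': prefix_len one-bits, then zero-bits."""
    bits = "1" * prefix_len + "0" * (32 - prefix_len)
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))

def website_excluded(exclusion, address):
    """True if a website exclusion (single IP, CIDR range, or domain) covers `address`."""
    if "/" in exclusion:  # CIDR range such as 192.168.0.0/24
        net, prefix = exclusion.split("/")
        mask = int(netmask_bits(int(prefix)).replace(".", ""), 2)
        return _ip_to_int(address) & mask == _ip_to_int(net) & mask
    if re.fullmatch(r"\d+(\.\d+){3}", exclusion):  # single IP address
        return address == exclusion
    # Domain: treated here as also covering its subdomains (assumption, not stated on the page).
    a, e = address.lower(), exclusion.lower()
    return a == e or a.endswith("." + e)
```

Running the page's own examples through it shows the folder exclusion covering files nested under the folder, the *.vmg pattern not reaching into subfolders, and 192.168.0.0/24 covering 192.168.0.200 but not 192.168.1.5.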

Exploit Mitigation exclusions

You can exclude applications from protection against security exploits. For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.

Adding exclusions reduces your protection.

Adding exclusions using the global option, Overview > Global Settings > Global Exclusions, creates exclusions that apply to all users and devices.

We recommend that you use this option and assign the policy containing the exclusion only to those servers where the exclusion is necessary.

Restriction You can only create exclusions for Windows applications.

To create a policy exploit mitigation exclusion, do as follows:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In Exclusion Type, select Exploit Mitigation (Windows).

    A list of the protected applications on your network shows.

  3. Select the application you want to exclude.
  4. If you don't see the application you want, click Application not listed?. You can now exclude your application from protection by entering its file path. Optionally, use any of the variables.
  5. Under Mitigations, choose from the following:
    • Turn off Protect Application. Your selected application isn't checked for any exploits.
    • Keep Protect Application turned on and select the exploit types that you do or don’t want to check for.
  6. Click Add or Add Another. The exclusion is added to the list on the Global Exclusions page.

    The exclusion only applies to servers that you assign this policy to.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

Desktop Messaging

You can add a message to the end of the standard notification. If you leave the message box empty, only the standard message is shown.

Desktop Messaging is on by default.

Click in the message box and enter the text you want to add.