Powerful new features in Intercept X Advanced with EDR 3.0
Sophos Intercept X Advanced with EDR is at the forefront of modern cybersecurity and provides extremely powerful endpoint detection and deep learning for outstanding protection against suspicious activity, unknown malware and ransomware.
With version 3.0, two groundbreaking features have been introduced that help admins cope with the daily demands and challenges of IT. These new capabilities are already available for Windows 8, 8.1, 10 and Windows Server. Support for Linux and Mac is planned for later in the second quarter.
Note: To use the new Intercept X Advanced with EDR 3.0 features, you need access to the Early Access Program. The Early Access Program is open to anyone who has a licence for Intercept X or Intercept X for Server. If you are already enrolled in the “New Endpoint Protection and EDR Features” EAP, you do not need to take any further action. Your devices will receive the update automatically.
What’s new?
- Live Discover
- Live Response
Live Discover
Live Discover is the newest and most important feature in Sophos Intercept X Advanced with EDR 3.0. It lets you ask security‑related questions about your devices, and it answers them directly from the historical activity and the current state recorded on each device. Queries can be as simple as “How long has this device been running?” but also far more sophisticated, such as detecting anomalies in network communication or deviations from a device’s baseline over the last 30 days. All of these queries are run from Sophos Central, where you define the question, select the devices to query and can also drive the same capability through the API. This lets you spot potential threats at an early stage.
How does it work?
With Live Discover you use SQL to ask questions about your servers and endpoints. You can choose from a wide range of predefined queries or adapt them so they return exactly the information you need. That helps both with threat hunting and with everyday IT questions such as:
- How is the device performing?
- Why is my device running slowly?
- Which patch level is installed on the device?
- Which hardware and operating system information is available?
- Which files and registry entries exist on my device, and has anything changed in the last ten days?
In addition to modifying existing queries, you can also create completely new SQL queries and store them in categories. Live Discover offers numerous categories, as shown in the following screenshot:

Note: The Sophos Community provides additional support and a place to share your own queries. You need a Sophos ID to access it.
To start a query, first select the devices you want information from. The screenshot below shows the result of a query for various operating system details:

For this request, Live Discover returns, for each selected device, the hostname, CPU vendor, operating system, OS version and much more. Each device runs the query locally against its own data and sends only the result rows back to Central. If you send a query to, for example, 10,000 devices, the work is spread across all of them, so the impact on any single device remains minimal.
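As an added illustration (not code from this post or from Sophos), here is what several of the questions listed above, and the operating‑system query from the screenshot, look like when written as Live Discover SQL. Live Discover is built on osquery, so the tables used are osquery’s standard schema (uptime, system_info, os_version, processes, patches, registry, logged_in_users). The exact columns Sophos exposes, and the SQLite date functions being available in the query editor, are assumptions to confirm against the schema shown in Central before you rely on a query.

```sql
-- Added example, not from the original post or from Sophos.
-- Assumption: Live Discover exposes the standard osquery tables and columns
-- used below, and the SQLite date/time functions are available.

-- 1. "How long has this device been running?"
SELECT
  days, hours, minutes, total_seconds,
  datetime('now', '-' || total_seconds || ' seconds') AS booted_at_utc
FROM uptime;

-- 2. Hardware and operating-system details, one row per device.
--    system_info and os_version each return a single row, so a CROSS JOIN
--    simply combines them.
SELECT
  si.hostname,
  si.hardware_vendor,
  si.cpu_brand,
  si.cpu_logical_cores,
  ROUND(si.physical_memory / 1073741824.0, 1) AS memory_gb,
  os.name    AS os_name,
  os.version AS os_version,
  os.build   AS os_build,
  os.arch
FROM system_info si
CROSS JOIN os_version os;

-- 3. "Why is my device running slowly?" -- the ten largest processes by
--    resident memory, with their command lines for context.
SELECT pid, name, path, cmdline,
       ROUND(resident_size / 1048576.0, 1) AS resident_mb
FROM processes
ORDER BY resident_size DESC
LIMIT 10;

-- 4. "Which patch level is installed?" -- Windows hotfixes, newest first.
SELECT hotfix_id, description, installed_on
FROM patches
ORDER BY installed_on DESC
LIMIT 20;

-- 5. "Has anything changed in the registry in the last ten days?"
--    Restricted to the common autostart locations, because the registry
--    table needs a path constraint and these are the keys worth watching.
--    mtime is a Unix epoch; strftime('%s','now') is the current epoch.
SELECT
  datetime(mtime, 'unixepoch') AS modified_utc,
  path, name, type, data
FROM registry
WHERE (
      path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%'
   OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce%'
   OR path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run%'
)
  AND mtime > strftime('%s', 'now') - 10 * 86400
ORDER BY mtime DESC;

-- 6. Who is logged on right now, and from where?
SELECT user, type, tty, host,
       datetime(time, 'unixepoch') AS logon_utc
FROM logged_in_users;
```

When you run one of these against many devices, Central adds the device name to each returned row, so the same query doubles as a fleet‑wide report; keep the LIMIT clauses in place on large selections so that a single noisy device cannot flood the result set.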
How the new “Live Discover” functions support your work
It:
- lets you select multiple devices per query
- provides advanced capabilities for threat hunting
- supports forensic analysis
- offers SQL queries for more detail
- provides historical data – from today back up to 90 days
- scales to many thousands of devices
- includes details on patches, OS versions, graphics and memory
- has access to system events
- tracks all processes – past and present
- provides insight into registry changes
- exposes information on user logons
Live Response
Live Response is another great feature in Sophos Intercept X with EDR 3.0 that many admins will quickly grow to appreciate. It allows admins to access any device in their environment remotely, from anywhere in the world. This is not a full remote desktop session but rather a secure command‑line connection controlled via Sophos Central in the browser. Sophos Central acts as the terminal to connect to the chosen device. This makes it possible to carry out detailed security investigations on a device or respond in real time to an active threat.
How does it work?
Before you can start a Live Response session, you need to enable the corresponding setting in Sophos Central. Only super admin accounts that authenticate with 2FA are allowed to change this.

Once Live Response is enabled in the global settings, super admins can start a shell session for any computer or server managed in Central. You can then run any commands that you would normally execute locally on the machine – for example ipconfig to check the device’s IP address, or the reg command to view, modify or delete registry keys. You can also browse, display or delete files.

Note: At the moment, only Windows computers and Windows Server are supported here as well. Support for Linux and Mac will follow later.
Sophos Central provides a secure connection to your devices, and you do not need to open any additional inbound ports for it: the endpoint agent reaches Central over the same outbound connection it already uses for management. As mentioned earlier, Live Response sessions can only be started by super admins with two-factor authentication enabled, and every connection is recorded in the audit log, so you can always see when a session was started and stopped. Because a session gives full system access to the endpoint, treat the super admin accounts that can open one as high‑value credentials and keep their number small.
What Live Response offers
- remote access to your devices from anywhere in the world
- the ability to restart devices that are waiting for an update
- editing of registry keys
- searching through files
- deleting files
- launching programs and scripts
- support for identifying and eliminating suspicious activity
- the ability to inspect all running processes and stop them whenever needed
- software installation and uninstallation
- the ability to launch forensic tools
- full system access
Try Sophos Intercept X with EDR 3.0 now
To see Live Discover and Live Response for yourself, simply join the EAP (Early Access Program) “New Endpoint Protection and EDR Features”. You need at least one valid licence for Intercept X or Intercept X Advanced for Server.
If you do not yet have a Sophos Central account, you can sign up on the Sophos website and test all features, including “Sophos Intercept X with EDR 3.0”, free of charge for 30 days.
If you already have a Sophos Central account and your 30‑day trial has expired, you can purchase a licence for “Sophos Intercept X” or “Intercept X Advanced for Server” via our website and then join the EAP:
