
Powerful New Features in Intercept X Advanced with EDR 3.0

David - June 2, 2020

Sophos Intercept X Advanced with EDR is at the frontier of modern cybersecurity and features the strongest endpoint detection and deep learning for truly exceptional defense against suspicious activities, unknown malware, and ransomware.

With version 3.0, two groundbreaking features have been implemented that will help administrators handle the daily requirements and challenges of IT. These new features are already available for Windows 8, 8.1, 10 and Windows Server. Support for Linux and Mac will follow later in the second quarter.

Note: You will need the Early Access Program in order to use Intercept X Advanced with EDR 3.0 and all its fantastic features. The Early Access Program is available if you have Intercept X or Intercept X for Server. If you have just enrolled in the “New Endpoint Server Protection and EDR Features” program, you do not have to do anything. Your devices will automatically receive the updated software.

What’s New?

  • Live Discover
  • Live Response

Live Discover

Live Discover is the latest and most crucial feature of Sophos Intercept X Advanced with EDR 3.0. It lets you ask security-related questions about your devices. It does this by querying the historic activity and the current running state of each device, and it returns responses immediately. A query can be simple, such as ‘how long has a device been running?’, or more advanced, for example identifying differences and standard deviations in a device's network communications over the previous 30 days in search of anomalies. Live Discover is accessed directly from Sophos Central. You will be able to use the API to ask those questions and choose the device you want to query. In this way you can look for threats that may be encountered later, and for any expected malware.

How does it work…?

Live Discover allows administrators to search their data and answer almost any question they may have by running SQL queries on endpoints and servers. You can pick from a selection of prepared queries that can be completely customized to capture the exact information that you require. This can help answer threat hunting and IT operational questions such as:

  • How’s the performance of the device?
  • Why is the device running slowly?
  • Is there a remote sharing option available?
  • What is the patch level of the device?
  • What hardware and operating system details are available for the device?
  • What are all the files and registry keys? Were these modified when it ran 10 days ago?

Besides editing an existing query, you can also create your own SQL queries and save them in a category. There are numerous categories available in Live Discover. You can see these categories in the picture below:

Note: You can find additional support in the Sophos Community and share your own queries. You will need a Sophos ID for access.


To start a query, you first select the devices from which you need certain information. For example, in the screenshot below you can see the result of a query of various operating system details:

In response to this request, Live Discover shows, for all selected devices, the host name, the name of the CPU manufacturer, the operating system, the OS version and much more. The statistics and data are processed on each individual device that you selected before the query and then transferred to Central. For example, if you send a query to 10,000 devices, the load will be distributed across all these devices, which means that the load on a single device is minimal.
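As an added illustration (not a query from the original article or from Sophos's prepared set), the following SQL shows the kind of operating-system inventory query described above, combined with the ‘how long has a device been running?’ question. It assumes the standard osquery tables `system_info`, `os_version`, `uptime` and the Windows-only `patches` table, on which Live Discover's query engine is based; the column aliases and the 30-day reboot threshold are illustrative assumptions.

```sql
-- Added example: OS inventory plus uptime for each selected device.
-- Assumes standard osquery tables (system_info, os_version, uptime, patches).
-- system_info, os_version and uptime each return exactly one row per device,
-- so the CROSS JOINs yield a single result row on every endpoint.
SELECT
    si.hostname                                  AS host_name,
    si.hardware_vendor                           AS hardware_vendor,
    si.cpu_brand                                 AS cpu,
    si.cpu_logical_cores                         AS logical_cores,
    ROUND(si.physical_memory / 1073741824.0, 1)  AS memory_gib,   -- bytes to GiB
    os.name                                      AS os_name,
    os.version                                   AS os_version,
    os.build                                     AS os_build,
    up.days                                      AS uptime_days,
    -- Windows-only table: number of hotfixes the device reports as installed
    (SELECT COUNT(*) FROM patches)               AS installed_hotfixes,
    -- Illustrative threshold (assumption): flag devices not rebooted for 30+ days
    CASE WHEN up.days >= 30 THEN 'reboot overdue' ELSE 'ok' END AS reboot_status
FROM system_info AS si
CROSS JOIN os_version AS os
CROSS JOIN uptime AS up;
```

Because the query is evaluated locally on each selected device, Central only receives the one finished row per device.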

How the new features of ‘Live Discover’ will help you with your IT operations…

  • It allows you to select your desired device for a query
  • It provides advanced threat hunting
  • It helps with forensic investigation
  • It provides SQL queries for improved details
  • It can provide your present and historical data for up to 90 days.
  • It scales to thousands of devices
  • It contains details about patches, OS versions, video, and disk information
  • It has access to system events
  • It has information about any current and historic running process.
  • It provides access to see changes in the registry
  • It provides information about user authentications

Live Response

Live Response is another incredible feature of Sophos Intercept X EDR 3.0 that you are bound to love. What’s the most amazing thing about this feature? Live Response allows admins to connect directly via remote access to any device in the environment from anywhere in the world. This does not mean a remote session with a screen image; instead, it provides safe access to a command-line interface, which you control via Sophos Central in your browser. Sophos Central acts as a terminal to control the device you want to use. This gives you the ability to conduct detailed and security-related investigations on a device or to react to a threat in real time.

How does it work…?

Before initiating the Live Response session, you need to enable the global setting from Sophos Central. It's worth highlighting that the global settings page can only be modified by admins who have the super admin privileges. Super admins must also be authenticated to Sophos Central using MFA.

Once Live Response is enabled in the global settings, you can start a shell as Super-Admin for each computer or server you manage in Central. You can now use any commands that you could run directly on the machine itself. For example, "ipconfig" to check the IP address of the selected device, or the "reg" command to display, change or delete registry keys. You can also browse, view or delete files.

Note: Currently only Windows computers or Windows servers are supported. Linux and Mac support will follow later.

Sophos Central provides a secure and safe connection to the device. No extra ports need to be kept open. As mentioned at the beginning, administrators will need to carry out two-factor authentication to have access to this function. In addition, every live response connection is recorded in the audit log and it is always possible to trace when a session was started and stopped.

Live Response can provide the following facilities to the Admins:

  • Remote access and management of your desired device from anywhere in the world.
  • The ability to reboot a device awaiting updates.
  • Editing of the registry keys.
  • Ability to browse files.
  • Ability to delete files.
  • Ability to run programs and scripts.
  • Assisting in detecting and neutralizing any suspicious activity.
  • Check all the running operations and terminate any of them.
  • Installation or uninstallation of software
  • Running forensic tools
  • Providing full system-level access

Try Sophos Intercept X with EDR 3.0 now!

To experience Live Discover and Live Response for yourself, simply join the EAP (Early Access Program) ‘New Endpoint Server Protection and EDR Features’. You need at least one valid license for Intercept X or Intercept X Advanced for Server.

If you do not already have a Sophos Central Account, you can sign up on the Sophos website to create one and test all features, including ‘Sophos Intercept X with EDR 3.0’, free for 30 days.

If you have a Sophos Central account and the 30-day trial has already expired, you can order either a ‘Sophos Intercept X’ or ‘Intercept X Advanced for Server’ license via our website and then benefit from the EAP:
