Sophos Central Update - Enhanced Protection for Server and more
Sophos Central

Sophos Central Update - Enhanced Protection for Server and more

David - March 3, 2020

Over the past two months, Sophos has released a few new features for the Central platform, which I will summarise briefly here. However, I will start this article by mentioning that support for Windows 7 and Server 2008 R2 will end soon.

Support for Windows 7 and Windows Server 2008 R2 will end soon

For both Windows 7 and Windows Server 2008 R2, Microsoft has finally stopped support on 14 January 2020. As a result, Sophos also will not support these two operating systems for much longer. The default support officially ends on 31 December 2021.

Windows 7

  • End of standard support: 31 December 2021
  • End of the extended support: 31 March 2025

Windows Server 2008 R2

  • End of standard support: 31 December 2021
  • End of the extended support: 31 March 2025

Info: Windows Server 2008 support will end on July 31, 2020.

Getting an extended support

Sophos is offering extended support to customers for whom 31 December 2021 is not sufficient to replace existing hardware. You will need to purchase an extra license to allow Sophos to grant you a grace period until 31 March 2025 for the following products:

  • Intercept X Advanced/Intercept X Advanced with EDR
  • Intercept X Advanced for Server/Intercept X Advanced for Server with EDR
  • Central Endpoint Protection/Central Server Protection
  • Endpoint Protection Standard/Endpoint Protection Advanced
  • Server Protection for Virtualization, Windows und Linux/Server Protection Enterprise

If you are interested in such an extended support, just write us via contact form. We will then gladly make you an appropriate offer.

Sophos Intercept X Enhanced Protection (beta) now available for servers

In October 2019, Sophos has already launched a beta program for Intercept X Enhanced Protection. The aim of this program is to further enhance Intercept X and provide new features to combat the latest malware. In 2020 ransomware attacks will continue and terms like EMOTET will be on everyone's lips. Sophos continues to work hard to ensure that customers can keep feeling secure with Intercept X technology.

In the first version, the Intercept X Enhanced Protection already included the two features Anti-Malware Scanning Interface (AMSI) and Intrusion Prevention System (IPS). We have already talked about this in the twelfth episode of our podcast.

In December 2019 new and very important protection mechanisms for Windows systems were added, which are now also available for Windows servers as of version 2008 R2:

Protect from Encrypting File System attacks (EFS Guard)

Since Windows 2000, Microsoft has integrated a function called EFS (Encrypting File System) into its operating system. Not to be confused with BitLocker, which can encrypt an entire hard disk, EFS is used to encrypt certain files and folders.

Attackers have found a way to abuse this function and encrypt their victims' data right away using the APIs of the native encryption function (EFS). The beauty of the whole thing is that they don't have to download their own malware to do it. With EFS Guard, Intercept X can now protect against such attacks.

Dynamic Shellcode Protection

The inventors of new malware are increasingly using so-called "stagers". These are small and innocent programs that download malware into temporary memory and execute it. As a result, they are hardly detected by traditional Anti-Malware applications. By analyzing the behavior of applications, dynamic shellcode protection can protect against exactly such Malware. If a behavior similar to staging is detected, the detection kicks in immediately and stops the application.

Validate CTF Protocol Caller (CTF Guard)

CTF is a vulnerability in a Windows component that exists since Windows XP. This vulnerability allows an unauthorized attacker to control any Windows process, including applications running in a sandbox. To prevent the CTF protocol from being exploited, the Sophos Threat Mitigation team has developed CTF Guard and added it to the Threat Protection policy.

Prevent side loading of insecure modules (ApiSetGuard)

The function ApiSetGuard prevents applications from loading a malicious DLL which pretends to be an ApiSet Stub-DLL. ApiSet Stub DLLs are DLLs that help a program to be compatible with newer Windows versions. Attackers can place malicious ApiSet Stub DLLs on a system to manipulate functions. For example, the Sophos tamper protection could be leveraged to terminate the Sophos client.

Email DKIM signing

Those who use Sophos Central Email to scan their inbound and outbound traffic can now add a DKIM signature to their email. To set this up, you will need to go to the "Settings" section of Central Email and select "Domain Settings / Status". If you now click on a domain that also scans outbound traffic, you will find the option to create a new DKIM key below the summary. After that you will see a short tutorial with all necessary information to set up the DKIM key.

Customizable email address for Phish Threat Training

Sophos Centrla Phish Threat is actually designed to train company employees to detect phishing emails. In the past, it was not really trusted when the automated training and registration emails were sent from "Sophos training@staysafe.sophos.com". Some anxious employees may have wondered whether they should click on the link in the email. 😅 Sophos has now responded by offering the option to add your own domain to catch emails, reminder emails and registration emails sent to your end users.

To do this, simply go to Phish Threat's "Settings" and select the menu item "Training Reminder and Enrollment Emails". There you can now activate and confirm a custom email address. In my tests the verification email, as well as the following test email, ended up in the spam folder. 🙄 By the way, these settings are applied to the Central Account and cannot be set individually per campaign.

Send Your Feedback

Share your thoughts about this article, your private queries are always welcome and greatly appreciated.

Send Feedback
All information are confidential

On our blog we regularly publish articles on various topics related to Sophos. To make sure you don't miss any articles, you can subscribe to our newsletter, and once a month you will receive an email with a summary of all articles published in the last 30 days.

Knowledge base

Do you need help with a Sophos product? Then maybe our free knowledge base can help you. We try to document most support requests in an article so that we can help as many people as possible.