Sophos Central Update – Enhanced Protection for Servers and More
Over the past two months, Sophos has introduced several new features for the Central platform, which are briefly summarised in this post. We begin with the imminent end of support for Windows 7 and Windows Server 2008 R2.
Imminent end of support for Windows 7 and Windows Server 2008 R2
Microsoft ended support for Windows 7 and Windows Server 2008 R2 on 14 January 2020. Consequently, Sophos will also only provide limited support for these two operating systems. Standard support officially ends on 31 December 2021.
Windows 7
- End of standard support: 31 December 2021
- End of extended support: 31 March 2025
Windows Server 2008 R2
- End of standard support: 31 December 2021
- End of extended support: 31 March 2025
Info: Support for Windows Server 2008 ends on 31 July 2020.
Purchasing extended support
For environments in which 31 December 2021 is not sufficient time to replace systems, Sophos offers extended support. With an additional licence, support for the following products is extended until 31 March 2025:
- Intercept X Advanced / Intercept X Advanced with EDR
- Intercept X Advanced for Server / Intercept X Advanced for Server with EDR
- Central Endpoint Protection / Central Server Protection
- Endpoint Protection Standard / Endpoint Protection Advanced
- Server Protection for Virtualization, Windows and Linux / Server Protection Enterprise
If you are interested in extended support, simply contact us via the contact form and we will prepare an appropriate quote.
Sophos Intercept X Enhanced Protection (beta) now available for servers
In October 2019, Sophos launched a beta programme for Intercept X Enhanced Protection. The goal is to further expand Intercept X and provide additional capabilities to defend against current malware. Ransomware attacks continue unabated in 2020 – names such as EMOTET are omnipresent. Sophos is therefore working hard to continuously strengthen Intercept X technology.
In its first version, Intercept X Enhanced Protection already included the two features Anti-Malware Scanning Interface (AMSI) and Intrusion Prevention System (IPS).
In December 2019, further core protection mechanisms for Windows systems were added, which are now also available for Windows Server from version 2008 R2:
Protection against encrypting file system attacks (EFS Guard)
Since Windows 2000, Microsoft has integrated a feature called EFS (Encrypting File System) into its operating system. This should not be confused with BitLocker, which encrypts an entire drive; EFS is used to encrypt specific files and folders.
Attackers have found ways to abuse this function and encrypt files directly via the APIs of the built‑in encryption function (EFS). The “advantage” for attackers: no additional malware has to be downloaded. With EFS Guard, Intercept X can now protect specifically against such attacks.

Dynamic shellcode protection
The authors of new malware increasingly rely on so‑called “stagers”. These are small, seemingly harmless programs that load the actual malicious code into temporary memory and execute it there. Classic anti‑malware solutions have difficulty detecting such patterns. Behaviour‑based analysis enables dynamic shellcode protection to defend against precisely this technique. As soon as behaviour is detected that resembles that of a stager, detection kicks in and stops the application.

CTF Guard
CTF is a vulnerability in a Windows component that has existed since Windows XP. It allows unauthorised attackers to control any Windows process – including applications running in a sandbox. To prevent the CTF protocol from being exploited, the Sophos Threat Mitigation team developed the CTF Guard feature and integrated it into the threat protection policy.

ApiSetGuard
The ApiSetGuard feature prevents applications from loading malicious DLLs that masquerade as ApiSet stub DLLs. ApiSet stub DLLs help applications remain compatible with newer versions of Windows. Attackers can place manipulated ApiSet stub DLLs on a system to change functionality – for example, to circumvent Sophos tamper protection and terminate the Sophos client.

Email DKIM signing
If you use Sophos Central Email to scan inbound and outbound traffic, you can now sign messages with DKIM. To configure this, go to the “Settings” of Central Email and select the “Domain settings / status” menu. Clicking on a domain for which outbound traffic is also scanned displays an option under the summary to create a new DKIM key. A short guide with all the required details for configuring the DKIM record is then shown.
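Once the DKIM record from the guide is published in DNS, it is worth checking the TXT value before relying on it. The following is an added example, not Sophos code: the function names are hypothetical and the sample key is constructed (real DER layout, dummy modulus). It flags a broken `v=` tag, a missing or revoked `p=` key and RSA keys that are too short, and it accepts records that DNS tools show split into quoted 255-byte chunks.

```python
import base64

RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL

def _tlv(buf, pos):  # (value_start, value_end) of the DER element at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return pos, pos + length

def rsa_modulus_bits(der):  # modulus size of a SubjectPublicKeyInfo RSA key
    if RSA_ALG not in der[:32]:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, alg_end = _tlv(der, _tlv(der, 0)[0])  # AlgorithmIdentifier in outer SEQUENCE
    bitstr, _ = _tlv(der, alg_end)   # BIT STRING
    key, _ = _tlv(der, bitstr + 1)   # RSAPublicKey, after the unused-bits byte
    n_start, n_end = _tlv(der, key)  # modulus INTEGER
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_dkim_record(txt):
    """Return the problems found in a DKIM TXT record value ([] means none)."""
    txt = txt.replace('"', "")  # rejoin quoted chunks; value whitespace is dropped below
    parts = (p.partition("=") for p in txt.split(";") if p.strip())
    tags = {k.strip(): "".join(v.split()) for k, _, v in parts}
    problems = []
    if "v" in tags and (tags["v"] != "DKIM1" or next(iter(tags)) != "v"):
        problems.append("v= must be DKIM1 and the first tag")
    if not tags.get("p"):
        return problems + ["p= missing or empty (an empty p= revokes the key)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return problems + ["p= is not a base64 RSA key (only k=rsa is handled)"]
    if bits < 1024:
        problems.append(f"{bits}-bit key is below the 1024-bit minimum")
    elif bits < 2048:
        problems.append(f"{bits}-bit key: 2048 bits or more is recommended")
    return problems

def constructed_key(bits):
    """Constructed sample p= value: real DER layout, dummy modulus."""
    def der(tag, body):
        raw = len(body).to_bytes(2, "big").lstrip(b"\0")
        head = raw if len(body) < 128 else bytes([0x80 | len(raw)]) + raw
        return bytes([tag]) + head + body
    modulus = b"\0" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, RSA_ALG) + der(0x03, b"\0" + key))
    return base64.b64encode(spki).decode()
```

To check a live record, pass the TXT value returned for the selector and domain shown in the Central guide to `check_dkim_record`.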

Customisable email address for Phish Threat training
Sophos Central Phish Threat is designed to raise employees’ awareness of phishing emails. Until now, the automated training and registration emails did not always look trustworthy when they came from “Sophos training@staysafe.sophos.com”. More than a few people probably wondered whether they should really click the link. 😅
Sophos has responded and now allows you to configure your own domain for caught‑you emails, reminder emails and registration emails that are sent to end users.
To do this, go to the Phish Threat “Settings” and open the “Training enrolment and reminder emails” section. There you can enable and verify a custom email address. In our tests, both the verification email and the subsequent test email initially landed in the spam folder. 🙄 The configuration applies per Central account and cannot be set differently for individual campaigns.

