Understand and operate Sophos Firewall Zero-Day Protection
Sophos Firewall Zero-Day Protection analyzes suspicious downloads and email attachments via SophosLabs Intelix. The firewall sends eligible, potentially risky files to the cloud service, where machine learning, reputation lookups, sandbox analysis and threat research work together. The goal is not only to block known malware but also to classify new or unusual files more reliably.
Important for admins: Zero-Day Protection is not a replacement for clean firewall rules, web protection, mail protection, TLS Inspection, logging or endpoint protection. It is an additional protection and analysis module. It is particularly helpful when files enter the network via web downloads or email attachments and classic signatures do not yet give a clear verdict.
Which protection item fits?
Zero-Day Protection primarily answers the question of how suspicious files are analyzed. Depending on the problem, web access, mail flow, network attacks, encrypted traffic or log evaluation may be the better place to start:
- Check suspicious downloads or email attachments with Intelix: This article.
- Configure Web Categories, URL Groups, SafeSearch or Download Rules: Sophos Firewall Set up web protection with web policies.
- Make HTTPS traffic visible and plan exceptions cleanly: Deploy Sophos Firewall TLS Inspection correctly.
- Distribute CA certificate for HTTPS scanning to clients: Sophos Firewall Install CA certificate for HTTPS scanning.
- Check email traffic in MTA mode and operate mail protection: Sophos Firewall Set up mail protection in MTA mode.
- Block exploits and attack patterns in network traffic: Sophos Firewall Set up IPS and test it safely.
- Handle malicious IPs, domains or URLs via IoC lists: Sophos Firewall Set up threat feeds and operate them securely.
- Place NDR, Active Threat Response, XDR, MDR or SIEM evaluation in context: Sophos Firewall Operate NDR and Active Threat Response.
- Track unexpected drops or blocks: Sophos Firewall Analyze dropped packets.
This separation prevents false expectations: Zero-Day Protection evaluates files, but it does not replace a web policy, IPS, mail relay planning or central log evaluation. The best protection only results when the file, web, mail, network and logging layers fit together.
Where Zero-Day Protection helps in practice
Zero-Day Protection is particularly relevant in these scenarios:
- Users download executable files, archives or documents from the Internet.
- Email attachments should be checked more closely before delivery or release.
- A file is not yet clearly known, but seems suspicious.
- A download should not only be scanned locally, but also monitored in a sandbox.
- A security incident must be better assessed using a detailed report.
The feature fits well into a tiered security model: firewall rules limit the allowed traffic, TLS Inspection makes encrypted web traffic auditable, Web Protection and Mail Protection assess content, and Zero-Day Protection complements these controls with cloud analysis and sandbox reports.
Requirements and limits
Zero-Day Protection only works usefully if the relevant protection modules and policies are active. A plain Allow rule without security profiles does not provide the same protection. Depending on the use case, you must therefore deliberately plan web protection, mail protection, malware scanning, SSL/TLS Inspection and logging.
Important limits in operation:
- The firewall does not send every file type to Intelix, but primarily risky file types.
- Many non-hazardous file types, for example typical image formats, are not sent for detonation.
- Exceptions can exclude files from the analysis and thus reduce the protective effect.
- Cloud analysis requires connectivity to Sophos services and can delay downloads.
- Releasing a file before analysis is complete may expose users to malicious content.
- Zero-Day Protection does not replace endpoint detection and response, MDR or a proper incident response process.
If the firewall sees little because HTTPS is not decrypted or rules run without security profiles, Zero-Day Protection is correspondingly limited. The article Sophos Firewall Logs: Which function writes to which log? helps with assigning logs to modules.
Where Zero-Day Protection takes effect
Zero-Day Protection should not be viewed in isolation. The function only becomes relevant if a file actually runs through a suitable protection path.
Typical paths:
- Web download: The matching firewall rule, web protection, malware scanning and, for HTTPS, usually TLS Inspection must be in place first. Check the web log, the SSL/TLS inspection log and the Downloads and attachments view.
- Email attachment: The mail flow must pass through mail protection with a suitable attachment policy and malware check. Check the mail logs, the quarantine and the Downloads and attachments view.
- Release or error status: The report is not yet complete or the analysis failed. The release process, user context, hash and the other logs then matter.
- No visibility: Traffic does not pass through the protection path or the file type is not eligible. First check the firewall rule, policy, TLS, mail flow and file type.
For web downloads, the first question is whether the correct web policy is active in the firewall rule. For email attachments, the mail flow must actually pass through Mail Protection in MTA mode or a comparably inspected path. If traffic is merely permitted by a plain allow rule, you should not expect a complete file analysis from Zero-Day Protection.
Analysis flow
1. Detection on the firewall
A file passes through the firewall as a download or as an email attachment. If policy, file type and context match, the file is flagged for Zero-Day Protection. Known, clearly classified files may already have been handled by other protection modules.
2. Handover to SophosLabs Intelix
Eligible files are sent to the SophosLabs Intelix service over an encrypted connection. There the file is not only checked against known patterns but evaluated at several levels of analysis.
3. Machine learning and reputation
SophosLabs Intelix evaluates characteristics, structure, global reputation and similarity to known good or malicious files. This is particularly helpful for new files that have not yet been widely seen.
4. Sandbox analysis
Sandbox analysis examines the file in an isolated environment. The evaluation combines dynamic and static analysis, deep learning, exploit detection, CryptoGuard and monitoring of file, memory, registry and network activity. For admins, the marketing term matters less than the question: what did the file actually try to do?
5. Decision and report
The result is a verdict, for example clean, likely clean, suspicious, malicious or PUA. Depending on the result, the file is released, blocked, or remains visible with an error or pending analysis state. The report helps justify a release, a block or further incident response steps.
Read reports correctly
The overview can be found in Sophos Firewall under Monitor & analyze > Zero-day protection > Downloads and attachments. There you can see activity data on suspicious downloads and email attachments, the analysis status, report details and sharing options.
A report can contain, among others, these areas:
- Download details: Source, timing and affected user.
- Analysis summary: Overall evaluation of the file.
- Machine learning analysis: Features, structure and ML evaluation.
- Reputation analysis: Assessment based on global distribution.
- Detonation results: Behavior of the file during sandbox execution.
- Full file analysis: Signatures, certificates, resources, imports and exports.
- VirusTotal report: additional external detection situation.
For a suspicious file, do not look only at the final status. Source, user, file name, target URL, process behavior, network activity and whether other systems have seen the same download are also relevant. If it turns into an incident, the report should be correlated with endpoint, mail, web and firewall logs.
Process for suspicious reports
A Zero-Day Protection hit should be treated like a small security case, not like a plain web filter block.
Practical process:
- Open report and record status, file name, source, user, time and rating.
- Check whether it was a web download, an email attachment or another path.
- Compare web, mail and firewall logs for the same time period.
- If present, check endpoint or EDR events for the affected client.
- Document file hash, sender, URL or domain.
- Decide whether it is a false positive, a blocked attack, an unresolved suspicion or an incident.
- Only consider a release if there is an understandable business reason.
- Document the decision and, if necessary, derive a URL group, mail policy rule, threat feed entry or endpoint measure.
When multiple users see the same file or domain, a single decision is often not enough. You should then check whether a web policy adjustment, a mail policy rule, a threat feed entry or an incident response is necessary.
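The triage steps above can be scripted so that the report fields, the "same time period" log comparison and the decision are reproducible. The following is an added example, not Sophos code: it does not use Sophos Firewall log formats, and the record layouts, field names, placeholder hashes, domains and all sample entries are constructed for illustration. The decision logic returns "incident", "blocked attack", "unresolved suspicion" or a clean result; it deliberately never returns "false positive", because that decision needs business context the logs do not carry.

```python
# Added example for the triage process above. This is not Sophos code and
# does not use Sophos Firewall log formats: the record layouts, field names and
# every sample entry below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta

RISKY_VERDICTS = {"suspicious", "malicious", "pua"}


@dataclass(frozen=True)
class Event:
    """One line from a web, mail or endpoint log, reduced to the fields triage needs."""
    source: str       # "web", "mail" or "endpoint"
    ts: datetime
    subject: str      # user (web), recipient (mail) or host name (endpoint)
    sha256: str       # hash of the file the event refers to
    action: str       # "allowed", "blocked", "quarantined" or "executed"
    detail: str = ""  # URL, sender address or process name


@dataclass(frozen=True)
class ZdpReport:
    """The fields recorded from a Downloads and attachments entry (step 1 of the list)."""
    ts: datetime
    user: str
    filename: str
    sha256: str
    path: str         # "web" or "mail"
    status: str       # "complete", "pending" or "error"
    verdict: str      # "clean", "likely_clean", "suspicious", "malicious", "pua" or ""


def correlate(report, events, window=timedelta(minutes=15)):
    """Every event with the same hash, plus everything the same user did within
    +/- window of the report time (the 'same time period' comparison)."""
    lo, hi = report.ts - window, report.ts + window
    hits = [e for e in events
            if e.sha256 == report.sha256
            or (e.subject == report.user and lo <= e.ts <= hi)]
    return sorted(hits, key=lambda e: e.ts)


def disposition(report, matched):
    """Map status, verdict and evidence onto the outcomes of the decision step.
    'False positive' is never returned by code: that needs business context."""
    if report.status != "complete":
        return "unresolved suspicion (analysis pending or failed)"
    if report.verdict not in RISKY_VERDICTS:
        return "clean verdict (confirm no contradicting endpoint or mail evidence)"
    same_hash = [e for e in matched if e.sha256 == report.sha256]
    if any(e.source == "endpoint" and e.action == "executed" for e in same_hash):
        return "incident (file executed on an endpoint)"
    if any(e.source in ("web", "mail") and e.action == "allowed" for e in same_hash):
        return "unresolved suspicion (file delivered, no execution seen yet)"
    return "blocked attack"


def triage(report, events, window=timedelta(minutes=15)):
    matched = correlate(report, events, window)
    same_hash = [e for e in matched if e.sha256 == report.sha256]
    users = {e.subject for e in same_hash if e.source != "endpoint"} | {report.user}
    iocs = {report.sha256} | {e.detail for e in same_hash if e.source != "endpoint" and e.detail}
    return {
        "disposition": disposition(report, matched),
        "affected_users": sorted(users),
        "widespread": len(users) > 1,   # same file seen by more than one user: a policy question
        "iocs": sorted(iocs),           # hash, URLs and senders to document and feed back
        "evidence": matched,
    }


# Constructed sample: one report and a handful of log entries around it.
# "abc123" and the other hashes are placeholders, not real SHA-256 values.
T = datetime(2024, 5, 6, 10, 4)
SAMPLE_REPORT = ZdpReport(T, "alice", "invoice.zip", "abc123", "web", "complete", "malicious")
SAMPLE_EVENTS = [
    Event("mail", T - timedelta(minutes=14), "carol", "abc123", "quarantined", "billing@example.invalid"),
    Event("web", T - timedelta(minutes=1), "alice", "abc123", "allowed", "https://example.invalid/invoice.zip"),
    Event("endpoint", T + timedelta(minutes=2), "ws-alice", "abc123", "executed", "7z.exe"),
    Event("web", T + timedelta(minutes=6), "alice", "ffff00", "allowed", "https://intranet.example.invalid/report.pdf"),
    Event("web", T + timedelta(minutes=16), "bob", "abc123", "allowed", "https://example.invalid/invoice.zip"),
    Event("web", T - timedelta(hours=3), "dave", "123456", "allowed", "https://other.example.invalid/x.zip"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, SAMPLE_EVENTS)
    print(result["disposition"], result["affected_users"], result["widespread"])
    for e in result["evidence"]:
        print(e.ts.isoformat(), e.source, e.subject, e.action, e.detail)
```

In the constructed sample the report is malicious, the same hash was quarantined in mail for one user, downloaded by two others, and executed on one host, so the result is an incident flagged as widespread, with the hash, URL and sender collected as IoCs for the URL group, mail policy or threat feed step. Matching by hash across the whole log and by user only inside the time window is the design choice worth keeping: the user window shows what else happened around the download, while the hash match finds other victims outside that window.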
Release files
Sophos Firewall allows a release only for files or email messages that are still being analyzed or have returned with an error status. Such a release may be necessary when a business process is blocked, but it is unsuitable as a routine workaround.
Before releasing, you should at least check:
- Is the source trustworthy and expected?
- Was the user or department consulted about the context?
- Is there a hash, file name or sender that can be additionally checked?
- Are there endpoint or mail logs for the same process?
- Can the file be examined in an isolated environment or via a separate analysis tool?
- Is it documented who decided to release it and for what reason?
⚠️ Releasing before analysis is complete may result in malicious content being downloaded or delivered. In production environments, this decision should be documented and not delegated to first-level routine.
For individual files, the Avanet blog post SophosLabs Intelix - The cyber threat detection tool can help. It does not, however, replace evaluation in the specific network and user context.
Data center and data protection
You can specify the data center for the analysis under Monitor & analyze > Zero-day protection > Protection settings. By default, Sophos Firewall chooses the nearest data center. Alternatively, you can select a data center deliberately.
This setting matters especially when data protection, data residency or internal regulations play a role. Changing the data center may affect analyses in progress. The setting should therefore not be changed during an acute analysis case but be planned and documented.
Use exceptions carefully
In the protection settings you can exclude file types from the Zero-Day Protection analysis. File type detection is based on the file extension and the MIME header. Archives containing excluded file types can also be excluded.
Exceptions are technically convenient but security-relevant. Each exception should have a clear justification:
- Which application or process creates the files?
- Why is the analysis disturbing or not useful?
- Is there a narrower exception than an entire file type?
- Is the exception checked regularly?
- Is it known what protective effect is lost as a result?
Broad exceptions for archives, scripts, Office files or executables should be avoided. When Zero-Day Protection disrupts a legitimate process, the first step is usually to check the policy, source path, affected user base or an alternative deployment method.
Check approvals and exceptions regularly
Zero-Day Protection is not a switch-on-and-forget feature. Its operational value comes from reviewing reports, releases and exceptions regularly. Otherwise risky decisions stay active for a long time even though the original business reason disappeared long ago.
These points are particularly helpful for the review:
- Released file: Check the reason for the release, affected user or department, hash, file source, expiry date and later evaluation.
- File type exception: Check affected application, owner, review date, closer alternative and risk for archives, scripts or Office files.
- Recurring error status: Check Sophos connectivity, file size, file type, policy, data center and possible support case.
- Many hits from one source: Check web or mail policy, URL, sender, user group, threat feed, URL group or blocklist.
An exception is not a normal firewall rule cleanup item. Such entries should have an owner, a reason and a review date. For recurring releases, also compare endpoint, mail, web and firewall logs so that a single exception does not silently turn into a permanent bypass.
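The owner, reason and review date rule for releases and exceptions, and the recurring release check, can be applied mechanically to a small register. The following is an added example, not Sophos code: Sophos Firewall does not export such a register, so the entries are a constructed inventory that an admin keeps alongside the firewall configuration, and the placeholder hashes, domains and sender addresses are made up.

```python
# Added example for the review points above. This is not Sophos code and Sophos
# Firewall does not export such a register; the entries are a constructed
# inventory that an admin keeps alongside the firewall configuration.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# File type classes named above as too broad for an exception.
BROAD_TYPES = {"archive", "script", "office", "executable"}


@dataclass(frozen=True)
class RegisterEntry:
    kind: str                        # "release" or "exception"
    scope: str                       # SHA-256 for a release, file type class for an exception
    source: str = ""                 # download domain or mail sender the entry was created for
    owner: str = ""
    reason: str = ""
    review_date: Optional[date] = None


def is_sha256(s):
    return len(s) == 64 and all(c in "0123456789abcdef" for c in s.lower())


def review(entries, today, recurring_threshold=3):
    """Return (scope, finding) pairs for entries that no longer meet the
    owner / reason / review date rule or that widen the bypass too far."""
    findings = []
    for e in entries:
        if not e.owner:
            findings.append((e.scope, "no owner"))
        if not e.reason:
            findings.append((e.scope, "no documented reason"))
        if e.review_date is None:
            findings.append((e.scope, "no review date"))
        elif e.review_date < today:
            findings.append((e.scope, f"review overdue since {e.review_date.isoformat()}"))
        if e.kind == "exception" and e.scope in BROAD_TYPES:
            findings.append((e.scope, "broad file type exception, prefer a narrower scope"))
        if e.kind == "release" and not is_sha256(e.scope):
            findings.append((e.scope, "release not tied to a SHA-256 hash"))
    # Several releases for the same source point to a policy question, not a one-off.
    per_source = Counter(e.source for e in entries if e.kind == "release" and e.source)
    for src, n in per_source.items():
        if n >= recurring_threshold:
            findings.append((src, f"{n} releases from one source, decide on a policy instead"))
    return findings


# Constructed register; the hashes are placeholders, not real file hashes.
HASH_A, HASH_B, HASH_C = "a" * 64, "b" * 64, "c" * 64
SAMPLE_REGISTER = [
    RegisterEntry("release", HASH_A, "vendor.example.invalid", "it-ops", "installer, ticket 4711", date(2024, 6, 30)),
    RegisterEntry("release", HASH_B, "vendor.example.invalid", "it-ops", "installer update", date(2024, 9, 30)),
    RegisterEntry("release", HASH_C, "vendor.example.invalid", "it-ops", "installer update", date(2024, 9, 30)),
    RegisterEntry("release", "invoice.zip", "billing@example.invalid", "", "urgent", None),
    RegisterEntry("exception", "archive", "", "backup-team", "nightly backup archives", date(2024, 12, 31)),
    RegisterEntry("exception", "dwg", "cad.example.invalid", "engineering", "CAD drawings, no useful analysis", date(2024, 12, 31)),
]
TODAY = date(2024, 8, 1)

if __name__ == "__main__":
    for scope, finding in review(SAMPLE_REGISTER, TODAY):
        print(f"{scope[:20]:20} {finding}")
```

Run against the constructed register on the assumed review date, the script flags the overdue vendor release, the "urgent" release that has no owner, no review date and no hash, the blanket archive exception, and the fact that three releases already exist for the same vendor source. The narrow dwg exception with an owner and review date produces no finding, which is the shape an exception should have.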
Troubleshooting
No entries visible
If no entries appear under Downloads and attachments, first check whether the traffic actually passes through the appropriate firewall rule and security profile. For HTTPS traffic, missing TLS Inspection can explain why the firewall sees less content. Then check the web, mail, malware and zero-day settings.
Downloads take too long
A sandbox analysis can take time. If users regularly wait for long periods, check whether many large or frequently changing files are being analyzed, whether the affected processes are legitimate and whether a narrow technical exception is justifiable. Blanket deactivation is usually the wrong first step.
Lots of false positives
For recurring false positives, check the report details, file source, hashes, reputation, affected users and application. Only set exceptions once the pattern is understood. For dynamic block lists and IoC handling, Sophos Firewall Set up threat feeds and operate them securely is a related topic.
Release has been requested
A release should be treated as a security decision. If the department only reports "urgent", that is not enough. You need source, purpose, file, user, risk assessment and a documented decision.
Operational checklist
- Zero-Day Protection License and module status checked.
- Web and mail policies checked for malware scanning and security profiles.
- TLS Inspection planned where web downloads should be checked sensibly.
- Data center deliberately chosen for analysis or documented as standard.
- No broad file type exceptions without owner and review date.
- Downloads and attachments view checked regularly.
- Release process defined for files still under analysis or in error status.
- Reports correlated with endpoint, mail, web and firewall logs.
- Syslog, Central Reporting or SIEM taken into account for longer traceability.