
Sophos Firewall – How does Zero-Day Protection work?

Zero-Day Protection is a security module for the Sophos Firewall designed to protect against previously unknown threats. This module uses advanced sandboxing technologies to execute and analyze suspicious files in a secure, isolated environment. This allows threats to be detected and blocked before they can cause any damage. Zero-Day Protection provides an additional layer of protection and is particularly valuable at a time when new and previously unknown vulnerabilities are quickly exploited.

In this article, we explain how Zero-Day Protection works, which file formats are supported and which steps are taken to detect and neutralize a potential threat.

1. Detection and forwarding

When a file enters your network, whether through a download or as an email attachment, Sophos Firewall automatically recognizes this file. It does not matter whether it is a known or unknown file. As soon as the file is recognized, the firewall forwards it to SophosLabs Intelix, Sophos’s cloud service, for further analysis.

Requirements

Licensing: Web Protection or Email Protection must be licensed on the Sophos Firewall, as these modules are required to analyze the file.

File size: The file must be smaller than 10 MB to be processed by Zero-Day Protection.

Supported file formats: Only certain file formats are supported by Zero-Day Protection. These cover executables, documents, archives and scripts; the full list is:

  • 7-Zip archive
  • ACE archive
  • ARJ archive
  • BZIP2 compressed
  • GZIP compressed
  • ISO 9660 CD-ROM image
  • LHA 1.x & 2.x archive
  • Microsoft Cabinet archive
  • TAR archive
  • POSIX TAR archive
  • RAR archive
  • XZ compressed
  • ZIP archive
  • Java (JAR files)
  • Office documents (OLE & Open XML formats, e.g. .docx, .xlsx)
  • PDF documents
  • PE executables (32-bit & 64-bit, EXE & DLL)
  • RTF documents
  • Scripts: JavaScript (JS/JSE/WSF) and Visual Basic Script (VBS/VBE)
  • Windows batch files (BAT)
  • Windows shortcuts (LNK & URL files)

More information can be found in the Sophos KB article on Zero-Day Protection and the Sophos Zero-Day Protection FAQ.

As soon as these requirements are met, the file is sent to SophosLabs Intelix for further analysis.
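As an added example (not Sophos code), the following Python pre-check applies the two requirements above, the 10 MB limit and the supported-format list, to a file's leading bytes. It assumes that formats are identified from their standard magic bytes and that text-based scripts, which have no magic number, are matched by extension; how Sophos Firewall itself identifies file types is not stated on this page.

```python
import os
from typing import Optional

MAX_SIZE = 10 * 1024 * 1024  # 10 MB limit from the requirements above

# (offset, magic bytes, format): standard signatures for the listed binary formats.
# Using magic bytes is this example's assumption, not Sophos's documented method.
SIGNATURES = [
    (0, b"MZ", "PE executable (EXE/DLL)"),
    (0, b"%PDF", "PDF document"),
    (0, b"PK\x03\x04", "ZIP archive (also JAR and Open XML Office)"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE Office document"),
    (0, b"Rar!\x1a\x07", "RAR archive"),
    (0, b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (0, b"\x1f\x8b", "GZIP compressed"),
    (0, b"BZh", "BZIP2 compressed"),
    (0, b"\xfd7zXZ\x00", "XZ compressed"),
    (0, b"MSCF", "Microsoft Cabinet archive"),
    (0, b"{\\rtf", "RTF document"),
    (0, b"\x60\xea", "ARJ archive"),
    (0, b"L\x00\x00\x00\x01\x14\x02\x00", "Windows shortcut (LNK)"),
    (2, b"-lh", "LHA archive"),
    (7, b"**ACE**", "ACE archive"),
    (257, b"ustar", "TAR archive"),
    (0x8001, b"CD001", "ISO 9660 image"),
]
# Text-based script types carry no magic number, so they are matched by extension.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".bat", ".url"}
HEADER_LEN = 0x8001 + 5  # enough bytes to reach the deepest signature (ISO 9660)


def identify_format(header: bytes, filename: str = "") -> Optional[str]:
    """Return the matched format name, or None if the file is not a listed type."""
    for offset, magic, name in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name
    ext = os.path.splitext(filename)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        return f"script ({ext})"
    return None


def check_eligibility(header: bytes, size: int, filename: str = "") -> tuple:
    """Return (eligible, reason) for a file's leading bytes, total size and name."""
    if size >= MAX_SIZE:  # the page requires the file to be smaller than 10 MB
        return False, f"too large: {size} bytes (limit {MAX_SIZE})"
    fmt = identify_format(header, filename)
    if fmt is None:
        return False, "not a supported format"
    return True, fmt
```

For a file on disk, pass its first HEADER_LEN bytes, os.path.getsize(path) and the path; a renamed executable is still reported as PE because the check reads content, not the extension.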

2. Analysis by SophosLabs Intelix

Once a file is recognized by the Sophos Firewall as suitable for analysis, it is uploaded to the Sophos Cloud, where the analysis process begins. SophosLabs Intelix uses machine learning, sandboxing and threat research to analyze the file for potential risks. The file is run in an isolated environment that simulates different operating systems to ensure it is tested under realistic conditions without putting your system at risk.

Available data centers:

  • Asia-Pacific (Sydney, Tokyo)
  • Europe (Frankfurt, London)
  • United States

If no specific region is selected, the system will use the nearest data center based on latency.

3. Sandbox analysis

The first analysis tool that is used is machine learning. SophosLabs Intelix uses several models to evaluate the properties and global reputation of the file. The file is compared with millions of known safe and malicious files to determine its potential maliciousness.

After this evaluation, the file undergoes a sandbox analysis that uses both dynamic and static techniques. File access, memory and registry manipulation and network activities are monitored. In addition, deep learning is used for exploit detection and CryptoGuard is used to identify ransomware behavior. This step protects the network from zero-day threats such as ransomware and targeted attacks.

While running in the sandbox, Sophos continuously monitors various parameters to detect potentially malicious behavior. These include:

  • Unexpected network activities
  • Manipulation of the operating system
  • Attempts to access sensitive data
  • Self-replication or other typical viral behaviors

This thorough analysis process can take several minutes, which is why the download may be delayed by up to 15 minutes until the analysis is complete.

In addition to the technical analysis of the file, SophosLabs Intelix performs a reputation analysis. This analysis evaluates how widespread the file is and how it has been treated by other security solutions in the past. This helps to better assess the risk.

Block or unblock: Based on the results of the sandboxing analysis, the file is either unblocked or blocked. If the file is classified as safe, the user can download it immediately. Otherwise, it is blocked and the administrator is informed of the threat.

4. Preparation of a report

Once the analysis has been completed, a detailed report is produced summarizing the results of the various analysis steps. This report contains information such as:

  • Download details: Origin of the file, time of download and the users who downloaded the file.
  • Summary of the analysis: An overview of the overall result of the Zero-Day Protection analysis, the classification of the file (e.g. clean, suspicious, malicious) and a brief description of the threats detected.
  • Results of the machine learning analysis: Details on the analysis of file properties, structure and combinations of features.
  • Zero-Day Protection detonation results: Information about the activities that the file performs, including screenshots and details of the processes and registry activity used.
  • Complete file analysis: Comprehensive file details, including signatures, certificates used, resources accessed and import/export functions.
  • VirusTotal report: Number of entries in the VirusTotal database and how many malware detection products identify the file as a threat.

Administrators can view the detailed reports of the Zero-Day Protection analysis at any time to better understand the risk. It is also possible to release files or email messages that are still being analyzed or for which an error has occurred. However, caution is advised here, as releasing a file before the analysis has been completed carries the risk of downloading malicious content.

Test individual files

The blog post SophosLabs Intelix – The tool for detecting cyber threats explains how you can also check individual files with the online Sophos Intelix tool.

FAQ

What is Sophos Zero-Day Protection?

Sophos Zero-Day Protection is a security module for Sophos Firewall designed to detect and block new, previously unknown threats.
It uses advanced technologies such as machine learning, sandboxing and threat research to analyze and evaluate suspicious files and email attachments.

How does Zero-Day Protection work?

As soon as a suspicious file or email attachment enters the network, it is sent to SophosLabs Intelix™ for analysis.
There, the file undergoes a multi-stage analysis that includes machine learning and sandboxing.
The system examines the file for suspicious behavior and blocks it if it is classified as dangerous.

What types of files are analyzed by Zero-Day Protection?

Zero-Day Protection mainly analyzes executable files, scripts, documents and archives. This includes formats such as .exe, .dll, .pdf, .docx, .xlsx, .zip, .rar and many more. Only files smaller than 10 MB are analyzed.

How are suspicious files analyzed?

The analysis takes place in several steps: First, the file is scanned by the antivirus engine.
If the file does not contain any known threats but still appears suspicious, it is sent to a sandbox for further analysis, where it is executed in an isolated environment and monitored for malicious behavior.

How long does the analysis by Zero-Day Protection take?

The analysis usually takes around five minutes, but can take up to ten minutes depending on the file size and complexity of the analysis.
For files that have already been analyzed, the analysis time can be less than one second due to caching.

Will my data be processed securely?

All files sent to SophosLabs Intelix™ for analysis are transmitted over an encrypted SSL connection and stored on the servers in asymmetrically encrypted form.
The files are only decrypted and processed for the duration of the analysis.

In which data centers are my files analyzed?

You can select the data center where your files are analyzed.
Available regions include Asia-Pacific (Sydney, Tokyo), Europe (Frankfurt, London) and the United States.
If you do not select a specific region, the system will use the closest data center based on latency.

What protective measures does Zero-Day Protection offer against ransomware?

Zero-Day Protection includes ransomware detection capabilities, including dynamic analysis that monitors suspicious behavior such as file encryption in real time.
The system also uses CryptoGuard to detect and stop ransomware attacks.

Is it possible to see which files have been analyzed by Zero-Day Protection?

Yes, there is a special overview in Sophos Firewall that shows all files and email attachments that have been analyzed by Zero-Day Protection.
Here you can view reports that contain details of the analysis and the corresponding security ratings.