Sophos Zero-Day Protection FAQ<\/a><\/p>\n\n<\/div><\/div>\n<\/div>\n<\/div>\nAs soon as these requirements are met, the file is sent to SophosLabs Intelix for further analysis.<\/p>\n\n
2. analysis by SophosLabs Intelix<\/h2>\n\n
Once a file is recognized by the Sophos Firewall as suitable for analysis, it is uploaded to the Sophos Cloud, where the analysis process begins.\nSophosLabs Intelix uses machine learning, sandboxing and threat research to analyze the file for potential risks.\nThe file is run in an isolated environment that simulates different operating systems to ensure it is tested under realistic conditions without putting your system at risk. <\/p>\n\n
Available data centers:<\/strong><\/p>\n\n\n- Asia-Pacific (Sydney, Tokyo)<\/li>\n\n\n\n
- Europe (Frankfurt, London)<\/li>\n\n\n\n
- United States<\/li>\n<\/ul>\n\n
If no specific region is selected, the system will use the nearest data center based on latency.<\/p>\n\n
3. sandbox analysis<\/h2>\n\n
The first analysis tool that is used is machine learning.\nSophosLabs Intelix uses several models to evaluate the properties and global reputation of the file.\nThe file is compared with millions of known safe and malicious files to determine its potential maliciousness. <\/p>\n\n
After this evaluation, the file undergoes a sandbox analysis that uses both dynamic and static techniques.\nFile access, memory and registry manipulation and network activities are monitored.\nIn addition, deep learning is used for exploit detection and CryptoGuard is used to identify ransomware behavior.\nThis step protects the network from zero-day threats such as ransomware and targeted attacks. <\/p>\n\n
While running in the sandbox, Sophos continuously monitors various parameters to detect potentially malicious behavior.\nThese include: <\/p>\n\n
\n- Unexpected network activities<\/li>\n\n\n\n
- Manipulation of the operating system<\/li>\n\n\n\n
- Attempts to access sensitive data<\/li>\n\n\n\n
- Self-replication or other typical viral behaviors<\/li>\n<\/ul>\n\n
This thorough analysis process can take several minutes, which is why the download may be delayed by up to 15 minutes<\/strong> until the analysis is complete.<\/p>\n\nIn addition to the technical analysis of the file, SophosLabs Intelix performs a reputation analysis.\nThis analysis evaluates how widespread the file is and how it has been treated by other security solutions in the past.\nThis helps to better assess the risk. <\/p>\n\n
Block or unblock:<\/strong> Based on the results of the sandboxing analysis, the file is either unblocked or blocked.\nIf the file is classified as safe, the user can download it immediately.\nOtherwise, it is blocked and the administrator is informed of the threat. <\/p>\n\n4. preparation of a report<\/h2>\n\n
Once the analysis has been completed, a detailed report is produced summarizing the results of the various analysis steps.\nThis report contains information such as <\/p>\n\n
\n- Download details:<\/strong> Origin of the file, time of download and the users who downloaded the file.<\/li>\n\n\n\n
- Summary of the analysis:<\/strong> An overview of the overall result of the Zero-Day Protection analysis, the classification of the file (e.g. clean, suspicious, malicious) and a brief description of the threats detected.<\/li>\n\n\n\n
- Results of the machine learning analysis:<\/strong> Details on the analysis of file properties, structure and combinations of features.<\/li>\n\n\n\n
- Zero-Day Protection detonation results:<\/strong> Information about the activities that the file performs, including screenshots and details of the processes and registry activity used.<\/li>\n\n\n\n
- Complete file analysis:<\/strong> Comprehensive file details, including signatures, certificates used, resources accessed and import\/export functions.<\/li>\n\n\n\n
- VirusTotal report:<\/strong> Number of entries in the VirusTotal database and how many malware detection products identify the file as a threat.<\/li>\n<\/ul>\n\n
Administrators can view the detailed reports of the Zero-Day Protection analysis at any time to better understand the risk.\nIt is also possible to release files or email messages that are still being analyzed or where an error has occurred.\nHowever, caution is advised here, as sharing before the analysis has been completed carries the risk of downloading malicious content. <\/p>\n\n
Test individual files<\/h2>\n\n
In the blog post SophosLabs Intelix – The tool for detecting cyber threats<\/a>, it is explained how you can also check individual files with the online tool Sophos Intelix<\/a>.<\/p>\n\nFAQ<\/h2>\n\n
\n
\n
What is Sophos Zero-Day Protection?<\/strong><\/h3>\n\n\n
Sophos Zero-Day Protection is a security module for Sophos Firewall designed to detect and block new, previously unknown threats.
\nIt uses advanced technologies such as machine learning, sandboxing and threat research to analyze and evaluate suspicious files and email attachments. <\/p>\n\n<\/div>\n<\/div>\n
\n
How does Zero-Day Protection work?<\/strong><\/h3>\n\n\n
As soon as a suspicious file or email attachment enters the network, it is sent to SophosLabs Intelix\u2122 for analysis.
\nThere, the file undergoes a multi-stage analysis that includes machine learning and sandboxing.
\nThe system examines the file for suspicious behavior and blocks it if it is classified as dangerous. <\/p>\n\n<\/div>\n<\/div>\n
\n
What types of files are analyzed by Zero-Day Protection?<\/strong><\/h3>\n\n\n
Zero-Day Protection mainly analyzes executable files, scripts, documents and archives. This includes formats such as .exe, .dll, .pdf, .docx, .xlsx, .zip, .rar and many more. Only files smaller than 10 MB are analyzed.<\/p>\n\n<\/div>\n<\/div>\n
\n
How are suspicious files analyzed?<\/strong><\/h3>\n\n\n
The analysis takes place in several steps: First, the file is scanned by the antivirus engine.
\nIf the file does not contain any known threats but still appears suspicious, it is sent to a sandbox for further analysis, where it is executed in an isolated environment and monitored for malicious behavior. <\/p>\n\n<\/div>\n<\/div>\n
\n
How long does the analysis by Zero-Day Protection take?<\/strong><\/h3>\n\n\n
The analysis usually takes around five minutes, but can take up to ten minutes depending on the file size and complexity of the analysis.
\nFor files that have already been analyzed, the analysis time can be less than one second due to caching. <\/p>\n\n<\/div>\n<\/div>\n
\n
Will my data be processed securely?<\/strong><\/h3>\n\n\n
All files sent to SophosLabs Intelix\u2122 for analysis are transmitted via an encrypted SSL connection and stored asymmetrically encrypted on the servers.
\nThe files are only decrypted and processed for the duration of the analysis. <\/p>\n\n<\/div>\n<\/div>\n
\n
In which data centers are my files analyzed?<\/strong><\/h3>\n\n\n
You can select the data center where your files are analyzed.
\nAvailable regions include Asia-Pacific (Sydney, Tokyo), Europe (Frankfurt, London) and the United States.
\nIf you do not select a specific region, the system will use the closest data center based on latency. <\/p>\n\n<\/div>\n<\/div>\n
\n
What protective measures does Zero-Day Protection offer against ransomware?<\/strong><\/h3>\n\n\n
Zero-Day Protection includes ransomware detection capabilities, including dynamic analysis that monitors suspicious behavior such as file encryption in real time.
\nThe system also uses CryptoGuard to detect and stop ransomware attacks. <\/p>\n\n<\/div>\n<\/div>\n
\n
Is it possible to see which files have been analyzed by Zero-Day Protection?<\/strong><\/h3>\n\n\n
Yes, there is a special overview in Sophos Firewall that shows all files and email attachments that have been analyzed by Zero-Day Protection.
\nHere you can view reports that contain details of the analysis and the corresponding security ratings. <\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
<\/p>\n","protected":false},"author":5,"featured_media":0,"parent":0,"template":"","format":"standard","kb_kategorie":[382],"class_list":["post-161276","kb","type-kb","status-publish","format-standard","hentry","kb_kategorie-sophos-firewall"],"blocksy_meta":[],"acf":[],"_links":{"self":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb\/161276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/users\/5"}],"wp:attachment":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/media?parent=161276"}],"wp:term":[{"taxonomy":"kb_kategorie","embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb_kategorie?post=161276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}