Sophos X



  • Sophos Home offers clear and easy to understand subscription pricing. We offer one- and two-year pricing options, and discounts for continuing customers. Renewals are done automatically at the end of the subscription period, with clear communication via email about upcoming renewal events.
  • Sophos Intercept X is an endpoint protection tool used to detect malware and viruses in your environment. InsightIDR features a Sophos Intercept X event source that you can configure to parse alert types as Virus Alert events. Sophos Intercept X logs are supported through Sophos Central.
  • Intercept X’s endpoint security integrates with Sophos Central so you can access and manage your endpoint security wherever you are, any time. No need to spend more on infrastructure and maintain on-premises servers. Switch to an endpoint security cloud solution for smarter, faster protection.
  • Intuitive management: Intercept X is managed via Sophos Central, the cloud-based management platform for all Sophos solutions. It provides a single console for managing all devices and policies and brings together core protection with advanced functionality including EDR, Live Response remote remediation, and threat case investigation.

Sophos researchers have recently released detailed research into Gootloader, a complex malware delivery platform used in a wide range of attacks, including ransomware.

Gootloader attackers hack into legitimate websites and subtly alter the content so the website can show different content to different visitors.

The criminal operators manipulate search engine optimization (SEO) so that when someone types a question into a search engine such as Google, the hacked websites appear among the top results.

What happens next depends on the visitor’s country:

  • Users from a country that is not a target are shown benign fake web content and nothing further happens.
  • Users from a target country are shown a page featuring a fake discussion forum on the very topic they queried, using the same terms they typed into the search engine. The fake discussion forum includes a post from a “site administrator,” with a link to a download. The download is a malicious file. If targets click on it, the next stage of infection begins.

Different countries, different attacks

Gootloader is currently delivering Kronos financial malware in Germany, and a post-exploitation tool called Cobalt Strike in the US and South Korea.

The attackers have also delivered REvil ransomware and the Gootkit trojan itself as payloads. Earlier operations targeted France.

Stopping Gootloader with Sophos Intercept X

Sophos Intercept X protects users by detecting the actions and behaviors of malware like Gootloader in multiple ways.

  1. The first-stage JavaScript file is detected as AMSI/GootLdr-A.
  2. The PowerShell loader is detected as AMSI/Reflect-H or Exec_12a.

AMSI (Antimalware Scan Interface) integration is included in all Sophos endpoint and server subscriptions managed through Sophos Central, and is available for Windows 10 and Server 2016+.

The Exec_12a detection of the PowerShell loader comes from our new behavioral engine, which is included in all Sophos endpoint and server subscriptions managed through Sophos Central, with no minimum platform requirements.

Both the AMSI and Exec_12a policies are on by default and customers do not need to take any action to benefit from these protection features.

In both cases, admins will be notified of any detections via the local UI popup and the Events display in Sophos Central. In addition, both will likely generate threat cases for customers with Intercept X Advanced, and Intercept X Advanced with EDR subscriptions.

  3. Dynamic Shellcode protection identifies Gootloader in memory and automatically blocks it.

Dynamic Shellcode protection is included in all Intercept X Advanced and Intercept X Advanced with EDR subscriptions for both endpoint and server.

  4. IOCs for threat hunting and proactive blocking.

Sophos EDR customers can access Indicators of Compromise on the SophosLabs Github, including SHAs, domains and IPs that customers can use as part of their Live Discover threat hunting, or proactive blocking.

Additional best practice advice to stop Gootloader

In addition to benefiting from the protections in Intercept X, here are some additional steps you can take to avoid Gootloader:

  • Be wary of Google search results that point to websites for businesses that have no logical connection to the advice they appear to offer and/or offer advice that precisely matches the search terms used in the initial question.
  • Look out for a ‘message board’-style page that looks identical to the example in this article, featuring text and a download link that also precisely match the search terms used in the initial Google search. The fake Gootloader websites look the same regardless of whether they are in English, German or Korean.
  • Windows users can turn off the “Hide Extensions for Known File Types” view setting in Windows File Explorer, as this will allow them to see that the .zip download delivered by the attackers contains a file with a .js extension.
  • Script blockers like NoScript for Firefox could help a web surfer remain safe by preventing the initial replacement of the hacked web page.
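A defender-side triage check for the download pattern described in the list above (a .zip whose payload is a .js file, which hidden extensions can disguise as a document), written here as an added example; it is not Sophos code, and the archive contents are constructed for illustration:

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types Windows runs as scripts on double-click; the Gootloader
# pattern on this page is a .zip carrying a .js file.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}

# Extensions a user expects a document download to have. A script named
# invoice.pdf.js displays as "invoice.pdf" when known extensions are hidden.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".xls", ".xlsx"}


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per script-type entry in a zip given as bytes.

    Each finding records the entry name, why it was flagged, and the name
    a user would see with "Hide extensions for known file types" enabled.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename)
            suffixes = [s.lower() for s in name.suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTENSIONS:
                continue
            reasons = [f"script file type {suffixes[-1]}"]
            # A document extension in front of the script extension is the
            # double-extension trick that hidden extensions make invisible.
            if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                reasons.append(f"double extension masquerading as {suffixes[-2]}")
            findings.append({
                "entry": info.filename,
                "shown_as": name.stem,  # Explorer's display name with extensions hidden
                "reasons": reasons,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive shaped like the download described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "harmless text")
        archive.writestr("Home security advice.js", "// script body omitted")
        archive.writestr("contract template.pdf.js", "// script body omitted")
    return buf.getvalue()
```

Run `inspect_archive` over any downloaded archive before opening it; an entry whose visible name ends in .pdf but whose real type is .js is exactly what the File Explorer setting above would otherwise hide.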

Try Intercept X today

Visit our website for more information on Intercept X for endpoints and servers, and to start a no-obligation 30-day free trial.

For more information on Gootloader, read the detailed research report from SophosLabs.

Sophos is extending its next-generation endpoint security portfolio with the launch Thursday of Intercept X, a solution to provide added detection, protection and remediation capabilities to partners and customers on the endpoint.

The new Intercept X product, which can be sold as an add-on to existing Sophos solutions or independently, offers signature-less threat and exploit detection, CryptoGuard anti-ransomware capabilities to both block and remediate ransomware, root cause analysis to map attacks and provide recommendations for the future, and Sophos Clean to clean up spyware and malware in an environment.

While the market is seeing a rise in next-generation endpoint security solutions, Kendra Krause, vice president of global channels at Sophos, said Intercept X sets itself apart with an affordable price point and with remediation and root cause analysis capabilities in addition to prevention. Those capabilities are particularly important to mid-market customers, she said, because they don’t necessarily have the resources for independent remediation and analysis of an attack.

[Related: CRN Exclusive: Sophos CEO On One Year As Public Company And The Growing Endpoint Market]

‘[Intercept X has] protection, detection and response in a single endpoint product … That’s what makes it really appealing to our partner base. They want to be able to help more than just in selling software,’ Krause said.

Sam Heard, president of Lakeland, Fla.-based Data Integrity Services, has been involved in the product beta and said he already has a waiting list of clients ready to deploy the solution. He added that he's getting clients ready for migration as soon as it's officially rolled out. Heard said he's augmenting any type of new client or renewal with Intercept X or at least preparing the client for an add-on in the future.

Heard said clients are particularly drawn to Intercept X’s anti-ransomware capabilities. For that reason, plus free-upgrade promotions and advanced security capabilities, Heard said he has gotten almost unanimous agreement from clients for the add-on.

‘It protects my clients … If my clients are happy and my clients are stable … that’s the best tool for growth, I think. Success breeds success,’ Heard said.

The Intercept X launch also plays into a building strategy at Sophos around what the company calls ’synchronized security,’ bringing together intelligence from its endpoint and network security portfolios. The solution resides on the same agent as the Sophos endpoint security solution, so it also shares that same threat intelligence, Krause said.

‘It fits into what we’re doing around synchronized security. That’s a big driver for our partners, as well, because it fits into the full, complete, end-to-end solution that they want to be able to go out there and offer their customers,’ Krause said.

Krause said Sophos will continue to add next-generation capabilities like Intercept X into the Sophos Central integrated security platform and its synchronized security strategy. In July, the company also announced it was adding its encryption technologies into the same strategy.

Heard said the synchronized security is a big selling point with his clients, saying they ’love it.’ He said he sold deals earlier this year based solely off the synchronized security strategy, including the removal of a competitive endpoint security product before it was due to be renewed.

‘It’s a game changer that they have brought to the table,’ Heard said.

Intercept X is available as of Thursday, with a free trial available through the company’s website. Krause said a flex-pay billing option will be available for the solution by the end of the year.