Sophos Intercept X Comparison
Community Guide jhartnerd123 Community Guide
‎11-16-2016 09:13 AM

Sophos Intercept X Comparison

Hey All,

I wanna share my response to a fellow community member and Webroot Ambassador @GryozoK in a post he made in a private area about Sophos Intercept X and it competing with Webroot. This will be a long post but I'll first place his quote first and then below my actual response due to my experience in vetting out all the "Next-Gen" Antivirus/Endpoint Security products and my real world review of it. I thought this would be beneficial to all the community as it dispels some of what Sophos is actually doing with Intercept X.

Here is @GryozoK Post:

Sophos says that InteceptX:
1. is ligth-weight agent
2. no agent daily updates
3. can protect against all 24 of the cpu level exploits
4. detects mass encryption (ransomware)
5. cut off connection to the attacking host
6. remediating any encrypted documents using a local mirror image copy

All these sayings above seems to be similar to what WSA advantages used to be up until now - and actually WSA cannot do 3.,4. and 5. today.

By the way, I was thinking that journaling and rollback was a proprietary Webroot technology, wasn't it?

We still would like to win the prospetcs. Can you help us, what advantages Webroot has today over Sophos InteceptX?

And here is my reply with first hand experience in utilizing all the aspects of the Sophos products:

I've actually just finished a vetting process of Sopho's products for the last month and I can surely address these for you.

1. Is a light weight agent:

- In actual fact it's roughly 9-12 different processes that run (just for Intercept X, Endpoint+InterceptX is more) that use 8-10%CPU and upwards of 300MB+ of memory idle and upwards of 500MB when running a scan or 730MB when doing remediation. Webroot uses roughly 10MB idle and 15 ish when scanning and 0 cpu idle and 25-50% scanning, but can be adjusted through policy.

2. No daily definition updates:

- while that part is true for Intercept X ONLY (Endpoint still requires signatures), the installation literally takes upwards of 15-25 minutes while the installer takes inventory of your system and downloads all the files to begin the installation of all the services and programs required.

3. Can protect against all 24 of the cpu level exploits:

- This is mainly true. Unless they are fileless attacks in memory, they'd ultimately require files/processes to be run which can possibly be picked up by Webroot. (this is an advantage for Sophos here)

4. Detects mass encryption:

- This is also somewhat true. They designed the agent to pick up on usage of cipher.exe, vssadmin.exe etc... and to look for very common repetative tasks such as encrypting large swaths of files. From my experience it's decently effective, but no different than Webroot if something gets past. Either way you're screwed.

5. Cut off connection to the attacking host.

- Again partly true. This can only happen if the Sophos network threat system knows the IP/Domain/Host to be bad. Webroot's outgoing firewall also looks at how processes/files communicate to outside sources and blocks if known bad. To me this is also something that needs to be addressed by whitelisting your internet connection with something like DNSThingy. Then you'll never have to worry about this ever again.

6. Remediating any encrypted documents using local mirror image copy:

- Somewhat an advantage for Sophos but requires more disk space. They rely on a backup image as well as shadow copies.

The disadvantage of both here is that it has to be picked up immediately by the agents in order to be recovered or in Webroot's term "rolled back." If in either case the malware was able to be executed and then as part of it's process, delete's itself etc.. then neither agent is able to know the originating source to follow the chain back and recover stuff.

NEVER consider this to be a silver bullet to a proper Backup Disaster Recovery (BDR) plan.
Journaling and Rollback the way Webroot implements it might be proprietary, but Sophos, SentinelOne both implement something similar. SentinelOne almost strictly relies on rolling things back (and is somwhat effective), rather than stopping at first encounter.

Our MSP is a huge partner with Webroot and even with that, I've gone and tested ALL the other Next Gen solutions out there and still come back to Webroot mostly for it's cost, multi-tennant console (others don't have that), effectivness, great support etc...

There's not one product out there yet that's as fast or light weight as Webroot. Sopho's Intercept X IS NOT lightweight, adds upwards of 8 seconds to boot times, 9-12 processes that take up huge amounts of memory etc.. can be a bitch to remove if you aren't careful in the console due to their Tamper Protection

It's also very important to know that Intercept X IS NOT a full antivirus/malware solution. It's really an add on for their Endpoint service that detects exploits and Ransomware. It relies heavily on their aquistion of HitManPro (which their HitmanPro Alert Service also gets installed to take up more memory) as their remediation engine.

So you can't completely replace an existing AV with just Intercept X as it doesn't cover all the bases. It can run alongside other AV's like Webroot, but if you go to install the Endpoint & Intercept X together it won't install at all and will absolutely force you to remove any and all other security products residing on the system.

I've tested Webroot and Intercept X with 10 different types of malware, 5 of them are Crypto-Ransomware:

- Webroot stopped 4 of the 5 Crypto-Ransomware completely with no need for any remediation as it wouldn't let me run it. The last was a known variant of Nemucod inside a .js file that Webroot doesn't scan script files, but it did pick up the A1.exe and was able to remediate the malware before it took hold. It blocked the rest of the regular mix of malware/PUA's

- Intercept X couldn't block a single regular malware/PUA because it doesn't do that sort of thing and relies on it's Endpoint to do that. I had to manually run the HitmanPro portion to scan and remove, if I hadn't the system would have had junk on it.

- The Intercept X agent was able to block 3 of the 5 Crypto-Ransomware completely with no need for any remediation the same as Webroot. It did however fully allow a variant of Cerber and it was fast acting enough that it deleted itself and there was no chance of remediation. The fourth was also the same variant of Nemucod that Webroot initially allowed, but in this case the agent didn't pick up the A1.exe right away and began to encrypt files. The neat thing was after maybe 50-60 files were encrypted, it finally did pick up the activity and was able to revert the changes. That was neat.

Overall though, you'll still need to have another AV to detect common malware/PUA's as Intercept X is ONLY an addition to their Endpoint offering or an add on to your existing AV from Webroot, Symantec, and what not.

The only thing that really impressed me the most was being able to manage all of the offerings from Sophos from one single console that looks way better, easier to navigate etc... Webroot really needs to get all of their offerings available to businesses under the GSM, especially the mobile, then add backup/sync.. Get rid of Web Security or integrate it into WRSA completely as nobody needs/wants/uses a proxy like that hardly anymore. But stay tuned for more on the GSM.

Lastly I wouldn't recommend Intercept X strictly for the fact that it's NOWHERE NEAR as light as they claim, it's install can literally take upwards of a half hour, and it's detection/remediation is basically comparable to Webroot anyway, and for a lot less price/endpoint.