Sophos have been producing computer security software since 1985, so it’s safe to say they know a thing or two about tackling malware, ransomware and other computer security threats. Their antivirus software Sophos Home, provides fairly robust protection and is reasonably priced.
Sophos’ very own EDR (Endpoint Detection and Response) platform ‘Intercept X’, is a cut above regular antivirus scanners. Its developers claim that it uses AI to detect both known and unknown malware, as well as using advanced behavioral analysis and file recovery to protect organizations from ransomware.
The question is whether Sophos Intercept X Advanced is one of the best endpoint protection software platforms? Read on to find out.
Sophos Intercept X Advanced: Plans and pricing
While Sophos’ website does feature a ‘How to Buy’ page for Intercept X, the prices listed are guidelines only. For instance, the $30 subscription fee for Intercept X’s ‘Advanced’ tier per user per year assumes users will buy a 3-year subscription in advanced for 500-999 seats.
In fairness Sophos does also offer a ‘Get Pricing’ page, where interested parties can fill in a contact form to receive a custom quote via one of Sophos’ trusted partners. This same page boasts ‘Simple’ pricing on a per user basis with no hidden extras. We couldn’t help but wonder if the pricing is so simple, why not just list it on the website?
If you just want to test the waters, you can sign up for a 30-day trial of Sophos Intercept X Advanced with XDR (Extended Detection and Response) without providing any payment information. Naturally if you choose to extend your subscription beyond the trial we recommend contacting Sophos directly for pricing.
Sophos Intercept X Advanced: Features
The aforementioned free trial of Sophos Intercept X Advanced with XDR also includes trial versions of other products such as Sophos Intercept X for mobile, ZTNA (Zero Trust Network Access) and others, so for the purposes of this review we’ll try to distinguish those features specific to Intercept X Advanced.
The company has produced a datasheet explaining some of the perks, as well as a list of technical specifications for the Intercept X tiers.
Despite the name, ‘Intercept X Advanced’ is, in fact, the most basic tier. Subscribers get to enjoy deep learning malware detection, anti-malware file scanning and real-time protection. Other perks include Web Control / Category-based URL Blocking, as well as application/peripheral control.
Data Loss Prevention features include ‘Cryptoguard’, which continuously monitors file to check if they’ve been encrypted by ransomware. The platform can also perform file recovery of compromised files if this is detected.
Subscribers to ‘Intercept X Advanced with XDR’ (which is offered via the free trial) benefit from all the above features, as well as better support for live detection of threats. This includes 30 days of Sophos Data Lake cloud storage, as well as an SQL Query Library (pre-written, fully customizable queries) to detect suspicious events. Subscribers also benefit from cross-product Data Sources such as Firewall and Email (Sophos XDR).
‘Advanced with XDR’ subscribers can access Advanced On-demand Sophos X-Ops Threat Intelligence and export forensic reports. Crucially this tier supports live response so managers can remote monitor endpoints and take action to secure or even isolate them.
Subscribers to ‘Intercept X Advanced with MDR Complete’ benefit from the full package, which includes human-led threat hunting and response such as security health checks and ‘root cause analysis’ to prevent further threats. Subscribers to this top tier also get their very own “incident response lead”.
Sophos Intercept X Advanced: Setup
In order to download a free trial interested parties must first register an account with Sophos Central. We were happy to provide an email address in order to receive a registration link but didn’t understand why a telephone number or postcode was required.
Still, the registration process was very fluid and we clicked the activation link to create a password for the ‘Sophos Central Dashboard’ in under 2 minutes.
From here it was a simple matter to download the Windows installer to our test machine (macOS clients are also available) but we did hit a snag when the client program discovered that a previous endpoint client hadn’t been fully installed from the machine. A quick dive into the Control Panel was all that was needed. The installer said it would take 10 minutes but we found the whole process took less than five.
When downloading the installer, you can choose to customize it with ZTNA or device encryption. If you don’t choose these features, you can install them later once the endpoint’s active.
As soon as the Sophos client finished installing, we clicked the system tray icon to see the reassuring message, “Your Device is protected”.
Sophos Intercept X Advanced: Interface
Having praised the installer’s quick operation, we should also take some time to mention it’s spartan interface. There are three main sections : ‘Status, ‘Events’ and ‘Detections’. Users can launch their own scan but apart from that it’s not particularly configurable.
Still, simplicity can be effective and it’s clear this theme has also been carried over into the ‘Sophos Central’ web interface. The left hand pane contains easy to understand options such as ‘Devices’, which you can click into to find more information.
The main ‘dashboard’ displays a summary of all detected threats in large lettering at the top, as well as a text summary of recent alerts, a summary of devices and users and a ‘Web Control’ section detailing blocked pages. This is exactly the kind of data we like to see in an overview, though we think most users could survive without the ‘Global Security News’ section at the very bottom.
The ‘Threat Analysis Center’ provides colorful graphics of detected events, including a spidery graph format to trace the root cause of any malware or exploits. This can seem overwhelming at first but you can filter out specific information like registry keys or processes.
The ‘Logs and Reports’ section can display any amount of information but we were most impressed by the ‘hero’ reports, which list a summary of your account status including devices protected, licensing and usage, threat trends, and total threats blocked.
The ‘Devices’ section also shows just enough information about endpoints to be helpful, though you can click on individual appliances, then on ‘More Actions’ to perform functions like scanning or diagnosis. You can also ‘Isolate’ the endpoint with one click.
Sophos Intercept X Advanced: Performance
When testing endpoint security platforms our first test is to try to download a fake computer virus, provided by the good people of EICAR using Microsoft Edge. As soon as we tried to save the virus in compressed (ZIP) format to the ‘Downloads’ folder of our test machine we encountered a permissions error – the Sophos client had detected it was dangerous and then automatically prevented it from being saved.
Our next test used a real computer virus that we’d caught in the wild. It had only come out recently so wasn’t necessarily listed in Sophos’ threat protection database. Even so, as soon as we copied and pasted the virus into the ‘Downloads’ folder, the Sophos client automatically detected and quarantined it.
Our final test was to revisit the ‘Sophos Central’ cloud platform to see if the client had dialed home to report these threats. We were pleased to see two alerts in the main dashboard area, detailing the exact threats and were able to click into each one to view full details.
We were also pleased to see the platform automatically generated an e-mail security alert warning about the first detected virus.
Sophos Intercept X Advanced: Final verdict
In terms of threat detection and reporting Sophos works blindingly fast. The malware files (even in compressed format) barely even touched the machine before the platform software detected and contained them. We were also pleased to see that Sophos Intercept X is proactive about threats, preventing downloads of harmful software before they happen.
The platform itself is easy to navigate and it’s simple to install software on endpoints. Since we only had a single test machine, setup only took a few moments but we were grateful to see it’s also possible to send installers to users and groups in bulk.
The platform itself doesn’t include a firewall, though you can add a subscription to ‘Sophos XG Firewall’ via Sophos Central. Similarly Intercept X doesn’t have its own email security, but you set up Sophos Email (Mailflow) or Sophos Email Gateway separately. This is our only real criticism of Intercept X as many endpoint security platforms also include a basic firewall and e-mail attachment scanner at no extra cost.
Despite Intercept X’s awesome powers of threat detection, given the lack of extra frills we feel that users would be more reassured by a more detailed pricing page, listing the exact cost per user per seat for each of Intercept X’s tiers.