Intercept X Early Access Program Sophos Tester


Intercept X Early Access Program Sophos Tester Karl Ackerman Principal Product Manager – Endpoint Security Group July 2017

Agenda Overview FAQ Tests described Platform Results

Overview: FAQ
What is Sophos Tester?
  A demonstration of attack techniques, from exploits and ransomware to atom bombing.
Is this safe to use?
  Sophos Tester will not harm your PC. It performs the techniques used by multiple attack methods, but it does not deliver malware, communicate with command and control servers, or encrypt your documents.
  NOTE: running the tool with Intercept X will create detection events, and they will show in Sophos Central, so if that console is monitored by another team, they may wonder what the heck you are doing.
Can I run Sophos Tester on a machine with a competitor's AV?
  The tool is not intended for competitive comparisons; it was built to confirm the detection methods available in Intercept X.
  Some AV vendors block the tool as malicious or unknown, and others may block some of the attack techniques as well.
What platforms does the tool run on?
  Sophos Tester was built for Windows 7 32-bit and should run on Windows XP, 7, 8 and 10, 32-bit and 64-bit.
  Some issues are known on OSes other than Windows 7 32-bit, with tests failing to run correctly.

Overview: FAQ (continued)
Does the test tool have a test for ALL the mitigations in Intercept X?
  No. This tool does not validate all exploit methods, just the most common ones.
Why don't I see any tests for Disk-Wiping, Credential Theft or Process Protection?
  For these tests the tool needs to be run as administrator: right-click Sophos Tester.exe and select "Run as Administrator".
When run with Intercept X, do detections generate events in the console?
  Yes. When run with Intercept X, the admin console will show the detection events, and a Root Cause Analysis may also be generated.
Will Sophos Clean remove the test tool on detection?
  No. Sophos Clean will allow Sophos Tester to remain after detections.
  Ransomware detections by Intercept X will identify the target application and block similar attacks from it until a reboot, or until sufficient time has elapsed for Intercept X to unblock the application.

Agenda Overview FAQ Tests described Platform Results

Attack Targets
Target
  We look for common infection vectors (applications) used by malware on the machine and display these as target applications.
  Using a target application launches that application to perform the attack technique.
Dummy (default)
  This is the Sophos Tester executable itself, and it can be used to demonstrate attacks.
Note: on a protected system, some attacks will cause Intercept X to identify the Sophos Tester or the target application and lock its use for a period of time. A good way to avoid having to reboot is to try each ransomware test with a different target application.

Categories and attack techniques
Code exploits: attacks that take advantage of vulnerabilities in the software being used.
Memory exploits: attacks that manipulate process and system memory to execute their code.
Logic flaws: preventing malicious behaviours even when the application is "allowed" to perform them.
Safe browsing: detecting man-in-the-browser activity that presents one view to the user and another to the site.
Ransomware: malicious rapid file encryption. Often the target application is then blocked from similar activity; reboot to clear this state on Intercept X protected devices. See Settings for additional configurations.
Disk-wiping (run Sophos Tester as administrator): attacks on the master boot record.
Credential theft (run Sophos Tester as administrator): attacks that steal authentication credentials.
Process protection (run Sophos Tester as administrator): newer exploits using Asynchronous Procedure Calls (WannaCry, EternalBlue, DoublePulsar).
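The ransomware category above is defined by behaviour (many documents rewritten by one process in a short burst) rather than by any particular malware family. The following PowerShell script is an added example, not Sophos Tester code and not a Sophos detection signature: it reproduces that behaviour only against throwaway files it creates itself under %TEMP%, keeps the key in process memory, and restores everything at the end. The folder name, file count, extension and the AES-256-CBC choice are assumptions made for illustration; whether a given detector fires on this exact pattern is not something the slides state.

```powershell
# Added example, not Sophos Tester code: a benign stand-in for the "Ransomware:
# malicious rapid file encryption" technique, confined to files it creates
# itself under %TEMP%. Assumptions not taken from the slides: the detector
# keys on one process rewriting many documents in quick succession; the file
# count, extension and AES-256-CBC are illustrative choices.
# Run only in an isolated test VM whose alerts you are expected to raise.

$ErrorActionPreference = 'Stop'
$root = Join-Path $env:TEMP ('cryptosim-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null

# 1. Constructed sample "documents": realistic names, throwaway content.
$names = 1..100 | ForEach-Object { 'invoice-{0:d3}.docx' -f $_ }
foreach ($n in $names) {
    $body = ("Constructed sample document {0}`r`n" -f $n) * 50
    [IO.File]::WriteAllText((Join-Path $root $n), $body)
}
$before = @{}
foreach ($n in $names) {
    $before[$n] = (Get-FileHash -Path (Join-Path $root $n) -Algorithm SHA256).Hash
}

# 2. Key material lives only in this process; nothing is written out or sent.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes.GenerateKey()
$aes.GenerateIV()

function Convert-File {
    param(
        [string]$Source,
        [string]$Destination,
        [System.Security.Cryptography.ICryptoTransform]$Transform
    )
    $in  = [IO.File]::ReadAllBytes($Source)
    $out = $Transform.TransformFinalBlock($in, 0, $in.Length)
    [IO.File]::WriteAllBytes($Destination, $out)
    Remove-Item -LiteralPath $Source      # original removed, as real ransomware does
}

# 3. Encrypt every document in a tight loop and rename with a marker extension.
#    The burst of read / write / delete / rename across many files is the
#    behaviour the Ransomware category describes.
$sw = [Diagnostics.Stopwatch]::StartNew()
foreach ($n in $names) {
    $enc = $aes.CreateEncryptor()         # fresh transform per file
    Convert-File -Source (Join-Path $root $n) `
                 -Destination (Join-Path $root "$n.locked") -Transform $enc
    $enc.Dispose()
}
$sw.Stop()
Write-Host ("Encrypted {0} files in {1} ms" -f $names.Count, $sw.ElapsedMilliseconds)

# 4. Restore immediately so the VM is left as found, and verify the round trip.
foreach ($n in $names) {
    $dec = $aes.CreateDecryptor()
    Convert-File -Source (Join-Path $root "$n.locked") `
                 -Destination (Join-Path $root $n) -Transform $dec
    $dec.Dispose()
}
$mismatch = $names | Where-Object {
    (Get-FileHash -Path (Join-Path $root $_) -Algorithm SHA256).Hash -ne $before[$_]
}
if ($mismatch) { throw "Round trip failed for: $($mismatch -join ', ')" }
Write-Host "All $($names.Count) files restored and verified; removing $root"
$aes.Dispose()
Remove-Item -LiteralPath $root -Recurse -Force
```

Get-FileHash needs Windows PowerShell 4.0 or later, so on Windows 7 install the matching Windows Management Framework first. On an Intercept X protected device the process doing the rewriting here is powershell.exe, so expect it to be treated as the target application: the slides say similar activity from that application stays blocked until a reboot, which also means the restore step may never run if the detection terminates the process. Keep the VM disposable and use Sophos Tester's own ransomware tests, with different target applications, when the goal is to validate Intercept X itself.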

Agenda Overview FAQ Tests described Platform Results

Platform tests (Target: Dummy, default)
Columns: Category | Attack | Intercept X policy control | Win 7 32-bit (no AV) | Win 7 32-bit (Intercept X EAP) | Win 8 64-bit (no AV)

Code Exploit (policy control: Exploit; Win 7 32-bit no AV: Success; Win 7 32-bit Intercept X EAP: Blocked; Win 8 64-bit no AV: no result given)
  StackPivot1
  StackPivot2
  VirtualProtect ROP
  VirtualProtect ROP via legit call: Succeeded (test passed, legitimate call)
  NtProtectVirtualMemory ROP
  WinExec ROP
  IAF
  VirtualProtect via legit call
Memory Exploit
  Nop Sled Heap Spray (results continue on the next slide)

Platform tests (Target: Dummy, default), continued
Columns: Category | Attack | Intercept X policy control | Win 7 32-bit (no AV) | Win 7 32-bit (Intercept X EAP) | Win 8 64-bit (no AV)

Memory Exploit (Win 7 32-bit no AV: Success; Win 7 32-bit Intercept X EAP: Blocked; Win 8 64-bit no AV: no result given)
  Polymorphic Nop Sled Heap Spray
  Data Execution Prevention
Logic Flaws
  Create, Execute
  Create, Execute elevated: Blocked (note the Microsoft warnings)
  Create, Rename, Execute
  Create, Execute via WMI
Safe Browsing
  WinINet hijack: must run with a target browser (Detected)
Ransomware*
  CryptoLocker: policy control CryptoGuard; Blocked (1)

1 – After an attack the target application (Sophos Tester) is temporarily blocked from similar activity; a reboot may be required.

Platform tests (Target: Dummy, default), continued
Columns: Category | Attack | Intercept X policy control | Win 7 32-bit (no AV) | Win 7 32-bit (Intercept X EAP) | Win 8 64-bit (no AV)

Ransomware* (policy control: CryptoGuard; Win 7 32-bit no AV: Success; Win 7 32-bit Intercept X EAP: Blocked (1); Win 8 64-bit no AV: no result given)
  CTB-Locker
  TorrentLocker
  CryptoWall 3
  Locky
  HydraCrypt
  Cerber 3
  Dharma
  Dharma Alternative
  CryptoShield
Disk-wiping
  Master Boot Record: policy control Disk and Boot Protection; Blocked

1 – After an attack the target application (Sophos Tester) is temporarily blocked from similar activity; a reboot may be required.

Platform tests (Target: Dummy, default), continued
Columns: Category | Attack | Intercept X policy control | Win 7 32-bit (no AV) | Win 7 32-bit (Intercept X EAP) | Win 8 64-bit (no AV)

Credential Theft
  Read LSASS memory: policy control "Member of EAP protected devices"; Win 7 32-bit no AV: Success; Win 7 32-bit Intercept X EAP: Blocked (2); Win 8 64-bit no AV: Blocked (3)
  Open SAM registry: Blocked
Process Protection
  APC Exploit (Atom Bombing)
  APC Exploit (Start shellcode)

Known issues – we have had some reported issues with Sophos Tester not executing the tests correctly on some x64 devices; we are investigating.
Support on servers and Mac – with the exception of CryptoGuard, not yet available for Windows Server or macOS.
Supported operating systems – supported on Windows XP and above; NOT available for macOS.
2 – This attack is shown as "unsuccessful" in Sophos Tester, but no notification is presented to the user; we'll fix it.
3 – Windows 8 64-bit protected the LSASS memory from non-authorised processes.

Notifications on the desktop
Detections from Sophos Tester will generate notifications on the device.
A Clean scan will be run, and Sophos Tester will remain on the device.
Events will be registered in Sophos Central, and within a few minutes a Root Cause Analysis report will be available for review.
When running ransomware tests, the target application is identified and Intercept X will block the detected behaviour from that application until a reboot.

Notifications in Sophos Central
A Sophos Tester detection results in a notification to the end user and in Sophos Central.

Sophos Central – Root Cause Analysis
Root Cause Analysis reports should be generated for most detection events.