Intercept X for Server Early Access Program Sophos Tester Stephen McKay Product Manager – Endpoint Security Group May 2018

Overview FAQ What is Sophos Tester? Is this safe to use? Demonstration of attack techniques from exploits and ransomware to atom bombing Is this safe to use? Sophos tester will not harm your PC It performs the techniques for multiple attack methods but does not deliver malware, communicate with command and control servers, or encrypt your documents NOTE running the tool with Intercept X for Server will create detection events and they will show in Sophos Central so if that console is monitored by another team, they should be made aware of any testing you plan to do. Can I run Sophos Tester on a machine with a competitors AV? The tool is not intended for competitive comparisons, and was built to confirm detection methods available in Intercept X Some AV Vendors block the tool as malicious, or unknown, others may block some of the techniques of the attack as well What platforms does the tool run on? Sophos tester has been tested on all of the platforms supported in the Early Access Program: Server 2008R2, Server 2012, Server 2012R2 and Server 2016

Overview FAQ (continued) Does the test tool have a test for ALL the mitigations in Intercept X No this tool does not validate all exploit methods, just the most common ones Why don’t I see any tests for Disk-Wiping, Credential Theft of Process Protection? For these tests the test tool needs to be run as administrator Right click on the Sophos Tester.exe and select “Run as Administrator” Will Sophos Clean remove the test tool on detection? No Sophos Clean will allow sophos tester to remain after detections Ransomware detections by Intercept X for Server will identify the target application and block similar attacks until a reboot or sufficient time has elapsed to unblock the application

Attack Targets Target We look for common infection vectors (Applications) used by malware on the machine and display these as target applications Using a target application will launch the application to perform the attack technique Dummy (Default) This is the sophos tester executable itself and can be used to demonstrate attacks Note some attacks on a protected system will identify the Sophos tester or target application and lock its use for a period of time A good way to avoid having to reboot is to try each ransomware test with a different target application

Category Attack Techniques Run Sophos Tester as Administrator Code exploits Attacks that take advantage of vulnerabilities in the software being used Memory exploits Attacks that manipulate process and system memory to execute their code Logic Flaws Preventing malicious behaviors even when the application is ‘allowed’ to perform them Safe Browsing Detect man in the browser activity that present one view to the user and another to the site Ransomware Malicious rapid file encryption Often the application target is now blocked from similar activity, reboot to clear this state on Intercept protected devices See Settings for additional configurations Disk-wiping Attacks on the master boot record Credential Theft Attacks that steal authentication credentials Process Protection Newer exploits using Asynchronous Procedure Calls (Wanacry, eternal blue, double pulsar) Run Sophos Tester as Administrator

Notifications on the desktop Detections from Sophos Tester will generate notifications on the device A Clean scan will be run and the Sophos Tester will remain on the device Events will be registered in Sophos Central and in a few minutes an Root Cause Analysis report will be available for review When running ransomware tests the target application is identified and Intercept will block the detected behavior from that application until a reboot

Notifications in Sophos Central Sophos test results in a notification to the end user and in Sophos Central

Sophos Central – Root Cause Analysis Root Cause Analysis reports should be generated for most detection events