For query assistance, please see the following Best Practices guide

See the story from SophosLabs Uncut on KingMiner: https://news.sophos.com/en-us/2020/06/09/kingminer-report/

The article is both educational and enlightening.  One of the aspects of KingMiner that is common with other attacks is that many of the indicators of compromise are non-deterministic.  The domain names and URLs they use are all auto generated.   I read…

We are thrilled to announce that the latest version of Sophos EDR (endpoint detection and response) is now available in Intercept X Advanced with EDR and Intercept X Advanced for Server with EDR.  This release brings powerful new capabilities that enable both IT admins and security analysts to ask detailed IT operations and threat hunting questions across their entire estate. It also provides new functionality to remotely respond…

For query assistance, please see the following Best Practices guide

We have added a new table to the sophos forensics journals. The sophos_process_activity table.

Often as part of an investigation you need to to get a quick view of what a process did in the past and this table provides a quick lookup location for that information.

This table contains a subject for each of the other Sophos 'journals' and collects some of…

Posting a query to the Live Discover Queries board will now include a review process.  This will allow us to review any question and proposed answer prior to it being visible by others.  We are adding this to ensure that the content of the queries do not contain anything inappropriate and that the query has been reviewed and tested and is not believed to cause harm. as for how well it does what it says.  we advise administrators…

For query assistance, please see the following Best Practices guide

While we have the schema posted on the EAP community pages, I have had a number of request for how to find it and how to use it.

First how to find the schema(s):

From the Sophos Community: We provide a link to definition of the sophos windows schema on the community form in the documents section. You can downlaod the file with this link: https://community…

We're pleased to announce that a new version of the Sophos Endpoint user interface is being rolled out to customers. Windows clients will begin updating this week, with Windows servers following in June.

The key goal of the update is to better represent our different endpoint components (Intercept X, Central Device Encryption, and the upcoming Unified Endpoint Management agent), and to bring a consistent look across…

Starting on the week of may 18 we will be adding variable support to queries.

You can create queries that now include support for up to 6 variables. A variable will be given a $$ prefix and postfix and can be either a TEXT or DATE value.  You will write your query and specify the variable information in the query.  Then when you run it you will be able to simply drop in the information for the variable and we will automatically…

The week of May 18 we will be turning on two powerful new capabilities in the EAP, Edit Query and Query Variables.

CREATE, SAVE queries - With this new capability you can now create and save your own queries, This will allow you to start from scratch or modify an existing query.  You will need to give your query a name, description, identify one or more categories it will be a part of and specify what operating systems…

Note: Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement.

 

We are excited to announce that Live Response is now available in early access.

 

Live Response allows admins to remotely connect to devices and get access to a command line interface so that detailed investigations can be performed, or to take prompt action to contain or remediate a…

Can you help to shape our future products?

 

We're looking for customers and partners to join our Sophos Design Partner group. Sign up and you'll be able to give us your product feedback and ideas through surveys, interviews, or usability testing.

You'll be helping to make the world a safer place -- and you might win Amazon vouchers while you're doing it.

We’re particularly keen to talk to customers who…

I'm pleased to say that a new version of our endpoint user interface is being released to EAP customers this week. Windows devices (client and server) enrolled in the EAP will receive the update automatically.

The key goal of the update is to better represent Sophos' different endpoint components - Intercept X, Central Device Encryption and our upcoming UEM agent. It will also to bring a consistent look across platforms…

We are excited to announce that we have added our new Linux EDR agent to the New Server Protection and EDR Features early access program.

Joining the EAP:

To get access to the new agent you must first join the New Server Protection and EDR Features early access program. See this presentation on how to join the EAP.

Getting access to the agent and installing:

Once you have successfully joined, from the Protect Devices…

Hi Community,

Sophos Anti-Virus v9.9.8 for Mac OS has been released. This release has the fix for blank captive portal.

For more information, please refer to the below release notes:

Hi Community, 

Due to current events, we are lengthening the Extended Support for Windows XP and Windows Server 2003 until June 30, 2020. Please refer to the below article for more information. 

• Extended Anti-Virus support for Windows XP and Windows Server 2003

Note: Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement.

We are excited to announce that Intercept X Advanced with EDR v3.0 with Live Discover is now available in early access.

Live Discover allows admins to search their data to answer almost any question they can think of by searching across their endpoints and servers using SQL. You can…

In early April we are extending the Early Access Program to add Live Discover

Watch the 5 min video. https://vimeo.com/401888432  

Hi All, Apple has just released macOS 10.15.4 and with this release they are highlighting to end users with Sophos Endpoint installed that they have a product installed that has a “Legacy system extension”, the notification goes on to say...

Note: Customers can join early access programs and use EAP features free of charge.  Use of all features and functionalities provided under the Early Access Program is subject to the Sophos End User License Agreement.  

The New Endpoint/Server Protection Features Early Access Program allows customers to test the latest and greatest endpoint and server features and functionality as they are being developed by Sophos.

See…

Source: https://community.sophos.com/kb/en-us/134486

Overview

SophosZap is a last resort command line clean up tool focused on uninstalling Sophos Endpoint products to revert a machine to a clean state.
To uninstall we strongly recommend that you use the standard product uninstaller first. Only use SophosZap when all other uninstall options have failed, as SophosZap uses heuristics trying to identify Sophos components…

Starting today we are gradually rolling out Sophos AMSI Protection to the Recommended release for endpoints. In a first phase only new Sophos Central customers (with the right license), and a very small percentage of existing Sophos Central customers will see this.

While we have tested this technology a lot, internally as well as in this EAP, it is still a new technology so we want to be sure all works well.

If all goes…

Hi All, 

Central Device Encryption version 2.0.81 for Windows

This service release contains bugfixes and improvements. Fixed JIRA items:

• CDP-7724 - "Protect Attachments" button not working when attaching files using "recent items".
• CDP-7726 - Outlook Add-In: Secure File Sharing does not pop up when forwarding mails with an…

Starting this week we will gradually roll out an update to the components in the Enhanced Protection EAP. We are mainly focusing on improved quality, and have fixed most of the issues that have been reported. Both endpoints and servers will be updated.

Other changes are the introduction of Windows 7 support for IPS, and a new and faster SDU log collection.

This roll-out will take about two weeks.

The update will bring…

Hi Community, 

A new version of Sophos Central Server Intercept X 2.0.16 has been released to our Sophos Central customers. This release also contains the below customer fixes:

Hi Community, 

A new version of Sophos Central Intercept X 2.0.16 has been released to our Sophos Central customers. This release also contains the below customer fixes: