Intercept-X Only deployment

Hi,

Currently we are using a competing AV product, but we probably will migrate once the license expires. However, together with the Sophos X firewall, I am running a trial of Intercept-X. I would also like to do that with the Intercept-X server product, but found out that this does not work. After joining the EAP program, I can Manage Devices and am asked: "Select which devices you'd like to add to this program"

But there are no devices in the list, probably because I have not deployed the server software.

Are you planning to allow Intercept-X (with heartbeat) for servers only? I think that would be enough for most use cases, when the server is not accessible by end-users.

Thanks

 

Pieter



  • Hi Pieter

    Thank you for your message. You are correct that servers need to be running Sophos Central Server Protection in order to be enrolled into the Intercept X for Server Early Access Program.

    We have not yet announced packaging specifics for the new features (we will announce these details at launch). However, I can tell you that we are not currently planning to support the ability to run the product alongside third-party AV products on servers.

    Do you have a non-production/test server (without your current vendor's AV installed) that you could use to enroll in the Early Access Program? Once you're up and running, we'd love to hear your feedback.

    Many thanks

    Paul Murray
    (Sophos Product Management)

  • Thanks Paul

    I have a server with some Hyper-V hosts that I can use to test the stack. Please tell me if this is correct:

    - Windows Server Installer on the server

    - Security VM Installer on the server, with agents on the Hyper-V servers

    - Intercept-X for Server on the Windows Server and Hyper-V servers

     

    Thanks

    Pieter

  • Hi Pieter

    The Sophos Security VM is part of our Sophos for Virtual Environments (SVE) offering, which provides off-board malware scanning for Windows VMs in Hyper-V and ESXi environments. This is a Generally Available product which is separate to, and not part of, the Intercept X for Server Early Access Program.

    The Intercept X for Server EAP capabilities require our full Windows server agent (rather than the thin guest agent which is part of Sophos for Virtual Environments). You can deploy the Windows server agent on your Windows server guest VMs and on the host server. 

    Hope that helps?

    Paul

  • Can you run the thin-agent and the Intercept X component on the same VM?

    Wondering if we can create the scenario where Intercept X for servers provides anti-exploit and anti-ransomware and the thin-agent the off-loaded signature-based AV scanning.

  • Hi William

    Thanks for your message. I'm afraid that isn't a supported scenario at present. The full server agent (including on-box scanning) needs to be installed, in order to use the anti-exploit mitigation capabilities.

    Kind regards

    Paul

  • Hi Paul,

     

    That is alright, we can configure the Sophos Central Server Protection with Intercept X to not use the on-access scanner retaining the anti-exploit and anti-ransom protection.

    Would it be possible to run it alongside the thin-agent so both signature based scanning with the SVM and anti-exploit and anti-ransomware from Intercept X can be used?

     

    The signature based scanning with the thin-agent is much smarter for the Virtual Environments due to the SVM load-balancing and caching than the signature based scanner included in the Sophos Central Server Protection.

    Another question, since the Intercept X has such a small footprint (20MB) are there any plans of integrating the Intercept X Deep Learning engine into the thin-agent? Both are pre-execution scanners?

  • Hi William

    I'm pleased to hear that you're a fan of the off-board file scanning approach of Sophos for Virtual Environments (SVE). Thank you for that feedback.

    It isn't possible to install the 'full' server agent (with Intercept X features) on the same server endpoint as the SVE thin guest VM agent. In short, this is because both agents use the same on-access driver. 

    The ability to off-load file scanning to a centralized Security VM while protecting from other threats (exploits, ransomware etc.) via the agent on the local server, is a scenario we may consider for the future, although it is not on plan for the near-term. 

    Thanks

    Paul 

  • Hi Paul,

    Please consider this. On a server with 5 Hyper-V servers, today I need one Advanced server licence, and the included Sophos for Virtual Environments to protect the five servers.

    When I want to add Intercept X for servers, I need to remove the SVE, and add 5 Advanced server licenses for a total of 6. 

    There seems to be something wrong in the pricing model, unless deploying an Advanced server license in a Hyper-V environment is free. If it is not, I will have to pass on Intercept X for Server.

  • Hi Pieter

    Sophos Server Protection products, including Sophos for Virtual Environments, are licensed per server endpoint/VM. 

    If you deploy the Sophos for Virtual Environments Guest VM agent on 5 virtual servers, then five Server Protection licenses (Standard or Advanced) are required for these machines. If you also choose to protect the host server with the server agent, then a sixth license is required.

    The model is the same if you deploy Central Server Protection Advanced on the five virtual servers and on the host: six licenses would be required.

    Thanks
    Paul

  • I think it's a shame there is no Intercept X for Server only deployment option. 

    Most of our servers are in AWS, so most of the extra 'Server Protection' components don't seem to serve much purpose besides causing additional services/load. I'd be very happy if I could just run Intercept X on all servers. 

  • Agree, I think with the GDPR in the EU, there is a market for Intercept-X only on application servers, with heartbeat. AV does not seem necessary, and the cost could be lower.