Intercept-X Only deployment

Hi,

Currently we are using a competing AV product, but we probably will migrate once the license expires. However, together with the Sophos X firewall, I am running a trial of Intercept-X. I would also like to do that with the Intercept-X server product, but found out that this does not work. After joining the EAP program, I can Manage Devices and am asked: "Select which devices you'd like to add to this program"

But there are no devices in the list, probably because I have not deployed the server software.

Are you planning to allow Intercept-X (with heartbeat) for servers only? I think that would be enough for most use cases, when the server is not accessible by end-users.

Thanks

Pieter



This thread was automatically locked due to age.
  • Hi Pieter

    Thank you for your message. You are correct that servers need to be running Sophos Central Server Protection in order to be enrolled into the Intercept X for Server Early Access Program.

    We have not yet announced packaging specifics for the new features (we will announce these details at launch). However, I can tell you that we are not currently planning to support the ability to run the product alongside third-party AV products on servers.

    Do you have a non-production/test server (without your current vendor's AV installed) that you could use to enroll in the Early Access Program? Once you're up and running, we'd love to hear your feedback.

    Many thanks

    Paul Murray
    (Sophos Product Management)

  • Thanks Paul

    I have a server with some Hyper-V hosts that I can use to test the stack. Please tell me if this is correct:

    - Windows Server Installer on the server

    - Security VM Installer on the server, with agents on the Hyper-V servers

    - Intercept-X for Server on the Windows Server and Hyper-V servers

    Thanks

    Pieter

  • Hi William

    I'm pleased to hear that you're a fan of the off-board file scanning approach of Sophos for Virtual Environments (SVE). Thank you for that feedback.

    It isn't possible to install the 'full' server agent (with Intercept X features) on the same server endpoint as the SVE thin guest VM agent. In short, this is because both agents use the same on-access driver. 

    The ability to off-load file scanning to a centralized Security VM while protecting from other threats (exploits, ransomware etc.) via the agent on the local server, is a scenario we may consider for the future, although it is not on plan for the near-term. 

    Thanks

    Paul 

  • Hi Paul,

    Please consider this. On a server with 5 Hyper-V servers, today I need one Advanced server licence, and the included Sophos for Virtual Environments to protect the five servers.

    When I want to add Intercept X for servers, I need to remove the SVE, and add 5 Advanced server licenses for a total of 6.

    There seems to be something wrong in the pricing model, unless deploying an Advanced server license in a Hyper-V environment is free. If it is not, I will have to pass on Intercept X for Server.

  • Hi Pieter

    Sophos Server Protection products, including Sophos for Virtual Environments, are licensed per server endpoint/VM. 

    If you deploy the Sophos for Virtual Environments Guest VM agent on 5 virtual servers, then five Server Protection licenses (Standard or Advanced) are required for these machines. If you also choose to protect the host server with the server agent, then a sixth license is required.

    The model is the same if you deploy Central Server Protection Advanced on the five virtual servers and on the host: six licenses would be required.

    Thanks
    Paul

  • I think it's a shame there is no Intercept X for Server only deployment option. 

    Most of our servers are in AWS, so most of the extra 'Server Protection' components don't seem to serve much purpose besides causing additional services/load. I'd be very happy if I could just run Intercept X on all servers. 

  • Agree, I think with the GDPR in the EU, there is a market for Intercept-X only on application servers, with heartbeat. AV does not seem necessary, and the cost could be lower.

  • Can any Sophos reps respond if this will be a future option?

    I know we feel, and I'm sure so many others do, that this is really a wasted opportunity for Sophos, forcing people to install the server agent with no ability to install just Intercept X.

    Your competitors have many true lightweight agents out there, which is what people want these days. Intercept X would provide this but instead we are stuck with a heavy server protection agent.

    If you gave us the ability to run Intercept X standalone on Windows and Linux servers and then the endpoint agent for non-servers we'd probably double our order - instead we'll probably move to one of your competitors' lightweight agents that is supported on all platforms and versions. Shame!

  • Hello,

    When you refer to competitor light weight agents, do you mean thin agents like our Sophos for Virtual Environments product?

    You mention that you use AWS and that the other components don't offer much, please can you advise which features you would value?

    Machine Learning PE detection?

    Sophos AV for non PE detections?

    Intercept X (Anti Ransomware, Anti Exploit, Anti Hacker, Root Cause Analysis) ?

    Control features (Application Control, Peripheral Control, Web Control, Data Loss Prevention)?

    Sophos Lockdown (Application Whitelisting)?

    We don't have any current plans to create an Intercept X only offering, but I would be interested to understand your use case so that we can assess the potential options.

    Regards,

    Stephen

  • When I say 'lightweight' - I mean a product that focuses solely on threat protection (anti-exploit, anti-malware, anti-ransomware) and not on all the additional features and has a very small footprint, little to no reboots, minimal install time - See Palo Alto Traps, Cylance or Webroot offering to get an idea.

    • Machine Learning PE detection - Yes! For sure.
    • Sophos AV for non PE detection - Maybe? AV file scanning seems to have a fairly heavy load still? HIPS functionality would be good.
    • Intercept X (Anti Ransomware, Anti Exploit, Anti Hacker, Root Cause Analysis) - Yes for sure. (I-X has behavior monitoring for malware too, right?)
    • Control features (Application Control, Peripheral Control, Web Control, Data Loss Prevention)? - We don't use any of these in AWS.
    • Sophos Lockdown (Application Whitelisting)? - We use it on certain servers we manage (file share backup for example) - but we can't use it on 99% of servers in AWS.

    Would need to have some option for scheduled scanning (perhaps file scanning by the ML file scanner) to be PCI compliant too.

    The way we use our AWS sees us spinning up and terminating machines constantly. The Server Protection agent and install method is quite time consuming at around 3-4min via caching server or 10 minutes via internet. We need something we can install with a minimal time (sub 1 min), has minimal maintenance overhead but still provides great threat protection (like Intercept X) but without all the other services.

    Hope this makes sense?

  • Hi LRB,

    Thank you for your detailed feedback, it is very helpful. One question; 'Sophos Lockdown - but we cant use it on 99% of servers in AWS', why is this? The use of auto scaling and the short life of the server?

    Regards,

    Stephen

  • Yeah, basically. Lockdown requires rebooting, extra steps etc. That and if it caused issues, the time it would take to unlock and get back going doesn't make it practical.

    Thinking about it, there may be some servers I could use it on that are more stable, just a bit concerned it could cause issues with things I'm not aware of.

    Everything in AWS is about scalability at speed. And I need a product to match.
