Sophos Endpoint Agent Overview

Web Protection intercepts outbound browser connections and blocks traffic destined for malicious or suspicious websites. It stops threats at the delivery stage by preventing users from being diverted to malware delivery or phishing websites.

Web Control uses the same traffic interception technology, enabling you to block access to undesirable or inappropriate content, such as adult and gambling websites.

Download Reputation analyzes files as they’re downloaded and uses SophosLabs global threat intelligence to provide a verdict based on prevalence, age, and source, prompting users to block files with low or unknown reputation.

Application Control enables you to block applications that may be vulnerable, unsuitable for your environment, or that could be used for nefarious purposes. Sophos provides pre-defined categories to block or monitor apps, removing the burden of blocking individual applications by hash.

Peripheral (Device) Control enables you to monitor and block access to removable media, Bluetooth, and mobiles to prevent certain devices from connecting to your network.

Data Loss Prevention (DLP) monitors and restricts the transfer of files containing sensitive data. For example, prevent employees from sending confidential files home using web-based email.

Server Lockdown allows only trusted applications and their associated files to run and change other files. Sophos records installed software, checks it is safe, and only allows those applications to run while the server is locked.

Universal Anti-Ransomware (CryptoGuard) provides the most robust anti-ransomware protection in the industry. It constantly monitors file contents for signs of malicious encryption, blocking the offending process whether it’s running locally or on a compromised remote device. Sophos’ proprietary rollback mechanism reverts encrypted files to their original state without relying on the Volume Shadow Copy Service (VSS), which attackers frequently target.

Most vendors do not offer an equivalent set of protection layers against remote ransomware.

Adaptive Attack Protection automatically enables more aggressive protection on an endpoint when a ‘hands-on-keyboard’ attack is detected, blocking actions commonly performed by adversaries, such as attempts to run remote admin tools or low reputation executables.

No other vendor offers comparable adaptive protection against active adversaries.

Deep Learning (AI-powered) malware prevention analyzes binaries to make decisions based on file attributes and predictive reasoning. Deep learning is an advanced form of machine learning that detects and blocks malware, including new and previously unseen threats.

Live Protection extends Sophos’ comprehensive on-device protection with real-time lookups to SophosLabs' latest global threat intelligence for additional file context, decision verification, false positive suppression, and file reputation. Our Tier 1 threat research provides additional live intelligence from Sophos’ expansive product portfolio and global customer base.

Some vendors including Carbon Black, CrowdStrike and SentinelOne rely solely on pre-trained machine learning models.

Behavior Analysis monitors process, file, and registry events over time to detect and stop malicious behaviors and processes. It also performs memory scanning, inspects running processes to detect malicious code only revealed during process execution, and detects attackers implanting malicious code in the memory of a running process to evade detection.

Anti-Exploitation guards process integrity by hardening application memory and applying runtime code execution guardrails. Over sixty anti-exploitation techniques in Sophos Endpoint are enabled by default, require no training nor tuning, and extend far beyond the protections provided by the native Windows OS or most other endpoint security solutions.

Some vendors including Carbon Black, SentinelOne and Microsoft lack extensive exploit mitigations or require significant manual tuning.

Application Lockdown prevents browser and application misuse by blocking actions not commonly associated with those processes. For example, a web browser or Office application attempting to launch PowerShell.

Antimalware Scan Interface (AMSI) determines whether scripts (e.g., PowerShell or Office Macros) are safe, including if they are obfuscated or generated at runtime, blocking fileless attacks where malware is loaded directly from memory. Sophos also has a proprietary mitigation against malware that attempts to evade AMSI detection.

Malicious Traffic Detection detects a device attempting to communicate with a command and control (C2) server by intercepting traffic from non-browser processes and analyzing whether it is destined for a malicious address.

File Integrity Monitoring (FIM) identifies changes to system-critical files on Windows servers. You can also define locations and exclusions to identify changes to specific files, folders, registry keys, or registry values.

The Sophos data lake integrates comprehensive telemetry from an expansive portfolio of Sophos and third-party (non-Sophos) solutions, including endpoint, mobile, firewall, network, email, and cloud technologies. It enables you to access critical data and AI-prioritized threat detections across multiple attack surfaces.

Live Discover enables you to query devices to investigate activity. It uses osquery technology to monitor and record device status and attributes in Event Journals and employs guardrails to limit the impact of queries on the device. You can query information in the Sophos data lake for multiple devices including those offline.

Live Response provides a secure terminal in your Sophos Central console, enabling you to connect to devices to investigate and remediate possible security issues. Run commands to stop suspicious processes, restart devices with pending updates, delete files, and more, with full, secure, audited shell access.

Some vendors provide only a limited set of commands through their consoles.

Forensic snapshots. When a threat detection occurs, a snapshot file of current activity is created on the device’s disk. You can remotely retrieve these forensic snapshots to perform additional analysis.

Device isolation enables you to isolate an endpoint from your network to contain a threat or during an investigation. The isolation blocks TCP and UDP traffic and prevents the device from establishing network connections.

Sophos' unified endpoint agent includes our full suite of protection, detection, and response capabilities out of the box. Organizations can also benefit from Sophos’ detection and response capabilities with non-Sophos endpoint protection using a lightweight ‘XDR Sensor’ option and a range of turnkey third-party solution integrations.

Some vendors including CrowdStrike and Microsoft do not support the use of third-party endpoint technology.

Sophos provides a unified security operations platform and tools that enable you to detect, investigate, and respond to threats across all key attack vectors in the shortest time. Learn more about Sophos' full suite of powerful Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) capabilities.