Rather than look for malicious executables, InterceptX takes a different tact, blocking paths to exploitation.
Sophos on Sept. 15 officially launched its InterceptX next-generation endpoint security technology in a bid to help organizations with modern ransomware and zero-day threats.
The new technology is being positioned by Sophos as complementary to existing endpoint security technologies.”The security industry has been talking for some time about the death of AV [antivirus], and to some extent there is legitimacy to that discussion,” Joe Levy, CTO of Sophos, told eWEEK. “Signature-based technologies are inadequate in their ability to deal with new classes of attacks or variants of malware they haven’t encountered before.”Rather than take a signature-based approach, InterceptX is designed to help solve the challenge of modern security threats by understanding how attackers actually exploit users and systems.
At its core, InterceptX isn’t antivirus; it’s anti-exploit technology, he said.While hundreds of millions of malware samples exist today, when looking at the actual software vulnerabilities that are exploited, Levy said there are a few dozen exploit techniques that enable malware.
Those techniques include such things as memory buffer overflows, data execution protection bypasses and abusing address space layout randomization.
“What we’ve done with InterceptX is we have focused on 20 or so exploit techniques,” he said. “So whether we have seen a given piece of malware before or not, we are able to stop it.”
The core technology behind InterceptX is from security vendor SurfRight, which Sophos acquired in December 2015.Rather than taking a sandbox or emulator approach that aims to isolate potential malware, InterceptX directly hooks into a Microsoft Windows operating system. Microsoft has technology called EMET (Enhanced Mitigation Experience Toolkit) that is intended to help protect a Windows operating system user against unknown vulnerabilities.”InterceptX is similar in its design with EMET, but InterceptX is demonstrably superior to what EMET does,” Levy said.”InterceptX is more automated in the protection that it offers.”Ransomware is one specific attack vector that InterceptX is designed to block.
InterceptX has a feature called CryptoGuard that can identify actions taken by ransomware. Not only can it stop ransomware, but it is also capable of rolling back any changes made by the malware. Levy said CryptoGuard can identify collections of processes that appear to be opening files, changing names and attempting various forms of manipulation.”We’re highly confident that InterceptX can deal with all known variants of ransomware today and confident it’s prepared for future variants as well,” Levy said.InterceptX also has a root cause analytics feature that provides forensics on where and how a piece of malware attempted to exploit a system.
There is an event history tracker that collects events as they occur on an endpoint system, he said.”Then if there ever is a malicious event, we can actually reconstruct the entire sequence that led to an infection,” Levy said. “So not only can we tell an end user or administrator they have a piece of malware on their system, we can also tell them how it got in.”Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
Follow him on Twitter @TechJournalist.