Sophos Intercept X Gains Deep Learning, Credential Theft Defenses

The new iteration aims to stop ransomware in its tracks, but partners must sell an additional security layer.

Lorna Garey

January 30, 2018


Sophos on Tuesday released an updated version of its Intercept X malware blocker. While the company wouldn’t share 2017 sales numbers ahead of earnings season, Dan Schiappa, SVP and GM of products at Sophos, told Channel Partners that Intercept X is the most successful product the company has ever launched. Schiappa credits a mix of accuracy, performance and ability to block zero-day malware and says that, as of this release, new deep-learning capabilities will improve detection and decrease false positives.

“We’re going to block more stuff, because we’re not depending on ever seeing it before,” said Schiappa. “And it gives us better performance because, the way deep learning works, it reduces the model size, so it’s actually much faster than any signature-based AV, or frankly, any machine-learning technology.”


Sophos’ Dan Schiappa

Schiappa says deep-learning neural networking works by examining a huge and self-increasing number of features, like file size or function calls, that indicate malicious intent. Sophos is able to draw on a library of millions of samples and its global labs.

“We don’t even have to know what features we want to measure,” he said. “It kind of learns by itself. That’s part of the deep learning aspect; it just goes through its training models.”

The Intercept X technology, which benefited from Sophos’ acquisition of Invincea last year, can be controlled through the Sophos Central cloud-based management platform and, when used with the company’s XG Firewall, deliver the benefits of synchronized security. Intercept X may be installed alongside existing endpoint security software from any vendor, though Schiappa says that in 90 percent of cases it’s used with other Sophos offerings.

Also new in this version are anti-ransomware and exploit prevention features, including credential theft protection. A nightmare scenario for service providers is attackers getting access to credentials that would allow them to log in to customer systems as a legitimate user; Sophos says Intercept X detects and prevents this behavior.

“A huge percentage of attacks have some form of credential theft,” says Schiappa. The most common technique uses a tool called Mimikatz, with which someone who has already gotten into a Windows machine can sift through the credentials held in memory until they find, for example, an executive or IT admin login name and password.

Also in this release: the ability to detect the presence of code hidden in another application; the capability to keep a low-privilege process from being escalated to a higher privilege; and measures to prevent the malicious use of PowerShell from browsers.
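Two of the behaviors listed above, PowerShell launched from a browser and credential sifting against LSASS in the Mimikatz style, are the kind of thing an endpoint sensor can flag from process telemetry. The following is an added illustration written for this article, not Sophos or Intercept X code, and the sensor log format, the process names, and the allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Process images treated as browsers and as PowerShell hosts (assumed lists;
# extend them for the environment being monitored).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
# PROCESS_VM_READ is the Windows access right a process needs in order to read
# another process's memory; a credential dumper has to request it on lsass.exe.
PROCESS_VM_READ = 0x0010
# Processes permitted to read LSASS memory (placeholder; tune per environment).
ALLOWED_LSASS_READERS: set = set()


@dataclass
class Event:
    kind: str                                   # "proc_create" or "proc_access"
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Event:
    """Parse one constructed sensor line of the form '<kind> key=value ...'."""
    kind, _, rest = line.strip().partition(" ")
    return Event(kind=kind, fields=dict(re.findall(r"(\w+)=(\S+)", rest)))


def rule_browser_spawned_powershell(ev: Event) -> bool:
    """A browser should never be the parent of a PowerShell host."""
    return (ev.kind == "proc_create"
            and ev.fields.get("parent", "").lower() in BROWSERS
            and ev.fields.get("image", "").lower() in POWERSHELL_HOSTS)


def rule_lsass_memory_read(ev: Event) -> bool:
    """A non-allowlisted process asked for read access to LSASS memory."""
    if ev.kind != "proc_access" or ev.fields.get("target", "").lower() != "lsass.exe":
        return False
    if ev.fields.get("source", "").lower() in ALLOWED_LSASS_READERS:
        return False
    access = int(ev.fields.get("access", "0"), 16)   # hex access mask
    return bool(access & PROCESS_VM_READ)


RULES = [
    ("browser_spawned_powershell", rule_browser_spawned_powershell),
    ("lsass_memory_read", rule_lsass_memory_read),
]


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, offending line) for every line that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, line.strip()))
    return hits


# Constructed sample telemetry (not real logs). Line 4 is a benign query-only
# open of LSASS (0x1000 = PROCESS_QUERY_LIMITED_INFORMATION) and must not fire.
SAMPLE_LOG = [
    "proc_create parent=explorer.exe image=chrome.exe",
    "proc_create parent=chrome.exe image=powershell.exe",
    "proc_create parent=services.exe image=svchost.exe",
    "proc_access source=taskmgr.exe target=lsass.exe access=0x1000",
    "proc_access source=notepad.exe target=lsass.exe access=0x1010",
]

if __name__ == "__main__":
    for name, line in detect(SAMPLE_LOG):
        print(f"[{name}] {line}")
```

Running it flags exactly the browser-to-PowerShell launch and the VM_READ open of lsass.exe, while the query-only handle passes; in a real deployment the access-mask check is what separates routine inventory tools from a credential dumper, and the allowlist is where known backup or security agents would go.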

Exact false-positive rates depend on the deployment, but for partners, the fewer fire drills, the better.

Mark Brandon, VP of business operations for MSP and systems integrator NTS, says Intercept X is a huge part of the company’s security offering, and he is excited that the Invincea deep-learning technology has been included. NTS is a platinum Sophos partner.

“Our customers don’t have an IT department — we are their IT department,” said Brandon. “They want to know that they are getting best-of-breed security solutions, that they’re protected against ransomware, that they have a layered protection approach.”

He says customers’ eyes may glaze over at talk of neural networks, but they’re very glad to know that zero-day threats can be identified and blocked. A successful ransomware attack isn’t just bad for the customer, it’s a real drain on an MSP to clean up. One popular aspect of Intercept X is the CryptoGuard anti-ransomware function that can block ransomware – including all Wanna and Petya variants – when it starts encrypting files and return any affected files to their original state.

Tony Palmer, senior validation analyst with the Enterprise Strategy Group, agrees that Intercept X should deliver lower false-positive rates and more accurately spot both existing and zero-day malware.

“ESG Lab analysis reveals that this neural-network model scales easily, and the more data it takes in, the smarter the model becomes,” said Palmer. It helps that Sophos starts with a massive library of samples.

Intercept X is available only through Sophos partners and runs between $20 and $40 per seat, with discounts available. Sophos also offers a free trial. While that may seem like a steep add-on to existing endpoint security systems, Brandon points out that it’s much less costly than a successful ransomware attack.

“I think Intercept X is going to be a game-changer,” said Brandon. “I think we’re on the path to ‘set and forget’ security.”
