Thursday, April 3, 2025

Sophos Endpoint – Sophos Information

Building on our previous discussions of how these elements are evaluated and what they do, we now look deeper into the inner mechanics of Intercept X, focusing on content updates: a mix of configuration changes that alter code execution paths, and changes to the code itself.

Intercept X combines real-time cloud lookups with on-device content updates. Because the threat landscape is constantly shifting, on-device content updates must be delivered steadily, and some are needed at short notice. While automatic content updates are convenient, they also risk disruption: a corrupt or invalid update can cause unforeseen issues.

Sophos uses a standard update distribution mechanism to deliver device-level content updates, which are loaded into low-privilege Sophos user-space processes rather than into Sophos kernel drivers. These updates originate from the Sophos Content Delivery Network (CDN). Content updates are one of the three essential inputs to Intercept X, alongside software from the CDN and policy and configuration from Sophos Central.

This article delves into the diverse types of content updates employed in our system, outlining the process of verification and validation that ensures the integrity of this content. We will also examine how our ecosystem is designed to mitigate potential issues arising from corrupt or defective content, thereby maintaining a seamless user experience. Since we previously highlighted the significance of Intercept X and its components, it’s worth noting that this solution has been an integral part of since December 14, 2017.

As of August 2024 the details in this article are current; they may change without notice as we continue to update and refine our products.

Sophos distributes new content updates to customers through ‘release groups’, with each Sophos Central tenant automatically assigned to a specific group.

The first release group is reserved for internal engineering testing; no production customers are assigned to it. This lets our engineering teams monitor new content updates against production infrastructure without manual intervention. If testing fails, the release is automatically halted and does not proceed to subsequent release groups.

Once engineering qualification passes, we manually promote the release to the ‘Sophos inside’ release group (‘dogfooding’). This group consists of Sophos’ own employees’ production devices and personal accounts. If issues arise during the release or are reported afterwards, we halt the process immediately and do not proceed further.

Upon successful validation, we promote the release to the customer-facing release groups for production rollout. From this point, Sophos’ release systems automatically disseminate newly published content updates to all release groups over a period of hours or days by default, as depicted in Figure 1.

Sophos AutoUpdate, a component of Intercept X, checks for new content updates every hour; the actual update frequencies are much lower, as shown in the table below.

Sophos AutoUpdate retrieves the list of available updates from the CDN, then checks whether any new packages are awaiting installation for its release group.

Content updates are timestamped and digitally signed using SHA-384 hashes and a private Sophos certificate chain. Sophos AutoUpdate verifies every downloaded update for integrity and authenticity. Any update that fails verification is discarded, and both Sophos and the Sophos Central administrators are notified via alerts. To guard against stale CDN caches and replay attacks, Sophos AutoUpdate also discards any otherwise valid update whose signature timestamp predates that of the previously downloaded update.
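To make the order of those checks concrete, here is an added Python example; it is not Sophos code. It stands in an HMAC-SHA384 under a constructed key for the real certificate-chain signature, and the content names, payloads and timestamps are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the certificate-chain signing key (an assumption,
# not Sophos' scheme): signatures here are HMAC-SHA384 over name|timestamp|digest.
SIGNING_KEY = b"constructed-demo-signing-key"


@dataclass(frozen=True)
class UpdatePackage:
    name: str        # content name, e.g. "LocalRepData"
    timestamp: int   # signature timestamp (Unix seconds)
    payload: bytes   # the packaged content
    signature: bytes


def _signed_message(name: str, timestamp: int, payload: bytes) -> bytes:
    # Bind the SHA-384 payload digest to the name and timestamp so that
    # neither the content nor the timestamp can be swapped independently.
    digest = hashlib.sha384(payload).digest()
    return f"{name}|{timestamp}|".encode() + digest


def sign_package(name: str, timestamp: int, payload: bytes,
                 key: bytes = SIGNING_KEY) -> UpdatePackage:
    sig = hmac.new(key, _signed_message(name, timestamp, payload), hashlib.sha384).digest()
    return UpdatePackage(name, timestamp, payload, sig)


class UpdateVerifier:
    """Same order as described above: signature first, then reject any
    package older than the last accepted one for the same content name."""

    def __init__(self, key: bytes = SIGNING_KEY):
        self.key = key
        self.last_timestamp: dict[str, int] = {}
        self.alerts: list[str] = []  # what would be raised to Sophos/administrators

    def check(self, pkg: UpdatePackage) -> str:
        expected = hmac.new(self.key, _signed_message(pkg.name, pkg.timestamp, pkg.payload),
                            hashlib.sha384).digest()
        if not hmac.compare_digest(expected, pkg.signature):
            self.alerts.append(f"{pkg.name}: signature verification failed")
            return "rejected-signature"
        previous = self.last_timestamp.get(pkg.name)
        if previous is not None and pkg.timestamp < previous:
            self.alerts.append(f"{pkg.name}: stale timestamp {pkg.timestamp} < {previous}")
            return "rejected-stale"
        self.last_timestamp[pkg.name] = pkg.timestamp
        return "accepted"


def demo() -> list[str]:
    # Constructed scenario: a good update, a tampered copy of it, then a replayed older one.
    v = UpdateVerifier()
    good = sign_package("LocalRepData", 1_700_000_000, b"reputation list v2")
    tampered = UpdatePackage(good.name, good.timestamp, b"reputation list v2 (modified)", good.signature)
    older = sign_package("LocalRepData", 1_699_000_000, b"reputation list v1")
    return [v.check(good), v.check(tampered), v.check(older)]


if __name__ == "__main__":
    print(demo())  # ['accepted', 'rejected-signature', 'rejected-stale']
```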

When a new content package is available, Sophos AutoUpdate downloads and installs it via the associated installation bundle. Updates to the different features of Intercept X are handled independently by distinct components.

The following content updates are part of the Intercept X 2024.2 release.

DatasetA

SophosFileScanner.exe loads DatasetA. It runs as a low-privilege process and leaves no persistent filesystem footprint beyond its log folder and a temporary directory used when scanning large files. It also implements the Sophos Anti-Virus Interface (SAVI).

SophosFileScanner.exe performs file scans in response to scan requests from other Sophos processes.

Although the name “SophosFileScanner.exe” may seem antiquated, this component remains a cornerstone of Intercept X: it scans for malicious content in files, process memory, network traffic and more.

LocalRepData

LocalRepData contains two reputation lists:

  1. Reputation by SHA-256
  2. Reputation by signer

When a Windows executable starts, Intercept X looks up its SHA-256 hash, and, provided its signature is valid, its signer, in LocalRepData. If LocalRepData returns a reputation, Intercept X tags the process with it, and Sophos’ rules treat high-reputation files and processes accordingly, for example by exempting them from cleanup.

SSPService.exe uses LocalRepData to assign reputations to processes as they start.

SophosFileScanner.exe also uses the local reputation data so that it can assign reputations to embedded executable streams found inside file content that is not being executed.

Behavior

The behavior rules are loaded by SSPService.exe. The rule data consists of signed and encrypted Lua code. SSPService.exe validates, decrypts and executes the rules inside a sandboxed LuaJIT environment that can reach the system only through Sophos-specific internal APIs.

Lua is a fast, embeddable scripting language. Sophos uses Lua for behavior detection rules because it allows new detection logic to be deployed quickly through content updates rather than a full software release. Because the rules are loaded in user space, a malfunctioning rule cannot propagate to the kernel and crash the system. Sophos builds its rules engine without the standard Lua libraries; the only route to the system is Sophos’ internal API, which has been hardened against misuse. Sophos collects extensive telemetry about rule run times and continually refines the rules to minimise runtime overhead.

Rules are event-driven: Intercept X exposes multiple callbacks, and rules register handlers for those events. Sensors can be configured with aggregation settings for specific high-traffic events, so that certain instances are consolidated or dropped.

Flags

Sophos’ feature flag system enables gradual rollout of new features and capabilities within Intercept X. Flags come from two sources:

  1. The Flag Supplement, a content update that carries a baseline flag set reflecting the options available in the installed software.
  2. The Flags Service, a Sophos Central microservice that lets Sophos Release Engineers manage flag configuration across tenants.

The Flag Supplement for a software release consists of a set of feature flags and their enablement requirements.

  Flag Supplement Value   Flags Service Value   Feature is…
  Off                     (any)                 Off
  Available               Off                   Off
  Available               On                    On

This mechanism gives Sophos several ways to enable and disable features:

  • Sophos introduces new features as “Available” in the Flag Supplement while they are not yet enabled in the Flags Service.
  • Sophos progressively rolls out new features through the Flags Service, deploying the flag across tenants.
  • Sophos can mitigate an affected feature by turning off its flag in the Flags Service.
  • Sophos can disable a problematic feature in a specific software release by changing its Flag Supplement setting.

CRT

The CRT contains a ruleset that removes known incompatible software during installation. The installer deletes the temporary file after setup.

Normally, Intercept X does not use the CRT. However, when a customer first installs a non-security component such as Sophos Device Encryption and later decides to deploy Intercept X, the existing agent downloads and installs the CRT before setup begins. Once Intercept X is installed, the CRT is removed.

Endpoint Self Help Ruleset

The Endpoint Self Help (ESH) rules define patterns that classify certain kinds of log entries. When Sophos engineers identify a common root cause or misconfiguration, they release a new rule linked to a Knowledge Base Article that describes the specific issue and its suggested resolution.

ScheduledQueryPack

The ScheduledQueryPack content update carries the list of scheduled queries and their execution frequencies. SophosOsquery.exe loads the rules, and the resulting output is sent by McsClient.exe to the Sophos Central Data Lake.

SophosOsquery.exe has a built-in watchdog that stops runaway queries from consuming excessive CPU or memory. Sophos gathers telemetry on scheduled query performance and continually tunes the queries so that they stay within the allocated resource limits and do not trigger the watchdog.

RemapperRules

The Remapper rules are loaded by McsAgent.exe and ‘remap’ Sophos Central policy settings into endpoint configuration stored in the Windows Registry under HKLM\SOFTWARE\Sophos\Management\Policy.

Policy arrives from Central as standardized XML documents. The rules are a set of XML documents that describe the layout of the data stored in the registry, with XPath queries and conversions that extract content from the policy XML and produce registry values.

If a rule file is corrupt or its processing fails for any reason, none of the registry values defined by that file are updated, so the earlier settings remain intact. Processing of the other, valid rule files is unaffected.
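An added Python sketch (not Sophos’ remapper) of the per-file isolation just described: each rule file is fully evaluated, XPath lookups and conversions included, before any registry value is written, so a corrupt file leaves its registry key untouched while the other files still apply. The policy XML, the JSON rule-file format, the converter names and the dictionary standing in for the registry are all constructed assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample policy XML (not a real Sophos policy document).
POLICY_XML = """<policy>
  <protection><enabled>true</enabled><level>high</level></protection>
  <updating><interval>60</interval></updating>
</policy>"""

# Constructed rule files: JSON text mapping registry value names to an XPath
# query plus a conversion. The second file is deliberately truncated (corrupt).
RULE_FILES = {
    "protection.rules": json.dumps({
        "key": r"HKLM\SOFTWARE\Sophos\Management\Policy\Protection",
        "values": {
            "Enabled": {"xpath": "./protection/enabled", "convert": "bool_dword"},
            "Level":   {"xpath": "./protection/level",   "convert": "string"},
        },
    }),
    "updating.rules": '{"key": "HKLM\\\\SOFTWARE\\\\Sophos\\\\Management\\\\Policy\\\\Updating", "values": {"Interval":',
}

# Constructed conversions from policy text to registry value types.
CONVERTERS = {
    "string": lambda s: s,
    "dword": lambda s: int(s),
    "bool_dword": lambda s: 1 if s.strip().lower() == "true" else 0,
}


def remap_rule_file(policy_root, rule_text):
    """Evaluate one rule file completely before touching the registry.
    Any failure (bad JSON, bad XPath, missing node, bad conversion) raises,
    and nothing from this file is written."""
    rule = json.loads(rule_text)
    staged = {}
    for name, spec in rule["values"].items():
        node = policy_root.find(spec["xpath"])
        if node is None or node.text is None:
            raise ValueError(f"{spec['xpath']} not found in policy")
        staged[name] = CONVERTERS[spec["convert"]](node.text)
    return rule["key"], staged


def apply_remapper_rules(policy_xml, rule_files, registry):
    """Apply every rule file independently; `registry` is a dict of
    key -> {value name: value} standing in for the Windows Registry."""
    root = ET.fromstring(policy_xml)
    results = {}
    for filename, text in rule_files.items():
        try:
            key, values = remap_rule_file(root, text)
        except Exception as exc:  # isolate this file; earlier values stay intact
            results[filename] = f"skipped: {type(exc).__name__}"
            continue
        registry.setdefault(key, {}).update(values)
        results[filename] = "applied"
    return results


if __name__ == "__main__":
    reg = {r"HKLM\SOFTWARE\Sophos\Management\Policy\Updating": {"Interval": 120}}
    print(apply_remapper_rules(POLICY_XML, RULE_FILES, reg))
    print(reg)  # Protection key written; Updating key still holds the old 120
```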

EPIPS_data

The EPIPS_data content updates carry the IPS signatures loaded by SophosIPS.exe. Sophos’ IPS, implemented in SophosIPS.exe, uses signatures developed by SophosLabs to detect and block threats.

SophosIPS.exe runs as a low-privilege process. When the Intrusion Prevention System (IPS) is enabled, the sntp.sys driver passes packets to SophosIPS.exe for filtering, and SophosIPS.exe returns a verdict to accept or reject each packet.

Network inspection requires careful handling of packets as they pass through the layers of the network stack. Windows Filtering Platform (WFP) callouts at Layer 2 are sensitive to the underlying drivers, often from third-party vendors, that serve the physical and media access layers. To mitigate the risk of instability, IPS proactively watches for BSODs or network disruptions likely caused by incompatible third-party drivers. When such conditions are detected, IPS automatically deactivates and sets the endpoint’s health status to red to raise an alert.

NTP_OVERRIDES

A key consideration when developing a Windows Filtering Platform (WFP) kernel driver is that, although the platform supports multiple drivers operating simultaneously on the filtering stack, Sophos has identified certain third-party software packages that are incompatible with the IPS feature, which must intercept and manipulate L2 packets.

The NTP_OVERRIDES content carries a list of known incompatible drivers. When IPS is enabled in policy but the device has an incompatible driver installed, SophosNtpService.exe deactivates IPS, overriding the policy.

This lets Sophos update driver compatibility without a software release, responding quickly when a new incompatible driver appears and protecting customers with the same configuration without interruption. If Sophos or the third-party vendor resolves an incompatibility, Sophos can likewise remove that driver from the list.

RepairKit

During each hourly update, Sophos AutoUpdate runs a self-repair program, su-repair.exe, which detects and fixes any issues deemed repairable. The RepairKit was originally created to detect and repair file corruption caused by abrupt shutdowns, which could compromise the integrity of the Sophos installation. Over time, the Sophos engineering team has used it to fix numerous issues that would otherwise have required customer support engagements or gone undetected until a later software update drew attention to them.

The RepairKit rules are written in Lua and loaded by su-repair.exe. Encryption and digital signatures protect the integrity of the rule files. If su-repair.exe cannot load the RepairKit rules, it falls back to a built-in ‘last resort’ ruleset designed to repair Sophos AutoUpdate in its entirety.

RepairKit rules have unrestricted access to the system: they run with elevated privileges as SYSTEM, so they can manipulate sensitive data and perform critical actions.

TELEMSUP

This content updates the telemetry configuration: a JSON file that specifies the submission frequency and destination.

  {
    "AdditionalHeaders": "x-amz-acl: bucket-owner-full-control",
    "Port": 0,
    "Resource Root": "prod",
    "Server": "t1.sophosupd.com",
    "Verb": "put",
    "Interval": 86400
  }

The telemetry content remains unchanged since its inception in 2016.

APPFEED, USERAPPFEED

The APPFEED content updates contain signed and encrypted Lua code that detects installed applications and generates dynamic exclusions for them at runtime.

When an application with associated APPFEED exclusion rules is detected, the system generates machine-specific exclusions based on the installed software. These exclusions are reported back to Sophos Central for display to the Sophos Central administrator.

The Windows rules normally operate read-only, scanning the registry and file system for recognized applications listed under the Add/Remove Programs registry key. Some applications, such as Microsoft SQL Server, require running a PowerShell script to identify optional operating system components.

APPFEED and USERAPPFEED are loaded when SEDService.exe starts.

ProductRulesFeed

The product rules are loaded by the SSP Service (SSPService.exe). They use the same format as the Behavior rules, with the same entries and privileges, and are loaded into the same LuaJIT interpreter, so they are held to the same performance requirements as the behavior rules.

ML models

The ML models content update carries the machine learning models used by SophosFileScanner.exe. Unlike most content updates, ML models consist of Windows DLLs containing the core model logic together with the “weights”, the results of training and tuning the models in the SophosLabs Cloud.

The ML models are loaded by SophosFileScanner.exe and run inside its low-privilege process. SophosFileScanner.exe can load two variants of each model: ‘telemetry’ and ‘live’. This lets Sophos deploy candidate machine learning models in telemetry mode. In telemetry mode, SophosFileScanner.exe runs the candidate model against a sample of data alongside its normal operation. The data produced by the telemetry model, together with information gathered through conventional means, gives Sophos real-time telemetry for analysis and training.

Sophos ships ML model updates as part of its content update cycle, giving newly trained models several rounds of iteration, telemetry, retraining and fine-tuning before they are promoted to production.

Because the ML model update contains executable code, Sophos releases it in a more gradual and gated manner:

  • It spends additional hours in the initial release groups, engineering testing and Sophos Inside.
  • It is rolled out over several weeks rather than hours.

Hmpa_data

The Hmpa_data content update carries a global allowlist of HitmanPro.Alert fingerprints. Each HitmanPro.Alert detection generates a fingerprint that captures the specific mitigation and its relevant details. For example, a fingerprint for a StackPivot mitigation might consist of the affected function together with several preceding stack frames.

Hmpa_data contains a short list of globally allowed fingerprints. The HitmanPro.Alert service, hmpalertsvc.exe, uses this list to quietly suppress matching detections, reducing false positives and avoiding potential performance or stability issues.

  • The HitmanPro.Alert driver, hmpalert.sys, generates fingerprints and forwards them to the service whenever it applies driver-based mitigations such as CryptoGuard, CiGuard and PrivGuard.
  • The HitmanPro.Alert hook DLL, hmpalert.dll, injected into user processes, generates a fingerprint for each detection and sends it to the service for logging.

To keep pace with evolving threats, security products must be regularly updated with fresh intelligence. Because an update could be corrupt, safeguards must ensure that updates are genuine, authenticated and validated.

This article has looked at the content updates used in Intercept X: what they are, how often they are delivered, how they are validated and verified, the low-privileged processes they are loaded into, and how we stage and manage them.

We discussed the challenge of balancing safety and security in our previous article on Intercept X kernel drivers. Navigating this risk is difficult, and we are committed to doing so with transparency.
