Developing software that runs in kernel space, the most privileged level of a running system, with direct access to memory, hardware, resource management and storage, is essential for security products. From the kernel, a security product can monitor user space, the unprivileged environment in which applications run, and protect against malicious code that tries to evade detection there. Kernel presence also lets security solutions combat more dangerous threats within the kernel itself: attackers routinely exploit operating-system vulnerabilities, using techniques such as buffer overflows or format-string bugs, to gain access to kernel space and execute code with elevated privileges.
Despite these benefits, working in kernel space carries significant risk to a system's stability and security. A critical mistake in this environment, such as a faulty update to a core system driver, can cause unexpected outages and disruption. If the faulty driver loads at boot, the consequences can be far-reaching, requiring affected hosts to be started in recovery mode before normal operation can be restored.
As of release 2024.2, Sophos' Intercept X Advanced product uses five kernel drivers. Drivers ship with the relevant feature flags already enabled or disabled as appropriate, and newly introduced flags ship disabled. Sophos Intercept X and Sophos Central use feature flags to enable new features on a regular basis: new functionality is typically gated behind a flag that keeps it disabled until the flag is switched on, allowing controlled rollouts and refinement before wider adoption.
To foster understanding, this article describes the fundamental aspects of each driver's behaviour: what it does, when it starts, how it is signed, its inputs, and its outputs. To further reduce the risk of disruption, our safeguards include staged rollouts, illustrated later in this piece, and other measures designed to minimise unexpected issues; customers can also configure these options to suit their needs. Intercept X Advanced and its components, including its kernel drivers, have been in scope of our external bug bounty program since December 14, 2017, which supports a culture of collaboration with the research community.
The following table summarises the five kernel drivers included in Intercept X Advanced release 2024.2:
| Driver | Version | Type | Start | Signed | Signing | Description |
| --- | --- | --- | --- | --- | --- | --- |
| SophosEL.sys | 3.2.0.1150 | Kernel Driver | | Yes | ELAM* | The Sophos ELAM (Early Launch Anti-Malware) driver prevents known-malicious boot-start drivers from loading. |
| SophosED.sys | 3.3.0.1727 | File System Driver | Boot Start | Yes | WHCP+ | The principal Sophos anti-malware driver |
| Sntp.sys | 1.15.1121 | Network Filter Driver | System Start | Yes | WHCP+ | Sophos Network Threat Protection driver |
| Hmpalert.sys | 3.9.4.990 | File System Driver | System Start | Yes | WHCP+ | Sophos HitmanPro.Alert driver |
| SophosZtnaTap.sys | 9.24.6.3 | Network Filter Driver | On Demand | Yes | WHCP+ | Sophos Zero Trust Network Access (ZTNA) Tap driver |
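As an added example (not code from the Sophos article or product), the following PowerShell inventories the five drivers from the table on a Windows host and reports start type, signature status, signer and file version so they can be compared with the documented values. Assumed: the service names for sntp.sys and SophosZtnaTap.sys match their file base names, and the binaries live in System32\drivers; run from an elevated prompt.

```powershell
# Added example, not from the Sophos article. Compares installed Intercept X
# drivers against the table above. Service names for 'Sophos ELAM',
# 'Sophos Endpoint Defense' and 'hmpalert' come from the registry keys the
# article lists; the other two service names are assumptions.
$drivers = @(
    @{ Service = 'Sophos ELAM';             File = 'SophosEL.sys';      Start = 'Boot' }   # ELAM drivers are boot-start by design; the table leaves the cell blank
    @{ Service = 'Sophos Endpoint Defense'; File = 'SophosED.sys';      Start = 'Boot' }
    @{ Service = 'sntp';                    File = 'sntp.sys';          Start = 'System' } # service name assumed
    @{ Service = 'hmpalert';                File = 'hmpalert.sys';      Start = 'System' }
    @{ Service = 'SophosZtnaTap';           File = 'SophosZtnaTap.sys'; Start = 'Manual' } # "On Demand" in the table; service name assumed
)

$report = foreach ($d in $drivers) {
    # Win32_SystemDriver.Name is the service name; StartMode is Boot/System/Auto/Manual/Disabled
    $svc  = Get-CimInstance Win32_SystemDriver -Filter "Name='$($d.Service)'" -ErrorAction SilentlyContinue
    $path = Join-Path $env:SystemRoot "System32\drivers\$($d.File)"   # assumed location
    $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Driver      = $d.File
        Installed   = [bool]$svc
        StartMode   = $(if ($svc) { $svc.StartMode } else { 'n/a' })
        StartAsDoc  = $(if ($svc) { $svc.StartMode -eq $d.Start } else { $false })
        FileVersion = $(if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { 'n/a' })
        SigStatus   = $(if ($sig) { $sig.Status } else { 'n/a' })
        # WHCP-signed drivers carry a Microsoft Windows Hardware Compatibility Publisher
        # signature; ELAM drivers a Microsoft Windows Early Launch Anti-malware Publisher one.
        Signer      = $(if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' })
    }
}

$report | Format-Table -AutoSize

# Anything installed that deviates from the documented start type, or whose
# signature does not verify, deserves a closer look.
$report | Where-Object { $_.Installed -and (-not $_.StartAsDoc -or $_.SigStatus -ne 'Valid') }
```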
Sophos' ELAM (Early Launch Anti-Malware) driver, SophosEL.sys, provides anti-malware capabilities.
The driver's essential feature is a blocklist of known-malicious drivers that must be prevented from loading as boot-start drivers during system initialisation. The blocklist, held in the registry key below, is populated by Sophos' user-space malware detection logic when it detects a malicious driver; at the next system startup, SophosEL.sys prevents that driver from loading.
| Input | Description | Protection |
| --- | --- | --- |
| HKLM\SYSTEM\CurrentControlSet\Services\Sophos ELAM\Config | Blocklist of known-bad drivers | Sophos Tamper Protected |
Customers can configure remediation settings and permitted devices directly in Sophos Central.
Drivers signed by Microsoft or by Sophos are excluded from both removal and blocking.
SophosED.sys is a boot-start driver that begins operating during ELAM processing, before most other kernel drivers load, before Windows user space initialises, and before the system drive is mounted. It has three broad duties:
- Enforcing tamper protection of the Sophos installation and configuration to prevent unauthorised modification.
- Providing visibility of system events to Sophos user-space components for protection and detection purposes.
- Recording low-level system events in the Sophos Event Journals for after-the-fact forensic analysis.
Because SophosED.sys starts before the file system is available, its entire configuration comes from its service key. Each of the inputs below sits beneath HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense.
Filter driver altitude inputs
SophosED.sys registers with Windows using an altitude, a numeric value allocated by Microsoft that defines the driver's position within the stack of file system filter drivers.
| Input | Description | Protection |
| --- | --- | --- |
| HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Instances | Altitudes allocated by Microsoft | DACLs; Sophos Tamper Protected |
Tamper Protection inputs
The Sophos Tamper Protection configuration combines customer policy, Sophos feature flags, and digitally signed manifests built into the agent.
| Input | Description | Protection |
| --- | --- | --- |
| HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config | Customer policy (On/Off, configuration password*) | DACLs; Sophos Tamper Protected |
| HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components and HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services | List of protected components and services | Verified by the driver before loading |
System Activity Events inputs
The Sophos Central Malware Protection policy provides numerous configuration options, which user-space processes write to the SophosED.sys registry key so that they are available when the driver loads.
| Input | Description | Protection |
| --- | --- | --- |
| HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config | Customer policy: on/off, exclusions, and more | DACLs; Sophos Tamper Protected |
| HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags | Sophos feature flags (various) | DACLs; Sophos Tamper Protected |
Event Journal inputs
| Input | Description | Protection |
| --- | --- | --- |
| HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Config | Customer policy (exclusions, disk limits) | DACLs; Sophos Tamper Protected |
| HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features | Controls whether each event journal is enabled or disabled: a DWORD value set to 1 in the relevant subkey enables that journal | DACLs; Sophos Tamper Protected |
Customers can configure disk limits and manage exclusions in their Sophos Central Malware Protection policy.
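The tables above describe each SophosED.sys input as protected by DACLs and Sophos Tamper Protection. As an added example (not code from the Sophos article or product), this PowerShell walks those registry inputs and shows which identities the DACL grants write access to, treating keys that Tamper Protection hides from even an administrator as "inaccessible" rather than failing; the subkey names are taken from the tables, and nothing about their contents is assumed. Run from an elevated prompt.

```powershell
# Added example, not from the Sophos article. Audits the SophosED.sys registry
# inputs listed above: how many values each holds and who may write to it.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense'
$inputs = 'Instances', 'TamperProtection\Config', 'TamperProtection\Components',
          'TamperProtection\Services', 'Scanning\Config', 'EndpointFlags',
          'EventJournal\Config', 'EventJournal\Features'

# Rights that allow modifying a key or its values.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'

foreach ($sub in $inputs) {
    $key = Join-Path $base $sub
    if (-not (Test-Path $key)) { "{0,-30} missing" -f $sub; continue }
    try {
        $acl = Get-Acl -Path $key -ErrorAction Stop
        $writers = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (([int]$_.RegistryRights -band [int]$writeRights) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        $values = (Get-Item $key -ErrorAction Stop).GetValueNames()
        "{0,-30} values={1,-3} writers={2}" -f $sub, $values.Count, ($writers -join ', ')
    } catch {
        # Tamper Protection typically denies the open outright; report and move on.
        "{0,-30} inaccessible ({1})" -f $sub, $_.Exception.GetType().Name
    }
}

# The altitude recorded under Instances should match what the filter manager
# reports for the loaded minifilters (names as registered, which may differ
# from the file names).
fltmc filters | Select-String -Pattern 'Sophos|hmpalert'
```

A key whose writers include anything beyond SYSTEM and the Sophos-controlled identities, or that is readable and writable by ordinary administrators while Tamper Protection is on, is worth raising with the vendor.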
Once the driver service is running, Sophos user-space processes can dynamically configure various parameters, depending on a combination of customer policy and Sophos flags:
- Per-process mitigation settings, governed by a bitmask.
- Allow lists and exclusions: which events to enable or disable for particular processes.
- How long the driver should wait for a response from user space, or whether an asynchronous notification is required instead.
The Sntp.sys (Sophos Network Threat Protection) kernel driver registers for various events in order to intercept, and potentially modify, network traffic. Depending on the Sophos Central threat protection and web control policy, different filters and callouts are configured.
Configuration is passed to the driver by several user-mode processes:
- SophosNtpService.exe
- SophosNetFilter.exe
- SophosIPS.exe
- SSPService.exe
User-space processes communicate with the driver via IOCTLs and read and write operations. Connections to and from the driver are protected so that only trusted, authentic Sophos processes can interact with it.
The filter driver intercepts traffic from both browser and non-browser processes, depending largely on the policy defined in Sophos Central. Intercepted traffic is processed in user space by SophosNetFilter.exe and SophosIPS.exe, which may send modified content back to the driver, for example to display a block page for malicious content.
Customers can add specific websites to their allow or block list in Sophos Central.
The Hmpalert.sys driver underpins Sophos CryptoGuard's ability to detect and block bulk file encryption by malicious software, ransomware in particular. It also determines which exploit mitigations are applied when individual processes are started and run.
Hmpalert.sys takes a number of inputs, from registry subkeys and from IOCTLs.
| Input | Description | Protection |
| --- | --- | --- |
| HKLM\SYSTEM\CurrentControlSet\Services\hmpalert | Software configuration | DACLs; Sophos Tamper Protected |
| HKLM\SYSTEM\CurrentControlSet\Services\hmpalert\Config | Customer policy | DACLs; Sophos Tamper Protected |
| HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags | Sophos feature flags (various) | DACLs; Sophos Tamper Protected |
Customers can enable or disable mitigations and manage exclusions in Sophos Central's Malware Protection policy.
SophosZtnaTap.sys is an OpenVPN TAP driver built by Sophos. When a customer installs the Sophos Zero Trust Network Access (ZTNA) agent, it intercepts DNS queries for managed applications and redirects them to the relevant Sophos ZTNA gateways. ZTNA applications and gateways are configured through Sophos Central policy and stored in the registry.
Inputs to SophosZtnaTap.sys are controlled via a Windows registry subkey.
| Input | Description | Protection |
| --- | --- | --- |
| HKLM\SOFTWARE\Sophos\Management\Policy\NetworkPerimeter | ZTNA customer policy: applications, gateways and certificates | DACLs; Sophos Tamper Protected |
Customers can manage their Zero Trust Network Access (ZTNA)-secured applications and gateways directly from the Sophos Central portal.
Sophos CryptoGuard has countered bulk encryption attacks on permanent storage for more than 10 years. Intercept X release 2024.1.1 introduced CryptoGuard ExFAT, extending that protection to ExFAT partitions, which are typically found on portable USB drives.
CryptoGuard ExFAT was developed and tested between September 2023 and March 2024. The feature was guarded by a flag named 'hmpa.cryptoguard-exfat.available'.
Sophos Engineering deployed the software internally with the flag enabled in a 'dogfood' release that began on March 22, 2024.
Intercept X release 2024.1.1 was deployed to Sophos and then rolled out to customers through a controlled software release process from May 21, 2024 to June 6, 2024. At this point the feature remained dormant for everyone except Sophos engineers.
The 'hmpa.cryptoguard-exfat.available' flag was then enabled through a controlled flag enablement process from June 10, 2024 to June 26, 2024.
Customers can choose between two software packages, short-term support or long-term support; this fixes the software version until the customer selects another package. Customers who choose the 'Sophos Recommended' package receive regular software updates and, in addition, incremental feature-flag enablement for new functionality within that software, handled in the same staged way as a software release. Sophos has developed this process to improve stability and to avoid introducing a new problem to all customers worldwide at once.
Kernel drivers are fundamental to the effectiveness of Intercept X Advanced and of Windows endpoint security in general, but we also recognise that operating in kernel space is not without risk.
In this article we have described the kernel drivers in Intercept X Advanced (as of release 2024.02): what they do, how they are signed, their inputs, the controls available to customers, and the additional safeguards we apply, including gradual, staged rollouts of new features and exclusions, to minimise the risk of disruption.
While no system can eliminate risk entirely, we have prioritised transparency by disclosing the details of our drivers and our approach to protecting customers from potential disruption.