Jarvis Mishler

HATech Academy – Sophos Intercept X

Download the presentation here: HATech Academy – Sophos Intercept X

Watch the training video here: Intro to Sophos Intercept X Training from hatechdevops on www.twitch.tv

Do you want to check out Sophos Intercept X for Server or Sophos Intercept X for Endpoint to experience next-gen security for yourself? Follow the labs below to sign up for a free trial and get hands-on with cutting-edge security!

Lab 1 – Set Up Your Free Trial

  1. Start by clicking this link for your Intercept X Free Trial or clicking the free trial button at hatech.io/sophos.
  2. Enter your Name and Email then click Next
  3. Enter Job Role, Phone Number, and Company then click Submit
  4. Check your inbox for the Activation Email and click Create Password
  5. Choose a Password, click both checkmark boxes, then click Activate Account

That’s it. Your free trial is ready and Sophos products are already enabled for you to try!

Lab 2 – Set Up Your Instances

The easiest way to test Intercept X for both Endpoint and Server is to set up two virtual machines in your Microsoft Azure account.

Create a Resource Group

  1. Login to your Azure Account
  2. Click on the Resource Groups menu
  3. Click ‘+’ add to create a new Resource Group
  4. Provide a name for the Resource Group like “Sophos”
  5. For this lab choose West US for the Region
  6. Click OK

Create a Linux Server

  1. Select the Virtual Machines menu
  2. Click ‘+’ to create a new Virtual Machine Instance
  3. Choose Ubuntu Server 16.04 as the instance OS
  4. Click Create
  5. Give it a name like “sophos-server”
  6. Provide a Username
  7. Choose Password instead of SSH Key and enter a password
  8. Select the Resource Group that you created above
  9. Click OK
  10. Choose B1MS as the instance size
  11. Click OK
  12. Click SSH under Basic Network Security Group
  13. Click OK to exit the Optional settings
  14. Check the Summary and click Create

Create a Windows Client

  1. Select the Virtual Machines menu
  2. Click ‘+’ to create a new Virtual Machine Instance
  3. Choose Windows Client and Windows 10 Pro Version 1709 as the instance OS
  4. Click Create
  5. Give it a name like ‘sophos-client’
  6. Provide a Username
  7. Choose Password instead of SSH Key and enter a password
  8. Select the Resource Group that you created above
  9. Click OK
  10. Choose B1MS as the instance size (make sure to turn the VM off after the demo so it stops accruing charges)
  11. Click Select
  12. Select RDP under Basic Network Security Group
  13. Click OK to exit the Optional settings
  14. Check the Summary and click Create
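The portal clicks in Lab 2 can also be scripted with the Azure CLI, which makes the lab repeatable and makes it easy to tear down at the end. The script below is an added example, not part of the original lab or Sophos's material. It assumes the Azure CLI (az) is installed and logged in, that the image URNs for Ubuntu Server 16.04 and Windows 10 Pro 1709 are the ones the lab chose in the portal, and that MY_IP, ADMIN_USER and the two password variables are supplied by you. Two things differ from the click-through on purpose: inbound SSH and RDP are allowed only from your own public IP rather than from the whole internet, and a "down" mode deallocates both VMs when the demo is over. With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: scripted equivalent of Lab 2 using the Azure CLI (az).
# Not part of the original lab. Image URNs, NSG names and the MY_IP /
# ADMIN_USER / *_PASSWORD variables are this script's own assumptions.
# DRY_RUN=1 (the default) only prints the az commands; DRY_RUN=0 runs them.

set -u

DRY_RUN="${DRY_RUN:-1}"
RG="Sophos"
LOCATION="westus"                        # West US, as in the lab
SIZE="Standard_B1ms"                     # the B1MS size the lab picks
ADMIN_USER="${ADMIN_USER:-labadmin}"
# Keep real passwords out of the script and shell history: read from env.
LINUX_PASSWORD="${LINUX_PASSWORD:-ChangeMe-Linux-1}"
WIN_PASSWORD="${WIN_PASSWORD:-ChangeMe-Windows-1}"
# Only this address may reach SSH/RDP (placeholder; set to your own IP).
MY_IP="${MY_IP:-203.0.113.10/32}"

UBUNTU_IMAGE="Canonical:UbuntuServer:16.04-LTS:latest"
WIN10_IMAGE="MicrosoftWindowsDesktop:Windows-10:rs3-pro:latest"  # rs3 = 1709

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_rg() {
  run az group create --name "$RG" --location "$LOCATION"
}

# NSG with one inbound rule that allows <port> only from $MY_IP.
create_nsg() { # create_nsg <nsg-name> <port> <rule-name>
  run az network nsg create --resource-group "$RG" --name "$1" --location "$LOCATION"
  run az network nsg rule create --resource-group "$RG" --nsg-name "$1" \
    --name "$3" --priority 1000 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$MY_IP" \
    --destination-port-ranges "$2"
}

create_linux_vm() {
  create_nsg sophos-server-nsg 22 allow-ssh-from-me
  run az vm create --resource-group "$RG" --name sophos-server \
    --image "$UBUNTU_IMAGE" --size "$SIZE" --nsg sophos-server-nsg \
    --admin-username "$ADMIN_USER" --admin-password "$LINUX_PASSWORD" \
    --authentication-type password
}

create_windows_vm() {
  create_nsg sophos-client-nsg 3389 allow-rdp-from-me
  run az vm create --resource-group "$RG" --name sophos-client \
    --image "$WIN10_IMAGE" --size "$SIZE" --nsg sophos-client-nsg \
    --admin-username "$ADMIN_USER" --admin-password "$WIN_PASSWORD"
}

# "Turn off after the demo": deallocating stops compute billing.
deallocate_lab() {
  run az vm deallocate --resource-group "$RG" --name sophos-server
  run az vm deallocate --resource-group "$RG" --name sophos-client
}

# lab up   -> resource group, both NSGs and both VMs
# lab down -> deallocate both VMs
lab() {
  case "${1:-up}" in
    up)   create_rg; create_linux_vm; create_windows_vm ;;
    down) deallocate_lab ;;
    *)    echo "usage: lab [up|down]" >&2; return 1 ;;
  esac
}

lab "${1:-up}"
```

Run it once with the default dry run to review the generated commands, then with `DRY_RUN=0 ./lab.sh up` to build the environment and `DRY_RUN=0 ./lab.sh down` when you are finished. The NSG is created before the VM so that az vm create attaches it instead of generating its own default rule that opens the port to 0.0.0.0/0.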

Lab 3 – Install the Intercept X Agent

Linux Server Agent Install

  1. Copy your Linux Server’s IP address from Azure
  2. SSH into your Linux Server
  3. Go to Server Protection > Protect Devices in Sophos Central
  4. Right click to copy the link to your Linux install script
  5. Download the install script on your Linux Server
    • wget https://api-cloudstation-us-east-2.prod.hydra.sophos.com/api/download//SophosInstall.sh
  6. Run the Sophos Install Script
    • sudo bash SophosInstall.sh

Windows Server Agent Install

  1. Copy your Windows Client’s IP address from Azure
  2. RDP into your Windows Client
  3. Go to Server Protection > Protect Devices in Sophos Central
  4. Right click to copy the link to your Windows install script
  5. Download the install script on your Windows machine
  6. Open the link in your browser:
  7. Run the Sophos Installer
  8. Run SophosSetup.exe
  9. Click to Restart after installation
  10. Click Finish to restart your Windows Client

Lab 4 – Configure Web Policy

Modify the Base Web Policy

  1. Go to Endpoint Protection > Policies in Sophos Central
  2. Select the Base Policy under Web Control
  3. Open the Settings tab
  4. For Acceptable Web Usage, choose Let Me Specify
  5. For Excessive Bandwidth, choose Let Me Specify
  6. For Peer to Peer, choose Block
  7. Click Save to update the Base Policy

Test the Modified Web Policy

  1. RDP into your Windows Client
  2. Open Microsoft Edge
  3. Navigate to thepiratebay.org

Additionally, you can navigate to the following URL to test various Web Policy rules, since its links are already categorized for testing by Sophos:

http://sophostest.com/

Lab 5 – Configure Application Policy

Modify the Base Application Policy

  1. Go to Endpoint Protection > Policies in Sophos Central
  2. Select the Base Policy under Application Control
  3. Open the Settings tab
  4. In the Controlled Applications box, click Add/Edit List
  5. Under Archive Tool, check the box for 7-Zip and click Save to List
  6. Toggle Detect Controlled Application When Users Access Them to On/Green
  7. Select Block the Detected Application
  8. Under Desktop Messaging, enter a notification message
  9. Click Save to update the Base Application Policy

Test the Modified Application Policy

  1. RDP into your Windows Client
  2. Open Microsoft Edge
  3. Navigate to 7-zip.org
  4. Click Download for the x64 Bit version of 7zip
  5. Run the Installer
  6. Click Install at the prompt and then Close
  7. Open the Start Menu and start 7-Zip File Manager
  8. Watch for your Sophos prompt at the bottom right

Lab 6 – Run a Malware Test

To see the full breadth of what Intercept X can do, let’s run something on your machine that it identifies as malicious code.

  1. RDP into your Windows Client
  2. Download the Highscores+[bening].zip tool located here:
  3. Open the zip file and copy the HighScore executable to the Desktop
  4. Run HighScore.exe
  5. Watch for the Sophos prompt when malicious software is detected

Let’s check out the full Root Cause Analysis of the breach.

  1. Go to Endpoint Protection > Root Cause Analysis in Sophos Central
  2. Click on the event link for ML/PE-A
  3. Click the Artifacts tab to see which files were affected
  4. Click the Visualize tab to see the data flow triggered by the event
