Sophos Intercept X Endpoint Protection Review | PCMag

Sophos Intercept X Endpoint Protection Review

A full-featured desktop and mobile security platform for businesses of all sizes

4.5
Outstanding
Updated December 30, 2021

The Bottom Line

Sophos Intercept X Endpoint Protection keeps its Editors' Choice rating this year with an even more intuitive interface, an updated threat analysis capability, and excellent overall threat detection.


Pros

  • Intuitive and effective threat analysis/EDR
  • Excellent and fast threat detection
  • Easy to navigate interface

Cons

  • Only available through third-party vendors
  • Linux workstations not supported

Sophos Intercept X Endpoint Protection Specs

Ransomware Vaccine No
Linux Version
Malicious Website and Anti-Phishing Defense
External Device Control
Firewall
Ransomware File Rollback / Decryption
Graphical Attack Forensics
Policies Target Device
Manage by Group
Manage by Tag
Linux Client
Apple macOS Client
Windows Client
Full Audit Log
Mobile Device Management
Mobile Agent for Android
Mobile Agent for iOS
Native Encryption Management
VPN Included
Patch Management
Root Cause Analysis
Endpoint Detection and Response (EDR)

We gave Sophos Intercept X Endpoint Protection an Editors' Choice designation the last time we tested hosted endpoint protection solutions, and it has only gotten better in the intervening year. Its Sophos Central dashboard is even more intuitive than the last time we saw it, and it now offers better customization and an end-to-end security view that's easy to understand out of the box. Add excellent threat detection and new threat analysis capabilities, and Sophos is a shoo-in for another Editors' Choice award alongside Bitdefender GravityZone Ultra and F-Secure Elements.


Sophos Intercept X Pricing and Plans

A minor complaint about Sophos is that it sells Intercept X Endpoint Protection only via the partner channel, which means there's very little in the way of transparent pricing on Sophos' website. Company spokespersons put Intercept X's basic price range between $20.00 and $40.00 per user per year, depending on the features selected. Value-added resellers may add fees for service and support.


Considering the long list of advanced features this suite provides, however, its pricing makes it our bang-for-the-buck winner, hands down. By way of contrast, another Editors' Choice winner, Bitdefender GravityZone Ultra, goes for $57.40 per endpoint per year or $287 per year for five devices. If you want to evaluate Sophos Intercept X Endpoint yourself, a free trial is available on the website.

One caveat is that heavy Linux users might want to look elsewhere. While Sophos provides full support for macOS, Windows 10, iOS, and Android, Linux support comes only in the form of added-cost server licenses, and there's no support for Linux desktop endpoints.


Screenshot of Sophos Intercept X main dashboard

Getting Started

The Sophos Central dashboard is where all of the magic happens. Once you log in, you'll see a high-level overview of active alerts, their severity, and the number of devices affected. Nearly everything is clickable and will take you to the related module. Below this section of the dashboard is a usage summary showing which devices are protected and which ones have been inactive. If a device drops off the map for a while, it could be a cause for concern, so this is good information to have at a glance. If you are using Sophos Email Security, you also get a summary of email threat activity.

To get started quickly, you can hop down to the Protect Devices section. From there, you can click the appropriate download link for your system. Once the agent is installed, which takes only a minute or two, your device is protected. If you are using a mobile device, there is a mobile enrollment wizard on the same page. Adding users is similarly easy under the People section. You can add users one at a time or import them from CSV files.

Screenshot of Sophos Intercept X device manager

Further down on the dashboard is the Alerts panel. This is where all threats are cataloged and displayed as they are discovered. As they are resolved, you can check and mark them off the list. If a particular threat is cited more than once, you can group the instances with a simple toggle switch. If any threat requires manual cleanup or additional activity, you can click into the threat's hyperlink and see what the next steps are. Most of the time, all you'll need is a restart to clear the issue.

The Devices section is also easy to use. To view the details of a specific device, you can click to get a quick summary of the products installed, recent events, current system status, and policies. Security Health under the Status tab is fairly detailed and can give you a quick rundown if anything is amiss, such as out of date software or an active threat. You can also see at a glance which policies apply to that device.


Policy Settings and EDR

If there is a downside to Sophos, it's the overwhelming number of options for policy configuration. The good news is that all the default policies have the essential features included, so there isn't much to do here unless you want to get crafty or you have specific requirements for device or web control. There are seven categories of policies you can add, ranging from Application Control to Web Control, and each has its own unique set of settings to tweak. Each policy can apply to either users or devices, so there is a lot of flexibility.

Screenshot of Sophos Intercept X policy editor

The anti-ransomware features offer a lot to work with. Intercept X brings an excellent combination of deep learning and exploit detection to the table, so it can quickly and easily figure out whether a piece of software is up to mischief. It also employs a feature called CryptoGuard to automatically recover any damaged files and protect against ransomware encryption attempts. Furthermore, the root cause analysis feature can track what happens as a program executes, so whatever it does can be rolled back later, if necessary. Combined with a firewall that knows how to look for various kinds of hostile traffic, Sophos Intercept X is a winner.

Screenshot of Sophos Intercept X threat response view

New to the product is endpoint detection and response (EDR), which takes the form of a Threat Analysis Center. You can clear threats straight from this module, and you can also isolate the affected devices while you figure out where the threat came from. It gives you a helpful summary, including whether business data was involved when the threat took place, and what the root cause was. Using this information, you can concoct strategies to prevent similar attacks in the future. Bitdefender GravityZone Ultra also has built-in EDR capabilities with its Risk Dashboard, but this is one area where Sophos Intercept X does better.

Screenshot of Sophos Intercept X threat and root cause analysis

Root Cause Analysis

Next to automatic response, one of the most useful features Sophos Intercept X has to offer is root cause analysis. It’s one thing to say that your systems are protected, but it’s often more useful to know how and why an attack happened. This can help with not only protecting your systems in the future, but also educating users on what they should or shouldn't do. For instance, if an employee downloads an unsanctioned application that has ransomware hitching a ride, that incident can be brought to light in the next security meeting. Sophos broadly groups these components into three parts: Overview, Artifacts, and Visualize.

Overview describes the threat and gives you the rundown on where it was found and when. Artifacts tells you about the changes that the threat tried to make to the system. Visualize shows you a diagram displaying the path of infection and how the malware tried to interact with the rest of the system. Sophos Intercept X is one of only three products in this roundup to offer this kind of analysis, and we feel it does the best job of presenting the data: it is not only clear, but also very easy to pick up with a minimum of technical fuss.


Detection Performance

As you'd expect from an Editors' Choice winner, when we ran Sophos Intercept X through our endpoint threat detection testing suite, it got top marks. The first test involved its anti-phishing capabilities. No browser plugins are required for this functionality, but we did ensure that HTTPS decryption was enabled for phishing sites that used SSL. We selected ten known phishing pages from PhishTank, a collection of suspected and verified phishing websites. Sophos detected and blocked all ten.

Next, we used Metasploit's AutoPwn 2 feature to launch a browser-based attack against the system using a known vulnerable version of Chrome with the Java 1.7 runtime installed. The attacks launched were designed to allow remote shell access, but none succeeded.

We then simulated executing a standard Meterpreter binary that was tacked onto the end of Windows Calculator. The executable was immediately stopped on launch and removed from the desktop. We also tested a set of Veil 3.0 encoded Meterpreter executables, which included PowerShell, AutoIt, Python, and Ruby variants. All of them were detected, and we were unable to proceed with any further access tests.

Lastly, we tested a set of known malware executables called TheZoo, and attempted to run them with the network connection disabled. Every one of them was quarantined before it had the chance to run, confirming that Sophos's signature-based detection works well. There were no noticeable delays from when the malware was deployed to when it was quarantined.

Third-party testing corroborates these findings. AV-Comparatives shows Sophos as having a 97.8% protection rate in its 2021 real-world protection test. It's worth noting that in 2 of 16 instances, the success of the infection relied on the end user. Again, these are great results that put Sophos on par with players like Bitdefender and Kaspersky Endpoint Security Cloud.


Excellent and Advanced Threat Protection

Sophos Intercept X perfectly blends protection with ease of use and tools for putting businesses into a more proactive posture. The price is right, and it has tools for the experienced security professional without sacrificing the ability of a layperson to install and manage it. It's an excellent choice for any business looking to keep its network protected without spending a lot of time and money to do so. For that reason, it shares the Editors' Choice with Bitdefender GravityZone Ultra and F-Secure Elements.


About Daniel Brame

Daniel Brame, MCSD, is a Solutions Consultant and freelance product reviewer for PCMag.com. He can be reached at [email protected].
