Of the products examined this month, this one had the easiest start-up. It also clearly showed its anti-malware pedigree. One of the things that has plagued us recently is what we consider substandard documentation. When we have difficulty deploying a product under test, we naturally turn to the documentation for guidance. Often that guidance is not forthcoming. First, we had no difficulty deploying in this case, but if we had we would have found the quick-start guide more than adequate.
This is an Attack Phase tool but it has overtones of phase three, Cleanup, in one of the nicest functions we've seen. We tested it with both Locky and Satan RaaS. Prior to attempting to detonate the ransomware samples in a protected environment, we detonated each on in an unprotected virtual machine. We had to play a couple of tricks on Satan to get to ignore that it was in a virtual machine. In each case, encryption of several thousand files took just seconds. We reverted the machines and applied the Sophos tools.
We saw no indication that either sample had detonated successfully. If, however, it had, the tool catches the attempted encryption, saves a copy of the target file and when everything is over and the malware is gone, it restores the saved copy. It's a sort of on-demand backup on a file-by-file basis with the ransomware making the demand by virtue of trying to encrypt the file.
The Intercept X product adds this functionality on top of any vendor's anti-malware product. We have observed Windows Defender responding slowly to certain types of malware, including ransomware in the lab. For many types of malware, that poses no great difficulty, but in a ransomware attack it can be disastrous since within two minutes or less the damage is done. The addition of Intercept X can mitigate that problem.
Additionally, we liked the root cause analysis. This is very graphical but with very good drill-down that gives you a clear view of what happened during an attack. Cleanup of the malware itself is, as one would expect, automatic.
Pricing for this tool is quite reasonable and given that enhanced 24/7 support is included at no extra cost, this is a very good value. In the matter of support, we usually are interested when "enhanced support" is available at no extra cost. In this case, it's the real deal. That said, under most circumstances we can't see a lot of need for support given simple deployment and straightforward operation.
However, there are occasional issues and the support section of the website has a large and vocal community. For example, one user reported that he had tested Intercept X with a simulator from a competitor and it appeared that CryptoGuard - the active tool in Intercept X - didn't stop the simulator. In fact it did, but the simulator reported it wrong. Sophos, of course, reported the fault to the other vendor.
In addition to the community questions, there is a blog, forums, a file download area and a knowledgebase. With all of this functionality readily at hand, calling support should be only rarely necessary.
Documentation is first-rate and, overall, we really liked this product and the results it produces.