Sophos Intercept X Comparison

  • 16 November 2016
  • 13 replies

Userlevel 7
Badge +33
Hey All,
I wanna share my response to a fellow community member and Webroot Ambassador@GryozoK in a post he made in a private area about Sophos Intercept X and it competing with Webroot. This will be a long post but I'll first place his quote first and then below my actual response due to my experience in vetting out all the "Next-Gen" Antivirus/Endpoint Security products and my real world review of it. I thought this would be beneficial to all the community as it dispels some of what Sophos is actually doing with Intercept X.
Here is @GryozoK Post:
Sophos says that InteceptX:
1. is ligth-weight agent
2. no agent daily updates
3. can protect against all 24 of the cpu level exploits
4. detects mass encryption (ransomware)
5. cut off connection to the attacking host
6. remediating any encrypted documents using a local mirror image copy
All these sayings above seems to be similar to what WSA advantages used to be up until now - and actually WSA cannot do 3.,4. and 5. today.
By the way, I was thinking that journaling and rollback was a proprietary Webroot technology, wasn't it?
We still would like to win the prospetcs. Can you help us, what advantages Webroot has today over Sophos InteceptX?
And here is my reply with first hand experience in utilizing all the aspects of the Sophos products:
I've actually just finished a vetting process of Sopho's products for the last month and I can surely address these for you.
1. Is a light weight agent:
- In actual fact it's roughly 9-12 different processes that run (just for Intercept X, Endpoint+InterceptX is more) that use 8-10%CPU and upwards of 300MB+ of memory idle and upwards of 500MB when running a scan or 730MB when doing remediation. Webroot uses roughly 10MB idle and 15 ish when scanning and 0 cpu idle and 25-50% scanning, but can be adjusted through policy.
2. No daily definition updates:
- while that part is true for Intercept X ONLY (Endpoint still requires signatures), the installation literally takes upwards of 15-25 minutes while the installer takes inventory of your system and downloads all the files to begin the installation of all the services and programs required.
3. Can protect against all 24 of the cpu level exploits:
- This is mainly true. Unless they are fileless attacks in memory, they'd ultimately require files/processes to be run which can possibly be picked up by Webroot. (this is an advantage for Sophos here)
4. Detects mass encryption:
- This is also somewhat true. They designed the agent to pick up on usage of cipher.exe, vssadmin.exe etc... and to look for very common repetative tasks such as encrypting large swaths of files. From my experience it's decently effective, but no different than Webroot if something gets past. Either way you're screwed.
5. Cut off connection to the attacking host.
- Again partly true. This can only happen if the Sophos network threat system knows the IP/Domain/Host to be bad. Webroot's outgoing firewall also looks at how processes/files communicate to outside sources and blocks if known bad. To me this is also something that needs to be addressed by whitelisting your internet connection with something like DNSThingy. Then you'll never have to worry about this ever again.
6. Remediating any encrypted documents using local mirror image copy:
- Somewhat an advantage for Sophos but requires more disk space. They rely on a backup image as well as shadow copies.
The disadvantage of both here is that it has to be picked up immediately by the agents in order to be recovered or in Webroot's term "rolled back." If in either case the malware was able to be executed and then as part of it's process, delete's itself etc.. then neither agent is able to know the originating source to follow the chain back and recover stuff.
NEVER consider this to be a silver bullet to a proper Backup Disaster Recovery (BDR) plan.
Journaling and Rollback the way Webroot implements it might be proprietary, but Sophos, SentinelOne both implement something similar. SentinelOne almost strictly relies on rolling things back (and is somwhat effective), rather than stopping at first encounter.
Our MSP is a huge partner with Webroot and even with that, I've gone and tested ALL the other Next Gen solutions out there and still come back to Webroot mostly for it's cost, multi-tennant console (others don't have that), effectivness, great support etc...
There's not one product out there yet that's as fast or light weight as Webroot. Sopho's Intercept X IS NOT lightweight, adds upwards of 8 seconds to boot times, 9-12 processes that take up huge amounts of memory etc.. can be a bitch to remove if you aren't careful in the console due to their Tamper Protection
It's also very important to know that Intercept X IS NOT a full antivirus/malware solution. It's really an add on for their Endpoint service that detects exploits and Ransomware. It relies heavily on their aquistion of HitManPro (which their HitmanPro Alert Service also gets installed to take up more memory) as their remediation engine.
So you can't completely replace an existing AV with just Intercept X as it doesn't cover all the bases. It can run alongside other AV's like Webroot, but if you go to install the Endpoint & Intercept X together it won't install at all and will absolutely force you to remove any and all other security products residing on the system.
I've tested Webroot and Intercept X with 10 different types of malware, 5 of them are Crypto-Ransomware:
- Webroot stopped 4 of the 5 Crypto-Ransomware completely with no need for any remediation as it wouldn't let me run it. The last was a known variant of Nemucod inside a .js file that Webroot doesn't scan script files, but it did pick up the A1.exe and was able to remediate the malware before it took hold. It blocked the rest of the regular mix of malware/PUA's
- Intercept X couldn't block a single regular malware/PUA because it doesn't do that sort of thing and relies on it's Endpoint to do that. I had to manually run the HitmanPro portion to scan and remove, if I hadn't the system would have had junk on it.
- The Intercept X agent was able to block 3 of the 5 Crypto-Ransomware completely with no need for any remediation the same as Webroot. It did however fully allow a variant of Cerber and it was fast acting enough that it deleted itself and there was no chance of remediation. The fourth was also the same variant of Nemucod that Webroot initially allowed, but in this case the agent didn't pick up the A1.exe right away and began to encrypt files. The neat thing was after maybe 50-60 files were encrypted, it finally did pick up the activity and was able to revert the changes. That was neat.
Overall though, you'll still need to have another AV to detect common malware/PUA's as Intercept X is ONLY an addition to their Endpoint offering or an add on to your existing AV from Webroot, Symantec, and what not.
The only thing that really impressed me the most was being able to manage all of the offerings from Sophos from one single console that looks way better, easier to navigate etc... Webroot really needs to get all of their offerings available to businesses under the GSM, especially the mobile, then add backup/sync.. Get rid of Web Security or integrate it into WRSA completely as nobody needs/wants/uses a proxy like that hardly anymore. But stay tuned for more on the GSM.
Lastly I wouldn't recommend Intercept X strictly for the fact that it's NOWHERE NEAR as light as they claim, it's install can literally take upwards of a half hour, and it's detection/remediation is basically comparable to Webroot anyway, and for a lot less price/endpoint.

13 replies

Userlevel 5
Badge +4
I did not see this product comparison when it was first published; I'm glad that it was brought back to our collective attentions. Something of this nature on all of the major products would be great to have as a resource.
Badge +2
Thank you!
Userlevel 4
Badge +6
I agree that we need to have this as a battle sheet against all major competitors. We often get asked 'Why Webroot' and we speak from experience, but they want to see a comparison chart, similar to buying and comparing anything purchased these days.
Userlevel 7
Badge +33
Hey All,

I really appreciate the bouquet thrown my way in regards to my post. I only wanna give real world, in the trenches experiences and findings. I also won't pull punches regardless. If ya don't talk tough and point out flaws then nothing gets done to fix or better develop a solution.

Would you want me to write more comparisons to all the others such as Cylance/SentinelOne/Deep Instinct/Barkly aka Alert Logic now? I don't think I'd have time to write as much detail, but can definitely give points or answer questions on those as well. I have full access to all of those consoles and have done thorough testing with them in real world and lab environments.

Really the update to my post above with regards to Webroot right now currently is that the Web Security Proxy stuff no longer exists and has been replaced with their DNS Protection offering. Webroot still doesn't actively yet (they are working on it), detect/stop/delete/quarantine malicious scripts and macros or detect exploits yet. They also do not have (they need to get working on), any sort of investigation tools showing process tree history of execution etc... And they also still do not show full local or network path to threats found on alerts. This makes remediation more difficult.

But I'd be more than happy to answer any questions you have with the other products compared to Webroot.


John H
Nerds On Site
Userlevel 2
Badge +3
I tried Sophos Intercept X a few months ago and had a very similar experience. The product was not bad, but it is not nearly as "light" as they claim it to be. I also agree that the console was rather nice. I was originally going to purchase the minimum number of licenses because I have 1 client that has software that Webroot does not work well with. They have reached out to Webroot a few times, but they said nothing has ever been done about it. So for that 1 client, I have to use a different security suite. At the end of the day, Intercept X was shiny, but I didn't see it being superior over Webroot.

@jhartnerd123 I'd like to see your thoughts on Cylance. We have a client that uses us, but not our Webroot solution. They have Cylance and they seem pretty happy with it.
Badge +6
I've not used Sophos before, but as others have stated, this kind of in depth comparison for the major competitors is a BIG plus.
Userlevel 4
Badge +4
The most effective approach is to remain open minded and share feedback, resist allowing a feature list to drive strategy, rather determine what's important and shortlist then test.
Userlevel 7
Badge +8
Really useful. Thank you.
Userlevel 7
Badge +63
Hello all just to say this is the Webroot Community so please keep that in mind as this was a 2 1/2 year old subject and discussing other products could go against the Community Guidelines please see here:

Don’t Promote Other Organizations and Causes
The Webroot Community should be used to share information about issues related to Webroot, Webroot products and services, and cybersecurity in general. Please do not attempt to promote a separate organization or cause. Links to third-party security vendors and other vendors not supported by Webroot will be removed. Spam posts (links to malicious sites, phishing attempts, solicitations, etc.) will be removed without notice and the user will be banned.

Thanks and with respects,
Badge +2
This post was posted 2 years ago and I think it still holds up well. Thanks for the info.
Userlevel 7
Badge +48
Thanks for bringing this to our attention @TripleHelix. We appreciate that you’re always looking out for integrity of the community. Thank you.

Upon review, the Community Team feels that this thread provides a comparison of AV products and is more in line of being informational than promotional.

Thank you again for taking the time to write this up @jhartnerd123.
Userlevel 7
Badge +33
My apologies. Never an intended promo piece. I think it was more or less a habit of signing specific things.

Thanks for the heads up.
Userlevel 6
Badge +6
I don't have experience with Sophos, but I agree that having a competitor battle-sheet is a great idea. It would be a very useful sales tool.