Sophos HIPS: protecting against zero-day threats
Effective protection fine-tuned by SophosLabs for you
SophosLabs™ develops the pioneering technology built into our products.
Our HIPS technology uses 4 layers of integrated detection to stop zero-day threats, without the need for complex configuration.

Layers of detection
HIPS detection in 4 layers
Our threat detection engine analyzes the behavior of code before it executes and prevents it from running if it is considered to be suspicious or malicious. It also uses runtime detection to intercept threats.
Pre-execution detection
- 1. Behavioral Genotype® Protection: Tuned to detect variants, families (like the Storm worm) and large categories of malware (like encrypted malware), Genotype Protection guards against unknown malware by analyzing behavior before code executes. It uses pre-execution scanning to determine the functionality of the code, and the behavior it is likely to exhibit, all without allowing the code to run. Our threat detection engine detects zero-day threats without the need for signature updates or separate HIPS software.
- 2. Suspicious file detection: Where Behavioral Genotype Protection is tuned to detect only malicious files, suspicious file detection identifies files that are highly likely to be malicious, again by determining what the behavior of a file would be if it were run. This detection provides the benefits of a traditional runtime behavior-based system without impacting system performance and without the inherent security issue of allowing a file to run before detection takes place.
Runtime detection
- 3. Suspicious behavior detection: This layer of detection watches all system processes for signs of active malware, such as suspicious writes to the registry or file copy actions. It can be set to warn the administrator and/or block the process. Unlike other behavior-based detection systems, there is no need for the administrator to train or fine-tune the analysis, as SophosLabs experts do the fine-tuning.
- 4. Buffer overflow detection: A buffer overflow attack is reported when an attempt is made to exploit a running process using buffer overflow techniques. This detection system will catch attacks targeting security vulnerabilities in both operating system software and applications.
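The runtime suspicious-behavior layer described in item 3, modeled as an added Python example (not Sophos code): a small rule engine run over a constructed process-event stream, with a per-rule warn-or-block action and escalation to block when one process repeatedly triggers warn rules. The rule names, event types and target paths are assumptions for illustration, not Sophos identities.

```python
# Added example, not Sophos code: a minimal model of runtime suspicious
# behavior detection. Events are (pid, event_type, target) tuples.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    event: str   # event type the rule applies to
    match: str   # case-insensitive substring of the event target
    action: str  # "warn" or "block" (the administrator-selectable setting)

# Hypothetical rule set standing in for lab-tuned rules: registry autorun
# writes and self-copies into persistence locations.
RULES = [
    Rule("autorun-registry-write", "regwrite", r"\currentversion\run", "block"),
    Rule("system-dir-file-copy", "filecopy", r"\windows\system32", "warn"),
    Rule("startup-folder-copy", "filecopy", r"\startup", "warn"),
]

@dataclass
class Verdict:
    blocked: set = field(default_factory=set)   # pids that were stopped
    alerts: list = field(default_factory=list)  # (pid, rule name, action)

def evaluate(events, rules=RULES, warn_threshold=2):
    """Apply the rules in order to each event; a 'block' rule stops the
    process at once, and repeated 'warn' hits on the same process escalate
    to a block once warn_threshold is reached. Events from a blocked
    process are ignored, as it no longer runs."""
    v, warns = Verdict(), {}
    for pid, etype, target in events:
        if pid in v.blocked:
            continue
        for r in rules:
            if r.event == etype and r.match in target.lower():
                v.alerts.append((pid, r.name, r.action))
                if r.action == "block":
                    v.blocked.add(pid)
                else:
                    warns[pid] = warns.get(pid, 0) + 1
                    if warns[pid] >= warn_threshold:
                        v.blocked.add(pid)
                break  # first matching rule decides
    return v

# Constructed sample stream: pid 1 is a benign install, pid 2 copies itself
# into two persistence locations, pid 3 writes an autorun key then copies.
SAMPLE_EVENTS = [
    (1, "filecopy", r"C:\Program Files\Editor\editor.exe"),
    (2, "filecopy", r"C:\Windows\System32\svhost.exe"),
    (2, "filecopy", r"C:\Users\u\Start Menu\Programs\Startup\svhost.exe"),
    (3, "regwrite", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    (3, "filecopy", r"C:\Windows\System32\upd.exe"),  # skipped: pid 3 blocked
]
```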
Storm worm stopped
Mark Harris, Global Director of SophosLabs, demonstrates the power of Sophos HIPS in stopping the Storm worm, detailing how a single Sophos HIPS identity detected nearly 5000 unique variants.
Behavioral Genotype protection
Behavioral Genotype Protection is built into all our email, web and endpoint products.
Award-winning detection
The expertise at SophosLabs has been recognized by independent testing organizations. Recognized bodies such as ICSA Labs, West Coast Labs, and Virus Bulletin have all certified Sophos.
Safer computing practices
SophosLabs is committed not only to providing swift global responses to the latest threats, but also to education on safer computing practices to guard against malware.
Technical papers
Lab experts have written and presented a range of papers for system administrators and security specialists.
