Sophos Intercept X - deep learning against zero-day malware?
Sophos
What advantages does the new deep learning approach offer against zero-day malware? The fight against malware is almost as old as computers themselves. Initially regarded as little more than a harmless prank, malware has grown into a danger for private individuals and companies that should not be underestimated. The appearance of the first dangerous computer viruses provided the impetus for the development of anti-virus software. However, such software only reacts to the symptoms - by the time it acts, the damage to the user has usually already been done.
Classic virus scanners work with signatures. This virtual fingerprint lets the scanner identify a virus unambiguously as such. The advantage is that known threats are detected reliably and quickly. The disadvantage: malware that is already known can evade detection again simply by having its code altered, a so-called "mutation", because the altered file no longer matches the stored fingerprint.
Purely signature-based antivirus solutions are therefore only reactive - preventive protection is not possible. To be effective, signatures must be updated regularly, ideally several times a day. Between updates, the computer is often left unprotected against new threats for up to several hours. In a world where viruses spread globally within minutes, this is unacceptable. Furthermore, signature databases are often several megabytes in size. Depending on the size of the company, distributing them can put a real strain on the corporate network and, in the worst case, requires dedicated servers to cache the updates.
A purely reactive approach is therefore no longer an option today. Malware is becoming ever more sophisticated, making it a reliable tool for espionage and blackmail - in other words, anything but a harmless joke. The antivirus developers' answer: so-called heuristic analysis. Unknown files are examined by an algorithm and their behaviour on the user's computer is observed. Unlike signatures, this method can detect unknown threats, and circumventing detection by altering the malware no longer works, because the altered malware still behaves in the same way. But this approach has disadvantages, too: "false positive" detections, i.e. a harmless file wrongly reported as malware, occur again and again, since some legitimate software behaves at least partially like malware. In such cases, so-called "whitelists" have to be maintained or the manufacturer has to adapt the algorithm.
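The contrast drawn in the two paragraphs above (a signature that a one-byte "mutation" defeats, a behaviour-based heuristic that still catches it but also needs a whitelist to suppress false positives) as an added, self-contained example. This is illustrative code written for this article, not Sophos code; the byte strings, behaviour markers, weights and threshold are all constructed.

```python
import hashlib

# Constructed stand-ins for executable files. The markers inside them
# represent behaviours an analysis engine would observe at run time.
KNOWN_MALWARE = b"MZ..spawn_shell;encrypt_files;delete_backups;beacon_c2"
MUTATED = KNOWN_MALWARE.replace(b"beacon_c2", b"beacon_C2")  # one byte changed
BACKUP_TOOL = b"MZ..spawn_shell;encrypt_files;read_many_files"  # legitimate


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: exact fingerprints of samples already analysed.
SIGNATURES = {sha256(KNOWN_MALWARE): "Ransom.Constructed.A"}


def signature_scan(data: bytes):
    """Reactive check: returns the family name only for a known fingerprint."""
    return SIGNATURES.get(sha256(data))


# Heuristic: weight the behaviours seen; the score, not the byte layout, decides.
BEHAVIOUR_WEIGHTS = {
    b"spawn_shell": 2,
    b"encrypt_files": 3,
    b"delete_backups": 4,
    b"beacon_": 3,  # prefix match, so the mutated C2 marker still counts
}
THRESHOLD = 5

# Whitelist maintained by hand, as the text describes, for known-good tools.
WHITELIST = frozenset({sha256(BACKUP_TOOL)})


def heuristic_scan(data: bytes, whitelist=frozenset()) -> tuple[int, bool]:
    """Returns (behaviour score, flagged). Whitelisted files are never flagged."""
    score = sum(w for marker, w in BEHAVIOUR_WEIGHTS.items() if marker in data)
    if sha256(data) in whitelist:
        return score, False
    return score, score >= THRESHOLD


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_MALWARE), ("mutated", MUTATED),
                         ("backup tool", BACKUP_TOOL)]:
        print(name, "signature:", signature_scan(sample),
              "heuristic:", heuristic_scan(sample, WHITELIST))
```

Running it shows the mutated sample slipping past the signature check while the heuristic still flags it, and the backup tool scoring exactly at the threshold, a false positive until its hash is whitelisted.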
What does Sophos do differently with Intercept X?
Let's get one thing straight from the start: Sophos has not reinvented the wheel. But it has chosen a new approach. To improve heuristic analysis, Sophos uses so-called Deep Learning: neural networks are trained to recognise malware. The disadvantage of Deep Learning is that a huge amount of training material is needed to train the algorithm effectively. Deep Learning is therefore a very costly procedure, but it offers the end user many advantages: the detection rate increases significantly compared to conventional heuristic analysis, and the rate of "false positives" drops considerably. The algorithm, which according to Sophos requires only 20 MB of storage space, is continuously developed further through small, incremental updates and thus does not burden the company network.
Protection against malware that does not depend on signatures, requires only small updates, and detects new threats reliably and quickly: Sophos offers all this with Intercept X. Files can be analysed within milliseconds, even before they can be executed, which provides preventive protection. New malware can be detected without the scanner needing an update. The user only notices this when Intercept X raises an alarm because it has detected a threat.
Sophos has produced a video demonstrating how Intercept X reacts to a threat. In this case the threat is the Petya ransomware, which shook the world last year together with WannaCry.