EDR (Endpoint Detection & Response)

Uploaded by

nagarjuna

What is EDR?
According to Gartner, Endpoint Detection and Response (EDR) is defined as a
solution that “records and stores endpoint-system-level behaviors, uses various data
analytics techniques to detect suspicious system behavior, provides contextual
information, blocks malicious activity, and provides remediation suggestions to restore
affected systems.”

 Endpoint Detection and Response (EDR) provides tools that allow administrators full
visibility of what is happening across their estate.

Event/Incident Detection and Response
• View event and incident detections
• Determine how to respond to a threat
• Isolate devices on the network

Threat Hunting & IT Operations Hygiene
• Maintain IT security operations and hunt threats
• Compile detailed information from endpoints and servers
• Remotely respond to threats with appropriate actions

Forensic Investigation
• Proactively seek and investigate persistent attacks
• View relevant data associated with a security incident

Provide Remote Support in Real Time
• Instantly check a device to investigate and resolve issues
• Monitor security throughout the network
• Support users remotely
Intercept X with EDR

DETECT
 Live Discover (cross-estate SQL querying for threat hunting and IT security operations hygiene)
 SQL Query Library (pre-written, fully customizable queries)
 Suspicious Events Detection and Prioritization (Threat Indicators)
 Fast Access, On-disk Data Storage (up to 90 days)
 Scheduled Queries

INVESTIGATE
 Threat Cases (Root Cause Analysis)
 Forensic Data Export
 Deep Learning Malware Analysis
 Advanced On-demand SophosLabs Threat Intelligence

REMEDIATE
 Remote Terminal Access (remotely investigate and take action)
 On-demand Endpoint Isolation
 Single-click “Clean and Block”
Endpoint Threats

Threats
Malicious attempt to damage or disrupt a computer network or system.

Threat categories covered in this section: Malware, File-less Attacks, Trojans, Ransomware,
Adware & Spyware, PUAs, DoS & DDoS, Rootkits.
Malware
 Malware is any software intentionally designed to cause damage to a computer, server, client, or computer network.

 When endpoint protection is considered, malicious software programs (malware) are often the primary concern.
Malware includes both known malware and never-seen-before malware. Solutions often struggle to detect the
unknown malware.
File-less Attacks (Memory Attacks)
 File-less malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyber
attack. Unlike traditional malware, file-less malware does not require an attacker to install any code on a target’s system,
making it hard to detect.

 This file-less technique of using native tools to conduct a malicious attack is called “living off the land”.
Trojans
A Trojan horse is a type of malware that downloads onto a computer disguised as a legitimate program. A Trojan
horse is so-called due to its delivery method, which typically sees an attacker use social engineering to hide
malicious code within legitimate software. However, unlike computer viruses or worms, a Trojan does not self-
replicate, so it needs to be installed by a valid user.
How Do Trojans Work?
Unlike computer viruses, a Trojan horse cannot manifest by itself, so it needs a user to download the
server side of the application for it to work. This means the executable (.exe) file must be run and
the program installed for the Trojan to attack a device’s system.

A Trojan virus spreads through legitimate-looking emails and files attached to emails, which are
spammed to reach the inboxes of as many people as possible. When the email is opened and the
malicious attachment is downloaded, the Trojan server will install and automatically run every time
the infected device is turned on.
Ransomware
 Ransomware is a type of malware attack in which the attacker locks and encrypts the victim’s data and then
demands a payment to unlock and decrypt the data.

 The two primary types of ransomware are file encryptors and disk encryptors (wipers). File encryptors are the most
common; they encrypt the victim’s files and hold them for ransom. Disk encryptors lock up the victim's entire hard
drive, not just the files, or wipe it completely.
Examples: WannaCry, NotPetya and Petya, Ryuk.
Adware , Spyware & PUAs
 By “adware” we mean any software that is designed to track data about your browsing habits and, based on that,
show you advertisements and pop-ups. Adware collects data with your consent — and is even a legitimate source
of income for companies that allow users to try their software for free, but with advertisements showing while
using the software.

 Spyware works similarly to adware, but is installed on your computer without your knowledge. It can contain
keyloggers that record personal information including email addresses, passwords, even credit card numbers,
making it dangerous because of the high risk of identity theft.

 Potentially unwanted applications (PUA): PUAs are applications that are not technically malware, but are
likely not something you want running on your machine, such as adware. PUA detection has become
increasingly important with the rise of cryptomining programs used in cryptojacking attacks.
DoS & DDoS
 A denial-of-service (DoS) attack is a security threat that occurs
when an attacker makes it impossible for legitimate users to
access computer systems, network, services or other information
technology (IT) resources. Attackers in these types of attacks
typically flood web servers, systems or networks with traffic that
overwhelms the victim's resources and makes it difficult or
impossible for anyone else to access them.

 A DDoS attack is similar to a DoS attack, except that while a DoS attack uses one computer or network to spawn
an attack, a DDoS attack uses multiple. DDoS attacks are launched from multiple systems, while DoS (denial-of-
service) attacks originate from just one system. DDoS attacks are faster and harder to block than DoS attacks;
DoS attacks are easier to block because there is only one attacking machine to identify.
Rootkits
 A rootkit is malicious computer software hidden deep inside a PC that remains undetectable.
Although rootkits on their own may not be harmful, they hide worms, bots and malware. Using such software,
attackers can obtain ‘root’ access to the user’s computer. Hence, rootkits are considered extremely dangerous for
users’ privacy, and PC users need anti-rootkit software.
Endpoint Security Techniques
Modern Techniques vs. Traditional Techniques
 Anti-Virus solutions have been around for a while and are proven to be very effective against known threats.
There are a variety of foundational techniques that traditional endpoint protection solutions have relied on.
However, as the threat landscape has shifted, unknown threats, such as malware that has never been seen
before, have become more and more common.
Foundational Capabilities
 Anti-malware/antivirus: Signature-based detection of known malware. Malware engines should have the ability to
inspect not just executables but also other code such as malicious JavaScript found on websites.

 Application lockdown: Preventing malicious behaviors of applications, like a weaponized Office document that
installs another application and runs it.

 Behavioral monitoring/Host Intrusion Prevention Systems (HIPS): This foundational technology protects computers
from unidentified viruses and suspicious behavior. It should include both pre-execution and runtime behavior analysis.

 Web protection: URL lookup and blocking of known malicious websites. Blocked sites should include those
that may run JavaScript to perform cryptomining, and sites that harvest user authentication
credentials and other sensitive data.

 Web control: Endpoint web filtering allows administrators to define which file types a user can download
from the internet.

 Data loss prevention (DLP): If an adversary is able to go unnoticed, DLP capabilities would be able to detect and
prevent the last stage of some attacks, when the attacker is attempting to exfiltrate data. This is
achieved by monitoring a variety of sensitive data types.
Modern Capabilities
 Machine learning: There are multiple types of machine learning methods, including deep learning neural
networks, random forest, Bayesian, and clustering. Regardless of the methodology,
machine learning malware detection engines should be built to detect both known and
unknown malware without relying on signatures. The advantage of machine learning is
that it can detect malware that has never been seen before, ideally increasing the overall
malware detection rate. Organizations should evaluate the detection rate, the false
positive rate, and the performance impact of machine learning-based solutions.

 Anti-exploit: Anti-exploit technology is designed to deny attackers by preventing the tools and
techniques they rely on in the attack chain. For example, exploits like EternalBlue and
DoublePulsar were used to execute the NotPetya and WannaCry ransomware. Anti-exploit
technology stops the relatively small collection of techniques used to spread malware and
conduct attacks, warding off many zero-day attacks without having seen them previously.

 Ransomware-specific: Some solutions contain techniques specifically designed to prevent the malicious
encryption of data by ransomware. Often ransomware-specific techniques will also
remediate any impacted files. Ransomware solutions should not only stop file
ransomware, but also disk ransomware used in destructive wiper attacks that tamper
with the master boot record.
Modern Capabilities (cont’d)
 Credential theft protection: Technology designed to prevent the theft of authentication passwords and hash
information from memory, registry, and off the hard disk.

 Process protection (privilege escalation): Protection built to determine when a process has a privileged
authentication token inserted into it to elevate privileges as part of an active adversary attack. This should be
effective regardless of what vulnerability, known or unknown, was used to steal the
authentication token in the first place.

 Process protection (code cave): Prevents use of techniques such as code cave and AtomBombing often used by
adversaries looking to take advantage of the presence of legitimate applications.
Adversaries can abuse these calls to get another process to execute their code.

 Endpoint detection and response (EDR): EDR solutions should be able to provide detailed information when
hunting down evasive threats, keeping IT security operations hygiene in excellent health and analyzing
detected incidents. It is important to match the size and skillset of your team with the
complexity and ease of use of the tool being considered. For example, selecting a
solution that provides detailed threat intelligence and guidance, making it quick and
easy to respond to a threat.
Modern Capabilities (cont’d)
 Incident response/Synchronized Security: Endpoint tools should at a minimum provide insight into what has
occurred to help avoid future incidents. Ideally, they would automatically respond to incidents, without a need for
analyst intervention, to stop threats from spreading or causing more damage. It is
important that incident response tools communicate with other endpoint security tools as
well as network security tools.

 Managed Threat Response (MTR): MTR delivers 24/7 threat hunting, detection and response delivered by a team
of experts as a fully managed service. Analysts should be able to respond to potential threats, look
for indicators of compromise and provide detailed analysis on events that took place,
where, when, how and why.

The ”power of the plus”: combining multiple techniques for comprehensive endpoint security.
SOPHOS Central Endpoint & Server Protection

History
 Sophos Group plc is a British security software and hardware company.
Sophos develops products for communication endpoint, encryption,
network security, email security, mobile security and unified threat
management.

 Sophos was founded by Jan Hruska and Peter Lammer and began
producing its first antivirus and encryption products in 1985.

Sophos Endpoint Protection makes it simple to secure your Windows, Mac and
Linux systems against malware and other endpoint threats.

Highlights
 Proven protection including anti-malware, HIPS and malicious traffic detection
 Web, application, device and data control for comprehensive policy enforcement
 Web filtering enforced on the endpoint whether users are on or off the corporate
network.
 Forensic-level system cleanup
 Choose cloud-based Sophos Central to manage your deployment
 Automatically respond to incidents by synchronizing security between your
endpoints and your firewall
Sophos in Gartner

Product Matrix
 Central Endpoint Protection
 Intercept X:
o Intercept X Advanced (Endpoints)
o Intercept X Advanced with EDR (Endpoints)
o Intercept X Advanced for Server
o Intercept X Advanced for Server with EDR
Sophos Central

 Sophos Central is a unified cloud-based console for managing your
Sophos Central products. It leverages synchronized security to
simplify threat investigation and remediation which minimizes the
threat impact on your estate.

Sophos Central Endpoint Protection


Sophos Endpoint Protection makes it simple to secure your Windows, Mac and
Linux systems against malware and other endpoint threats. Sophos endpoint
protection integrates proven technology like malicious traffic detection with real-
time threat intelligence from SophosLabs to help you prevent, detect and
remediate threats with ease. Web, application, and peripheral access policies can
follow your users anywhere they go. And, your firewall and endpoints can share a
security heartbeat.

Innovative protection
Complete control
Lightning performance
Sophisticated simplicity
Flexible licensing and deployment
Intercept X Advanced, Intercept X Advanced with EDR and Intercept X
Advanced with MTR

Sophos Intercept X is the world’s best endpoint protection. It stops the latest
cybersecurity threats with a combination of deep learning AI, anti-ransomware
capabilities, exploit prevention and other techniques.

Stop Unknown Threats


Block Ransomware
Prevent Exploits
Layered Defenses
Synchronized Security
Endpoint Detection and Response (EDR)
Straightforward Management
Managed Threat Response (MTR)

Intercept X Advanced for Server, Intercept X Advanced for Server with EDR
Secure your cloud, on-premises and virtual servers from never-seen-before malware,
ransomware and fileless attacks and get unparalleled visibility across your entire estate
with EDR that streamlines threat hunting and IT operations tasks.
 Stop the Latest Threats
 Get Unparalleled Visibility
 Take Control of Your Servers
 Simplify Management and Deployment
 Secure Your Entire Estate
 Managed Threat Response (MTR)
Sophos Endpoint Protection Features
Sophos Server Protection Features
Sophos Central Endpoint & Server Protection Licensing

Product: Type, Unit
Central Intercept X Advanced for Server with EDR: Subscription, per Server
Central Intercept X Advanced for Server: Subscription, per Server
Central Server Protection: Subscription, per Server
Central Intercept X Advanced with EDR: Subscription, per User
Central Intercept X Advanced: Subscription, per User
Central Endpoint Intercept X: Subscription, per User
Central Endpoint Protection: Subscription, per User

• Most customers will be licensed per user.
• Note that some customers are entitled to license per device, as described in the
section titled General exception for Education, Health and Government Entities.
 To clarify, if you’re shown as overusing your license, it won’t prevent additional
installations and won’t affect the policy settings in effect.
 A device offline for more than 30 days will not use any license.
 A user with two devices, one using Endpoint Protection only and one running
both Endpoint Protection and Intercept X, will use 1 license of Endpoint
Protection (not two licenses despite having two devices) and one license of
Intercept X.
 A device cannot be associated with multiple users at the same time.
(When an administrator logs into a computer to install Sophos, the computer will initially be associated with the
administrator and contribute to his or her license usage. Once the installation is finished and the same administrator
logs out, the computer and its license will then be associated with the next user that will log in. In Sophos Central, only
one device will appear and one license used. Two users will be listed, one for the administrator and one for the next
user that logged in).
 If a user logs into two computers using the same login credentials (e.g., domain
login), there will be one user shown in Sophos Central and two associated
devices.
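A worked model of the per-user license-counting rules above, as an added example (not Sophos code and not the logic of the Sophos Central licensing tool); the inventory, user names and dates are constructed for the illustration:

```python
from dataclasses import dataclass
from datetime import date, timedelta

OFFLINE_GRACE_DAYS = 30  # a device offline for more than 30 days uses no license


@dataclass
class Device:
    name: str
    user: str              # the single user currently associated with the device
    products: frozenset    # licensed products installed, e.g. {"Endpoint Protection"}
    last_seen: date        # last check-in with Sophos Central (constructed value)


def record_login(devices, device_name, user):
    """Re-associate a device with the user who logged in most recently.

    Models the install scenario from the text: the device first belongs to the
    administrator who installed the agent, then to the next user who logs in.
    A device is never associated with two users at the same time.
    """
    for d in devices:
        if d.name == device_name:
            d.user = user
            return d
    raise KeyError(device_name)


def license_usage(devices, today):
    """Per-user license usage, applying the rules stated in the text.

    Returns {product: licenses consumed}. A user consumes one license per
    product no matter how many of their devices run it, and devices not seen
    for more than OFFLINE_GRACE_DAYS are ignored.
    """
    products_by_user = {}
    for d in devices:
        if (today - d.last_seen).days > OFFLINE_GRACE_DAYS:
            continue                      # offline > 30 days: no license used
        products_by_user.setdefault(d.user, set()).update(d.products)
    usage = {}
    for products in products_by_user.values():
        for p in products:
            usage[p] = usage.get(p, 0) + 1
    return usage


# Constructed inventory; names and dates are made up for the example.
TODAY = date(2021, 6, 1)
EP, IX = "Endpoint Protection", "Intercept X"
INVENTORY = [
    # alice: two devices, one EP only, one EP + Intercept X -> 1 EP + 1 IX license
    Device("alice-laptop", "alice", frozenset({EP}), TODAY),
    Device("alice-desktop", "alice", frozenset({EP, IX}), TODAY - timedelta(days=3)),
    # bob: same domain login on two computers -> one user, two devices, 1 EP + 1 IX
    Device("bob-pc1", "bob", frozenset({EP, IX}), TODAY),
    Device("bob-pc2", "bob", frozenset({EP, IX}), TODAY - timedelta(days=10)),
    # carol: device offline for 45 days -> uses no license at all
    Device("carol-old", "carol", frozenset({EP, IX}), TODAY - timedelta(days=45)),
    # ws-01: installed by "admin"; counted against admin until dave logs in
    Device("ws-01", "admin", frozenset({EP}), TODAY),
]

if __name__ == "__main__":
    print("after install:", license_usage(INVENTORY, TODAY))
    record_login(INVENTORY, "ws-01", "dave")
    print("after dave logs in:", license_usage(INVENTORY, TODAY))
```

The totals do not change when dave replaces admin on ws-01, which is the point of the rule: the device and its single license simply move to the next user who logs in.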
Sophos Central Endpoint System Requirements

Windows Endpoint System Requirements

Platforms supported: Windows 7, 8, 8.1 and 10

Endpoint Protection: Disk space: 2 GB free; RAM: 2 GB; Cores: 2
Intercept X: Disk space: 2 GB free; RAM: 2 GB; Cores: 2
Intercept X Advanced: Disk space: 4 GB free; RAM: 4 GB; Cores: 2
Intercept X Advanced with EDR: Disk space: 8 GB free; RAM: 4 GB; Cores: 2
Intercept X Advanced with EDR and MTR: Disk space: 8 GB free; RAM: 4 GB; Cores: 2

Intercept X system resource usage

Hard disk space varies based on what Cryptoguard is doing with regards to file cache for
potential rollback. This fluctuates as we copy then release files that are being interacted with by
processes prior to conviction/exoneration.

CPU utilization

< 0.1%: When deployed and protecting a lightly used computer and recording activity for future Threat Case generation.
< 2%: When actively monitoring a suspect activity like installing new software, evaluating a process for ransom
conviction/exoneration, and recording activity for Threat Case.
Up to 1%: Utilization immediately after detection as Threat Case data collection runs and cleanup is actively removing the
components of the attack.

Memory utilization

150-200 MB: Most of this is the Sophos Data Recorder (100MB) that is collecting activity events for use when a Threat Case
report is required.

Notes: (on behavior when malware has been convicted and remediation is underway):

 The Threat Case generation will often coincide with Sophos Clean; thus, more resources
will be used in these scenarios. Disk, CPU, and memory will all temporarily spike.
 The Threat Case generation can consume up to 1 full core during this generation phase; on
a typical laptop with 4 cores, that is up to 25% of CPU.
Mac System Requirements
Platforms supported: macOS 10.14, 10.15, 11 on Intel-based Macs (64-bit); macOS 11 (Rosetta 2 emulation) on Arm-based Macs (M1)

Endpoint Protection: Disk space: 2 GB free; RAM: 2 GB
Intercept X Advanced (MTR included): Disk space: 2 GB free; RAM: 2 GB

Windows Server System Requirements

Platforms supported: Windows Server 2008 R2, SBS 2011, 2012, 2012 R2, 2016 and 2019

Server Protection: Disk space: 5 GB free; RAM: 4 GB; Cores: 2
Intercept X Advanced for Server: Disk space: 8 GB free; RAM: 8 GB; Cores: 2
Intercept X Advanced for Server with EDR: Disk space: 10 GB free; RAM: 8 GB; Cores: 2


Sophos Anti-Virus for Linux: System requirements


Sophos Anti-Virus for Linux 10

Sophos Anti-Virus for Linux 10 offers additional capabilities which include Malicious
Traffic Detection and Sophos Security Heartbeat™ (applies to Central Server Protection
license).

Here is the list of the recommended system requirements:

 Supported distributions (latest minor point or LTS version):


o Amazon Linux, Amazon Linux 2
o CentOS 7/8
o Debian 9, 10
o Oracle Linux 6/7/8
o Red Hat Enterprise Linux 7/8
o SUSE 12/15
o Ubuntu 16/18 LTS
 System type: x86_64
 Library version: GNU C Library (Glibc) 2.11+
 Kernel version: Kernel 2.6.32+
 Free disk space: 1 GB
 Free Memory: 1 GB
 Stack sizes: Non-default stack sizes are not supported.
 Language version: English and Japanese (EUC and UTF-8). Shift JIS and JIS are
not supported.
 For Docker containers, SAV for Linux cannot guarantee 100% on-access
coverage of files within containers, so container scanning is not supported.
 RHEL and CentOS 6.x are no longer supported (since 1st December 2020).
Sophos Central Managed Endpoint components and services
Components
The following components are located on Sophos Central managed endpoints.

Component: Description
Sophos Anti-Virus: Scans files for viruses, suspicious files and behaviors, spyware, adware, and unauthorized software.
Sophos Anti-Virus provides all the detection, disinfection, and reporting features on the workstations.
Sophos AutoUpdate: Keeps endpoint components (including malware IDEntity files) up to date, including itself, whenever
there are newer versions available. Will also download when the local AutoUpdate cache is incomplete or when the
catalog in the share has changed.
Sophos Management Communications System (MCS): MCS on endpoint computers receives messages from the Sophos Cloud
and routes them to other components for implementing. It also sends messages back to the server regarding the health
and configuration of the endpoint installation (Sophos Cloud and UTM Endpoint).
Sophos Endpoint Firewall: You can monitor and configure Windows Firewall (and monitor other registered firewalls) on your
computers and servers using a Windows Firewall policy.
Sophos Network Threat Protection: Intercepts outgoing network traffic and then makes use of Sophos System Protection to
determine the reputation of the destination. Forwards the results to the HIPS system to determine any follow-on actions.
Sophos Endpoint Defense (SED): This feature is focused on preventing undesired actions by administrators, for example
stopping services and killing processes.
Sophos Clean: Cleanup of threats detected by Intercept X and Exploit Prevention. Also cleans threats for PE files.
Sophos HitmanPro Alert: Advanced threat protection. Includes Ransomware protection (Cryptoguard).
Sophos File Scanner: Used to scan files for reputation, deep learning, and Application ID.
Sophos Health Service: Monitors the status of all existing Sophos services.
Sophos Endpoint UI: Sophos user interface.
Sophos Self Help Tool: A tool to find, troubleshoot and resolve issues with Windows endpoints and servers using the Sophos
Endpoint Agent.
Sophos Live Query: Allows administrators to gain visibility into their environment and get immediate answers to any pressing
question. It allows direct access to a device to understand its current running state and historic activity.
Sophos Live Response: Allows administrators to remotely connect to devices and get access to the command-line interface
in order to perform further investigation or take actions.
Sophos Managed Threat Response: Used by the Managed Threat Response service for threat hunting and monitoring for
suspicious activity.
Sophos AMSI Protection: The Sophos Antimalware Scan Interface (AMSI) Protection integrates into applications for Windows 10,
Windows Server 2016 and Windows Server 2019 and allows for the most common malware scanning and
protection techniques.
Services
The following services run on the Sophos Central managed endpoints.

Service name (process): Description

Sophos Anti-Virus Service (SAVService.exe): This service starts and runs anti-virus software components, including the
on-access scanner. Dependencies: RPC service.
Sophos Anti-Virus Status Reporter (SAVAdminService.exe): Where available it reports to the Windows Security Center (WSC)
providing information about Sophos Anti-Virus. On computers without the WSC, the service runs but does nothing.
Sophos AutoUpdate Service (ALSvc.exe): Monitors a distribution folder (share) and updates endpoint components
(including malware IDEntity files) whenever there are newer versions available. Will also download when the local
AutoUpdate cache is incomplete or when the catalog in the share has changed.
Sophos Clean (SophosClean.exe): Cleans up malware detected by Intercept X (HMPA), Exploit Prevention, and PE files.
Sophos Device Control Service (Sdcservice.exe): Performs device control functions such as detecting and blocking
unauthorized USB devices attached to the computer. Dependencies: RPC service.
Sophos Device Encryption Service (Sophos.Encryption.BitLockerService.exe): Manages BitLocker disk encryption.
Sophos Endpoint Defense Service (SEDService.exe): Prevents undesired actions to Sophos components, which is explained
further in KBA 123654.
Sophos File Scanner Service (SophosFS.exe): Used to scan files for reputation, deep learning, and Application ID.
Sophos Live Query (SophosLiveQueryService.exe): Used to manage and perform live query actions on the device.
Sophos Health Service (SophosHealth.exe): Determines the health status of the endpoint.
Sophos MCS Agent (mcsagent.exe): Management Communications Agent.
Sophos MCS Client (mcsclient.exe): Management Communications Client.
Sophos Network Threat Protection (SntpService.exe): Intercepts outgoing network traffic and then makes use of Sophos System
Protection to determine the reputation of the destination. Forwards the results to the HIPS system to determine any
follow-on actions.
Sophos SafeStore (SophosSafestore64.exe): Allows customers and Sophos to release items from the SafeStore, which
will move the items back to their original locations, basically reverting them to a state before removal. This is the
primary remediation agent for Machine Learning and Exploit prevention detections.
Sophos System Protection Service (SSPService.exe): Gathers and records information from other Sophos components on the
system and can look up information from Sophos cloud services. The information gathered from multiple sources is used
intelligently to improve the detection of malicious files, processes, and traffic.
Sophos Web Control Service (Swc_service.exe): Manages Web Control policies. Dependencies: RPC service.
Sophos Web Intelligence Service (Swi_service.exe): Protects against threats from malicious websites.
Sophos Web Filter (swi_filter.exe): Ensures web usage is safe and consistent with policy (Windows 8+/2012+ only).
HitmanPro.Alert service (hmpalert.exe): Exploit mitigation and web browser intrusion detection, real-time and
behavior-based.
Sophos Managed Threat Response (SophosMTR.exe): Threat hunting and monitoring for suspicious activity.
Users, Groups & Roles

Users (People)

 Adding Users
People are a key element of management in Sophos Central. Users can have policies
assigned to them, be associated with endpoints and be assigned administrative roles to
manage Sophos Central.

Users can be created in the following five ways:


• They can be created manually
• Imported using a CSV file
• Synchronized from a Directory Service (either Active Directory or Azure Active Directory)
• Created automatically during an endpoint installation
• Created automatically when a user logs into a managed endpoint

User Groups
 People groups provide a way of applying policies to users with the same requirements and
can be manually created in Sophos Central as well as being synchronized from an Active
Directory.
 A user can be a member of multiple groups and you can filter the ‘People Groups’ list to
show all groups, show your Sophos Central-managed groups or show your Active Directory
groups.
 To add a new user group, navigate to People > Groups > Add Group

Role Management

 When a user is manually created, by default they are given the role of ‘User’. This role can
be changed. Sophos Central supports role-based access control which is managed using
role management. This allows users to be given administrative rights by assigning them a
pre-defined role.
To view the pre-defined roles, navigate to Global Settings > Role Management.
 Administration roles allow you to specify the responsibility level and security access of your
users.
 The pre-defined roles cannot be edited or deleted.
 Super Admin
 The Super Admin role has access to everything in Sophos Central.
 Only those assigned the Super Admin role can manage user roles.
 The account you use to register for a Sophos Central account is automatically
assigned the Super Admin role.

 Admin
 The Admin role has access to almost everything in Sophos Central, apart
from the ability to manage roles and role assignments.
 HelpDesk
 Partial access
 Can view sensitive logs and reports
 Receives alerts and can clear them.
 Can update Sophos Agent software
 Can scan endpoints
 Read only Access to settings

 Read Only
 Read only access
 Can view sensitive logs and reports
 Receives alerts
They are unable to assign policies, change settings, clear alerts, or update the Sophos Agent
software on endpoints.
