receives compensation from some of the companies listed on this page. Advertising Disclosure


Sophos Intercept X Advanced with EDR Review

Brian Nadel

By combining artificial intelligence with behavioral analysis and tight exploit protection, Sophos Intercept X Advanced with EDR provides a layered defense that can thwart most malware attacks. Its single-agent approach shows dividends with a lower impact on performance, and the program's policies can be applied to a single computer or your company's entire digital infrastructure. With the ability to peek into any of the business's computers, gray out changes and forensically examine attacks, the Sophos Central management console can keep its software up to date but falls short of providing full patch management.

Sophos Intercept X Advanced with EDR

Sophos Intercept X Advanced with EDR

The Verdict

Its single-agent malware protection may not be perfect, but Sophos Intercept X Advanced with EDR offers a lot for security-minded small businesses. Its mix of traditional and next-generation defenses includes extensive protection against various attacks.

Intercept X Advanced with EDR is not only one of the least expensive security programs around, but it protects against a multitude of exploits and can recover your company's data from a ransomware attack, making it a winner for small businesses on a tight budget.

View all our internet security and antivirus software reviews on our best picks page.   


Behind the scenes, Sophos Intercept X provides effective, though not airtight, protection against a variety of malware attacks while protecting your company's network from infiltration. The defenses are arranged in overlapping layers to catch attack vectors that slip through other defenses.

Overall, it combines traditional viral signature matching of known bad agents with heuristic behavioral monitoring for the early signs of an infection. Anything dangerous is quarantined, but those that are new and could do harm are examined locally with Intercept X's deep-learning AI techniques and sent to Sophos' cloud lab for analysis. The company pushes out several updates a day to stay on top of new threats.

Unlike many of its peers, Intercept X Advanced with EDR doesn't use an isolated sandbox to safely try out potentially dangerous code. This keeps the security software from inordinately slowing system performance.

Your IT administrator can designate policies that can be applied to as few or many employees as you need in an unlimited number of groups. Intercept X can warn you when a USB flash drive is plugged in and block its contact with the rest of the system. For remote logons, the program can use two-factor authentication, but unlike Kaspersky Endpoint Security for Business Advanced, Intercept X can't require that systems use a Trusted Platform Module to enter the company's network.

Intercept X has a variety of specific shields, including real-time scanning of files, data loss protection, network threat protection and malicious behavior detection. Its paramount CryptoGuard Ransomware protection uses behavioral monitoring to look for any malicious encryption of system files. It might let a few files get scrambled, but once it's sure an attack is underway, the system stops it dead in its tracks and, in less than a second, starts rolling those files back to their original state, as if nothing ever happened.

In addition to using an online database to thwart connections with potentially dangerous websites, Intercept X can stop unwanted apps from being installed. It can foil fileless exploits as well by using an array of 25 deep-learning techniques to recognize the attack's attributes and disarm it.

The program doesn't include a firewall to keep outsiders out, but Sophos sells a wide variety of hardware-based firewalls that work well with the Intercept X software family. While Intercept X Advanced with EDR frequently updates itself with the latest threats and fixes, it falls short of a full patch management system to make sure that the operating system and major apps have the latest software.

While it does without a file shredder for getting rid of embarrassing items, Intercept X does shred malware it finds, rendering it harmless. The system can tap into the Windows BitLocker file encryption software to manage it across the company and store its keys. This is an extra-cost option.

As its name states, Intercept X Advanced with EDR has endpoint detection and response (EDR), an essential feature for a forensic examination of an attack. Easy to set up and use, the EDR software presents a flow chart of each portion of the attack, along with details as to how the software infiltrated the company and what damage it did. While the visual approach is excellent and instructive, its results can be exported as a CSV file for importing into Excel.

Intercept X Advanced Specs

Sophos Intercept X Advanced with EDR uses a single agent to perform its range of protective services, from ransomware remediation to malware signature matching. It works on recent PCs and Macs as well as phones and tablets that use iOS (iPhones and iPads) and Androids. In addition, the server version works with Microsoft Azure servers.  

New systems or employees can be set up with the software via the Sophos website or sent an email with a preconfigured link. Downloading and installing the agent took us a little over 16 minutes on an HP EliteBook Folio G1 notebook, putting it on par with Kaspersky Endpoint Security for Business Advanced. All the company's default settings and policies are preloaded, so forget about manually loading license numbers.

As the software installs, a progress bar fills in. When it is running, the administrator can send any suspect file to Sophos for analysis.

Security and Performance

A half-step behind the best when it comes to detecting and eradicating infections, all of Sophos' business software uses the same malware-scanning technology. According to AV-TEST's January-February 2019 survey, it caught and rendered harmless nearly every threat.

To start, the Sophos software caught 99.3% in January's Zero Day tests, slightly below the industry average of 99.7% and well back of Kaspersky's and Bitdefender's 100% scores. However, that was raised to 100% scores on February's Zero Day tests and both months' widespread exploits for Windows 10 systems.

Sophos has an ace up its malware sleeve. It may match the best of the security world in detection, but the Sophos software takes the lead with no annoying false positives (Bitdefender and Kaspersky had two false positives each).

Its single-agent philosophy did moderately slow down a test computer's operations, with a survey of 50 websites loading 20% slower than average. By contrast, it launched a dozen popular programs only 6% slower, half the performance hit of the average, according to the AV-TEST results.

It's easy to set the system to scan for malware, but it is slow at going through the computer's files, taking 47 minutes and 51 seconds to perform a complete scan on our HP EliteBook Folio notebook with Windows 10, a 1.2GHz M7 processor, 8GB of RAM and 250GB of solid-state storage. That's more than double the time it took to scan the same system using Kaspersky Endpoint Security for Business Advanced. Unlike the competition, the software lacks the ability to run a quick scan of a system's most critical and potentially vulnerable files.


The program's status screen is simple and straightforward, and it doesn't get in the way. It takes up about half of an HD desktop and can't be enlarged or run in full screen; you can move it around, though.

Up top are two quickie checkmark icons for system and data protection. If anything needs attention or the system is under attack, they turn to yellow exclamation points or red triangles.

Click the top tab for Events and you get a list of items the software blocked. If this is too much, you can filter the list. To keep curious employees from changing key configuration choices, the Settings section doesn't show up unless the employee has the correct password. It can be retrieved only through the management console. With it, we had in front of us on/off switches for all the major features of the program.

Below this are the program's six main protection categories: malware, controlled items, malicious traffic, web threats, malicious behavior and exploits. Any recent activity shows up, and you can click it to get further information.

The Help link in the lower right takes you to the Sophos support site, while the About link displays the versions of the program and virus definitions. There's a useful diagnostic tool that runs through the program's major functions to make sure everything is working properly.

Since this is a lot of information in your face, the Sophos Central administrative console summarizes everything nicely with a dashboard page. It shows the number of protected systems, servers and email security. At the bottom is a nice Global Security News area that shows headlines of interest.

The left column of choices can be a handful to navigate, with access to Alerts, Logs, Devices, Global Settings and more. Below are add-ons, like server protection and firewall management. At the bottom is access to free trials of the company's software to try out.

Sophos Support and Pricing

Sophos provides full 24-hour online and phone support for Intercept X Advanced with EDR. You can call, send emails or use a chat window to interact with support technicians.

The Sophos Community is invaluable for those who like to solve problems themselves. It has a nice forum for airing concerns and fixing problems. The current software is in beta but worked well and was stable.

Intercept X Advanced with EDR is available from Sophos and various managed service providers (MSPs). The first 10 seats cost $38 each, about half the $75 that Kaspersky charges for Endpoint Security Business Advanced. At 50 or more licenses, the price drops to $31, making it one of the best bargains among small business security programs.

Image Credit: Zephyr18 / Getty Images
Sophos Intercept X Advanced with EDR

Sophos Intercept X Advanced with EDR

The Verdict

Its single-agent malware protection may not be perfect, but Sophos Intercept X Advanced with EDR offers a lot for security-minded small businesses. Its mix of traditional and next-generation defenses includes extensive protection against various attacks.

Brian Nadel Contributing Writer
Brian is a technology writer based north of New York City. He writes stories for, Tom's Guide, ComputerWorld and Scholastic Magazines. He is the former editor-in-chief of Mobile Computing & Communications magazine.