Forum Discussion

Austin Ewachiw
Copper Contributor
Mar 08, 2023

We have some Sophos Endpoints, what would happen if I enrolled them into the MS Defender cloud?

We have a small percentage of high value users that we upgraded standard endpoint to Sophos Endpoint with Intercept X. For the remainder of the devices, I have begun enrolling them into MS 365 Defender. The visibility I now get for the Defender clients is excellent. What would happen if I extended the enrollment script for 365 Defender to those devices? Would Sophos disable Defender anti virus (tampering has been turned on) for those clients?

Thanks for any thoughts on this.

  • Groove200
    Brass Contributor
    It would work fine, Defender would show as being in EDR Block Mode, Sophos would still be the active AV.
    To switch tamper off on Sophos, uninstall and then Defender (after reboot) would become the active AV.
    We're mid migrating all devices off of Sophos so are familiar with how it works. If Sophos is active AV, you still get most of the rich info from Defender, and a little bit of extended protection from EDR block mode (which is a post infection detection defence, as opposed to the proactive that the AV is providing).
    • Jonhed
      Steel Contributor

      If Sophos is just AV, it will work fine as others have mentioned.
      MDE does not support environments with other EDR software installed (or so I was told by support in the past), so you should check if Intercept X includes EDR functionality though.

      I do not have any experience with Sophos, but looking at the link below it looks like EDR might be included.
      https://www.sophos.com/en-us/products/endpoint-antivirus

  • DanJenkin
    Copper Contributor

    Sorry I don't have an answer but I am also interested to know whether we can have the advantages of device visibility in MS 365 Defender alongside a Sophos endpoint installation.
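
To confirm which of the states described in this thread a device is actually in after onboarding, the following PowerShell is an added example (not code from any poster, Microsoft or Sophos). It assumes the Defender PowerShell module is present on the device; the function names are hypothetical and the assessment wording is this example's own summary.

```powershell
# Added example: report how Defender Antivirus and a third-party AV coexist on this device.
# Function names are hypothetical; run locally on the endpoint being checked.

function Get-ModeAssessment {
    param([string]$RunningMode, [string]$SenseStatus)

    # Without the MDE sensor service, nothing is reported to the Defender portal.
    if ($SenseStatus -ne 'Running') {
        return 'MDE sensor (Sense) is not running: device is not reporting to Defender for Endpoint.'
    }
    switch ($RunningMode) {
        'Normal'         { 'Defender Antivirus is the active AV.' }
        'Passive Mode'   { 'Another product is the active AV; Defender scans and reports but does not remediate.' }
        'EDR Block Mode' { 'Another product is the active AV; Defender remediates post-breach EDR detections.' }
        default          { "Unexpected running mode '$RunningMode'; check the Defender Antivirus service." }
    }
}

function Get-DefenderCoexistenceState {
    $mp    = Get-MpComputerStatus
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # root/SecurityCenter2 exists on Windows client editions only; on Server this returns nothing.
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue

    $senseStatus = if ($sense) { [string]$sense.Status } else { 'NotInstalled' }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        DefenderRunningMode   = $mp.AMRunningMode
        RealTimeProtection    = $mp.RealTimeProtectionEnabled
        DefenderTamperProtect = $mp.IsTamperProtected
        SenseService          = $senseStatus
        RegisteredAV          = ($av.displayName | Sort-Object -Unique) -join ', '
        Assessment            = Get-ModeAssessment -RunningMode $mp.AMRunningMode -SenseStatus $senseStatus
    }
}

Get-DefenderCoexistenceState | Format-List
```

Run it once before and once after the reboot that follows a Sophos uninstall to see the running mode change.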
