How Cohesity Sophos integration detects zero day threats in backups


Backups are no longer a passive insurance policy. In most ransomware incidents, the fastest path back to operations is a restore, and attackers know it. They try to poison backups, hide dormant tooling inside snapshots, or rely on fileless tradecraft that never looks like a classic executable.

Cohesity’s threat protection approach treats backup data as an active security surface. In Cohesity Data Cloud, Sophos powered malware scanning is positioned as an inspection engine for backup content, using a mix of signature based detection, heuristic analysis, and file emulation to uncover threats that traditional metadata checks miss. (cohesity.com)

This article breaks down what that means in practice, when you should scan, how incremental scanning reduces overhead, and how to operationalise results so restore decisions are faster and safer.

Why zero-day threats show up in backups

A backup set can contain malicious artefacts even when production controls look healthy. Common scenarios include:

  • A compromised endpoint drops tooling into user shares that are routinely backed up
  • A threat actor plants a backdoor and waits, expecting it to be restored later
  • A security team contains the incident, but cannot quickly prove which restore point is clean
  • A fileless technique runs in memory, but leaves secondary artefacts such as scripts, loaders, scheduled tasks, or staged payloads on disk

The practical risk is not only data loss. It is reinfection during recovery. If you restore a clean operating system but bring back a contaminated file share snapshot, you have rebuilt the attacker’s foothold.

Cohesity’s threat protection messaging explicitly frames this: regular scans help find latent malware in snapshots before it detonates, and scanning supports clean recovery workflows. (cohesity.com)

What Cohesity embeds from Sophos, and what it is designed to catch

Cohesity Data Cloud describes its Sophos powered malware scanning engine as using three main techniques:

  1. Signature based detection
  2. Heuristic analysis
  3. File emulation (cohesity.com)

This combination matters because zero day is rarely a single capability. In the real world, “zero day” outcomes usually come from one of these patterns:

Polymorphic and fast changing malware

Signatures catch known threats, but polymorphism changes the byte patterns. Heuristics and emulation help identify suspicious structure or behaviour even when the file hash is new.

Script heavy and fileless activity

“Fileless” does not mean “leaves no trace.” The primary payload may run from memory or a script interpreter, while the staging artefacts and persistence mechanisms are saved on disk.

Sophos positions its endpoint protections to detect fileless attacks via techniques like AMSI inspection for scripts and memory oriented detections. (sophos.com)
Even if your backup scan is not an endpoint sensor, understanding these methods helps explain why multi technique scanning is valuable when inspecting backup content for suspicious scripts and droppers.

Dormant malware in cold data

Backups preserve older states. That is the point. It also means they preserve older infections that were never executed again. Scheduled snapshot scanning is designed to find these “sleeping” artefacts before you restore them into a live environment. (cohesity.com)

Snapshot level inspection versus metadata checks

Security teams sometimes confuse “scan the backup” with “scan the backup job.” They are different.

  • Metadata checks confirm the backup completed, is immutable, and meets retention rules
  • Snapshot content inspection looks inside the backed up dataset and evaluates file content

Cohesity’s positioning is explicitly about scanning snapshot data, not only job telemetry. Its threat scanning is described as operating on an object’s snapshot data to detect malware within it. (cohesity.com)

This is a key architectural point for CISOs and security managers: if your control only validates backup integrity, you have not validated the safety of restore.

When scanning happens across the recovery lifecycle

A mature model uses backup scanning at multiple decision points, not only after an incident. From an operational perspective, the most useful pattern is:

During routine backup cycles

Use scheduled scans to reduce the backlog of unknown restore points. Cohesity emphasises running threat scans at regular intervals and gives scheduling controls. (cohesity.com)

This turns “clean restore point selection” from an emergency task into a steady state process.

Before restoration

The highest stakes moment is right before you reintroduce data to production. A pre restore scan is essentially a gate. If the restore point is flagged, you either move to an earlier snapshot or restore only known good subsets.

Even if your platform allows restores, your process should treat “restore approval” as a security decision, not only an IT decision.

After IOC detections or threat intel updates

When your SOC receives new indicators, you want to answer: Is that artefact present in any backup copy? Cohesity supports threat hunting constructs such as hash based searches across the data estate, which aligns to this “IOC triggered scan” workflow. (cohesity.com)

During incident response and recovery validation

Cohesity’s broader threat protection narrative connects scanning and recovery workflows, enabling teams to jointly scan, investigate, and restore without switching tools. (cohesity.com)
That matters because recovery work is typically cross functional, and delays often come from handoffs and revalidation loops.

How incremental scanning reduces overhead without sacrificing coverage

The common objection to deep scanning backups is cost and time. You can scan everything, but you might not like the runtime.

Cohesity addresses this with incremental scanning, which scans only the delta between the previous and most recent snapshots. (cohesity.com)

From a technical operations lens, incremental scanning provides three advantages:

  1. Predictable scanning windows  
    Your scan load tracks data change rate, not total protected capacity.
  2. Faster detection of newly introduced threats  
    If a malicious file lands today, it should appear in the delta, so you do not need to rescan last month’s clean content to find it.
  3. Snapshot level continuity  
    You still maintain a chain of inspection across restore points. This is critical for confident “last known good” selection.

A practical best practice is to run a full scan when onboarding a new workload or after a major security event, then run incremental scans on a schedule that matches business tolerance for risk.
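The delta logic described above, and the hash-based IOC search mentioned under “After IOC detections or threat intel updates”, as an added example that is not Cohesity’s or Sophos’s code. It models each snapshot as a manifest of path to content hash (a constructed stand-in for whatever the platform tracks internally), scans only paths whose content changed since the previous snapshot, carries the earlier verdict forward for unchanged content so the chain of inspection is preserved, and answers “which snapshots contain this hash?” for a given indicator. The scan engine is replaced by a constructed verdict table; the snapshot names, paths and hashes are all made up.

```python
"""Added example (not Cohesity's or Sophos's code): incremental snapshot scanning
with verdict carry-forward, plus an IOC hash search across snapshot manifests.
Every manifest, hash and verdict below is constructed for illustration."""

# Constructed snapshot manifests: path -> content hash, oldest snapshot first.
SNAPSHOTS = {
    "snap-2024-05-01": {
        "/share/finance/q1.xlsx": "h-q1-v1",
        "/share/hr/policy.docx": "h-policy",
    },
    "snap-2024-05-02": {
        "/share/finance/q1.xlsx": "h-q1-v2",   # modified since previous snapshot
        "/share/hr/policy.docx": "h-policy",   # unchanged
        "/share/it/update.ps1": "h-loader",    # new file
    },
    "snap-2024-05-03": {
        "/share/finance/q1.xlsx": "h-q1-v2",   # unchanged
        "/share/it/update.ps1": "h-loader",    # unchanged; hr/policy.docx was deleted
        "/share/it/helper.dll": "h-dll",       # new file
    },
}

# Constructed stand-in for the scan engine: a verdict keyed by content hash.
ENGINE_VERDICTS = {"h-loader": "malicious", "h-dll": "suspicious"}


def scan_content(content_hash):
    """Hypothetical engine call; anything not listed is treated as clean."""
    return ENGINE_VERDICTS.get(content_hash, "clean")


def delta(prev_manifest, curr_manifest):
    """Paths whose content is new or changed relative to the previous snapshot."""
    return {p for p, h in curr_manifest.items() if prev_manifest.get(p) != h}


def incremental_scan(snapshots):
    """Scan only each snapshot's delta, reusing verdicts for unchanged content.

    Returns {snapshot: {"scanned": count, "verdicts": {path: verdict}}}, so the
    scan load follows the change rate while every restore point still carries a
    verdict for every file it contains."""
    results = {}
    prev_manifest, prev_verdicts = {}, {}
    for name, manifest in snapshots.items():
        changed = delta(prev_manifest, manifest)
        verdicts = {}
        for path, content_hash in manifest.items():
            if path in changed:
                verdicts[path] = scan_content(content_hash)
            else:
                # Content identical to the previous snapshot: carry the verdict forward.
                verdicts[path] = prev_verdicts[path]
        results[name] = {"scanned": len(changed), "verdicts": verdicts}
        prev_manifest, prev_verdicts = manifest, verdicts
    return results


def find_hash(snapshots, ioc_hash):
    """IOC-triggered search: which snapshots hold a file with this content hash?"""
    return {
        name: [p for p, h in manifest.items() if h == ioc_hash]
        for name, manifest in snapshots.items()
        if ioc_hash in manifest.values()
    }


if __name__ == "__main__":
    for name, r in incremental_scan(SNAPSHOTS).items():
        flagged = {p: v for p, v in r["verdicts"].items() if v != "clean"}
        print(f"{name}: scanned {r['scanned']} changed file(s), flagged={flagged}")
    print("snapshots containing h-loader:", find_hash(SNAPSHOTS, "h-loader"))
```

The third snapshot scans a single file even though it holds three, because the other two are byte-identical to content already inspected; the malicious verdict on `update.ps1` is still attached to that restore point, which is what makes “last known good” selection possible without a full rescan.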

What signature, heuristic, and emulation mean in backup scanning terms

It helps to translate scanning techniques into outcomes that a recovery team can act on.

Signature based detection

This is the fastest and most deterministic layer. It identifies known malware families and known bad patterns. It is excellent for quickly triaging obvious infections in large datasets. (cohesity.com)

Operational takeaway: use signature hits to immediately quarantine a restore point from consideration and pivot to “how far back do we need to go.”

Heuristic analysis

Heuristics identify suspicious traits even when the specific sample is new. In backup datasets, heuristics are especially useful for:

  • Unusual executable packing traits
  • Suspicious macro enabled documents
  • Script patterns that resemble droppers or downloaders
  • Odd combinations of file structure and behaviour hints

Operational takeaway: treat heuristic findings as “needs investigation,” not always as “confirmed malware.” Your goal is to prevent reinfection, so err on the side of safer restore points when timelines allow.

File emulation

Emulation attempts to observe what a file would do when executed, without running it in production. This is one of the techniques Cohesity calls out directly for Sophos powered scanning. (cohesity.com)

Operational takeaway: emulation is especially relevant for polymorphic malware and evasive samples that do not match signatures, because behaviour often remains suspicious even when bytes change.

Zero day detection is never perfect. The best outcome is not “we catch everything,” but “we reduce the chance that recovery reintroduces an active threat.” Use scanning results as part of a clean recovery decision, alongside identity resets, segmentation, endpoint reimaging, and controlled reentry.

Connecting backup scanning to broader threat intelligence and sandboxing

Cohesity pairs Sophos powered scanning with other capabilities, including Google Threat Intelligence context and secure sandbox analysis for suspicious files. (cohesity.com)

For security leadership, the design principle is layered validation:

  • Sophos engine helps identify malware content using multiple techniques (cohesity.com)
  • Threat intelligence context helps analysts understand whether an indicator is actively exploited, and prioritise response (cohesity.com)
  • Sandbox analysis helps reduce uncertainty for unknown files by detonating them in a controlled environment (cohesity.com)

If you already run sandboxing in your SOC, the value here is workflow proximity: the file is already in the backup environment, so you can evaluate it without extracting and rebuilding evidence chains under pressure.

Operational best practices for CISOs and security managers

Define restore point acceptance criteria

Do not wait for an incident to decide what “clean enough” means. Define acceptance criteria such as:

  • Must pass malware scan with no high confidence detections
  • Must be older than the earliest known compromise time
  • Must exclude certain paths or file classes if business permits
  • Must be validated via staged restore in an isolated network segment

Make scanning part of recovery time objectives

If your RTO assumes instant restore, but your validation takes days, your RTO is not real. Use incremental scans and scheduled routines so the “clean point” decision is fast when it matters. (cohesity.com)

Use stop on infection style workflows when time is critical

In practice, recovery teams often need the first clean restore point, not a full forensic map of every infected snapshot. Cohesity’s NetBackup roadmap highlights a stop-on-infection workflow that halts at first detection and moves to the next recovery point, improving time to a usable candidate. (cohesity.com)

Even if your environment is not NetBackup, the principle is sound: prioritise mechanisms that accelerate “find a clean restore point” under pressure.
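The restore point acceptance criteria listed earlier and the stop-on-infection walk described in this section, combined into one added example that is not Cohesity’s or NetBackup’s code. It checks each restore point against constructed criteria (no high-confidence detection, taken before the earliest known compromise time, validated by a staged restore), walks candidates from newest to oldest, stops at the first one that passes, and records why each newer point was rejected so the decision is auditable. The restore point records, findings, timestamps and the `staged_ok` flag are all constructed; the field names are assumptions, not a real platform schema.

```python
"""Added example (not Cohesity's or NetBackup's code): pick the newest restore
point that meets acceptance criteria, stopping at the first acceptable candidate.
All restore point records and the compromise time are constructed."""
from datetime import datetime

# Constructed scan results: findings are (confidence, detail) pairs; staged_ok
# records whether a staged restore in an isolated segment has been completed.
RESTORE_POINTS = [
    {"id": "rp-06", "taken": "2024-05-06T02:00:00Z",
     "findings": [("high", "known malware family")], "staged_ok": False},
    {"id": "rp-05", "taken": "2024-05-05T02:00:00Z",
     "findings": [("low", "heuristic: packed executable")], "staged_ok": True},
    {"id": "rp-04", "taken": "2024-05-04T02:00:00Z",
     "findings": [], "staged_ok": True},
    {"id": "rp-03", "taken": "2024-05-03T02:00:00Z",
     "findings": [("low", "heuristic: macro-enabled document")], "staged_ok": True},
]
EARLIEST_KNOWN_COMPROMISE = "2024-05-04T12:00:00Z"  # constructed IR finding


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def acceptance_failures(rp, compromise_time, allow_unvalidated=False):
    """Return the criteria this restore point fails; an empty list means acceptable.

    Low-confidence (heuristic) findings do not fail the point on their own; they are
    surfaced for review by stop_on_infection instead."""
    failures = []
    if any(conf == "high" for conf, _ in rp["findings"]):
        failures.append("high-confidence detection")
    if parse_ts(rp["taken"]) >= parse_ts(compromise_time):
        failures.append("not older than earliest known compromise")
    if not rp["staged_ok"] and not allow_unvalidated:
        failures.append("staged restore not validated")
    return failures


def stop_on_infection(points, compromise_time):
    """Walk restore points newest to oldest and stop at the first acceptable one.

    Returns {"selected": id or None, "review": non-high findings on the selected
    point, "skipped": [(id, failures), ...]} so the rejection trail is auditable."""
    skipped = []
    for rp in sorted(points, key=lambda r: parse_ts(r["taken"]), reverse=True):
        failures = acceptance_failures(rp, compromise_time)
        if not failures:
            review = [f for f in rp["findings"] if f[0] != "high"]
            return {"selected": rp["id"], "review": review, "skipped": skipped}
        skipped.append((rp["id"], failures))
    return {"selected": None, "review": [], "skipped": skipped}


if __name__ == "__main__":
    decision = stop_on_infection(RESTORE_POINTS, EARLIEST_KNOWN_COMPROMISE)
    print("selected restore point:", decision["selected"])
    for rp_id, why in decision["skipped"]:
        print(f"  skipped {rp_id}: {', '.join(why)}")
    if decision["review"]:
        print("  findings needing analyst review:", decision["review"])
```

With the constructed data the walk rejects `rp-06` (high-confidence detection, and newer than the compromise window) and `rp-05` (taken after the earliest known compromise), then stops at `rp-04`; `rp-03` is never examined, which is the time saving the stop-on-infection pattern is after. Had the compromise time been earlier, the loop would have continued and the low-confidence heuristic on `rp-03` would have come back in `review` rather than blocking the restore.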

Plan for cross team handoffs

Backup teams own the platform. Security teams own the risk decision. Scanning only helps if the findings are shared in a format both teams can act on.

This is where security operations platforms matter. If your SOC runs Microsoft Sentinel, build playbooks that:

  • Ingest backup scanning alerts
  • Create incidents with asset context and business impact tags
  • Trigger follow up actions, like isolating a workload restore plan or opening a change record

If you operate a multi tenant SOC, an AI guided automation layer can help standardise these workflows across customers without requiring every analyst to become a backup specialist. For example, SecQube focuses on simplifying Microsoft Sentinel operations through conversational investigation and guided workflows, which can be useful when backup security signals need to be triaged quickly in a busy SOC.

What to ask in a technical validation

If you are evaluating backup scanning as part of cyber recovery, ask questions that expose real operational behaviour:

  • Does the scan inspect snapshot content, or only metadata and change rate signals
  • Can we run full scans and incremental delta scans, and how do we choose when to use each (cohesity.com)
  • How are findings represented for restore point selection and audit evidence
  • What happens when a threat is detected, and can scanning move efficiently to the next candidate restore point (cohesity.com)
  • How do we integrate alerts with our SOC tooling and incident process

The goal is not to buy another security feature. It is to shorten the time between “we have backups” and “we have a verified clean recovery path.”

Closing perspective: treat backups as a live attack surface

Cohesity’s embedding of Sophos powered scanning inside Data Cloud reflects a broader shift: cyber resilience depends on security controls in the backup layer, not only in endpoints and networks. The emphasis on signature detection, heuristics, and file emulation speaks directly to the reality of zero day, polymorphic, and fileless threats. (cohesity.com)

If you adopt this model, the biggest win is not a dashboard metric. It is confidence. When you need to restore, you are not guessing which snapshot is safe. You are choosing based on inspection, context, and repeatable workflow.


Written By:
Cymon Skinner