Choice of two engines

Kaspersky SDK or Sophos SAVI

More maths than malware fragments

Both engines rely more on heuristics (formulas or algorithms) and features than on signatures (pieces of malware code), which need constant updates.

Both engines work offline and online

Unlike other solutions, they do not need constant access to the cloud.

Kaspersky SDK

The Kaspersky anti-malware toolkit has been used by Check Point for years to provide enhanced malware detection. Despite using a third-party engine, Check Point is not a vendor that just integrates technology and rebrands it. They have an impressive array of technology developed in-house.

The Kaspersky toolkit offers broad coverage of threats, including but not limited to executables, modules, scripts, PDF phishing and many more. Check Point makes use of the Kaspersky Urgent Detection System to provide up-to-the-minute intelligence.

The Urgent Detection System enhances detection when there is access to the cloud. Internal Kaspersky systems constantly discover new threats through web crawling, threat research and hunting, and other means. An automated platform classifies files as malicious within a few minutes and blacklists the file hash. This allows the file to be blocked quickly, before other protection methods have been created, which could take hours.

  • Provides file type detection and unpacking for a wide range of packers
  • Very broad coverage of malware
  • Very high detection rate online and offline, proven in independent tests
  • Kernel mode driver detects stubborn rootkits
  • Detects malware for Windows, Mac OS, Linux, Android and iOS
  • Very low false-positive rate

Sophos Standard Antivirus Interface (SAVI)

Sophos is another engine available to Check Point customers. Keep reading below to find out why it is even offered, when Kaspersky is one of the best (if not the best) engines in the industry.

The Sophos engine is based on the company's behavioural genotype. Sophos generates behavioural models for threats instead of traditional signatures and, much like the Kaspersky Urgent Detection System, includes cloud lookups that provide quick protection. Note that, although these detections were enabled recently by Check Point, our DNS monitoring did not show any communication with a Sophos server, which suggests that hashes are most likely fed to a Check Point server.

Cloud-based detections always carry the name Mal/Generic-S (confirmed malicious) or Mal/Generic-R (suspicious).

The Sophos database consists of two parts: temporary and permanent. The temporary database runs for about a month and is usually below 10 MB in size.

On every update, instead of having a whole massive database rewritten, only a small portion of it has to be modified. This leads to reduced traffic and disk usage and prolongs the life of SSDs.

Once a month, the temporary and permanent databases are merged together, the temporary database is reset and the cycle repeats.

Now the not-so-great part:

The Sophos engine scans only executables and modules; it is unable to handle scripts. In their own products, Sophos blocks malicious scripts mainly through InterceptX (a rebrand of Hitman Pro.Alert, which they acquired). However, the Sophos engine in Check Point requires other components such as Threat Emulation and Behavioural Guard to be enabled, and these components narrow the difference between the two engines.

Sophos SAVI benefits
  • Quick updates with very little traffic and disk activity provide a high-performance solution
  • Runs as part of the Threat Emulation Service rather than as a separate service, reducing resource usage
  • Provides a decent detection rate
  • Does include cloud lookup
  • Very accurate and easy-to-understand naming and classification of threats
  • Detects malware for Windows, Mac and Linux
  • Very low false-positive rate



  • Provides better performance
  • Quicker, smaller updates with less resource usage and longer hardware life
  • Runs as part of threat emulation
  • Covers only executables and modules
  • From our tests, it is slower to respond to new threats
  • Requires other components to be used as well, which narrow the difference between the two engines in terms of detection

This is not the only way malware is blocked.

Go back and see other tech that assists in blocking malware, including the newest and most sophisticated threats.