Threat Protection Policy

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

CAUTION This help page describes policy settings for workstation users. Different policy settings apply for servers.

To set it up:

  • Create a Threat Protection policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is enabled.

You can either use the recommended settings or change them.

Note SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types in order to provide the best protection.
Note If an option is locked, global settings have been applied by your partner. You can still stop detecting applications, exploits and ransomware by going to the events list.

Use recommended settings

Click Use recommended settings if you want to use the settings Sophos recommends. These provide the best protection you can have without complex configuration.

If we change our recommendations in future, we’ll automatically update your policy with new settings.

The recommended settings offer:

  • Detection of known malware.
  • In-the-cloud checks to enable detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.

CAUTION Think carefully before you change the recommended settings because doing so may reduce your protection.

Live Protection

Live Protection checks suspicious files against the latest malware in the SophosLabs database.

You can select these options:

  • Use Live Protection to check the latest threat information from SophosLabs online. This checks files during real-time scanning.
  • Use Live Protection during scheduled scans.

Deep Learning

Deep learning uses advanced machine learning to detect threats. It can identify known and previously unknown malware and potentially unwanted applications without using signatures.

Deep learning is only available with Sophos Intercept X.

Real-time Scanning - Local Files and Network Shares

Real-time scanning scans files as users attempt to access them. It allows access if the file is clean.

Local files are scanned by default. You can also select this option:

  • Remote files: This scans files on network shares.

Real-time Scanning - Internet

Real-time scanning scans internet resources as users attempt to access them. You can select these options:

  • Scan downloads in progress
  • Block access to malicious websites: This denies access to websites that are known to host malware.
  • Detect low-reputation files: This warns if a download has a low reputation. The reputation is based on a file's source, how often it is downloaded and other factors. For more information, see knowledge base article 121319. You can specify:
    • The Action to take on low-reputation downloads: If you select Prompt user, users will see a warning when they download a low-reputation file. They can then trust or delete the file. This is the default setting.
    • The Reputation level: If you select Strict, medium-reputation as well as low-reputation files will be detected. The default setting is Recommended.

Remediation options are:

  • Automatically clean up malware: Sophos Central will try to clean up detected malware automatically.

    If the cleanup succeeds, the malware detected alert is deleted from the alerts list. The detection and cleanup are shown in the events list.

    Note Automatic cleanup doesn't apply to PE (Portable Executable) files, like applications, libraries and system files. PE files are quarantined and can be restored.
  • Enable Threat Case creation: Threat cases let you investigate the chain of events in a malware attack and identify areas where you can improve your security.
  • Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central: This sends details of potential threats to Sophos. Ensure it's turned on in any policy for computers where you want to do threat searches.
    Note This option is available if you have Intercept X Advanced with EDR.

Runtime Protection

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic. You can select:

  • Protect document files from ransomware (CryptoGuard): This protects document files against malware that restricts access to files, and then demands a fee to release them. You can also choose to protect 64-bit computers against ransomware run from a remote location.
  • Protect from master boot record ransomware: This protects the computer from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.
  • Protect critical functions in web browsers (Safe Browsing): This protects your web browsers against exploitation by malware.
  • Mitigate exploits in vulnerable applications: This protects the applications most prone to exploitation by malware. You can select which application types to protect.
  • Advanced: Customize exploit mitigation settings: This displays more options.
  • Protect processes: This helps prevent the hijacking of legitimate applications by malware. You can choose to:
    • protect against process replacement attacks (process hollowing attacks).
    • protect against loading .DLL files from untrusted folders.
  • Protect network traffic. You can choose these options:
    • Detect malicious connections to command and control servers. This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
    • Prevent malicious network traffic with packet inspection. This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications.
  • Detect malicious behavior (HIPS): This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.
  • AMSI Protection (with enhanced scan for script-based threats): This protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI). Code forwarded via AMSI is scanned before it runs, and the applications used to run the code are notified of threats by Sophos. If a threat is detected, an event is logged.
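The AMSI option above relies on Sophos registering itself as an AMSI provider on the endpoint. As an added check that is not part of this help page or of Sophos's own tooling, the following PowerShell lists every provider registered under the standard Windows AMSI registration keys, so you can confirm that a scanning provider is present and that its DLL exists on disk (Windows Defender normally appears alongside any third-party provider).

```powershell
# Added example (not Sophos documentation). Enumerates AMSI providers on a Windows host.
# AMSI-aware applications (PowerShell, Windows Script Host, Office VBA, .NET) pass script
# content to every provider registered under this key before the content runs.
$providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

function Get-AmsiProvider {
    if (-not (Test-Path $providersKey)) {
        Write-Warning 'No AMSI provider key found; no provider can scan script content here.'
        return
    }
    Get-ChildItem -Path $providersKey | ForEach-Object {
        $clsid = $_.PSChildName
        # Each provider GUID is a COM class; its registration names the vendor DLL.
        $classKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $dllExists = $false
        if ($dll) {
            # InprocServer32 paths may contain environment variables such as %ProgramFiles%.
            $dllExists = Test-Path ([Environment]::ExpandEnvironmentVariables($dll))
        }
        [pscustomobject]@{
            CLSID     = $clsid
            Name      = $name
            Dll       = $dll
            DllExists = $dllExists
        }
    }
}

# A provider whose DLL is missing is registered but cannot scan anything.
Get-AmsiProvider | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the endpoint; an empty list, or a provider whose DllExists is False, means AMSI-forwarded code is not being scanned by that provider regardless of the policy setting.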

Advanced Settings

These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.

Device Isolation

If you select this option, devices will isolate themselves from your network if their health is red. A device's health is red if it has threats detected, has out-of-date software, isn't compliant with policy, or isn't properly protected.

You can still manage isolated devices from Sophos Central. You can also use scanning exclusions or global exclusions to give limited access to them for troubleshooting.

You can't remove these devices from isolation. They will communicate with the network again once their health is green.

Scheduled Scanning

Scheduled scanning performs a scan at a time or times that you specify.

You can select these options:

  • Enable scheduled scan: This lets you define a time and one or more days when scanning should be performed.
    Note The scheduled scan time is the time on the endpoint computers (not a UTC time).
  • Enable deep scanning: If you select this option, archives are scanned during scheduled scans.
    Note Scanning archives may increase the system load and make scanning significantly slower.

Scanning exclusions

You can exclude files, folders, websites or applications from scanning for threats, as described below.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the users the policy applies to.

Note If you want to apply exclusions to all your users and servers, set up global exclusions on the Global Settings > Global Exclusions page.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, website, potentially unwanted application or device isolation).
  3. Specify the item or items you want to exclude.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or for both.
  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

Desktop Messaging

Note You must switch off Use recommended settings to set up Desktop Messaging.

You can add a message to the end of the standard notification. If you leave the message box empty, only the standard message is shown.

Desktop Messaging is on by default.

Note If you switch off Desktop Messaging you will not see any notification messages related to Threat Protection.

Click in the message box and enter the text you want to add.