Skip to content

Server Linux Runtime Detection Policy

Linux Runtime Detection (RTD) policies monitor a host's running processes and applications. When configuring an RTD policy for the Sophos Protection for Linux Agent, you can leverage the SophosLabs default detections or use an RTD Profile. RTD Profiles use the SophosLabs default content with the option to turn individual rules on or off and update allow and block lists. See Linux Runtime Detection Profiles.


To use Linux Runtime Detection policies, ensure that Linux runtime detections is turned on in the Server Threat Protection policy. See Runtime Protection.

You must also have one of the following licenses:

  • Intercept X Advanced for Server with XDR
  • Intercept X Advanced for Server with MDR Complete

Set up Linux Runtime Detection

To set up a policy, do as follows:

  1. Go to My Products > Server > Policies
  2. Create a Linux Runtime Detection policy. See Create or Edit a Policy.
  3. Open the policy's Settings tab and configure the following policy settings:

    • Make sure Enable Linux Runtime Detection is turned on.
    • Select whether you want to use Sophos Labs Default Detection or Linux Runtime Detection Profile. If you select Linux Runtime Detection Profile, you must select the Profile and Version you want to use.
  4. Ensure the policy is turned on.

  5. Click Save.