Server Protection: Default settings

The server threat protection base policy includes these standard options.

We recommend that you leave these settings turned on. These provide the best protection you can have without complex configuration.


Think carefully before you change the recommended settings because doing so may reduce your protection.
You can only use some options on Windows servers.

You must join the Early Access Program to use some options.

Runtime Protection

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic.

Protect network traffic. You can choose these options:

  • Detect malicious connections to command and control servers. This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
  • Prevent malicious network traffic with packet inspection (IPS). This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications.

Enable Sophos Security Heartbeat: This sends server “health” reports to each Sophos Firewall registered with your Sophos Central account. If more than one firewall is registered, reports go to the nearest one available. If a report shows that a server may be compromised, the firewall can restrict its access.

AMSI Protection (with enhanced scan for script-based threats). This protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI). We scan code forwarded by AMSI before it runs, and we notify the applications used to run the code of threats. If a threat is detected, an event is logged. You can prevent the removal of AMSI registration on your servers. See Antimalware Scan Interface (AMSI).
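The paragraph above notes that you can prevent removal of AMSI registration on your servers. A practical complement on the server side is to verify that an AMSI provider is actually still registered, because a provider that has been unregistered receives nothing to scan. The following PowerShell script is an added example and is not part of the Sophos documentation or product; it enumerates the AMSI providers recorded under the standard Windows registry location (HKLM:\SOFTWARE\Microsoft\AMSI\Providers), resolves each provider's COM server DLL, and checks whether a provider matching a name you supply (the $ExpectedProviderName parameter is an assumption for illustration) is registered and present on disk.

```powershell
# Added example, not part of the Sophos documentation: list the AMSI providers
# registered on this Windows server and confirm the expected one is still there.
# Run in an elevated PowerShell session on the server you want to check.
param(
    # Assumption: a substring you expect in the provider's description or DLL path.
    [string]$ExpectedProviderName = 'Sophos'
)

# Standard Windows location where AMSI providers are registered, one subkey per CLSID.
$providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

if (-not (Test-Path -LiteralPath $providersKey)) {
    Write-Warning "No AMSI providers key found at $providersKey"
    exit 1
}

$providers = Get-ChildItem -LiteralPath $providersKey | ForEach-Object {
    $clsid = $_.PSChildName

    # Each provider is a COM in-process server; its description and DLL path live
    # under HKCR\CLSID\{clsid} and HKCR\CLSID\{clsid}\InprocServer32 respectively.
    $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    $inproc = "$clsKey\InprocServer32"

    $desc = $null
    $dll = $null
    $dllExists = $false

    if (Test-Path -LiteralPath $clsKey) {
        $desc = (Get-ItemProperty -LiteralPath $clsKey -ErrorAction SilentlyContinue).'(default)'
    }
    if (Test-Path -LiteralPath $inproc) {
        $dll = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
        if ($dll) {
            # Expand %ProgramFiles% style variables before checking the file on disk.
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            $dllExists = Test-Path -LiteralPath $dll
        }
    }

    [pscustomobject]@{
        CLSID       = $clsid
        Description = $desc
        Dll         = $dll
        DllExists   = $dllExists
    }
}

# Show everything that is registered so unexpected providers are visible too.
$providers | Format-Table -AutoSize

$match = $providers | Where-Object {
    ($_.Description -like "*$ExpectedProviderName*") -or ($_.Dll -like "*$ExpectedProviderName*")
}

if (-not $match) {
    Write-Warning "No AMSI provider matching '$ExpectedProviderName' is registered; the registration may have been removed."
    exit 2
}
if ($match | Where-Object { -not $_.DllExists }) {
    Write-Warning "A provider matching '$ExpectedProviderName' is registered but its DLL is missing on disk."
    exit 3
}

Write-Output "AMSI provider '$ExpectedProviderName' is registered and its DLL is present."
exit 0
```

The script exits with a non-zero code for each failure condition (key missing, provider not registered, DLL absent), so it can be run from a scheduled task or monitoring agent and the exit code alerted on. It checks the Windows registration state only; the option to prevent removal of that registration is configured in the policy as described above.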

Live Protection

Live Protection checks suspicious files against the latest malware in the SophosLabs database.

Use Live Protection to check the latest threat information from SophosLabs online: This checks files during real-time scanning.

  • Use Live Protection during scheduled scans

Real-time scanning - Local files and network shares

Real-time scanning scans files as users attempt to access them and allows access if the file is clean.

local and remote: This scans files on local drives and on network shares. If you select local instead, we don't scan files in network shares.

on read: This scans files when you open them.

on write: This scans files when you save them.

Real-time scanning - Internet

Real-time scanning scans internet resources as users attempt to access them. See Download Reputation.

Scan downloads in progress.

Block access to malicious websites: This denies access to websites that are known to host malware.

Detect low-reputation files: This warns if a download has a low reputation. The reputation is based on a file's source, how often it is downloaded, and other factors. You can specify:

  • The Action to take on low-reputation downloads: If you select Prompt user, users see a warning when they attempt to download a low-reputation file. This is the default setting.
  • The Reputation level: If you select Strict, medium-reputation files are detected as well as low-reputation files. The default setting is Recommended.
Automatic cleanup of malware: Sophos Central tries to clean up malware automatically.

If the cleanup succeeds, the malware detected alert is deleted from the alerts list. The detection and cleanup are shown in the events list.

PE files are quarantined and you can restore them if they're smaller than 100GB.
This setting applies to Sophos for Virtual Environments and Sophos Anti-Virus for Linux (Legacy). The Windows and Linux Server products always clean up detected items, regardless of this setting.

Real-time scanning - Options

Automatically exclude activity by known applications: This prevents Sophos Central from scanning files used by certain widely used applications. For a list of these applications, see Automatic Exclusions. You can manually exclude activity by other applications by using the Exclusions options.

Detect malicious behavior (HIPS): This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious. We're phasing out this option and replacing it with the following one.

Detect malicious behavior: This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.

  • Adaptive active adversary protection: This protection disrupts the actions of a threat actor during a hands-on attack.

You must join the Early Access Program to use this option.

Advanced Settings

These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.