Skip to content

Server Threat Protection Policy

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

Go to My Products > Server > Policies to set up threat protection.

To set up a policy, do as follows:

  • Create a Threat Protection policy. See Create or Edit a Policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.

You can either use the default settings or change them.

If you change any of the settings in this policy and you want to find out what the default is, create a new policy. You don't have to save it, but it shows you the defaults.


SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types to provide the best protection.

By default, the policy uses our recommended settings.

These provide the best protection you can have without complex configuration. They offer the following:

  • Detection of known malware.
  • In-the-cloud checks to allow detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.
  • Automatic exclusion of activity by known applications from scanning.

If you're using any non-recommended settings, you'll see warnings on the policy settings page.

Think carefully before you change the recommended settings because doing so may reduce your protection.


You can only use some options on Windows servers.

Live Protection

Live Protection checks suspicious files against the SophosLabs threat database. This helps detect the latest threats and avoid false positives. You can use it as follows:

  • Use Live Protection to check the latest threat information from SophosLabs online. This checks files during real-time scanning.
  • Use Live Protection during scheduled scans.


    On Linux, scheduled scans always use Live Protection, regardless of this setting.

Turning off Live Protection reduces your protection and may increase false positives.

To see our threat database, go to Sophos Threat Center.

Deep Learning

Deep learning can automatically detect threats, particularly new and unknown threats that have not been seen before. It uses machine learning and does not depend on signatures.

Turning off Deep learning significantly reduces your protection.

Real-time Scanning - Local Files and Network Shares

Real-time scanning checks files for known malware when they're accessed and updated. It prevents known malicious programs from being run, and infected files from being opened by legitimate applications.

Scan provides real-time scanning of local and remote files (files accessed from the network) by default. Select Local if you only want to scan files on the device.

  • on read: This scans files when you open them.
  • on write: This scans files when you save them.

Enable scan for Server Protection for Linux agent provides real-time scanning on Linux devices. This applies to Sophos Protection for Linux, but not to the legacy Sophos Anti-Virus product. See Remediation.

Turning off these options could allow known malware to be run or accessed.

Real-time Scanning - Internet

Real-time scanning scans internet resources as users attempt to access them.

Scan downloads in progress

This setting controls whether we scan downloads and page elements before they reach the browser.

  • HTTP connections: We scan all elements and downloads.
  • HTTPS connections: We don't scan any elements, unless you turn on Decrypt websites using SSL/TLS.

Block access to malicious websites

This setting denies access to websites that are known to host malware.

We do a reputation check to see if the site is known to host malicious content (SXL4 lookup). If you turn off Live Protection, you're also turning off this check.

  • HTTP connections: All URLs are checked, including full HTTP GET requests.
  • HTTPS connections: Base URLs are checked (SNI). If you turn on Decrypt websites using SSL/TLS, all URLs are checked, including full HTTP GET requests.

Detect low-reputation downloads

This setting checks download reputation based on the file's source, how often it's downloaded, and more. Use the following options to decide how downloads are handled.

Set Action to take to Prompt User: The end user sees a warning when a low-reputation file is downloaded. They can then trust or delete the file. This is the default setting.

Set Reputation level to one of the following:

  • Recommended: Low-reputation files are automatically blocked. This is the default setting.
  • Strict: Medium and low-reputation downloads are automatically blocked and reported to Sophos Central.

For more information, see Download Reputation.

Real-time Scanning - Options

Automatically exclude activity by known applications. This setting excludes widely-used applications, as recommended by their vendors.

For more information, see Sophos Central Server: Automatically excluded third-party products


Remediation options are as follows:

Automatically clean up malware: Sophos Central automatically cleans up detected malware and logs the cleanup. You can see this in the Events list.


Windows computers and Linux devices running Sophos Protection for Linux always clean up detected items, regardless of this setting.

When Sophos Central cleans up a file, it removes the file from its current location and quarantines it in SafeStore. Files remain in SafeStore until they're allowed or removed to make room for new detections. You can restore files quarantined in SafeStore by adding them to Allowed applications. See Allowed applications.

SafeStore has the following default limits:

  • The single file limit is 100 GB.
  • The overall quarantine size limit is 200 GB.
  • The maximum number of files stored is 2000.

Enable Threat Graph creation. This helps you investigate the chain of events in a malware attack. We suggest you turn it on so that you can analyse attacks we've detected and stopped.

Runtime Protection

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic.

Protect document files from ransomware (CryptoGuard). This setting protects you against malware that restricts access to your files and then demands a fee to release them. The feature is on by default. We strongly recommend that you leave it on.

You can also use these options:

  • Protect from remotely run ransomware. This ensures protection across your whole network. We recommend that you leave it turned on.
  • Protect from Encrypting File System attacks. This protects 64-bit devices from ransomware that encrypts the file system. Choose which action you want to take if ransomware is detected. You can terminate ransomware processes or isolate them to stop them writing to the filesystem.
  • Protect from master boot record ransomware. This protects the device from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.

Protect critical functions in web browsers (Safe Browsing). This setting protects your web browsers against exploitation by malware via your web browser.

Mitigate exploits in vulnerable applications. This setting protects applications that are prone to exploitation by malware. You can select which application types to protect.

Protect processes. This helps prevent the hijacking of legitimate applications by malware. You can choose from the following options:

  • Prevent process hollowing attacks. Also known as “process replacement” or DLL injection. Attackers commonly use this technique to load malicious code into a legitimate application to try to bypass security software.

    Turning off this setting makes it easier for an attacker to bypass your security software.

  • Prevent DLLs loading from untrusted folders. This protects against loading DLL files from untrusted folders.

  • Prevent credential theft. This prevents the theft of passwords and hash information from memory, registry, or hard disk.
  • Prevent code cave utilisation. This detects malicious code that's been inserted another, legitimate application.
  • Prevent APC violation. This prevents attacks from using Application Procedure Calls (APC) to run their code.
  • Prevent privilege escalation. This prevents attacks from escalating a low-privilege process to higher privileges to access your systems.

Enable CPU branch tracing. CPU malicious code detection is a feature of Intel processors that allows tracing of processor activity for detection. We support it on Intel processors with the following architectures: Nehalem, Westmere, Sandy Bridge, Ivy Bridge, Haswell, Broadwell, Goldmont, SkyLake, and Kaby Lake. We don't support it if there is a legitimate hypervisor on the computer.

Dynamic shellcode protection. This setting detects the behaviour of hidden remote command and control agents and prevents attackers from gaining control of your networks.

Validate CTF Protocol caller. This setting blocks applications that attempt to exploit a vulnerability in CTF, a component in all versions of Windows. The vulnerability allows a non-administrator attacker to hijack any Windows process, including applications running in a sandbox. We recommend that you turn Validate CTF Protocol caller on.

Prevent side loading of insecure modules. This setting prevents an application from side-loading a malicious DLL that poses as an ApiSet Stub DLL. ApiSet Stub DLLs serve as a proxy to maintain compatibility between older applications and newer operating system versions. Attackers can use malicious ApiSet Stub DLLs to bypass tamper protection and stop anti-malware protection.

Turning this off significantly reduces your protection.

Protect browser cookies used for MFA sign in. This setting prevents unauthorized applications from decrypting the AES key used to encrypt multi-factor authentication (MFA) cookies.

Protect network traffic

  • Detect malicious connections to command-and-control servers. This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
  • Prevent malicious network traffic with packet inspection (IPS). This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications.

Linux runtime detections. This setting gives you runtime visibility and threat detection for Linux server workloads and containers. You can manage these alerts in the threat analysis center. See Detections.


In order to use Linux Runtime Detections, you must have an approptiate license. See Server Linux Runtime Detection Policy.

Prevent malicious beacons connecting to command-and-control servers. This setting identifies and blocks beacons that attempt to evade detection by remaining encrypted.

Detect malicious behaviour. This setting protects against threats that are not yet known. It does this by detecting and blocking behaviour that is known to be malicious or is suspicious.

AMSI Protection. This setting protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI).

Code forwarded using AMSI is scanned before it runs, and the endpoint then notifies the applications used to run the code about threats. If a threat is detected, an event is logged.

Prevent the removal of AMSI registration. This setting ensures that AMSI can't be removed from your computers.

Enable Sophos Security Heartbeat: This setting sends server “health” reports to each Sophos Firewall registered with your Sophos Central account. If more than one firewall is registered, reports go to the nearest one available. If a report shows that a server may be compromised, the firewall can restrict its access.

Adaptive Attack Protection

Turn on extra protections automatically when a device is under attack. This setting enables a more aggressive set of protections when an attack is detected. These extra protections are designed to disrupt the actions of an attacker.

SSL/TLS decryption of HTTPS websites

If you select Decrypt HTTPS websites using SSL/TLS, we decrypt and check the contents of HTTPS websites for threats.

If we decrypt a website that’s risky, we block it. We show the user a message and give them the option to submit the site to SophosLabs for reassessment.

By default, decryption is off.


If decryption is on in the Threat Protection policy that applies to a device, it's also on for Web Control checks on that device.

Real-time scanning for Linux

If you select Enable scan for Server Protection for Linux Agent, we scan files as users try to access them. We allow access if the file is clean.

By default, real-time scanning for Linux is off.

Scheduled scanning

Scheduled scanning performs a scan at a time or times that you specify.

You can select these options:

  • Enable scheduled scan. This lets you define a time and one or more days when scanning should be performed.

    The scheduled scan time is the time on the endpoint computers (not a UTC time).

  • Enable deep scanning. If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.

Scanning exclusions

Some applications have their activity automatically excluded from real-time scanning. See Automatic Exclusions.

You can also exclude other items or activity by other applications from scanning. You might do this because a database application accesses many files, which triggers many scans and impacts a server's performance.

To set up exclusions for an application, you can use the option to exclude processes running from that application. This is more secure than excluding files or folders.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the servers the policy applies to.

If you want to apply exclusions to all your users and servers, set up global exclusions on the My Products > General Settings > Global Exclusions page.

For help on using exclusions see Using exclusions safely.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, process, website, potentially unwanted application).

  3. Specify the item or items you want to exclude. The following rules apply:

    • File or folder (Windows). On Windows, you can exclude a drive, folder, or file by full path. You can use wildcards and variables. Examples:

      • Folder: C:\programdata\adobe\photoshop\ (add a slash for a folder)
      • Entire drive: D:
      • File: C:\program files\program\*.vmg
    • File or folder (Linux). On Linux, you can exclude a folder or file. You can use the wildcards ? and *. Example: /mnt/hgfs/excluded.

    • Process (Windows). You can exclude any process running from an application. This also excludes files that the process uses (but only when accessed by that process). If possible, enter the full path from the application, not just the process name shown in Task Manager. Example: %PROGRAMFILES%\Microsoft Office\Office 14\Outlook.exe


      To see all processes or other items that you need to exclude for an application, see the application vendor's documentation.


      You can use wildcards and variables.

    • Website (Windows). You can specify websites as an IP address, IP address range (in CIDR notation), or domain. Examples:

      • IP address:
      • IP address range: The appendix /24 symbolizes the number of bits in the prefix common to all IP addresses of this range. Thus /24 equals the netmask 11111111.11111111.11111111.00000000. In our example, the range includes all IP addresses starting with 192.168.0.
      • Domain:

      If you exclude a website, we don't check the category of the website and it's excluded from web control protection. See Server Web Control Policy.

    • Potentially Unwanted Application (Windows/Mac/Linux). You can exclude applications that are normally detected as spyware. Specify the exclusion using the same name under which the system detected it, for example "PsExec" or "Cain n Abel". Find more information about PUAs in the Sophos Threat Center.

      Think carefully before you add PUA exclusions because doing so may reduce your protection.

    • Detected Exploits (Windows/Mac). You can exclude any exploit that has already been detected. We'll no longer detect it for the affected application and no longer block the application.

      You can also exclude detected exploits using a detection ID. You can you use this option if you're working with Sophos Support to resolve a false positive detection. Sophos Support can give you a detection ID and you can then exclude the false positive detection. To do this, click Exploit not listed? and enter the ID.


      This turns off CryptoGuard ransomware protection for this exploit for the affected application on your Windows servers.

    • AMSI Protection (Windows). On Windows, you can exclude a drive, folder, or file by its full path. We don't scan code in this location. You can use the wildcard * for file name or extension. See Antimalware Scan Interface (AMSI).

    • Server isolation (Windows). Device isolation (by an administrator) is available for servers if you are signed up to the Early Access Program for Intercept X Advanced for Server with XDR.

      You can allow isolated devices to have limited communications with other devices.

      Choose whether isolated devices will use outbound or inbound communications, or both.

      Restrict those communications with one or more of these settings:

      • Local Port: Any device can use this port on isolated devices.
      • Remote Port: Isolated devices can use this port on any device.
      • Remote Address: Isolated devices can only communicate with the device with this IP.

      Example 1: You want remote desktop access to an isolated device so that you can troubleshoot.

      • Select Inbound Connection.
      • In Local Port, enter the port number.

      Example 2: You want to go to an isolated device and download cleanup tools from a server.

      • Select Outbound Connection.
      • In Remote Address, enter the address of the server.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or both.

  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

For more information on the exclusions you can use see:

Exploit Mitigation exclusions

You can exclude applications from protection against security exploits. For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.

Adding exclusions reduces your protection.

Adding exclusions using the global option, General Settings > Global Exclusions, creates exclusions that apply to all users and devices.

We recommend that you use this option and assign the policy containing the exclusion only to those servers where the exclusion is necessary.


You can only create exclusions for Windows applications.

To create a policy exploit mitigation exclusion, do as follows:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In Exclusion Type, select Exploit Mitigation (Windows).

    A list of the protected applications on your network shows.

  3. Select the application you want to exclude.

  4. If you don't see the application you want, click Application not listed?. You can now exclude your application from protection by entering its file path. Optionally, use any of the variables.
  5. Under Mitigations, choose from the following:

    • Turn off Protect Application. Your selected application isn't checked for any exploits.
    • Keep Protect Application turned on and select the exploit types that you do or don’t want to check for.
  6. Click Add or Add Another. The exclusion only applies to servers that you assign this policy to.

    Download Reputation

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.


If you exclude a website, we don't check the category of the website and it's excluded from web control protection. See Server Web Control Policy.

For more help with Exploit Mitigation exclusions see the following:

Ransomware Protection Exclusions

You can exclude applications or folders used by applications from protection against ransomware.

You might want to exclude an application that we've incorrectly detected as a threat or an application that is incompatible with ransomware protection. For example, if you have an application that encrypts data, you might want to exclude it. This stops us from detecting the application as ransomware.

Or you might want to exclude folders used by specific applications that show performance issues when being monitored by ransomware protection. For example, you might want to exclude folders used by backup applications.

Adding exclusions reduces your protection.

Adding exclusions using the global option, General Settings > Global Exclusions, creates exclusions that apply to all servers.

We recommend that you add exclusions in a policy and assign that policy only to those users and devices where the exclusions are necessary.

To create a policy ransomware protection exclusion, do as follows:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In Exclusion Type, select Ransomware Protection (Windows).

  3. Choose whether you want to exclude a process or a folder.

    Choose Process to exclude an application.

  4. In VALUE, enter the path for the process or folder you want to exclude.

    You can only exclude a folder by its local path. You can't exclude it by its remote path in UNC format, for example \\servername\shared-folder.

    You can use variables when you exclude processes or folders. See Exploit mitigation or ransomware wildcards and variables.

  5. Click Add or Add Another. The exclusion only applies to servers that you assign this policy to.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

Desktop Messaging

Desktop messaging sends you notifications about threat protection events. It's on by default.

You can enter your own message to add to the end of standard notifications.