Skip to content

Sophos Protection for Linux

You can find general help on getting started in Sophos Central in our startup guide. See Sophos Central startup guide.

Configure and manage your devices

You manage and configure Sophos Protection for Linux in Sophos Central. You can do the following:

  • Install Sophos Protection for Linux on your devices. See Server Protection.
  • Check for issues on your Linux devices that require your action. Alerts tell you if there is anything you need to do. See Alerts.
  • Manage your Linux devices using the Servers page. For example you can manage the protection software installed on your devices. See Servers.

    You also can see the full details for a Linux device and manage it. To do this, click on a device name in Servers. See Server Summary.

    The Server Protection version number shown under Installed component versions on the device page should match that reported on the device in /opt/sophos-spl/plugins/av/VERSION.ini.

  • Manage antivirus and threat protection settings using threat protection policies. See Server Threat Protection Policy.

  • Manage when Sophos Protection for Linux updates on your devices. See Server Update Management Policy.

    Sophos Central applies the first appropriate updating policy to your Linux devices. See About Policies.



If you use Sophos XDR Sensor, on-demand scans aren't available.

You can schedule a scan from Sophos Central. You can do this in your threat protection policies.

You can run a scan on a device. To do this, go to the device page and click Scan Now.

You also can run a scan using Sophos Protection for Linux from the command line. Sophos Protection for Linux has an agent called Server Protection, which you can use to run on-demand scans on your Linux devices. See Server Protection agent.


Events are logged in /opt/sophos-spl/plugins/av/log/av.log before being sent to Sophos Protection for Linux. You see event information in Sophos Central in the events log. See Events.

PUA detections

Potentially Unwanted Application (PUA) detections are turned on by default for scheduled, on-demand, and on-access scanning. If you don't want to get alerts for PUA detections, add exclusions for the PUAs in the Threat Protection Policy or Global Exclusions. See Resolve PUA alerts.

PUA detections are turned off by default when using avscanner. You can turn on PUA detections and create exclusions for PUA alerts from the command line. See Server Protection agent.

Outbreak mode

A Linux device will report an outbreak if it experiences more than 100 detections in a single day. The single day is counted from midnight to midnight, local time, for the Linux device. See Deal with outbreaks.