Threat Protection Policy

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

Restriction This page describes policy settings for workstation users. Different policy settings apply for servers.

Go to Endpoint Protection > Policies to set up threat protection.

To set up a policy, do as follows:

  • Create a Threat Protection policy. See Create or Edit a Policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.

You can either use the recommended settings or change them. You can find a video on how to set up a Threat Protection policy in Set up Threat Protection.

If you change any of the settings in this policy and you want to find out what the default is, create a new policy. You don't have to save it, but it shows you the defaults.

Note SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types to provide the best protection.
Note If an option is locked, your partner or Enterprise administrator has applied global settings. You can still stop detecting applications, exploits, and ransomware by going to the events list.

Use recommended settings

Warning Think carefully before you change the recommended settings because doing so may reduce your protection.

Click Use recommended settings if you want to use the settings we recommend. These provide the best protection you can have without complex configuration.

If we change our recommendations in the future, we’ll automatically update your policy with new settings.

The recommended settings offer:

  • Detection of known malware.
  • In-the-cloud checks to allow detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.

Set up Threat Protection

This video explains how to set up a Threat Protection policy and includes our recommendations for best practices.

Live Protection

Live Protection checks suspicious files against the latest malware in the SophosLabs database. See Sophos Threat Center.

You can select these options:

  • Use Live Protection to check the latest threat information from SophosLabs online. This checks files during real-time scanning.
  • Use Live Protection during scheduled scans

Deep Learning

Deep learning uses advanced machine learning to detect threats. It can identify known and previously unknown malware and potentially unwanted applications without using signatures.

Deep learning is only available with Sophos Intercept X.

Real-time Scanning - Local Files and Network Shares

Real-time scanning scans files as users attempt to access them. It allows access if the file is clean.

Local files are scanned by default. You can also select this option:

  • Remote files: This scans files on network shares.

Real-time Scanning - Internet

Real-time scanning scans internet resources as users attempt to access them. See Download Reputation. You can select these options:

  • Scan downloads in progress
  • Block access to malicious websites: This denies access to websites that are known to host malware.
  • Detect low-reputation files: This warns if a download has a low reputation. The reputation is based on a file's source, how often it is downloaded, and other factors. You can specify:
    • The Action to take on low-reputation downloads: If you select Prompt user, users will see a warning when they download a low-reputation file. They can then trust or delete the file. This is the default setting.
    • The Reputation level: If you select Strict, medium-reputation, as well as low-reputation files, are detected. The default setting is Recommended.


Remediation options are:

  • Automatically clean up malware: Sophos Central will try to clean up detected malware automatically.

    If the cleanup succeeds, the malware detected alert is deleted from the alerts list. The detection and cleanup are shown in the events list.

    Note We always clean up PE (Portable Executable) files like applications, libraries, and system files, even if you turn off automatic cleanup. PE files are quarantined and you can restore them if they're smaller than 50MB.
  • Enable Threat Graph creation: Threat graphs let you investigate the chain of events in a malware attack and identify areas where you can improve your security.

Runtime Protection

Restriction You must join the Early Access Program to use some options.

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic. You can select:

  • Protect document files from ransomware (CryptoGuard): This protects document files against malware that restricts access to files and then demands a fee to release them. You can also choose to protect 64-bit computers against ransomware run from a remote location.
  • Protect from Encrypting File System attacks: This protects the computer from ransomware that encrypts the file system. Choose which action you want to take if the ransomware is detected. You can terminate ransomware processes or isolate them to stop them writing to the filesystem.
  • Protect from master boot record ransomware: This protects the computer from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.
  • Protect critical functions in web browsers (Safe Browsing): This protects your web browsers against exploitation by malware.
  • Mitigate exploits in vulnerable applications: This protects the applications most prone to exploitation by malware. You can select which application types to protect.
  • Protect processes: This helps prevent the hijacking of legitimate applications by malware. You can choose these options:
    • Prevent process hollowing attacks. This protects against process replacement attacks.
    • Prevent DLLs loading from untrusted folders. This protects against loading .DLL files from untrusted folders.
    • Prevent credential theft. This prevents the theft of passwords and hash information from memory, registry, or hard disk.
    • Prevent code cave utilisation. This detects malicious code that's been inserted into another, legitimate application.
    • Prevent APC violation. This prevents attacks from using Application Procedure Calls (APC) to run their code.
    • Prevent privilege escalation. This prevents attacks from escalating a low-privilege process to higher privileges to access your systems.
  • Protect network traffic. You can choose these options:
    • Detect malicious connections to command and control servers. This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
    • Prevent malicious network traffic with packet inspection (IPS). This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications.
  • Detect malicious behavior (HIPS): This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.
  • Detect malicious behavior: This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.
    Restriction You must join the Early Access Program to use this option.
  • AMSI Protection (with enhanced scan for script-based threats): This protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI). Code forwarded using AMSI is scanned before it runs, and Sophos notifies the applications used to run the code of threats. If a threat is detected, an event is logged. You can prevent the removal of AMSI registration on your computers. See Antimalware Scan Interface (AMSI).

Advanced Settings

These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.

Device Isolation

If you select this option, devices isolate themselves from your network if their health is red. A device's health is red if it has threats detected, has out-of-date software, isn't compliant with policy, or isn't properly protected.

You can still manage isolated devices from Sophos Central. You can also use scanning exclusions or global exclusions to give limited access to them for troubleshooting.

You can't remove these devices from isolation. They communicate with the network again once their health is green.

Scheduled Scanning

Scheduled scanning performs a scan at a time or times that you specify.

You can select these options:

  • Enable scheduled scan: This lets you define a time and one or more days when scanning should be performed.
    Note The scheduled scan time is the time on the endpoint computers (not a UTC time).
  • Enable deep scanning: If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.
    Note Scanning archives may increase the system load and make scanning significantly slower.

Scanning exclusions

You can exclude files, folders, websites, or applications from scanning for threats, as described below.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the users the policy applies to.

Note If you want to apply exclusions to all your users and servers set up global exclusions on the Global Settings > Global Exclusions page.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, website, potentially unwanted application, or device isolation).
  3. Specify the item or items you want to exclude.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion must be valid for real-time scanning, for scheduled scanning, or both.
  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

For more information on the exclusions you can use see:

Exploit Mitigation exclusions

You can exclude applications from protection against security exploits. For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.

Adding exclusions reduces your protection.

Adding exclusions using the global option, Overview > Global Settings > Global Exclusions, creates exclusions that apply to all users and devices.

We recommend that you use this option and assign the policy containing the exclusion only to those users and devices where the exclusion is necessary.

Restriction You can only create exclusions for Windows applications.

To create a policy exploit mitigation exclusion, do as follows:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In Exclusion Type, select Exploit Mitigation (Windows).

    A list of the protected applications on your network shows.

  3. Select the application you want to exclude.
  4. If you don't see the application you want, click Application not listed?. You can now exclude your application from protection by entering its file path. Optionally, use any of the variables.
  5. Under Mitigations, choose from the following:
    • Turn off Protect Application. Your selected application isn't checked for any exploits.
    • Keep Protect Application turned on and select the exploit types that you do or don’t want to check for.
  6. Click Add or Add Another. The exclusion is added to the list on the Global Exclusions page.

    The exclusion only applies to users or devices that you assign this policy to.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

Desktop Messaging

Note You must switch off Use recommended settings to set up Desktop Messaging.

You can add a message to the end of the standard notification. If you leave the message box empty, only the standard message is shown.

Desktop Messaging is on by default.

Click in the message box and enter the text you want to add.