Threat Protection Policy

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

Restriction This help page describes policy settings for workstation users. Different policy settings apply for servers.

To set it up:

  • Create a Threat Protection policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is enabled.

You can either use the recommended settings or change them.

If you change any of the settings in this policy and you want to find out what the default is, create a new policy. You don't have to save it, but it shows you the defaults.

Note SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types to provide the best protection.
Note If an option is locked, your partner has applied global settings. You can still stop detecting applications, exploits, and ransomware by going to the events list.

Use recommended settings

Click Use recommended settings if you want to use the settings we recommend. These provide the best protection you can have without complex configuration.

If we change our recommendations in the future, we’ll automatically update your policy with new settings.

The recommended settings offer:

  • Detection of known malware.
  • In-the-cloud checks to allow detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.
Warning Think carefully before you change the recommended settings because doing so may reduce your protection.

Live Protection

Live Protection checks suspicious files against the latest malware in the SophosLabs database.

You can select these options:

  • Use Live Protection to check the latest threat information from SophosLabs online. This checks files during real-time scanning.
  • Use Live Protection during scheduled scans

Deep Learning

Deep learning uses advanced machine learning to detect threats. It can identify known and previously unknown malware and potentially unwanted applications without using signatures.

Deep learning is only available with Sophos Intercept X.

Real-time Scanning - Local Files and Network Shares

Real-time scanning scans files as users attempt to access them. It allows access if the file is clean.

Local files are scanned by default. You can also select this option:

  • Remote files: This scans files on network shares.

Real-time Scanning - Internet

Real-time scanning scans internet resources as users attempt to access them. You can select these options:

  • Scan downloads in progress
  • Block access to malicious websites: This denies access to websites that are known to host malware.
  • Detect low-reputation files: This warns if a download has a low reputation. The reputation is based on a file's source, how often it is downloaded, and other factors. You can specify:
    • The Action to take on low-reputation downloads: If you select Prompt user, users will see a warning when they download a low-reputation file. They can then trust or delete the file. This is the default setting.
    • The Reputation level: If you select Strict, medium-reputation files are detected as well as low-reputation files. The default setting is Recommended.


Remediation options are:

  • Automatically clean up malware: Sophos Central will try to clean up detected malware automatically.

    If the cleanup succeeds, the malware detected alert is deleted from the alerts list. The detection and cleanup are shown in the events list.

    Note We always clean up PE (Portable Executable) files like applications, libraries, and system files, even if you turn off automatic cleanup. PE files are quarantined and can be restored.
  • Enable Threat Case creation: Threat cases let you investigate the chain of events in a malware attack and identify areas where you can improve your security.
  • Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central: This sends details of potential threats to Sophos. Ensure it's turned on in any policy for computers where you want to do threat searches.
    Note This option is available if you have Intercept X Advanced with EDR.

Runtime Protection

Restriction You must join the Early Access Program to use some options.

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic. You can select:

  • Protect document files from ransomware (CryptoGuard): This protects document files against malware that restricts access to files and then demands a fee to release them. You can also choose to protect 64-bit computers against ransomware run from a remote location.
  • Protect from Encrypting File System attacks: This protects the computer from ransomware that encrypts the file system. Choose which action you want to take if the ransomware is detected. You can terminate ransomware processes or isolate them to stop them writing to the filesystem.
  • Protect from master boot record ransomware: This protects the computer from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.
  • Protect critical functions in web browsers (Safe Browsing): This protects your web browsers against exploitation by malware.
  • Mitigate exploits in vulnerable applications: This protects the applications most prone to exploitation by malware. You can select which application types to protect.
  • Protect processes: This helps prevent the hijacking of legitimate applications by malware. You can choose these options:
    • Prevent process hollowing attacks. This protects against process replacement attacks.
    • Prevent DLLs loading from untrusted folders. This protects against loading .DLL files from untrusted folders.
    • Prevent credential theft. This prevents the theft of passwords and hash information from memory, registry, or hard disk.
    • Prevent code cave utilisation. This detects malicious code that's been inserted into another, legitimate application.
    • Prevent APC violation. This prevents attacks from using Application Procedure Calls (APC) to run their code.
    • Prevent privilege escalation. This prevents attacks from escalating a low-privilege process to higher privileges to access your systems.
  • Protect network traffic. You can choose these options:
    • Detect malicious connections to command and control servers. This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
    • Prevent malicious network traffic with packet inspection (IPS). This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications.
  • Detect malicious behavior (HIPS): This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.
  • Detect malicious behavior: This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.
    Restriction You must join the Early Access Program to use this option.
  • AMSI Protection (with enhanced scan for script-based threats): This protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI). Code forwarded using AMSI is scanned before it runs, and Sophos notifies the applications used to run the code of threats. If a threat is detected, an event is logged. You can prevent the removal of AMSI registration on your computers.
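
To confirm on an endpoint that AMSI providers are still registered (the registration that the AMSI Protection option can protect from removal), you can list them from PowerShell. This is an added example, not part of the Sophos documentation. It assumes only the standard Windows AMSI provider registry locations and no particular provider CLSID or file name.

```powershell
# Added example (not Sophos code): list the AMSI providers registered on this
# Windows computer and check that each provider DLL exists and is signed.
# Assumption: providers use the standard Windows AMSI registration keys.
function Get-AmsiProviderRegistration {
    param(
        [string]$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    )
    if (-not (Test-Path -LiteralPath $ProvidersKey)) {
        Write-Warning "AMSI Providers key not found: $ProvidersKey"
        return
    }
    foreach ($key in Get-ChildItem -LiteralPath $ProvidersKey) {
        $clsid  = $key.PSChildName
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null; $present = $false; $status = 'NotChecked'; $signer = $null

        if (Test-Path -LiteralPath $inproc) {
            # The default value of InprocServer32 is the provider DLL path.
            $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
            $dll = $dll.Trim('"')
        }
        if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
            $present = $true
            $sig     = Get-AuthenticodeSignature -LiteralPath $dll
            $status  = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Clsid           = $clsid
            DllPath         = $dll
            DllPresent      = $present
            SignatureStatus = $status
            Signer          = $signer
        }
    }
}

$providers = @(Get-AmsiProviderRegistration)
if ($providers.Count -eq 0) {
    Write-Warning 'No AMSI providers are registered on this computer.'
}
$providers | Format-Table -AutoSize
# Entries that need a closer look: a registration without a valid, signed DLL.
$providers |
    Where-Object { -not $_.DllPresent -or $_.SignatureStatus -ne 'Valid' } |
    Format-List
```

Run it from an elevated PowerShell prompt and compare the output against a known-good endpoint. A provider that has disappeared from the list, or one whose DLL is missing or unsigned, is worth investigating.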

Advanced Settings

These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.

Device Isolation

If you select this option, devices isolate themselves from your network if their health is red. A device's health is red if it has threats detected, has out-of-date software, isn't compliant with policy, or isn't properly protected.

You can still manage isolated devices from Sophos Central. You can also use scanning exclusions or global exclusions to give limited access to them for troubleshooting.

You can't remove these devices from isolation. They communicate with the network again once their health is green.

Scheduled Scanning

Scheduled scanning performs a scan at a time or times that you specify.

You can select these options:

  • Enable scheduled scan: This lets you define a time and one or more days when scanning should be performed.
    Note The scheduled scan time is the time on the endpoint computers (not a UTC time).
  • Enable deep scanning: If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.

Scanning exclusions

You can exclude files, folders, websites, or applications from scanning for threats, as described below.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the users the policy applies to.

Note If you want to apply exclusions to all your users and servers, set up global exclusions on the Global Settings > Global Exclusions page.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, website, potentially unwanted application, or device isolation).
  3. Specify the item or items you want to exclude.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion must be valid for real-time scanning, for scheduled scanning, or both.
  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

Desktop Messaging

Note You must switch off Use recommended settings to set up Desktop Messaging.

You can add a message to the end of the standard notification. If you leave the message box empty, only the standard message is shown.

Desktop Messaging is on by default.

Click in the message box and enter the text you want to add.