Server Threat Protection Policy

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

Restriction You can only use some options on Windows servers.
Note If an option is locked, your partner or Enterprise administrator has applied global settings. You can still stop detecting applications, exploits, and ransomware by going to the events list.

Go to Server Protection > Policies to set up threat protection.

To set up a policy, do as follows:

  • Create a Threat Protection policy. See Create or Edit a Policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.

You can either use the recommended settings or change them.

Warning Think carefully before you change the recommended settings because doing so may reduce your protection.
Note SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types to provide the best protection.

For more information on how we assess threats see Sophos Threat Center.

Intercept X Advanced for Server

If you have this license, your threat protection policy offers protection from ransomware and exploits, signature-free threat detection, and "threat cases" for analysis of threat events.

We recommend that you use these settings for maximum protection.

Note If you turn on any of these features, servers assigned to this policy use an Intercept X Advanced for Server license.

See Server Protection: Intercept X Advanced.

Server Protection default settings

We recommend that you leave these settings turned on. These provide the best protection you can have without complex configuration.

These settings offer:

  • Detection of known malware.
  • In-the-cloud checks to allow detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.
  • Automatic exclusion of activity by known applications from scanning.

See Server Protection: Default settings.

Scheduled scanning

Scheduled scanning performs a scan at a time or times that you specify.

This form of scanning is turned on by default for servers.

You can select these options:

  • Enable scheduled scan. This lets you define a time and one or more days when scanning should be performed.
    Note The scheduled scan time is the time on the endpoint computers (not a UTC time).
  • Enable deep scanning. If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.
    Note Scanning archives may increase the system load and make scanning significantly slower.

Scanning exclusions

Some applications have their activity automatically excluded from real-time scanning. See Automatic Exclusions.

You can also exclude other items or activity by other applications from scanning. You might do this because a database application accesses many files, which triggers many scans and impacts a server's performance.

Tip To set up exclusions for an application, you can use the option to exclude processes running from that application. This is more secure than excluding files or folders.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the servers the policy applies to.

Note If you want to apply exclusions to all your users and servers, set up global exclusions on the Overview > Global Settings > Global Exclusions page.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, process, website, potentially unwanted application).
  3. Specify the item or items you want to exclude. The following rules apply:
    • File or folder (Windows). On Windows, you can exclude a drive, folder, or file by full path. You can use wildcards and variables. Examples:
      • Folder: C:\programdata\adobe\photoshop\ (add a slash for a folder)
      • Entire drive: D:
      • File: C:\program files\program\*.vmg
    • File or folder (Linux). On Linux, you can exclude a folder or file. You can use the wildcards ? and *. Example: /mnt/hgfs/excluded.
    • File or folder (Sophos Security VM). On Windows guest VMs protected by a Sophos security VM, you can exclude a drive, folder, or file by full path, just as you can for other Windows computers. You can use the wildcard * but only for file names.
      Note By default, exclusions apply to all guest VMs protected by the security VM. For exclusions on one or more specific VMs.
    • Process (Windows). You can exclude any process running from an application. This also excludes files that the process uses (but only when accessed by that process). If possible, enter the full path from the application, not just the process name shown in Task Manager. Example: %PROGRAMFILES%\Microsoft Office\Office 14\Outlook.exe
      Note To see all processes or other items that you need to exclude for an application, see the application vendor's documentation.
      Note You can use wildcards and variables.
    • Website (Windows). You can specify websites as an IP address, IP address range (in CIDR notation), or domain. Examples:
      • IP address:
      • IP address range: The appendix /24 symbolizes the number of bits in the prefix common to all IP addresses of this range. Thus /24 equals the netmask 11111111.11111111.11111111.00000000. In our example, the range includes all IP addresses starting with 192.168.0.
      • Domain:
    • Potentially Unwanted Application (Windows). You can exclude applications that are normally detected as spyware. Specify the exclusion using the same name under which the system detected it. Find more information about PUAs in the Sophos Threat Center.
    • Detected Exploits (Windows/Mac). You can exclude any exploit that has already been detected. We'll no longer detect it for the affected application and no longer block the application.
      Note This turns off CryptoGuard ransomware protection for this exploit for the affected application on your Windows servers.
    • AMSI Protection (Windows). On Windows, you can exclude a drive, folder, or file by its full path. We don't scan code in this location. You can use the wildcard * for file name or extension. See Antimalware Scan Interface (AMSI).
    • Server isolation (Windows). Device isolation (by an administrator) is available for servers if you are signed up to the Early Access Program for Intercept X Advanced for Server with XDR.

      You can allow isolated devices to have limited communications with other devices.

      Choose whether isolated devices will use outbound or inbound communications, or both.

      Restrict those communications with one or more of these settings:

      • Local Port: Any device can use this port on isolated devices.
      • Remote Port: Isolated devices can use this port on any device.
      • Remote Address: Isolated devices can only communicate with the device with this IP.

      Example 1: You want remote desktop access to an isolated device so that you can troubleshoot.

      • Select Inbound Connection.
      • In Local Port, enter the port number.

      Example 2: You want to go to an isolated device and download cleanup tools from a server.

      • Select Outbound Connection.
      • In Remote Address, enter the address of the server.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or both.
  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

For more information on the exclusions you can use see:

Exploit Mitigation exclusions

You can exclude applications from protection against security exploits. For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.

Adding exclusions reduces your protection.

Adding exclusions using the global option, Overview > Global Settings > Global Exclusions, creates exclusions that apply to all users and devices.

We recommend that you use this option and assign the policy containing the exclusion only to those servers where the exclusion is necessary.

Restriction You can only create exclusions for Windows applications.

To create a policy exploit mitigation exclusion, do as follows:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In Exclusion Type, select Exploit Mitigation (Windows).

    A list of the protected applications on your network shows.

  3. Select the application you want to exclude.
  4. If you don't see the application you want, click Application not listed?. You can now exclude your application from protection by entering its file path. Optionally, use any of the variables.
  5. Under Mitigations, choose from the following:
    • Turn off Protect Application. Your selected application isn't checked for any exploits.
    • Keep Protect Application turned on and select the exploit types that you do or don’t want to check for.
  6. Click Add or Add Another. The exclusion is added to the list on the Global Exclusions page.

    The exclusion only applies to servers that you assign this policy to.

    Download Reputation

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

Desktop Messaging

You can add a message to the end of the standard notification. If you leave the message box empty, only the standard message is shown.

Desktop Messaging is on by default.

Click in the message box and enter the text you want to add.