Endpoint: Threat Protection

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types in order to provide the best protection.

Use recommended settings

Click Use recommended settings if you want to use the settings Sophos recommends. These provide the best protection you can have without complex configuration.

If we change our recommendations in future, we’ll automatically update your policy with new settings.

The recommended settings offer:

  • Detection of known malware.
  • In-the-cloud checks to enable detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.

Deep Learning

Deep learning uses advanced machine learning to detect threats. It can identify known and previously unknown malware and potentially unwanted applications without using signatures.

Deep learning is only available with Sophos Intercept X.

Live Protection

Live Protection checks suspicious files against the latest malware in the SophosLabs database.

You can select these options:

Use Live Protection to check the latest threat information from SophosLabs online: This checks files during real-time scanning.

Real-time Scanning - Local Files and Network Shares

Real-time scanning scans files as users attempt to access them, and allows access if the file is clean.

Local files are scanned by default. You can also select Remote files to scan files on network shares.

Real-time Scanning - Internet

Real-time scanning scans internet resources as users attempt to access them. You can select these options:

Scan downloads in progress

Block access to malicious websites: This denies access to websites that are known to host malware.

Detect low-reputation files: This warns if a download has a low reputation. The reputation is based on a file's source, how often it is downloaded and other factors.

You can specify:

  • Action to take on low-reputation downloads: If you select Prompt user, users will see a warning when they download a low-reputation file. They can then trust or delete the file. This is the default setting.
  • Reputation level: If you select Strict, medium-reputation as well as low-reputation files will be detected. The default setting is Recommended.

Remediation

Remediation options are:

  • Automatically clean up malware: Sophos Central will try to clean up detected malware automatically.

    If the cleanup succeeds, the malware detected alert is deleted from the alerts list. The detection and cleanup are shown in the events list.

    Automatic cleanup doesn't apply to PE (Portable Executable) files, like applications, libraries and system files. PE files are quarantined and can be restored.

  • Enable Threat Case creation: Threat cases let you investigate the chain of events in a malware attack and identify areas where you can improve your security.
  • Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central: This sends details of potential threats to Sophos. Ensure it's turned on in any policy for computers where you want to do threat searches.
    Note This option is available if you have Intercept X Advanced with EDR.
    Restriction You must turn this option on in both Endpoint and Server Protection to use Intercept X Advanced with EDR.

Runtime Protection

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic. You can select:

Protect document files from ransomware (CryptoGuard): This protects document files against malware that restricts access to files, and then demands a fee to release them. You can also choose to protect 64-bit computers against ransomware run from a remote location.

Protect from master boot record ransomware: This protects the computer from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.

Protect critical functions in web browsers (Safe Browsing): This protects your web browsers against exploitation by malware.

Mitigate exploits in vulnerable applications: This protects the applications most prone to exploitation by malware. You can select which application types to protect.

Protect processes: This helps prevent the hijacking of legitimate applications by malware. You can select these options:

  • Prevent process hollowing attacks: This prevents process replacement attacks.
  • Prevent DLLs loading from untrusted folders: This prevents loading of .DLL files from untrusted folders.
  • Prevent credential theft: This prevents the theft of passwords and hash information from memory, registry, or hard disk.
  • Prevent code cave utilisation: This detects malicious code that's been inserted into another, legitimate application.
  • Prevent APC violation: This prevents attacks from using Application Procedure Calls (APC) to run their code.
  • Prevent privilege escalation: This prevents attacks from escalating a low-privilege process to higher privileges to access your systems.

Protect network traffic: You can select these options:

  • Detect malicious connections to command and control servers: This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
  • Prevent malicious network traffic with packet inspection (IPS): This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications.

Detect malicious behavior (HIPS): This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.

AMSI Protection (with enhanced scan for script-based threats): This protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI). Code forwarded via AMSI is scanned before it runs and the applications used to run the code are notified of threats by Sophos. If a threat is detected, an event is logged.

Advanced Settings

These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.

Device Isolation

If you select this option, devices will isolate themselves from your network if their health is red. A device's health is red if it has threats detected, has out-of-date software, isn't compliant with policy, or isn't properly protected.

You can still manage isolated devices from Sophos Central. You can also use scanning exclusions or global exclusions to give limited access to them for troubleshooting.

You can't remove these devices from isolation. They will communicate with the network again once their health is green.

Scheduled Scanning

Scheduled scanning performs a scan at a time or times that you specify.

You can select these options:

  • Enable scheduled scan: This lets you define a time and one or more days when scanning should be performed.
    Note The scheduled scan time is the time on the endpoint computers (not a UTC time).
  • Enable deep scanning: If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.
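Because the scheduled scan time is interpreted in each endpoint's local time zone, one policy time maps to different UTC instants across a fleet, which matters when you correlate scan events in a SIEM. The following is an added example (not part of the Sophos documentation, and not a Sophos API) that computes each endpoint's UTC scan start from the policy time; the hostnames and time zones are a constructed sample.

```python
# Added example, not Sophos code: map a policy's local scan time to the UTC
# instant at which each endpoint actually starts scanning. Handles DST because
# zoneinfo applies the rules in force on the chosen date.
from datetime import date, datetime, time, timezone
from zoneinfo import ZoneInfo

# Constructed sample fleet: hostname -> IANA time zone (assumed values).
FLEET = {
    "ws-london-01": "Europe/London",
    "ws-newyork-01": "America/New_York",
    "ws-sydney-01": "Australia/Sydney",
}


def scan_start_utc(scan_time: str, scan_day: str, tz_name: str) -> str:
    """Return the ISO-8601 UTC instant when a scan scheduled at local
    `scan_time` ("HH:MM", as entered in the policy) starts on `scan_day`
    ("YYYY-MM-DD") for an endpoint in IANA time zone `tz_name`."""
    hour, minute = (int(part) for part in scan_time.split(":"))
    local_start = datetime.combine(
        date.fromisoformat(scan_day), time(hour, minute), tzinfo=ZoneInfo(tz_name)
    )
    return local_start.astimezone(timezone.utc).isoformat()


def fleet_scan_window(scan_time: str, scan_day: str, fleet: dict) -> dict:
    """Map each endpoint to its UTC scan start for the given day."""
    return {host: scan_start_utc(scan_time, scan_day, tz) for host, tz in fleet.items()}


def utc_spread_hours(window: dict) -> float:
    """Width, in hours, of the UTC interval in which the fleet's scans begin.
    A wide spread means 'the 02:00 scan' is not a single event time in your logs."""
    starts = [datetime.fromisoformat(value) for value in window.values()]
    return (max(starts) - min(starts)).total_seconds() / 3600


if __name__ == "__main__":
    window = fleet_scan_window("02:00", "2024-07-15", FLEET)
    for host, start in window.items():
        print(f"{host:14s} scans at {start}")
    print(f"scan starts spread over {utc_spread_hours(window):.0f} hours of UTC")
```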

Exclusions

You can exclude files, folders, websites or applications from scanning for threats, as described below.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the users the policy applies to.

Note If you want to apply exclusions to all your users and servers, set up global exclusions on the Global Settings > Global Exclusions page.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, website, potentially unwanted application, or device isolation).
  3. Specify the item or items you want to exclude.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or for both.
  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings, and click Update.

Desktop Messaging

You can add a message to the end of the standard notification. If you leave the message box empty only the standard message is shown.

Enable Desktop Messaging for Threat Protection is on by default. If you switch it off you will not see any notification messages related to threat protection.

Enter the text you want to add.