Skip to content

Threat Protection Policy

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.


This page describes policy settings for endpoint computers. Different policy settings apply for servers.

Go to My Products > Endpoint > Policies to set up threat protection.

To set up a policy, do as follows:

  • Create a Threat Protection policy. See Create or Edit a Policy.
  • Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.

You can either use the default settings or change them.

If you change any of the settings in this policy and you want to find out what the default is, create a new policy. You don't have to save it, but it shows you the defaults.


SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types to provide the best protection.

By default, the policy uses our recommended settings.

These provide the best protection you can have without complex configuration. They offer the following:

  • Detection of known malware.
  • In-the-cloud checks to allow detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.

If you're using any non-recommended settings, you'll see warnings on the policy settings page.

Think carefully before you change the recommended settings because doing so may reduce your protection.

Live Protection

Live Protection checks suspicious files against the SophosLabs threat database. This helps detect the latest threats and avoid false positives. You can use it as follows:

  • Use Live Protection to check the latest threat information from SophosLabs online. This checks files during real-time scanning.
  • Use Live Protection during scheduled scans.

Turning off Live Protection reduces your protection and may increase false positives.

To see our threat database, go to Sophos Threat Center.

Deep Learning

Deep learning can automatically detect threats, particularly new and unknown threats that have not been seen before. It uses machine learning and does not depend on signatures.

Turning off Deep learning significantly reduces your protection.

Real-time Scanning - Local Files and Network Shares

Real-time scanning checks files for known malware when they're accessed and updated. It prevents known malicious programs from being run, and infected files from being opened by legitimate applications.

Local and remote files (files accessed from the network) are scanned by default.

Remote files lets you turn scanning of remote files on or off.

Turning off these options could allow known malware to be run or accessed.

Real-time Scanning - Internet

Real-time scanning scans internet resources as users attempt to access them.

Scan downloads in progress

This setting controls whether we scan downloads and page elements before they reach the browser.

  • HTTP connections: We scan all elements and downloads.
  • HTTPS connections: We don't scan any elements, unless you turn on Decrypt websites using SSL/TLS.

Block access to malicious websites

This setting denies access to websites that are known to host malware.

We do a reputation check to see if the site is known to host malicious content (SXL4 lookup). If you turn off Live Protection, you're also turning off this check.

  • HTTP connections: All URLs are checked, including full HTTP GET requests.
  • HTTPS connections: Base URLs are checked (SNI). If you turn on Decrypt websites using SSL/TLS, all URLs are checked, including full HTTP GET requests.

Detect low-reputation downloads

This setting checks download reputation based on the file's source, how often it's downloaded, and more. Use the following options to decide how downloads are handled.

Set Action to take to Prompt User: The end user sees a warning when a low-reputation file is downloaded. They can then trust or delete the file. This is the default setting.

Set Reputation level to one of the following:

  • Recommended: Low-reputation files are automatically blocked. This is the default setting.
  • Strict: Medium and low-reputation downloads are automatically blocked and reported to Sophos Central.

For more information, see Download Reputation.


Remediation options are as follows:

Automatically clean up malware: Sophos Central automatically cleans up detected malware and logs the cleanup. You can see this in the Events list.


Windows computers always clean up detected items, regardless of this setting. You can only turn off automatic cleanup on Macs.

When Sophos Central cleans up a file, it removes the file from its current location and quarantines it in SafeStore. Files remain in SafeStore until they're allowed or removed to make room for new detections. You can restore files quarantined in SafeStore by adding them to Allowed applications. See Allowed applications.

SafeStore has the following default limits:

  • The single file limit is 100 GB.
  • The overall quarantine size limit is 200 GB.
  • The maximum number of files stored is 2000.

Enable Threat Graph creation. This helps you investigate the chain of events in a malware attack. We suggest you turn it on so that you can analyse attacks we've detected and stopped.

Runtime Protection

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic.

Protect document files from ransomware (CryptoGuard). This setting protects you against malware that restricts access to your files and then demands a fee to release them. The feature is on by default. We strongly recommend that you leave it on.

You can also use these options:

  • Protect from remotely run ransomware. This ensures protection across your whole network. We recommend that you leave it turned on.
  • Protect from Encrypting File System attacks. This protects 64-bit devices from ransomware that encrypts the file system. Choose which action you want to take if ransomware is detected. You can terminate ransomware processes or isolate them to stop them writing to the filesystem.
  • Protect from master boot record ransomware. This protects the device from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.

Protect critical functions in web browsers (Safe Browsing). This setting protects your web browsers against exploitation by malware via your web browser.

Mitigate exploits in vulnerable applications. This setting protects applications that are prone to exploitation by malware. You can select which application types to protect.

Protect processes. This helps prevent the hijacking of legitimate applications by malware. You can choose from the following options:

  • Prevent process hollowing attacks. Also known as “process replacement” or DLL injection. Attackers commonly use this technique to load malicious code into a legitimate application to try to bypass security software.

    Turning off this setting makes it easier for an attacker to bypass your security software.

  • Prevent DLLs loading from untrusted folders. This protects against loading DLL files from untrusted folders.

  • Prevent credential theft. This prevents the theft of passwords and hash information from memory, registry, or hard disk.
  • Prevent code cave utilisation. This detects malicious code that's been inserted another, legitimate application.
  • Prevent APC violation. This prevents attacks from using Application Procedure Calls (APC) to run their code.
  • Prevent privilege escalation. This prevents attacks from escalating a low-privilege process to higher privileges to access your systems.

Dynamic shellcode protection. This setting detects the behaviour of hidden remote command and control agents and prevents attackers from gaining control of your networks.

Validate CTF Protocol caller. This setting blocks applications that attempt to exploit a vulnerability in CTF, a component in all versions of Windows. The vulnerability allows a non-administrator attacker to hijack any Windows process, including applications running in a sandbox. We recommend that you turn Validate CTF Protocol caller on.

Prevent side loading of insecure modules. This setting prevents an application from side-loading a malicious DLL that poses as an ApiSet Stub DLL. ApiSet Stub DLLs serve as a proxy to maintain compatibility between older applications and newer operating system versions. Attackers can use malicious ApiSet Stub DLLs to bypass tamper protection and stop anti-malware protection.

Turning this off significantly reduces your protection.

Protect browser cookies used for MFA sign in. This setting prevents unauthorized applications from decrypting the AES key used to encrypt multi-factor authentication (MFA) cookies.

Prevent malicious beacons connecting to command-and-control servers. This setting identifies and blocks beacons that attempt to evade detection by remaining encrypted.

Protect network traffic

  • Detect malicious connections to command-and-control servers. This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
  • Prevent malicious network traffic with packet inspection (IPS). This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications. This option is turned off by default.

Detect malicious behaviour. This setting protects against threats that are not yet known. It does this by detecting and blocking behaviour that is known to be malicious or is suspicious.

AMSI Protection. This setting protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI).

Code forwarded using AMSI is scanned before it runs, and the endpoint then notifies the applications used to run the code about threats. If a threat is detected, an event is logged.

Prevent the removal of AMSI registration. This setting ensures that AMSI can't be removed from your computers.

Adaptive Attack Protection

Turn on extra protections automatically when a device is under attack. This setting enables a more aggressive set of protections when an attack is detected. These extra protections are designed to disrupt the actions of an attacker.

You can also turn on Adaptive Attack Protection features permanently.

  • Enable protection in safe mode. This setting enables Sophos protection when devices are running in Safe Mode. Some components and features, such as Message Relay and Update Cache, aren’t available in Safe Mode.
  • Block safe mode abuse. This setting detects and blocks activities that indicate an attacker is trying to put the device into Safe Mode.

Advanced Settings

These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.

Block QUIC browser connections

Select Block QUIC (Quick UDP Internet Connections) browser access to websites to prevent these connections.

QUIC enabled browsers can bypass our website checking for some sites. Blocking QUIC ensures that we apply SSL/TLS decryption and checking to those sites.

By default, this setting is off.

SSL/TLS decryption of HTTPS websites

Decrypt websites using SSL/TLS. This setting lets devices decrypt and check the contents of HTTPS websites for threats.

If we decrypt a website that's risky, we block it. We show the user a message and give them the option to submit the site to SophosLabs for reassessment.

By default, decryption is off.

If HTTPS decryption is on in the policy that applies to a device:

  • HTTPS decryption is also on for Web Control checks on that device.
  • The protection features in Real-time Scanning - Internet can also see the full site contents, downloads, and page URLs

If you turn on this feature, you'll decrypt all HTTPS traffic and this can slow down browsing.

HTTPS decryption exclusions

By default, we exclude certain site categories from decryption. These are categories that contain personal information such as banking and webmail sites.

You can change the exclusions in the general settings. Go to My Products > General Settings > General > SSL/TLS decryption of HTTPS websites.

Device Isolation

If you select this option, we isolate devices from the network if they report their health as red. A device's health is "red" if it has threats detected, has out-of-date software, isn't compliant with policy, or isn't properly protected.


Sophos Central uses a wider range of factors to determine health. This can mean it reports a different health status for a device, from the device itself. This doesn't affect isolation. We only use a red health status given by a device to isolate it.

You can still manage isolated devices from Sophos Central. You can also use scanning exclusions or global exclusions to give limited access to them for troubleshooting.

You can't remove these devices from isolation. You need to fix a device's issues and return it to "green" health so that we'll remove it from isolation.

We recommend that you assess the impact of this option on your network before applying it. To do this, turn it on in a policy, and apply the policy to a representative sample of devices.

Scheduled Scanning

Scheduled scanning performs a scan at a time or times that you specify.

Scheduled scanning is a legacy technique to detect malware. It's rarely needed now that we have background scanning. It can increase system load and slow down scanning significantly. We recommend you don't use scheduled scans unless necessary.

You can select these options:

  • Enable scheduled scan: This lets you define a time and one or more days when scanning should be performed.


    The scheduled scan time is the time on the endpoint computers (not a UTC time).

  • Enable deep scanning: If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.

Scanning exclusions

You can exclude files, folders, websites, or applications from scanning for threats.

Exclusions set in a policy are only used for the users and devices the policy applies to. If you want to apply exclusions to all your users and devices, set up global exclusions. To do this, go to My Products > General Settings > Global Exclusions.

Adding exclusions can reduce your protection. Use them carefully.

For help on using exclusions see Using exclusions safely.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, website, potentially unwanted application, or device isolation).

  3. Specify the item or items you want to exclude. The following rules apply:

    • Potentially Unwanted Application (Windows/Mac/Linux). You can exclude applications that are normally detected as spyware. Specify the exclusion using the same name under which the system detected it, for example "PsExec" or "Cain n Abel". Find more information about PUAs in the Sophos Threat Center.

      Think carefully before you add PUA exclusions because doing so may reduce your protection.

    • File or folder. In the Active for drop-down list, specify if the exclusion must be valid for real-time scanning, for scheduled scanning, or both.

    • Detected Exploits (Windows/Mac). You can exclude detected exploits using a detection ID. You can use this option if you're working with Sophos Support to resolve a false positive detection. Sophos Support can give you a detection ID and you can then exclude the false positive detection. To do this, click Exploit not listed? and enter the ID.
  4. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.


If you exclude a website, we don't check the category of the website and it's excluded from web control protection. See Web Control Policy.

For more information on the exclusions you can use see:

Exploit Mitigation exclusions

You can exclude applications from protection against security exploits. For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.

Adding exclusions reduces your protection.

We recommend that you apply the policy containing the exclusion only to those users and devices where the exclusion is necessary.


You can only create exclusions for Windows applications.

To create a policy exploit mitigation exclusion, do as follows:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In Exclusion Type, select Exploit Mitigation and Activity Monitoring (Windows).

    A list of the protected applications on your network shows.

  3. Select the application you want to exclude.

  4. If you don't see the application you want, click Application not listed?. You can now exclude your application from protection by entering its file path. Optionally, use any of the variables.
  5. Under Mitigations, choose from the following:

    • Turn off Protect Application. Your selected application isn't checked for any exploits.
    • Keep Protect Application turned on and select the exploit types that you do or don't want to check for.
  6. Click Add or Add Another

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

For more help with Exploit Mitigation exclusions see the following:

Ransomware Protection Exclusions

You can exclude applications or folders used by applications from protection against ransomware.

You might want to exclude an application that we've incorrectly detected as a threat or an application that is incompatible with ransomware protection. For example, if you have an application that encrypts data, you might want to exclude it. This stops us from detecting the application as ransomware.

You might also want to exclude folders used by applications that show performance issues when monitored by ransomware protection. For example, you might want to exclude folders used by backup applications.

Adding exclusions reduces your protection.

We recommend that you add exclusions in a policy and assign that policy only to those users and devices where the exclusions are necessary.

To create a policy ransomware protection exclusion, do as follows:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In Exclusion Type, select Ransomware Protection (Windows) or Ransomware Protection (Mac).

  3. Choose whether you want to exclude a process or a folder.

    Choose Process to exclude an application.

  4. In VALUE, enter the path for the process or folder you want to exclude.

    You can only exclude a folder by its local path. You can't exclude it by its remote path in UNC format, for example \\servername\shared-folder.

    You can use variables when you exclude processes or folders.

  5. Click Add or Add Another.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

For more help with Ransomware Protection exclusions see Ransomware Protection exclusions.

Desktop Messaging

Desktop messaging sends you notifications about threat protection events. It's on by default.

You can enter your own message to add to the end of standard notifications.