Content updates FAQ

A content update is an update to detection data, not product features.

Each content update is released in three stages. You can select the stage at which devices get the update in your Update Management policies.

Which types of updates are included in content updates?

Content updates include machine learning engines, threat definitions, and flags. They don't include new versions of products.

Read about our updating model here: Content updates and product architecture: Sophos Endpoint.

Do I need to set up content updates?

No. By default, we manage content updates for you. However, you can control the timing of these updates in your Update Management policies.

To change content update timings for your endpoints, see Timing of endpoint content updates.

To change content update timings for your servers, see Timing of server content updates.

What's the best way to configure content updates?

You can use different content update settings in different policies to roll out content updates gradually and with the least risk. Here's an example:

  • Put a small number of devices that are low risk, but also representative of your estate, into the first stage.
  • Put the majority of devices into the second stage.
  • Put critical devices into the third stage.

Make sure devices in the first stage are representative of your estate. If you don't, you won't find issues early. For example, if you don't include servers in the first stage, an issue that's specific to a server application might be found too late.

Don't put all devices into the third stage. If you only find issues at the last stage, you leave no time to react. Other customers might find most issues before you, but there might also be issues specific to your environment.
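The guidance above can be checked against a device inventory before you assign policies. The following is an added example, not Sophos code, and it uses no Sophos API; the inventory fields (`profile`, `critical`, `stage`), the 10% limit for the first stage, and the sample estate are assumptions made for illustration.

```python
from collections import Counter

DEFAULT_STAGE = 2             # per this FAQ: used when a policy selects no stage
MAX_FIRST_STAGE_SHARE = 0.10  # assumption: "a small number" read as at most 10%

def effective_stage(device):
    """Stage a device ends up in when controlled timing is turned on."""
    return device.get("stage") or DEFAULT_STAGE

def check_plan(devices):
    """Return findings for a staging plan; an empty list means none were found."""
    if not devices:
        return []
    findings = []
    total = len(devices)
    by_stage = Counter(effective_stage(d) for d in devices)
    first = [d for d in devices if effective_stage(d) == 1]

    if not first:
        findings.append("stage 1 is empty: issues surface only in later stages")
    elif by_stage[1] / total > MAX_FIRST_STAGE_SHARE:
        findings.append("stage 1 is larger than a small pilot group")
    if by_stage[3] == total:
        findings.append("all devices are in stage 3: no time to react")
    if by_stage[2] * 2 <= total:
        findings.append("stage 2 does not hold the majority of devices")
    for d in devices:
        if d["critical"] and effective_stage(d) != 3:
            findings.append(f"critical device {d['name']} is in stage {effective_stage(d)}")

    # Representativeness: every device profile in the estate needs a
    # low-risk (non-critical) member in stage 1, or its issues are found late.
    covered = {d["profile"] for d in first if not d["critical"]}
    for profile in sorted({d["profile"] for d in devices} - covered):
        findings.append(f"profile '{profile}' has no low-risk device in stage 1")
    return findings

def sample_estate():
    """Constructed inventory (not real data): laptops piloted, servers not."""
    mk = lambda n, p, c, s: {"name": n, "profile": p, "critical": c, "stage": s}
    estate = [mk(f"lt-{i:02}", "laptop", False, None) for i in range(30)]
    estate += [mk(f"fs-{i}", "file-server", False, 2) for i in range(4)]
    estate += [mk(f"db-{i}", "sql-server", True, 3) for i in range(3)]
    estate[0]["stage"] = 1  # a single pilot laptop is the whole first stage
    return estate

if __name__ == "__main__":
    for finding in check_plan(sample_estate()):
        print(finding)
```

The sample estate reproduces the case described above: no server profile is in the first stage, so the check reports both server profiles as uncovered.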

Is a default stage used if I don't select a stage in a policy?

Yes. If you turn on controlled timing of content updates, but don't select a stage in a policy, we'll use the second stage.

If you don't turn on controlled timing, we'll send content updates at a random time in our release cycle.

Do you test content updates before releasing them to first-stage customers?

Yes, we test the updates fully and use them within Sophos before release.

As with any release, you might find an issue in a specific customer environment. However, staged releasing means we can halt the release if you find an issue in the first two stages.

What's the time interval between stages?

The timing varies depending on the urgency and the type of update. Currently, it can be hours or weeks.

Does Sophos Central show which devices have the latest content updates, or which version they have?

No. Sophos Central doesn't show those details. However, Sophos Support can check the content update stage in the endpoint logs if they're investigating an issue.

Can Sophos bypass my settings to send out critical updates?

No. We can vary the time interval between stages, but we always send out updates at the stage you selected.

Is there a risk to configuring content updates?

No. These are the same staged updates we release automatically. This feature only lets you control the stage at which you receive your updates.

What should I do if I find an issue?

If you find an issue, change all your updating policies to get content updates at the third stage. Contact Sophos Support so we can investigate which content updates might be causing the issue.