Unauthorized File Protection Policy

We've renamed Server Lockdown to Unauthorized File Protection. New controls for managing Unauthorized File Protection have been added. These changes don't affect the allowed or blocked files and folders you created in existing Server Lockdown policies. We encourage existing Server Lockdown customers to plan their transition to Unauthorized File Protection to benefit from the improved functionality.

Note

Locked servers must be unlocked before using the Unauthorized File Protection policy. For information on unlocking a server, see Server Summary.

Unauthorized File Protection tracks file operations in which non-privileged processes create, modify, or move Portable Executable (PE) files. It also tracks the creation of file hard links and the renaming of folders, since either can make a file appear under a different path from the one it was tracked at.

Reputation check

Unauthorized File Protection uses the reputation that SophosLabs assigns to files. A reputation score indicates how trustworthy a file is. Unauthorized File Protection uses reputation scores as follows:

  • Local files with high reputation are authorized for execution unless they match items on the policy blocklist.

    Administrators can use the Application Control policy to block the execution of files from legitimate and widely used applications. See Server Application Control Policy.

  • Local files with a low to medium reputation are tracked for changes. Unauthorized File Protection blocks execution of such a file if a non-privileged (unauthorized) process has modified it.

  • Local files with any reputation, except Sophos and system files, are blocked if they match the Unauthorized File Protection policy's blocklist.

    Note

    You can check the reputation score of a file using the Sophos Endpoint Self Help (ESH) tool. For more information, see File Information.

For more information on reputation scores, see Request latest intelligence.

Set up Unauthorized File Protection policy

To set up a policy, do as follows:

  1. Go to My Products > Server > Policies.
  2. Create an Unauthorized File Protection policy. See Create or Edit a Policy.
  3. Open the policy's Settings tab and configure it as needed.

Enable tracking of unauthorized file changes

Turn on Enable tracking of unauthorized file changes.

You can select one of the following settings:

  • Monitor execution of unauthorized files without blocking: When turned on, Sophos Endpoint reports the execution of an unauthorized file to Sophos Central without blocking it.

    You can use these details to add necessary files to the allow list before turning on the Block execution of unauthorized file option.

  • Block execution of unauthorized file: When turned on, Sophos Endpoint blocks unauthorized file execution.

    When an execution is blocked, the user sees a pop-up message from the Sophos Endpoint agent informing them that a file has been blocked. Administrators can see the details on the Events tab in Servers. See Server Events.

You can see the most recent events of blocked files in the server Summary or Events tab. To see reports of events for a specific time interval, go to Reports > General Logs > Events.

Sophos EDR or XDR customers can also use custom Live Discover queries to retrieve all available event details from the sophos_unauthorized_actions_journal table.

To create or edit a custom query, see Edit or create queries.

To run a custom query, see Live Discover.

Allowed items

You can allow execution of specific files, or of all files in specific folders and their subfolders. Items that match entries in this list are treated as privileged, so the file operations they perform aren't tracked as unauthorized changes.

Tip

We recommend you specify full file paths. A folder entry makes every file in that folder and its subfolders privileged, so avoid allowing folders that non-administrative users or untrusted processes can write to.

To allow an item, do as follows:

  1. Click Add allowed item.
  2. On the Add new allowed item dialog, do as follows:

    1. Select File, Folder, or SHA256.
    2. Enter the path of the file or folder or the SHA-256 value.

      You can use wildcards and variables for files and folders only. See Windows scanning exclusions.

    3. Click Save.

  3. On the Server Protection page, click Save.

Blocked items

You can block executions of specific files or all files from specific folders or their subfolders.

To block a file or folder, do as follows:

  1. Click Add blocked item.
  2. On the Add new blocked item dialog, do as follows:

    1. Select File, Folder, or SHA256.
    2. Enter the path of the file or folder or the SHA-256 value.

      You can use wildcards and variables for files and folders only. See Windows scanning exclusions.

    3. Click Save.

  3. On the Server Protection page, click Save.

MSI file installation

MSI files are installation packages commonly used to install software on Windows devices. They're not PE files, and Unauthorized File Protection applies special logic to handle them.

MSI files aren't blocked, but they can contain PE files that are extracted and executed during installation. If these PE files don't have high reputation scores, Unauthorized File Protection blocks them, and the installation fails. Even if the installation completes, Unauthorized File Protection blocks installed PE files if they don't have high reputation scores and don't match the policy allow list.

MSI file paths or folders containing MSI files can be added to the policy allow list and block list. Unauthorized File Protection checks whether MSI files match these lists when deciding whether to block installation or allow the execution of installed PE files or PE files extracted during installation.
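The following PowerShell script is an added example; it isn't part of this page or of the Sophos product. It shows one way to prepare allow-list entries for both the Allowed items section above and the MSI case described here: it unpacks an MSI with an administrative install (msiexec /a, which lays out the package's files without running its install actions), then inventories the PE files under a folder with their SHA-256 hashes and Authenticode status so you can review them and add File or SHA256 entries before turning on blocking. The paths C:\Temp\vendor.msi and C:\Temp\vendor-extract are placeholders, and Test-IsPeFile, Get-PeInventory and Expand-MsiPackage are the example's own helper functions, not product commands.

```powershell
# Added example, not Sophos product code. Paths below are placeholders.
# Requires Windows PowerShell 5.1 or later and read access to the files.

function Test-IsPeFile {
    param([Parameter(Mandatory)][string]$Path)
    # A PE file starts with the DOS header "MZ"; the little-endian DWORD at offset
    # 0x3C (e_lfanew) gives the offset of the "PE\0\0" signature of the NT headers.
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            if ($fs.Length -lt 0x40) { return $false }
            $dos = New-Object byte[] 0x40
            if ($fs.Read($dos, 0, 0x40) -ne 0x40) { return $false }
            if ($dos[0] -ne 0x4D -or $dos[1] -ne 0x5A) { return $false }      # "MZ"
            $peOffset = [BitConverter]::ToUInt32($dos, 0x3C)
            if ([int64]$peOffset + 4 -gt $fs.Length) { return $false }
            [void]$fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
            $sig = New-Object byte[] 4
            if ($fs.Read($sig, 0, 4) -ne 4) { return $false }
            return ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0)
        } finally { $fs.Dispose() }
    } catch { return $false }   # unreadable or locked file: not inventoried
}

function Get-PeInventory {
    # Recursively list PE files under $Folder with SHA-256 and Authenticode status.
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-IsPeFile -Path $_.FullName } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

function Expand-MsiPackage {
    # Administrative install: unpacks the package's files into $Target without
    # running its install actions. Binaries embedded for custom actions (the MSI
    # Binary table) aren't laid out this way, so the inventory may be incomplete.
    param([Parameter(Mandatory)][string]$MsiPath,
          [Parameter(Mandatory)][string]$Target)
    $p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
        '/a', "`"$MsiPath`"", '/qn', "TARGETDIR=`"$Target`"")
    if ($p.ExitCode -ne 0) { throw "msiexec /a failed with exit code $($p.ExitCode)" }
}

# Usage (placeholder paths): unpack the package, inventory what it would install,
# and export the list for review before adding File or SHA256 allow-list entries.
Expand-MsiPackage -MsiPath 'C:\Temp\vendor.msi' -Target 'C:\Temp\vendor-extract'
Get-PeInventory -Folder 'C:\Temp\vendor-extract' |
    Export-Csv -Path 'C:\Temp\vendor-pe-inventory.csv' -NoTypeInformation
```

Run it against a vendor's installed folder as well to catch PE files the installer generates or updates at run time. A SHA256 entry survives a path change but must be updated whenever the vendor ships a new build; a File entry survives updates but, as the Tip above says, should be a full path.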