Unauthorized File Protection Policy
We're renaming Lockdown to Sophos Unauthorized File Protection (SUFP). We're also adding new controls for managing SUFP. This change doesn't affect the allowed or blocked files and folders you created in existing Lockdown policies. We encourage existing Server Lockdown customers to plan their transition to Unauthorized File Protection to benefit from the improved functionality.
Note
Locked servers must be unlocked before using the Unauthorized File Protection policy. For information on unlocking a server, see Server Summary.
Sophos Unauthorized File Protection (SUFP) tracks file operations performed by non-privileged processes that create, modify, or move Portable Executable (PE) files. It also tracks the creation of file hardlinks and the renaming of folders.
Reputation check
SUFP leverages the reputation that SophosLabs assigns. A reputation score indicates how trustworthy a file is. SUFP uses reputation scores as follows:
- Local files with high reputation are authorized for execution unless they match items on the policy blocklist.
Administrators can use the Application Control policy to block the execution of files from legitimate and widely used applications. See Server Application Control Policy.
- Local files with a low to medium reputation are tracked for changes. SUFP blocks file execution if an unauthorized process has modified the file.
- Local files with any reputation, except Sophos and system files, are blocked if they match the SUFP policy blocklist.
Note
You can check the reputation score of a file using the Sophos Endpoint Self Help (ESH) tool. For more information, see File Information.
For more information on reputation scores, see Request latest intelligence.
Set up Unauthorized File Protection policy
To set up a policy, do as follows:
- Go to My Products > Server > Policies.
- Create an Unauthorized File Protection policy. See Create or Edit a Policy.
- Open the policy's Settings tab and configure it as needed.
Enable tracking of unauthorized file changes
Turn on Enable tracking of unauthorized file changes.
You can select one of the following settings:
- Monitor execution of unauthorized files without blocking: When turned on, Sophos Endpoint reports the execution of an unauthorized file to Sophos Central without blocking it.
You can use these details to add necessary files to the allow list before turning on the Block execution of unauthorized file option.
- Block execution of unauthorized file: When turned on, Sophos Endpoint blocks unauthorized file execution.
When an execution is blocked, Sophos Endpoint Agent shows the user a pop-up message stating that a file has been blocked. Administrators can see the details on the Events tab in Servers. See Server Events.
You can see the most recent events of blocked files in the server Summary or Events tab. To see reports of events for a specific time interval, go to Reports > General Logs > Events.
Sophos EDR or XDR customers can also use custom Live Discover queries to retrieve all available event details from the sophos_unauthorized_actions_journal table.
To create or edit a custom query, see Edit or create queries.
To run a custom query, see Live Discover.
Allowed files/folders
You can allow execution of specific files, or of all files in specific folders and their subfolders. Files that match entries on this list are privileged.
Tip
We recommend you specify full file paths.
To allow a file or folder, do as follows:
- Click Add allowed file/folder.
- Select File or Folder.
- Enter the path of the file or folder. You can use wildcards and variables. See Windows scanning exclusions.
- Click Save.
Blocked files/folders
You can block execution of specific files, or of all files in specific folders and their subfolders.
To block a file or folder, do as follows:
- Click Add blocked file/folder.
- Select File or Folder.
- Enter the path of the file or folder. You can use wildcards and variables. See Windows scanning exclusions.
- Click Save.
MSI file installation
MSI files are installation packages commonly used to install software on Windows devices. They're not PE files, and SUFP applies special logic to handle them.
MSI files aren't blocked, but they can contain PE files that are extracted and executed during installation. If these PE files don't have high reputation scores, SUFP blocks them, and the installation fails. Even if the installation completes, SUFP blocks installed PE files if they don't have high reputation scores and don't match the policy allow list.
MSI file paths or folders containing MSI files can be added to the policy allow list and block list. SUFP checks whether MSI files match these lists when deciding whether to block installation or allow the execution of installed PE files or PE files extracted during installation.