
Synchronized Security

Synchronized Security lets you do the following:

  • Scan and block computers that send spam or viruses.
  • Reject connections to or from other devices on the network that may be unsafe.

Scan computers that send spam or viruses

This Synchronized Security feature is only available if you have a Sophos Endpoint license and a Sophos Email license.

Synchronized Security monitors outbound mail and takes action if 5 or more emails that are classified as spam or contain viruses are sent from a mailbox within a 10-minute period.

To turn the feature on or off, do as follows:

  1. Click the Global Settings icon.
  2. Go to Protection & Remediation, and click Synchronized Security.
  3. Turn on or off Scan computers that send spam or viruses.

The blocking process works like this:

  1. The originating mailbox is identified.
  2. The owner of the mailbox is identified, along with any devices assigned to the owner of the mailbox.
  3. The mailbox is blocked from sending emails for 1 hour. After 1 hour, the mailbox is unblocked automatically. You can't unblock it any sooner.

    Lockout periods increase every time the blocking process is triggered. The amount of time the mailbox is blocked for is doubled every time the spam threshold is reached. The previous block period needs to end before another can start. These timed blocks can't be removed and you have to let them expire.

    After 6 times, the mailbox will be blocked permanently, and the owner will not be able to send any email from that mailbox. If you believe a permanently blocked mailbox should be unblocked, please contact Sophos support. See Sophos Support.

  4. Sophos Anti-Virus runs an on-demand scan on the devices linked to the mailbox.

  5. An alert is sent to the administrator saying that the sender has been blocked.
  6. The events report is updated to show that the mailbox has been blocked.

Note

If Synchronized Security is turned off, this will only disable the endpoint scan. The senders of outgoing spam and virus emails will still be blocked.
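The following Python model is an added illustration, not Sophos code. It replays the threshold and lockout rules described above over constructed timestamps so you can see when each block starts and how long it lasts. It assumes that "After 6 times" means six timed blocks followed by a permanent one, that the 10-minute period is inclusive, and that mail attempted during a block does not count toward the next trigger.

```python
from datetime import datetime, timedelta

THRESHOLD = 5                     # flagged emails, from the page
WINDOW = timedelta(minutes=10)    # detection period, from the page
FIRST_BLOCK = timedelta(hours=1)  # first lockout, from the page
TIMED_BLOCKS = 6                  # assumption: six timed blocks, then permanent


def simulate(flagged_times):
    """Return [(trigger_time, block_length)] for one mailbox.

    flagged_times: sorted datetimes of outbound mails classified as spam/virus.
    block_length is a timedelta, or None for the permanent block.
    """
    recent, blocks, blocked_until = [], [], None
    for ts in flagged_times:
        if blocks and blocks[-1][1] is None:
            break                          # permanently blocked, nothing more is sent
        if blocked_until and ts < blocked_until:
            continue                       # mailbox cannot send during a block
        recent = [t for t in recent if ts - t <= WINDOW] + [ts]
        if len(recent) < THRESHOLD:
            continue
        recent = []                        # start counting afresh after a trigger
        if len(blocks) >= TIMED_BLOCKS:
            blocks.append((ts, None))
            continue
        length = FIRST_BLOCK * 2 ** len(blocks)   # 1h, 2h, 4h, ...
        blocked_until = ts + length
        blocks.append((ts, length))
    return blocks


def burst(start):
    """Constructed sample: five flagged mails, one minute apart."""
    return [start + timedelta(minutes=m) for m in range(THRESHOLD)]


if __name__ == "__main__":
    t, sample = datetime(2024, 1, 1, 9, 0), []
    for _ in range(7):                     # seven bursts, each after the last block ends
        sample += burst(t)
        t += timedelta(hours=40)
    for when, length in simulate(sample):
        print(when, "permanent" if length is None else length)
```

Under these assumptions the sixth timed block lasts 32 hours, so a mailbox that keeps triggering the threshold stays unable to send for more than a day before the permanent block applies.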

Reject connections from other devices

This setting only applies to devices connected to Sophos Firewall.

You can configure devices to reject connections to or from other devices with red health or with a missing Security Heartbeat.

  1. Click the Global Settings icon.
  2. Go to Protection and Remediation, and click Synchronized Security.
  3. Under Reject connections from other devices, turn on Allow devices to reject connections from other devices with red health.
  4. Set up Exclusions if you need to.
  5. Click Save.

When a device triggers a red health or missing Security Heartbeat alert, all other devices on the same subnet are informed that the device is unsafe.

If the unsafe device tries to access another device, you will see an event logged in Sophos Endpoint on the destination device:

Access request from computer <computer name> denied because it may be unsafe

If a device tries to access an unsafe device, you will see an event logged in Sophos Endpoint on the source device:

Access to computer <computer name> denied because it may be unsafe

You cannot override the rejected state on a rejected device locally. To allow access to or from the device, it must revert to a healthy state.

Exclusions for servers

You might have servers that are critical for your organization. In this case, set up exclusions to ensure that devices always accept connections from these servers even if their health is red. Servers that are used as an update cache or message relay are excluded by default. This allows them to offer updates or a communication route for your devices.

  1. Click the Global Settings icon.
  2. Go to Protection and Remediation, and click Synchronized Security.
  3. Under Reject connections from other devices, in Exclusions, select the server or servers and move them to the Excluded list.
  4. Click Save.