Endpoint: Threat Protection
Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.
Note
This page describes policy settings for endpoint computers. Different policy settings apply for servers.
SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types in order to provide the best protection.
Use recommended settings
Warning
Think carefully before you change the recommended settings because doing so may reduce your protection.
If we change our recommendations in the future, we’ll automatically update your policy with new settings.
The recommended settings offer:
- Detection of known malware.
- In-the-cloud checks to enable detection of the latest malware known to Sophos.
- Proactive detection of malware that has not been seen before.
- Automatic cleanup of malware.
For more information on how we assess threats, see Sophos Threat Center.
Deep Learning
Deep learning uses advanced machine learning to detect threats. It can identify known and previously unknown malware and potentially unwanted applications without using signatures.
Deep learning is only available with Sophos Intercept X.
Live Protection
Live Protection checks suspicious files against the latest malware in the SophosLabs database.
You can select these options:
Use Live Protection to check the latest threat information from SophosLabs online: This checks files during real-time scanning.
Real-time Scanning - Local Files and Network Shares
Real-time scanning scans files as users attempt to access them, and allows access if the file is clean.
Local files are scanned by default. You can also select Remote files to scan files on network shares.
Real-time Scanning - Internet
Real-time scanning scans internet resources as users attempt to access them. You can select these options:
Scan downloads in progress: This setting controls whether we scan downloads and page elements before they reach the browser.
- HTTP connections: We scan all elements and downloads.
- HTTPS connections: We don't scan any elements, unless you turn on Decrypt websites using SSL/TLS.
Block access to malicious websites: This denies access to websites that are known to host malware.
Detect low-reputation files: This setting checks download reputation based on the file's source, how often it's downloaded, and more. Use the following options to decide how downloads are handled.
You can specify:
- Action to take on low-reputation downloads: Set to one of the following options:
  - Prompt user: When a file with an unknown or low reputation is selected for download, the user is prompted to either block it or trust and allow the download. This is the default setting.
  - Log only: Downloaded file details are recorded in the local log, but the user won't receive any prompts.
- Reputation level: Set to one of the following options:
  - Recommended: Low-reputation files are automatically blocked. This is the default setting.
  - Strict: Medium and low-reputation downloads are automatically blocked and reported to Sophos Central.
See Download reputation.
Remediation
Remediation options are:
- Automatically clean up malware: Sophos Central automatically cleans up detected malware and logs the cleanup. You can see this in the Events list.
Restriction
Windows computers always clean up detected items, regardless of this setting. You can restore items that have been cleaned up on Windows. You can't restore these items on Macs, but we still recommend you turn on automatic cleanup on Macs.
When Sophos Central cleans up a file, it removes the file from its current location and quarantines it in SafeStore. Files remain in SafeStore until they're allowed or removed to make room for new detections. You can restore files quarantined in SafeStore by adding them to Allowed applications. See Allowed applications.
SafeStore has the following default limits:
- The single file limit is 100 GB.
- The overall quarantine size limit is 200 GB.
- The maximum number of files stored is 2000.
- Enable Threat Graph creation: Threat cases let you investigate the chain of events in a malware attack and identify areas where you can improve your security.
Runtime Protection
You must join the Early Access Program to use some options.
Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic. You can select:
Protect document files from ransomware (CryptoGuard): This protects document files against malware that restricts access to files and then demands a fee to release them. You can also choose to protect 64-bit computers against ransomware run from a remote location.
You can also use these options:
- Protect from remotely run ransomware: This ensures protection across your whole network. We recommend that you leave it turned on.
- Protect from Encrypting File System attacks: This protects the computer from ransomware that encrypts the file system. Choose which action you want to take if ransomware is detected. You can terminate ransomware processes or isolate them to stop them writing to the file system.
Protect from master boot record ransomware: This protects the computer from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.
Protect critical functions in web browsers (Safe Browsing): This protects your web browsers against exploitation by malware.
Mitigate exploits in vulnerable applications: This protects the applications most prone to exploitation by malware. You can select which application types to protect.
Protect processes: This helps prevent the hijacking of legitimate applications by malware. You can choose from these options:
- Prevent process hollowing attacks: This protects against process replacement attacks. Turning off this setting makes it easier for an attacker to bypass your security software.
- Prevent DLLs loading from untrusted folders: This protects against loading .DLL files from untrusted folders.
- Prevent credential theft: This prevents the theft of passwords and hash information from memory, registry, or hard disk.
- Prevent code cave utilisation: This detects malicious code that's been inserted into another, legitimate application.
- Prevent APC violation: This prevents attacks from using Application Procedure Calls (APC) to run their code.
- Prevent privilege escalation: This prevents attacks from escalating a low-privilege process to higher privileges to access your systems.
Dynamic shellcode protection: This detects the behavior of covert remote access agents and prevents attackers from gaining control of your networks.
Validate CTF Protocol caller: This intercepts and blocks applications that attempt to exploit CTF.
A vulnerability in a Windows component, only known as “CTF”, present in all versions back to Windows XP, allows a non-administrative, unauthorized attacker to hijack any Windows process, including applications that are running in a sandbox.
Prevent side loading of insecure modules: This prevents an application from side-loading a malicious DLL that poses as an ApiSet Stub DLL.
ApiSet Stub DLLs are DLLs that serve as a proxy to maintain compatibility between older applications and newer operating system versions. Attackers may place malicious ApiSet Stub DLLs to manipulate this functionality, or bypass tamper protection and stop anti-malware protection.
Turning this off significantly reduces your protection.
Protect browser cookies used for MFA sign-in: This prevents unauthorized applications from decrypting the AES key used to encrypt multi-factor authentication (MFA) cookies.
Prevent malicious beacons connecting to command-and-control servers: This setting identifies and blocks beacons that attempt to evade detection by remaining encrypted.
Monitor use of driver APIs: This setting detects attempted abuse of APIs normally used by legitimate applications such as printers or virtual network adapters to interact with kernel-mode code.
Prevent malicious use of syscall instructions: This setting blocks attempts to evade monitoring through direct calls to system APIs.
Prevent hardware breakpoint abuse: This setting prevents abuse of hardware breakpoints.
Protect network traffic
- Detect malicious connections to command and control servers: This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
- Prevent malicious network traffic with packet inspection (IPS): This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications.
Detect malicious behavior: This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.
AMSI Protection (with enhanced scan for script-based threats): This protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI). Code forwarded using AMSI is scanned before it runs, and Sophos notifies the applications used to run the code of threats. If a threat is detected, an event is logged. You can prevent the removal of AMSI registration on your computers. See Antimalware Scan Interface (AMSI).
Prevent the removal of AMSI registration: This setting ensures that AMSI can't be removed from your computers.
Adaptive Attack Protection
Turn on extra protections automatically when a device is under attack: This enforces a more aggressive set of protections when an attack is detected. These extra protections are designed to disrupt the actions of an attacker.
You can also turn on Adaptive Attack Protection features permanently.
- Enable protection in safe mode: This setting enables Sophos protection when devices are running in Safe Mode. Some components and features, such as Message Relay and Update Cache, aren’t available in Safe Mode.
- Block safe mode abuse: This setting detects and blocks activities that indicate an attacker is trying to put the device into Safe Mode.
Advanced Settings
These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.
Block QUIC browser connections
For Macs, you can only use this feature if you've joined the Early Access Program.
Select Block QUIC (Quick UDP Internet Connections) browser access to websites to prevent these connections.
QUIC enabled browsers can bypass our website checking for some sites. Blocking QUIC ensures that we apply SSL/TLS decryption and checking to those sites.
By default, this setting is off.
SSL/TLS decryption of HTTPS websites
For Macs, you can only use this feature if you've joined the Early Access Program.
If you select Decrypt websites using SSL/TLS, we decrypt and check the contents of HTTPS websites for threats on your customers' computers.
If we decrypt a website that’s risky, we block it. We show the user a message and give them the option to submit the site to SophosLabs for reassessment.
By default, decryption is off.
Note
If decryption is on in the Threat Protection policy that applies to a device, it's also on for Web Control checks on that device.
If you turn this setting on, your customers can't make changes.
Note
If your customers are participating in the "New Endpoint Protection Features" EAP, they can turn decryption on or off for HTTPS websites. They can make changes to the settings you choose.
Device Isolation
If you select this option, devices will isolate themselves from your network if their health is red. A device's health is "red" if it has threats detected, has out-of-date software, isn't compliant with policy, or isn't properly protected.
Note
Sophos Central uses a wider range of factors to determine health. This can mean Sophos Central reports a different health status for a device than the device itself reports. This doesn't affect isolation: only a red health status reported by the device itself causes it to isolate.
You can still manage isolated devices from Sophos Central. You can also use scanning exclusions or global exclusions to give limited access to them for troubleshooting.
You can't remove these devices from isolation. They will communicate with the network again once their health is "green".
We recommend that you assess the impact of this option on your network before applying it. To do this, turn it on in a policy, and apply the policy to a representative sample of devices.
Note
When your users' devices go into isolation, they may seemingly still be able to access their network files. This is due to the "Always available offline" Windows feature, which creates local copies of mapped network drives users can access while disconnected. This behavior doesn't affect the device isolation.
Scheduled Scanning
Scheduled scanning performs a scan at a time or times that you specify.
Scheduled scanning is a legacy technique to detect malware. It's rarely needed now that we have background scanning. It can increase system load and slow down scanning significantly. We recommend you don't use scheduled scans unless necessary.
You can select these options:
- Enable scheduled scan: This lets you define a time and one or more days when scanning should be performed.
Note
The scheduled scan time is the time on the endpoint computers (not a UTC time).
- Enable deep scanning: If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.
Scheduled scanning only happens when the computer is online. If the computer is offline during the scheduled scan time, the scan won't run. The system will start a scan during the next scheduled time, provided the computer is online.
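Two details above are easy to get wrong when planning a schedule: the scan time is the endpoint's local time, not UTC, and a slot the endpoint is offline for is simply missed, with no catch-up. The following added example (written for this page, not Sophos code) works both rules through for two endpoints on one policy. The policy (02:00 on Monday, Wednesday and Friday), the fixed-offset zones standing in for UTC+2 and UTC-5, and the online periods are all constructed.

```python
from datetime import datetime, time, timedelta, timezone

# Constructed sample policy (not from the page): scan at 02:00 endpoint-local time
# on Monday, Wednesday and Friday. Weekday numbering follows Python: 0 = Monday.
SCAN_TIME = time(2, 0)
SCAN_DAYS = {0, 2, 4}


def scheduled_slots(window_start_utc, window_end_utc, scan_time, scan_days, endpoint_tz):
    """Return the scheduled scan start instants (aware UTC datetimes) inside the window.

    The policy time is interpreted in the endpoint's own zone, as the page states,
    so one policy fires at different UTC instants on endpoints in different zones.
    """
    slots = []
    day = window_start_utc.astimezone(endpoint_tz).date()
    last_day = window_end_utc.astimezone(endpoint_tz).date()
    while day <= last_day:
        if day.weekday() in scan_days:
            local_start = datetime.combine(day, scan_time, tzinfo=endpoint_tz)
            if window_start_utc <= local_start < window_end_utc:
                slots.append(local_start.astimezone(timezone.utc))
        day += timedelta(days=1)
    return slots


def scans_that_run(slots_utc, online_periods_utc):
    """Split slots into those that run and those skipped because the endpoint was offline.

    A missed slot is not retried; the next scheduled slot is the next chance to scan.
    online_periods_utc is a list of (start, end) aware UTC datetimes, end exclusive.
    """
    ran, skipped = [], []
    for slot in slots_utc:
        online = any(start <= slot < end for start, end in online_periods_utc)
        (ran if online else skipped).append(slot)
    return ran, skipped


def demo():
    """Two endpoints on the same policy over one week, with constructed online periods."""
    utc = timezone.utc
    week_start = datetime(2024, 6, 3, tzinfo=utc)      # a Monday, 00:00 UTC
    week_end = week_start + timedelta(days=5)           # Saturday 00:00 UTC
    plus_two = timezone(timedelta(hours=2))             # constructed stand-in for UTC+2
    minus_five = timezone(timedelta(hours=-5))          # constructed stand-in for UTC-5

    slots_a = scheduled_slots(week_start, week_end, SCAN_TIME, SCAN_DAYS, plus_two)
    slots_b = scheduled_slots(week_start, week_end, SCAN_TIME, SCAN_DAYS, minus_five)

    # Endpoint A is online Monday to Wednesday, then comes back an hour after Friday's slot.
    online_a = [
        (week_start, week_start + timedelta(days=3)),
        (datetime(2024, 6, 7, 1, tzinfo=utc), week_end),
    ]
    ran_a, skipped_a = scans_that_run(slots_a, online_a)
    return {"slots_a": slots_a, "slots_b": slots_b, "ran_a": ran_a, "skipped_a": skipped_a}
```

The two endpoints get the same three local slots but seven hours apart in UTC, and endpoint A's Friday scan never happens because the device came online an hour late; if coverage matters, that gap is what background scanning, rather than a denser schedule, is meant to close.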
Exclusions
You can exclude files, folders, websites or applications from scanning for threats, as described below.
Restriction
You can't create an "Exploit Mitigation and Activity Monitoring (Windows)" exclusion on the Global Templates page.
We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected. Use a Detected Exploits exclusion.
Exclusions set in a policy are only used for the users the policy applies to.
Note
If you want to apply exclusions to all your users and servers, you can set up global exclusions. In Sophos Central Admin, go to My Products > General Settings > Global Exclusions.
To create a policy scanning exclusion, do as follows:
- In Policy Exclusions, click Add Exclusion.
- In Add Exclusion, do as follows:
- In Exclusion Type, select a type of item to exclude. For example, file or folder, website, potentially unwanted application, or device isolation.
- In Value, specify the item or items you want to exclude. For more information on exclusions, see Using exclusions safely. You're required to enter additional details depending on your exclusion type.
- Click Add. The exclusion is added to the scanning exclusions list.
- (Optional) Click Add Another to add another exclusion.
To edit an exclusion later, click its name in the exclusions list, enter new settings, and click Update.
Desktop Messaging
Desktop messaging sends you notifications about threat protection events. It's on by default.
You can enter your own message to add to the end of standard notifications.