Skip to content

Endpoint: Threat Protection

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types in order to provide the best protection.


Think carefully before you change the recommended settings because doing so may reduce your protection.

Click Use recommended settings if you want to use the settings Sophos recommends. These provide the best protection you can have without complex configuration.

If we change our recommendations in future, we’ll automatically update your policy with new settings.

The recommended settings offer:

  • Detection of known malware.
  • In-the-cloud checks to enable detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.

For more information on how we assess threats, see Sophos Threat Center.

Set up Threat Protection

This video explains how to set up a Threat Protection policy and includes our recommendations for best practices.

Deep Learning

Deep learning uses advanced machine learning to detect threats. It can identify known and previously unknown malware and potentially unwanted applications without using signatures.

Deep learning is only available with Sophos Intercept X.

Live Protection

Live Protection checks suspicious files against the latest malware in the SophosLabs database.

You can select these options:

Use Live Protection to check the latest threat information from SophosLabs online: This checks files during real-time scanning.

Real-time Scanning - Local Files and Network Shares

Real-time scanning scans files as users attempt to access them, and allows access if the file is clean.

Local files are scanned by default. You can also select Remote files to scan files on network shares.

Real-time Scanning - Internet

Real-time scanning scans internet resources as users attempt to access them. You can select these options:

Scan downloads in progress

Block access to malicious websites: This denies access to websites that are known to host malware.

Detect low-reputation files: This warns if a download has a low reputation. The reputation is based on a file's source, how often it is downloaded and other factors.

You can specify:

  • Action to take on low-reputation downloads: If you select Prompt user, users will see a warning when they download a low-reputation file. They can then trust or delete the file. This is the default setting.
  • Reputation level: If you select Strict, medium-reputation as well as low-reputation files will be detected. The default setting is Recommended.

See Download reputation.


Remediation options are:

  • Automatically clean up malware: Sophos Central will try to clean up detected malware automatically.

    If the cleanup succeeds, the malware detected alert is deleted from the alerts list. The detection and cleanup are shown in the events list.


    We always clean up PE (Portable Executable) files like applications, libraries, and system files, even if you turn off automatic cleanup. PE files are quarantined and can be restored.

  • Enable Threat Graph creation: Threat cases let you investigate the chain of events in a malware attack and identify areas where you can improve your security.

Runtime Protection

You must join the Early Access Program to use some options.

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic. You can select:

  • Protect document files from ransomware (CryptoGuard): This protects document files against malware that restricts access to files and then demands a fee to release them. You can also choose to protect 64-bit computers against ransomware run from a remote location.

    • Protect from Encrypting File System attacks: This protects the computer from ransomware that encrypts the file system. Choose which action you want to take if the ransomware is detected. You can terminate ransomware processes or isolate them to stop them writing to the filesystem.
  • Protect from master boot record ransomware: This protects the computer from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.

  • Protect critical functions in web browsers (Safe Browsing): This protects your web browsers against exploitation by malware.
  • Mitigate exploits in vulnerable applications: This protects the applications most prone to exploitation by malware. You can select which application types to protect.
  • Protect processes: This helps prevent the hijacking of legitimate applications by malware.

    You can choose these options:

    • Prevent process hollowing attacks. This protects against process replacement attacks.
    • Prevent DLLs loading from untrusted folders. This protects against loading .DLL files from untrusted folders.
    • Prevent credential theft. This prevents the theft of passwords and hash information from memory, registry, or hard disk.
    • Prevent code cave utilisation. This detects malicious code that's been inserted into another, legitimate application.
    • Prevent APC violation. This prevents attacks from using Application Procedure Calls (APC) to run their code.
    • Prevent privilege escalation. This prevents attacks from escalating a low-privilege process to higher privileges to access your systems.
  • Dynamic shellcode protection. This detects the behavior of covert remote access agents and prevents attackers from gaining control of your networks.

  • Validate CTF Protocol caller. This intercepts and blocks applications that attempt to exploit CTF.

    A vulnerability in a Windows component, only known as “CTF”, present in all versions back to Windows XP, allows a non-administrative, unauthorized attacker to hijack any Windows process, including applications that are running in a sandbox.

  • Prevent side loading of insecure modules. This prevents an application from side-loading a malicious DLL that poses as an ApiSet Stub DLL.

    ApiSet Stub DLLs are DLLs that serve as a proxy to maintain compatibility between older applications and newer operating system versions. Attackers may place malicious ApiSet Stub DLLs to manipulate this functionality, or bypass tamper protection and terminate anti-malware protection.

  • Protect browser cookies used for MFA sign in. This prevents unauthorized applications from decrypting the AES key used to encrypt multi-factor authentication (MFA) cookies.

  • Protect network traffic. You can choose these options:

    • Detect malicious connections to command and control servers. This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
    • Prevent malicious network traffic with packet inspection (IPS). This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications.
  • Detect malicious behavior: This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.

  • AMSI Protection (with enhanced scan for script-based threats): This protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI). Code forwarded using AMSI is scanned before it runs, and Sophos notifies the applications used to run the code of threats. If a threat is detected, an event is logged. You can prevent the removal of AMSI registration on your computers. See Antimalware Scan Interface (AMSI).

Advanced Settings

These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.

Device Isolation

If you select this option, devices will isolate themselves from your network if their health is red. A device's health is red if it has threats detected, has out-of-date software, isn't compliant with policy, or isn't properly protected.

You can still manage isolated devices from Sophos Central. You can also use scanning exclusions or global exclusions to give limited access to them for troubleshooting.

You can't remove these devices from isolation. They will communicate with the network again once their health is green.

Scheduled Scanning

Scheduled scanning performs a scan at a time or times that you specify.

You can select these options:

  • Enable scheduled scan: This lets you define a time and one or more days when scanning should be performed.


    The scheduled scan time is the time on the endpoint computers (not a UTC time).

  • Enable deep scanning: If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.


You can exclude files, folders, websites or applications from scanning for threats, as described below.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the users the policy applies to.


If you want to apply exclusions to all your users and servers, set up global exclusions on the Global Settings > Global Exclusions page.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, website, potentially unwanted application, or device isolation).

  3. Specify the item or items you want to exclude.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or for both.
  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings, and click Update.

Desktop Messaging

You can add a message to the end of the standard notification. If you leave the message box empty only the standard message is shown.

Enable Desktop Messaging for Threat Protection is on by default. If you switch it off you will not see any notification messages related to threat protection.

Enter the text you want to add.