Skip to content

Server Threat Protection: Default settings

The server threat protection base policy includes these standard options.

We recommend that you leave these settings turned on. These provide the best protection you can have without complex configuration.


Think carefully before you change the recommended settings because doing so may reduce your protection.


You can only use some options on Windows servers.

Runtime Protection

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic.

Protect network traffic

  • Detect malicious connections to command and control servers: This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer (a “command and control” attack).
  • Prevent malicious network traffic with packet inspection (IPS): This scans network communications, identifying and blocking threats before they can harm the operating system or applications.

Enable Sophos Security Heartbeat: This sends server “health” reports to each Sophos Firewall registered with your Sophos Central account. If more than one firewall is registered, reports go to the nearest one available. If a report shows that a server may be compromised, the firewall can restrict its access.

AMSI Protection (with enhanced scan for script-based threats). This protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI). We scan code forwarded by AMSI before it runs, and we notify the applications used to run the code of threats. If a threat is detected, an event is logged. You can prevent the removal of AMSI registration on your servers.

Live Protection

Live Protection checks suspicious files against the latest malware in the SophosLabs database.

  • Use Live Protection to check the latest threat information from SophosLabs online: This checks files during real-time scanning.

  • Use Live Protection during scheduled scans

Real-time scanning - Local files and network shares

Real-time scanning scans files as users attempt to access them and allows access if the file is clean.

  • local and remote: If you select local instead, we don't scan files in network shares.
  • on read: This scans files when you open them.
  • on write: This scans files when you save them.

Real-time scanning - Internet

Real-time scanning scans internet resources as users attempt to access them.

Scan downloads in progress.

Block access to malicious websites: This denies access to websites that are known to host malware.

Detect low-reputation files: This warns if a download has a low reputation. The reputation is based on a file's source, how often it is downloaded, and other factors. You can specify:

  • The Action to take on low-reputation downloads: If you select Prompt user, users see a warning when they attempt to download a low-reputation file. This is the default setting.
  • The Reputation level: If you select Strict, medium-reputation, as well as low-reputation files, are detected. The default setting is Recommended.


Automatic cleanup of malware: This attempts to clean up detected threats automatically. This option is supported on Windows servers and on guest VMs protected by a Sophos security VM (but only if you have installed the Sophos Guest VM Agent on them).


We always clean up PE (Portable Executable) files like applications, libraries, and system files, even if you turn off automatic cleanup. PE files are quarantined and can be restored.

Real-time scanning - Options

Automatically exclude activity by known applications: This prevents Sophos Central from scanning files used by certain widely-used applications. For a list of these applications, see Download Reputation. You can manually exclude activity by other applications by using the Exclusions options.

Detect malicious behavior (HIPS): This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious. We're phasing out this option and replacing it with the following one.

Detect malicious behavior: This protects against threats that are not yet known. It does this by detecting and blocking behavior that is known to be malicious or is suspicious.

Advanced Settings

These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.