Server Threat Protection

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.

Restriction

Some options are only for Windows servers. The columns on the right of the page show you which server type each option is for.

SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types in order to provide the best protection.

You can either use the recommended settings or change them.

For more information on how we assess threats see Adware and PUAs.

Intercept X Advanced for Server

If you have this license, your threat protection policy offers protection from ransomware and exploits, signature-free threat detection, and root cause analysis of threat events.

We recommend that you use these settings for maximum protection.

If you enable any of these features, servers assigned to this policy will use an Intercept X Advanced for Server license.

See Intercept X Advanced for Server.

Server Protection default settings

We recommend that you leave these settings turned on. These provide the best protection you can have without complex configuration.

These settings offer:

  • Detection of known malware.
  • In-the-cloud checks to enable detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic exclusion of activity by known applications from scanning.

See Server Threat Protection default settings.

Live Protection

Live Protection checks suspicious files against the SophosLabs threat database. This helps detect the latest threats and avoid false positives.

Use Live Protection to check the latest threat information from SophosLabs online: This checks files during real-time scanning.

Turning off Live Protection reduces your protection and may increase false positives.

To see our threat database, go to Adware and PUAs.

Deep Learning

Deep Learning automatically detects threats, particularly new and unknown threats that haven't been seen before. It uses machine learning and does not depend on signatures.

Turning off Deep learning significantly reduces your protection.

Real-time Scanning - Local Files and Network Shares

Real-time scanning checks files for known malware when they're accessed and updated. It prevents known malicious programs from being run, and infected files from being opened by legitimate applications.

Scan provides real-time scanning of both local and remote files (files accessed over the network) by default.

Select Local if you only want to scan files on the device.

  • on read: This scans files when you open them.
  • on write: This scans files when you save them.

Enable scan for Server Protection for Linux agent: This provides real-time scanning on Linux devices.

Turning off these options could allow known malware to be run or accessed.

Real-time Scanning - Internet

Real-time scanning scans internet resources as users attempt to access them.

Scan downloads in progress

This setting controls whether we scan downloads and page elements before they reach the browser.

  • HTTP connections: We scan all elements and downloads.
  • HTTPS connections: We don't scan any elements, unless you turn on Decrypt websites using SSL/TLS.

Block access to malicious websites

This setting denies access to websites that are known to host malware.

We do a reputation check to see if the site is known to host malicious content (SXL4 lookup). If you turn off Live Protection, you're also turning off this check.

  • HTTP connections: All URLs are checked, including full HTTP GET requests.
  • HTTPS connections: Base URLs are checked using Server Name Indication (SNI). If you turn on Decrypt websites using SSL/TLS, all URLs are checked, including full HTTP GET requests.

Detect low-reputation downloads

This setting checks download reputation based on the file's source, how often it's downloaded, and more. Use the following options to decide how downloads are handled.

Set Action to take to Prompt User: The end user sees a warning when a low-reputation file is downloaded. They can then trust or delete the file. This is the default setting.

Set Reputation level to one of the following:

  • Recommended: Low-reputation files are automatically blocked. This is the default setting.
  • Strict: Medium and low-reputation downloads are automatically blocked and reported to Sophos Central.

For more information on reputation levels, see Download Reputation.

Real-time Scanning - Options

Automatically exclude activity by known applications: This setting excludes widely-used applications, as recommended by their vendors.

For more information, see Automatically excluded third-party products.

Remediation

Enable Threat Graph creation: This helps you investigate the chain of events in a malware attack. We suggest you turn it on so that you can analyse attacks we've detected and stopped.

Sophos Central automatically cleans up detected items on Windows computers and Linux devices running Sophos Protection for Linux. Sophos Central removes the file from its current location and quarantines it in SafeStore. Files remain in SafeStore until they're allowed or removed to make room for new detections. You can restore files quarantined in SafeStore by adding them to Allowed applications. See Allowed applications.

SafeStore has the following default limits:

  • The single file limit is 100 GB.
  • The overall quarantine size limit is 200 GB.
  • The maximum number of files stored is 2000.

Runtime Protection

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic.

Protect document files from ransomware (CryptoGuard): This setting protects you against malware that restricts access to your files and then demands a fee to release them. The feature is on by default. We strongly recommend that you leave it on.

You can also use the following options:

  • Protect from remotely run ransomware: This ensures protection across your whole network. We recommend that you leave it turned on.
  • Protect from Encrypting File System attacks: This protects 64-bit devices from ransomware that encrypts the file system. If ransomware is detected, you can choose which action to take. You can terminate ransomware processes or isolate them to stop them from writing to the filesystem.

Protect from master boot record ransomware: This protects the device from ransomware that encrypts the master boot record (and so prevents startup) and from attacks that wipe the hard disk.

Protect critical functions in web browsers (Safe Browsing): This setting protects your web browsers against exploitation by malware.

Mitigate exploits in vulnerable applications: This setting protects applications that are prone to exploitation by malware. You can select which application types to protect.

Protect processes: This helps prevent the hijacking of legitimate applications by malware. You can choose from the following options:

  • Prevent process hollowing attacks: Also known as “process replacement” or DLL injection. Attackers commonly use this technique to load malicious code into a legitimate application to try to bypass security software.

    Turning off this setting makes it easier for an attacker to bypass your security software.

  • Prevent DLLs loading from untrusted folders: This protects against loading DLL files from untrusted folders.

  • Prevent credential theft: This prevents the theft of passwords and hash information from memory, registry, or hard disk.
  • Prevent code cave utilisation: This detects malicious code that's been inserted into another, legitimate application.
  • Prevent APC violation: This prevents attacks from using Application Procedure Calls (APC) to run their code.
  • Prevent privilege escalation: This prevents attacks from escalating a low-privilege process to higher privileges to access your systems.

Dynamic shellcode protection: This setting detects the behaviour of hidden remote command and control agents and prevents attackers from gaining control of your networks.

Validate CTF Protocol caller: This setting blocks applications that attempt to exploit a vulnerability in CTF, a component in all versions of Windows. The vulnerability allows a non-administrator attacker to hijack any Windows process, including applications running in a sandbox. We recommend that you turn Validate CTF Protocol caller on.

Prevent side loading of insecure modules: This setting prevents an application from side-loading a malicious DLL that poses as an ApiSet Stub DLL. ApiSet Stub DLLs serve as a proxy to maintain compatibility between older applications and newer operating system versions. Attackers can use malicious ApiSet Stub DLLs to bypass tamper protection and stop anti-malware protection.

Turning off this setting significantly reduces your protection.

Protect browser cookies used for MFA sign in: This setting prevents unauthorized applications from decrypting the AES key used to encrypt multi-factor authentication (MFA) cookies.

Prevent malicious use of syscall instructions: This setting blocks attempts to evade monitoring through direct calls to system APIs.

Prevent hardware breakpoint abuse: This setting prevents abuse of hardware breakpoints.

Protect network traffic

  • Detect malicious connections to command-and-control servers: This detects traffic between an endpoint computer and a server that indicates a possible attempt to take control of the endpoint computer.
  • Prevent malicious network traffic with packet inspection (IPS): This scans traffic at the lowest level and blocks threats before they can harm the operating system or applications. This option is turned off by default.

Linux runtime detections: This setting gives you runtime visibility and threat detection for Linux server workloads and containers. You can manage these alerts in the threat analysis center. See Detections.

Restriction

In order to use Linux Runtime Detections, you must have an appropriate license. See Server Linux Runtime Detection Policy.

Prevent malicious beacons connecting to command-and-control servers: This setting identifies and blocks beacons that attempt to evade detection by remaining encrypted.

Monitor use of driver APIs: This setting detects attempted abuse of APIs normally used by legitimate applications, such as printers or virtual network adapters, to interact with kernel-mode code.

Detect malicious behaviour: This setting protects against threats that aren't yet known. It does this by detecting and blocking behaviour that is known to be malicious or is suspicious.

AMSI Protection: This setting protects against malicious code (for example, PowerShell scripts) using the Microsoft Antimalware Scan Interface (AMSI).

Code forwarded using AMSI is scanned before it runs, and the endpoint then notifies the applications used to run the code about threats. If a threat is detected, an event is logged.

Prevent the removal of AMSI registration: This setting ensures that AMSI can't be removed from your computers.

Monitor Domain Controller Events: This setting provides additional visibility into and protection from attacks targeting domain controllers, such as PetitPotam. This setting is turned on by default.

Enable Sophos Security Heartbeat: This setting sends server "health" reports to each Sophos Firewall registered with your Sophos Central account. If more than one firewall is registered, reports go to the nearest one available. If a report shows that a server may be compromised, the firewall can restrict its access.

Adaptive Attack Protection

Turn on extra protections automatically when a device is under attack: This setting enables a more aggressive set of protections when an attack is detected. These extra protections are designed to disrupt the actions of an attacker.

You can also turn on Adaptive Attack Protection features permanently.

  • Enable protection in safe mode: This setting enables Sophos protection when devices are running in Safe Mode. Some components and features, such as Message Relay and Update Cache, aren't available in Safe Mode.
  • Block safe mode abuse: This setting detects and blocks activities that indicate an attacker is trying to put the device into Safe Mode.

Advanced Settings

These settings are for testing or troubleshooting only. We recommend that you leave them set to the defaults.

Block QUIC browser connections

Select Block QUIC (Quick UDP Internet Connections) browser access to websites to prevent these connections.

QUIC-enabled browsers can bypass our website checking for some sites. Blocking QUIC ensures that we apply SSL/TLS decryption and checking to those sites.

By default, this setting is off.

SSL/TLS decryption of HTTPS websites

If you select Decrypt HTTPS websites using SSL/TLS, we decrypt and check the contents of HTTPS websites for threats.

If we decrypt a website that's risky, we block it. We show the user a message and give them the option to submit the site to SophosLabs for reassessment.

By default, decryption is turned off.

If HTTPS decryption is turned on in the policy that applies to a device, the following applies:

  • HTTPS decryption is also on for Web Control checks on that device.
  • The protection features in Real-time Scanning - Internet can also access the full site contents, downloads, and page URLs.

If you turn on this feature, you'll decrypt all HTTPS traffic, which can slow down browsing.

HTTPS decryption exclusions

By default, we exclude some site categories, such as banking and webmail, from decryption. That's because sites in these categories contain personal information.

You can change the exclusions in the general settings. Go to My Products > General Settings > General > SSL/TLS decryption of HTTPS websites.

Real-time scanning for Linux

If you select Enable scan for Server Protection for Linux Agent, we scan files as users try to access them. We allow access if the file is clean.

By default, real-time scanning for Linux is off.

Scheduled scanning

Scheduled scanning performs a scan at a time or times that you specify.

Scheduled scanning may not be needed when real-time scanning is turned on. However, it can still be useful for different use cases, including checking older files and helping with security investigations. We recommend running scheduled scans during off-peak hours to minimize potential impacts on system load. We also recommend using real-time scanning, which scans files as they're accessed or modified, rather than relying only on scheduled scan intervals. See Real-time Scanning - Local Files and Network Shares.

You can select the following options:

  • Enable scheduled scan: This lets you define a time and one or more days when scanning should be performed.

    The scheduled scan time is the time on the endpoint computers (not UTC).

  • Enable deep scanning: If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.

Exclusions

You can exclude files, folders, websites or applications from scanning for threats, as described below.

Restriction

You can't create an "Exploit Mitigation and Activity Monitoring (Windows)" exclusion on the Global Templates page.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected. Use a Detected Exploits exclusion.

Exclusions set in a policy are only used for the users the policy applies to.

Note

If you want to apply exclusions to all your users and servers, set up global exclusions on the General Settings > Global Exclusions page.

See Automatic Exclusions.

To create a policy scanning exclusion:

  1. In Exclusions, click Add Exclusion.
  2. On the Add Exclusion dialog, do as follows:

    1. In Exclusion Type, select a type of item to exclude. For example, file or folder, website, potentially unwanted application (PUA), or device isolation.
    2. In Value, specify the item or items you want to exclude. For more information on exclusions, see Using exclusions safely.
    3. For File or folder exclusions only, in Active for, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or for both.
    4. (Optional) Click Add Another to add another exclusion.
  3. On the Threat Protection page, click Save.

To edit an exclusion later, click its name in the exclusions list, enter new settings, and click Update.

Scanning exclusions

You can exclude files, folders, websites, or applications from scanning for threats.

Exclusions set in a policy are only used for servers the policy applies to.

Warning

Exclusions may significantly reduce your protection. Only use them if you understand the risks.

For help on using exclusions, see Using exclusions safely.

To create a scanning exclusion, do as follows:

  1. In Exclusions, click Add Exclusion.
  2. On the Add Exclusion dialog, in Exclusion Type, select a type of item to exclude (file or folder, website, potentially unwanted application, or device isolation).
  3. Specify the item or items you want to exclude. The following rules apply:

    • File or folder (Windows): On Windows, you can exclude a drive, folder, or file by its full path. You can use wildcards and variables. See the following examples.

      • Folder: C:\programdata\adobe\photoshop\
      • Entire drive: D:
      • Files: C:\program files\program\*.vmg
    • File or folder (Linux): On Linux, you can exclude a folder or file. You can use the wildcards ? and *. Example: /mnt/hgfs/excluded.

    • Process (Windows): You can exclude any process running from an application. This also excludes files that the process uses (but only when accessed by that process). If possible, enter the full path to the application, not just the process name shown in Task Manager. Example: %PROGRAMFILES%\Microsoft Office\Office 14\Outlook.exe.

      Note

      To see all processes or other items that you need to exclude for an application, see the application vendor's documentation.

    • Website (Windows): You can specify websites as an IP address, IP address range (in CIDR notation), or domain. Examples:

      • IP address: 192.168.0.1
      • IP address range: 192.168.0.0/24. The /24 suffix gives the number of bits in the prefix shared by all IP addresses in the range. Thus /24 equals the netmask 11111111.11111111.11111111.00000000, or 255.255.255.0 in decimal notation. In this example, the range includes all IP addresses from 192.168.0.0 to 192.168.0.255.
      • Domain: google.com

      If you exclude a website, we don't check the category of the website and it's excluded from web control protection. See Server Web Control.

    • Potentially Unwanted Application (Windows/Mac/Linux): You can exclude applications that are normally detected as spyware. Specify the exclusion using the same name under which the system detected it, for example PsExec or Cain n Abel. For more information about PUAs, see Adware and PUAs.

    • Detected Exploits (Windows/Mac): You can exclude detected exploits using a detection ID. You can use this option when you're working with Sophos Support to resolve a false positive detection. Sophos Support can give you a detection ID and you can then exclude the false positive detection. To do this, click Exploit not listed? and enter the ID.
  4. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings, and click Update.
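As an added example (not Sophos code), the following Python checks whether sample paths and hosts fall under exclusion values written in the forms above, deriving the netmask and address range from any CIDR prefix the way the /24 example does. The environment-variable values and the wildcard and subdomain semantics are assumptions for illustration.

```python
# Added example (not Sophos code): test sample paths and hosts against the
# exclusion value forms described above. Environment variable values and the
# wildcard/subdomain semantics are assumptions for illustration.
import fnmatch
import ntpath
import re

# Assumed expansion of %VARIABLES% on the device (hypothetical values).
ENV = {"PROGRAMFILES": "C:\\Program Files"}

def normalise(value: str) -> str:
    """Expand %VAR% placeholders and lower-case a Windows path for comparison."""
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: ENV.get(m.group(1).upper(), m.group(0)), value)
    return ntpath.normcase(expanded)

def path_is_excluded(exclusion: str, path: str) -> bool:
    """True if a file/folder/drive exclusion covers `path`.

    A bare drive (D:) covers the whole drive, a value ending in a separator
    covers the folder and its subtree, and anything else is a file pattern in
    which * and ? are wildcards (assumed here to match across separators too).
    """
    pattern, target = normalise(exclusion), normalise(path)
    if re.fullmatch(r"[a-z]:", pattern):
        return target.startswith(pattern + "\\")
    if pattern.endswith("\\"):
        return target.startswith(pattern)
    return fnmatch.fnmatchcase(target, pattern)

def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def cidr_range(cidr: str):
    """Return (netmask, first, last) for a.b.c.d/prefix, as the text derives for /24."""
    ip, prefix = cidr.split("/")
    bits = int(prefix)
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length: {cidr}")
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF   # top `bits` bits set
    first = ip_to_int(ip) & mask                       # host bits cleared
    last = first | (~mask & 0xFFFFFFFF)                # host bits set
    return int_to_ip(mask), int_to_ip(first), int_to_ip(last)

def host_is_excluded(exclusion: str, host: str) -> bool:
    """True if a website exclusion (IP, CIDR range or domain) covers `host`."""
    if "/" in exclusion:
        _, first, last = cidr_range(exclusion)
        try:
            return ip_to_int(first) <= ip_to_int(host) <= ip_to_int(last)
        except ValueError:          # hostname, not an IP: never inside a range
            return False
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", exclusion):
        return host == exclusion
    # Domain exclusion: assumed to cover the domain and its subdomains.
    host, exclusion = host.lower(), exclusion.lower()
    return host == exclusion or host.endswith("." + exclusion)
```

Running the checks against the values you plan to add shows exactly which files and hosts an exclusion would remove from scanning before you save it.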

Hashing exclusion

Warning

Only use hashing exclusion if Sophos Support asks you to.

Hashing exclusion stops file hashing for the Sophos journals and Data Lake, which can impact performance.

To add a hashing exclusion, do as follows:

  1. In Exclusions, click Add Exclusion.
  2. On the Add Exclusion dialog, do as follows:

    1. In Exclusion Type, select Hashing exclusion (Windows).
    2. In File/Folder or Process, select a file or folder, or a process.
    3. In Value, enter the exclusion path. You can exclude a drive, folder, or file. You can also use wildcards. See Windows scanning exclusions.
    4. Click Add.
  3. On the Threat Protection page, click Save.

Desktop Messaging

You can add a message to the end of the standard notification. If you leave the message box empty, only the standard message is shown.

Enable Desktop Messaging for Threat Protection is on by default. If you switch it off, you will not see any notification messages related to Threat Protection.

Enter the text you want to add.