Skip to content

Server: Threat Protection

Threat protection keeps you safe from malware, risky file types and websites, and malicious network traffic.


Some options are only for Windows servers. The columns on the right of the page show you which server type each option is for.

SophosLabs can independently control which files are scanned. They may add or remove scanning of certain file types in order to provide the best protection.

You can either use the recommended settings or change them.

For more information on how we assess threats see Sophos Threat Center.

Intercept X Advanced for Server

If you have this license, your threat protection policy offers protection from ransomware and exploits, signature-free threat detection, and root cause analysis of threat events.

We recommend that you use these settings for maximum protection.

If you enable any of these features, servers assigned to this policy will use an Intercept X Advanced for Server license.

See Server Threat Protection: Intercept X Advanced.

Server Protection default settings

We recommend that you leave these settings turned on. These provide the best protection you can have without complex configuration.

These settings offer:

  • Detection of known malware.
  • In-the-cloud checks to enable detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.
  • Automatic exclusion of activity by known applications from scanning.

See Server Threat Protection: Default settings.

SSL/TLS decryption of HTTPS websites

If you select Decrypt websites using SSL/TLS, we decrypt and check the contents of HTTPS websites for threats.

If we decrypt a website that’s risky, we block it. We show the user a message and give them the option to submit the site to SophosLabs for reassessment.

By default, decryption is off.


If decryption is on in the Threat Protection policy that applies to a device, it's also on for Web Control checks on that device.

If you choose to do this then your customers can't make changes.

Scheduled Scanning

Scheduled scanning performs a scan at a time or times that you specify.

You can select these options:

  • Enable scheduled scan: This lets you define a time and one or more days when scanning should be performed.


    The scheduled scan time is the time on the endpoint computers (not a UTC time).

  • Enable deep scanning: If you select this option, archives are scanned during scheduled scans. This may increase the system load and make scanning significantly slower.


You can exclude files, folders, websites or applications from scanning for threats, as described below.

We'll still check excluded items for exploits. However, you can stop checking for an exploit that has already been detected (use a Detected Exploits exclusion).

Exclusions set in a policy are only used for the users the policy applies to.


If you want to apply exclusions to all your users and servers, set up global exclusions on the Global Settings > Global Exclusions page.

See Automatic Exclusions.

To create a policy scanning exclusion:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, website, potentially unwanted application, or device isolation).

  3. Specify the item or items you want to exclude.
  4. For File or folder exclusions only, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or for both.
  5. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings, and click Update.

Exploit Mitigation exclusions

You can exclude applications from protection against security exploits. For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.

Adding exclusions reduces your protection.

Adding exploit mitigation exclusions using using the global settings option, in Sophos Central Admin creates exclusions that apply to all users and devices.

We recommend that you use this option and assign the policy containing the exclusion to only those servers where the exclusion is necessary.


You can only create exclusions for Windows applications.

To create a policy exploit mitigation exclusion, do as follows:

  1. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  2. In Exclusion Type, select Exploit Mitigation (Windows).

    A list of the protected applications on your network shows.

  3. Select the application you want to exclude.

  4. If you don't see the application you want, click Application not listed?. You can now exclude your application from protection by entering its file path. Optionally, use any of the variables.
  5. Under Mitigations choose from the following:

    • Turn off Protect Application. Your selected application isn't checked for any exploits.
    • Keep Protect Application turned on and select the exploit types that you do or don’t want to check for.
  6. Click Add or Add Another. The exclusion is added to the list on the Global Exclusions page.

The exclusion only applies to servers that you assign this policy to.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.

Desktop Messaging

You can add a message to the end of the standard notification. If you leave the message box empty only the standard message is shown.

Enable Desktop Messaging for Threat Protection is on by default. If you switch it off you will not see any notification messages related to Threat Protection.

Enter the text you want to add.