Configure policies

You configure Sophos for Virtual Environments by using Sophos Central policies.

You can only use the Threat Protection policy type, but you can create multiple policies if you want to.

By default, Sophos Central applies a base Threat Protection policy to all your Security VMs. The settings in the policy are then used for the guest VMs.

These settings offer:

  • Detection of known malware.
  • In-the-cloud checks to enable detection of the latest malware known to Sophos.
  • Proactive detection of malware that has not been seen before.
  • Automatic cleanup of malware.

For full details, see the Sophos Central Help.

You can edit the base policy or create additional policies, which you can use to apply different settings to different Security VMs.

Create or edit a policy

To create or edit a Threat Protection policy:

  1. Open Sophos Central and go to Server Protection > Policies.
  2. Click on a Threat Protection policy or click Add Policy to create a new one.
  3. On the Servers tab, select the Security VMs you want to apply the policy to.
  4. On the Settings tab, enter the settings you want.

    For details of the options that you can use for Security VMs, see the sections below.

Live Protection

Live Protection checks suspicious files against the latest malware information in the SophosLabs database.

Option Supported?
Use Live Protection Yes
Automatically submit malware samples to SophosLabs No

Real-time scanning

The options for Real-time scanning are as follows.

Option Supported?
Enable or disable Yes
Scan local, or scan local and remote Yes
On read No
On write No

Real-time scanning - Internet

The options for Real-time scanning - Internet are as follows:

Option Supported?
Scan downloads in progress No
Block access to malicious websites No
Detect low-reputation files No


The options for Remediation are as follows:

Option Supported?
Automatic cleanup of malware Yes

Real-time scanning - Options

The options for Real-time scanning - Options are as follows:

Option Supported?
Automatically exclude activity by known applications No
Detect malicious behavior (HIPS) No

Scheduled scanning

The options for Scheduled scanning are as follows:

Option Supported?
Enable scheduled scan Yes

Runtime protection

The options for Runtime protection are as follows.

Option Supported?
Detect network traffic to command and control servers No
Protect document files from ransomware (CryptoGuard) No
Enable Sophos Security Heartbeat No

Scanning exclusions

The options for Scanning exclusions are as follows.

Option Supported?
Global scanning exclusions

To edit these, go to Settings > Global scanning exclusions.

Policy scanning exclusions (Windows and Linux) Yes
Policy Heartbeat exclusions (Windows only) No
Exclude DNS server (Windows only) No

Desktop messaging

The options for Desktop messaging are as follows.

Option Supported?
Enable desktop messaging for Threat Protection No