Detect malicious traffic

If you use role-based administration:

Malicious traffic detection detects communications between endpoint computers and command and control servers involved in botnet or other malware attacks.

Note: Malicious traffic detection uses the same set of exclusions as the Sophos Anti-Virus on-access scanner (InterCheck™). For information about configuring on-access scanning exclusions, see Exclude items from on-access scanning.

By default, malicious traffic detection is enabled for new installations of Enterprise Console 5.3 or later. If you upgraded from an earlier version of Enterprise Console, you need to enable malicious traffic detection to benefit from the feature.

To change the settings for detecting malicious traffic:

  1. Check which anti-virus and HIPS policy is used by the group or groups of computers you want to configure.
  2. In the Policies pane, double-click Anti-virus and HIPS.
  3. Double-click the policy you want to change.
    The Anti-Virus and HIPS policy dialog box is displayed.
  4. In the On-access scanning panel, make sure the Enable behavior monitoring check box is selected.
  5. Beside Enable behavior monitoring, click Configure.
  6. In the Configure Behavior Monitoring dialog box, make sure the Detect malicious behavior check box is selected.
  7. To turn malicious traffic detection on or off, select or clear the Detect malicious traffic check box.