To enable Advanced Threat Protection, proceed as follows:
Enable the Advanced Threat Protection system.
Click the toggle switch.
The toggle switch turns amber and the Global Settings area becomes editable.
Make the following settings:
Policy: Select the security policy that the Advanced Threat Protection system should use if a threat has been detected.
Network/host exceptions: Add or select the source networks or hosts that should be exempt from being scanned for threats by Advanced Threat Protection. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Threat exceptions: Add destination IP addresses or domain names that you want to skip from being scanned for threats by Advanced Threat Protection. This is the place where you would add false positives to prevent them from being detected as threat. Examples: 126.96.36.199 or google.com. Add exact strings for ATP to match. Example: example.com will allow example.com while subdomain.example.com will still be blocked.
Caution – Be careful with specifying exceptions. By excluding sources or destinations you may expose your network to severe risks.
Your settings will be saved.
The switch turns green.
If enabled, and a threat is detected, it will be listed on the Network Protection page. A notification will be sent to the administrator if enabled on the Management > Notifications > Notifications page. The notification is set by default for drop and alert.
Cross Reference – Find information about configuring Advanced Threat Protection in the Sophos Knowledge Base.
Note – IPS and Web Proxy threats will not be displayed in the Live Log.