Version 2025.1
New features
- Performance and resiliency improvements:
- Removed dependency on the audit netlink to improve performance. This also removes the requirement to turn off auditd when running the SPL Agent.
- Improvements to limit downtime for the Runtime Detection plugin in the event of content failure. When
a rule fails, the Runtime Detection plugin continues to run and logs the failed rule.
- Configuration updates:
- Added the ability to configure event journal disk size for Linux devices in Sophos Central.
Resolved issues
There are no resolved issues in this release.
Updated components
- Sophos Protection for Linux has been updated to 2025.1.
- SPL-Base-Component has been updated to 1.4.0.
- SPL-Endpoint-Detection-and-Response-Plugin has been updated to 1.1.15.
- SPL-Live-Response-Plugin has been updated to 1.7.7.
- SPL-Anti-Virus-Plugin has been updated to 1.1.7.
- SPL-Event-Journaler-Plugin has been updated to 1.1.2.
- SPL-Runtime-Detection-Plugin has been updated to 5.10.0.
- SPL-Response-Actions-Plugin has been updated to 1.1.2.
- SPL-Device-Isolation-Plugin has been updated to 1.1.0.
Version 2024.3
New features
- On-access file scanning updates:
- The SPL Agent will attempt to end processes associated with an on-access threat detection.
- Added additional detection capabilities when accessing files in PrivateTmp.
- Performance and resiliency improvements:
- Added optimizations for memory and CPU resource limits to help minimize the SPL Agent's footprint on the
server.
- Data lake hydration updates:
- Continued updates to reduce the time before an event is accessible within the Threat Analysis Center
and Data Lake in Central.
- Installation updates:
- Updates to the thin installer allow you to override the device name for a host.
Resolved issues
There are no resolved issues in this release.
Updated components
- Sophos Protection for Linux has been updated to 2024.3.
- SPL-Base-Component has been updated to 1.3.0.
- SPL-Endpoint-Detection-and-Response-Plugin has been updated to 1.1.14.
- SPL-Live-Response-Plugin has been updated to 1.7.6.
- SPL-Anti-Virus-Plugin has been updated to 1.1.6.
- SPL-Event-Journaler-Plugin has been updated to 1.1.1.
- SPL-Runtime-Detection-Plugin has been updated to 5.9.3.
- SPL-Response-Actions-Plugin has been updated to 1.1.1.
- SPL-Device-Isolation-Plugin has been updated to 1.0.2.
Version 2024.2.1
New features
There are no new features for this release.
Resolved issues
Resolved an issue affecting SPL package upgrades.
Updated components
- Sophos Protection for Linux has been updated to 2024.2.1.
- SPL-Base-Component has been updated to 1.2.9
Version 2024.2
New features
- Data Lake hydration updates:
- Updates that reduce the amount of time between the SPL Agent recording an event on the Linux device
and sending the event to the Data Lake.
- Data Lake query updates that include additional enrichment data.
- Performance and resiliency updates:
- Optimizations were made to the SPL Agent to reduce process memory consumption and disk space utilization.
- Improved updating stability when issues are encountered during the initial connection with Sophos Central.
Updated components
- Sophos Protection for Linux has been updated to 2024.2.
- SPL-Base-Component has been updated to 1.2.8
- SPL-Endpoint-Detection-and-Response-Plugin has been updated to 1.1.13
- SPL-Live-Response-Plugin has been updated to 1.7.5
- SPL-Anti-Virus-Plugin has been updated to 1.1.5
- SPL-Event-Journaler-Plugin has been updated to 1.1.0
- SPL-Runtime-Detection-Plugin has been updated to 5.9.1
- SPL-Response-Actions-Plugin has been updated to 1.1.0
- SPL-Device-Isolation-Plugin has been updated to 1.0.1
Version 2024.1
New features
- Device Isolation:
- You can isolate Linux devices from the network.
- You can still manage the device from Sophos Central while in isolation.
- Uses the existing Sophos Central capabilities to isolate, remove from isolation, and apply exclusions.
- Security Health Status updates for Linux agent:
- Allow list by path support for Linux:
- Provides users the option to allow applications by filename or path.
- You can configure it directly from the event details or at General Settings > Allowed Applications.
Updated components
- Sophos Protection for Linux has been updated to 2024.1.
- SPL-Base-Component has been updated to 1.2.7
- SPL-Endpoint-Detection-and-Response-Plugin has been updated to 1.1.12
- SPL-Live-Response-Plugin has been updated to 1.7.4
- SPL-Anti-Virus-Plugin has been updated to 1.1.4
- SPL-Event-Journaler-Plugin has been updated to 1.0.8
- SPL-Runtime-Detection-Plugin has been updated to 5.8.0
- SPL-Response-Actions-Plugin has been updated to 1.0.3
- SPL-Device-Isolation-Plugin has been updated to 1.0.0
Version 2023.4
New features
- ARM64 Support:
- Installation updates:
- Updates to the installer to allow the designation of a custom install location for the SPL Agent.
- Options to run pre-installation checks without installing the SPL Agent.
This can help verify the server and environment and help with troubleshooting.
Updated components
- Sophos Protection for Linux has been updated to 2023.4.
- SPL-Base-Component has been updated to 1.2.6.
- SPL-Endpoint-Detection-and-Response-Plugin has been updated to 1.1.11.
- SPL-Live-Response-Plugin has been updated to 1.7.3.
- SPL-Anti-Virus-Plugin has been updated to 1.1.3.
- SPL-Event-Journaler-Plugin has been updated to 1.0.7.
- SPL-Runtime-Detection-Plugin has been updated to 5.7.0.
- SPL-Response-Actions-Plugin has been updated to 1.0.2.
Version 2023.3
New features
- Enterprise Software Management:
- This release introduces Enterprise Software Management support for the Sophos Protection for Linux Agent. This provides additional flexibility for customers to test and control updates across their estate.
- Enterprise Software Management is replacing Controlled Updates. You can still use Controlled Updates for Linux servers until they're turned off on January 31st, 2024.
- Installation updates:
- You can now configure a Message Relay and Update Cache during installation.
- Updates to capture additional logging details to help troubleshoot installation failures.
- On-access file scanning updates:
- You can now configure on-read or on-write scanning for the on-access scanner.
Updated components
- Sophos Protection for Linux has been updated to 2023.3.
- Sophos Linux Base has been updated to 1.2.5.
- Sophos Live Discover Plugin has been updated to 1.1.10.
- Sophos Linux Live Response has been updated to 1.7.2.
- Server Protection has been updated to 1.1.2.
- Sophos Linux Event Journaler has been updated to 1.0.6.
- Sophos Linux Runtime Detection Plugin has been updated to 5.6.0.
Version 2023.2
New features
- PUA Detections: Provides capability for detection of Potentially Unwanted Applications (PUAs) for Linux. PUA detection requires no additional policy configuration and is automatically enabled as part of on-demand or on-access scanning on the Sophos Linux Agent.
Updated components
- Sophos Linux Base has been updated to 1.2.4.
- Sophos Live Discover Plugin has been updated to 1.1.9.
- Sophos Linux Live Response has been updated to 1.7.1.
- Server Protection has been updated to 1.1.1.
- Sophos Linux Event Journaler has been updated to 1.0.5.
- Sophos Linux Runtime Detection Plugin has been updated to 5.3.0.
Version 2023.1.3
Updated components
- SPL-Runtime-Detection-Plugin has been updated to 5.0.99.
Version 2023.1.2
Updated components
- SPL-Base-Component has been updated to 1.2.3.
- SPL-Runtime-Detection-Plugin has been updated to 4.0.99.
Version 2023.1
New features
- On-Access File Scanning.
You can now configure on-access scanning for the Sophos Linux Agent on your Linux devices. You can turn on on-access scanning for the Sophos Linux Agent in your server threat protection policies in Sophos Central. On-access scanning is turned off by default. See Server Threat Protection Policy.
- Malware Quarantine.
We've introduced quarantine for the Sophos Linux Agent. This applies to both on-access and on-demand scanning. This gives your Linux devices additional protection by automatically quarantining suspicious files. Quarantine is based on a signature match.
Updated components
- SPL-Base-Component has been updated to 1.2.2.
- SPL-Anti-Virus-Plugin (Server Protection) has been updated to 1.1.0.
- SPL-Endpoint-Detection-and-Response-Plugin has been updated to 1.1.8.
- SPL-Live-Response-Plugin has been updated to 1.7.0.
- SPL-Event-Journaler-Plugin has been updated to 1.0.4.
- SPL-Runtime-Detection-Plugin has been updated to 5.4.0.
Version 2022.4
Updated components
- SPL-Base-Component (Sophos Linux Base) has been updated to 1.2.1.
- SPL-Anti-Virus-Plugin (Server Protection) has been updated to 1.0.8.
Version 1.2.0
Updated components
We've updated the names of our components.
Sophos Linux Base is now called SPL-Base-Component.
Server Protection is now called SPL-Anti-Virus-Plugin.
Sophos Live Discover plugin is now called SPL-Endpoint-Detection-and-Response-Plugin.
Sophos Linux Event Journaler is now called SPL-Event-Journaler-Plugin.
Sophos Linux Live Response is now called SPL-Live-Response-Plugin.
Sophos Linux Runtime Detection plugin is now called SPL-Runtime-Detection-Plugin.
- SPL-Base-Component (Sophos Linux Base) has been updated to 1.2.0.
- SPL-Endpoint-Detection-and-Response-Plugin (Sophos Live Discover plugin) has been updated to 1.1.7.
- SPL-Live-Response-Plugin (Sophos Linux Live Response) has been updated to 1.6.1.
- SPL-Anti-Virus-Plugin (Server Protection) has been updated to 1.0.7.
- SPL-Event-Journaler-Plugin (Sophos Linux Event Journaler) has been updated to 1.0.3.
- SPL-Runtime-Detection-Plugin (Sophos Linux Runtime Detection Plugin) has been updated to 5.1.0.
Version 1.1.10
New features
We now support Amazon Linux 2022, Ubuntu 22.04 (LTS), Oracle 8, Miracle Linux,
Debian 10 and Debian 11. Earlier versions of Sophos Protection for Linux don't support these
platforms.
Updated components
- Sophos Linux Base has been updated to 1.1.10.
- Sophos Live Discover plugin has been updated to 1.1.6.
- Sophos Linux Live Response has been updated to 1.5.2.
- Server Protection has been updated to 1.0.6.
- Sophos Linux Event Journaler has been updated to 1.0.2.
- Sophos Linux Runtime Detection Plugin has been updated to 5.0.0.
Version 1.1.9.1
Updated components
- Sophos Linux Runtime Detection Plugin has been updated to 4.10.1.
Version 1.1.9
New features
- Event Journals now record runtime detections to make them available in Live Discover.
- Sophos Protection for Linux now reports endpoint health in Sophos Central.
Updated components
- Sophos Linux Base has been updated to 1.1.9.
- Sophos Live Discover Plugin has been updated to 1.1.5.
- Sophos Linux Live Response has been updated to 1.5.1.
- Server Protection has been updated to 1.0.5.
- Sophos Linux Event Journaler has been updated to 1.0.1.
- Sophos Linux Runtime Detection Plugin has been updated to 4.10.0.
Version 1.1.8
New features
- We've added Event Journals to record AV detections to make them available in Live Discover
and Sophos XDR.
New components
- Sophos Linux Event Journaler is version 1.0.0.
- Sophos Linux Runtime Detection Plugin is version 4.9.0.
Updated components
- Sophos Linux Base has been updated to 1.1.8.
- Sophos Live Discover Plugin has been updated to 1.1.4.
- Sophos Linux Live Response has been updated to 1.5.0.
- Server Protection has been updated to 1.0.4.
Version 1.1.7.1
Updated components
- Server Protection has been updated to 1.0.3.
Version 1.1.7
New features
We've added Server Protection, an on-demand antivirus scanner. This uses a threat
detection engine, including machine learning models, alongside signature-based protection.
Version 1.1.6
New features
You can assign products using the command line at install time if you use thin
installer version 1.1.1 and later versions.
Version 1.1.5
New features
This version of Sophos Protection for Linux supports the XDR Data Lake capabilities
in Sophos Central. Additionally, this version supports installing directly to a Sophos Central
Group if you use thin installer version 1.0.8 and later versions.
Updated components
- Sophos Linux Base has been updated to 1.1.5.
- Sophos Live Discover plugin has been updated to 1.1.1.
- Sophos Linux Live Response has been updated to 1.2.2.
Version 1.1.4
Updated components
- Sophos Linux Base has been updated to 1.1.4.
- Sophos Live Discover plugin has been updated to 1.1.0.
- Sophos Linux Live Response has been updated to 1.2.1.
Version 1.1.3
New features
This version of Sophos Protection for Linux supports the EDR 3 capabilities in
Sophos Central. Live Response allows admins to remotely connect to devices and get access to a
command-line interface. This allows them to perform detailed
investigations or to take prompt action to contain or remediate a threat.
Version 1.1.1
New features
This version of Sophos Protection for Linux supports the EDR 3 capabilities in
Sophos Central. Live Discover allows admins to use osquery to search the device data across
their estate to answer almost any question they can think of.
System requirements
- Free disk space: 2.5 GB
- Memory: 2 GB
- System type: x86_64 and ARM64
- Systemd supported and running
- Bash is installed
- glibc 2.17 or later
- ARM64:
- glibc 2.18 or later
- Minimum kernel of 5.3
Note
We test the latest point release for platforms listed here.
Supported platforms
Tested platforms
Minimum kernel versions for x86_64 systems are noted where applicable.
- Amazon Linux 2
- Amazon Linux 2023
- CentOS Stream
- Debian 11
- Debian 12
- Debian 13
- Oracle 8
- Oracle 9
- Oracle 10
- RHEL 8
- RHEL 9
- RHEL 10
- SUSE Linux Enterprise Server 15
- Ubuntu 20.04 (LTS)
- Ubuntu 22.04 (LTS)
- Ubuntu 24.04 (LTS)
Legacy platforms
The following legacy platforms include versions of platforms that have recently reached their end of mainstream support as published by the distribution vendor. For additional details on extended support for legacy versions, see Sophos Central: Extended support. For additional details on support for legacy versions, see Legacy versions.
Minimum kernel versions for x86_64 systems are noted where applicable.
- CentOS 7 (3.10.0-1062 or later)
- Debian 10
- Oracle 7 (UEK 4.14 or later, RHCK 3.10.0-1062 or later)
- RHEL 7 (3.10.0-1062 or later)
- SUSE Linux Enterprise Server 12
- Ubuntu 18.04 (LTS) (4.15 or later)
Unlisted platforms
Sophos will investigate any issues by attempting to replicate them on a corresponding testing distribution. For more
information related to platforms and versions not listed here, including platforms that have reached their end of mainstream
support as published by the distribution vendor, such as downstream and upstream distributions and legacy platforms,
see Sophos Protection for Linux distribution and kernel support.
To gather more information on installation errors, see the following pages:
Support
You can find technical support for Sophos products in any of these ways:
Legal notices
Copyright © 2023 Sophos Limited. All rights reserved. No part of this publication
may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, photocopying, recording or otherwise unless you are either a valid
licensee where the documentation can be reproduced in accordance with the license terms or you
otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited and Sophos
Group. All other product and company names mentioned are trademarks or registered trademarks of
their respective owners.