Sophos Central Endpoint: Recommended settings for Threat Protection policy
Applies to the following Sophos products and versions
Sophos Central Admin
New: Active Adversary Mitigations
| Feature | Setting |
|---|---|
| Custom or Sophos Managed (off) | Default is Custom |
| Prevent credential theft | Selected |
| Prevent APC violation | Selected |
| Prevent privilege escalation | Selected |
| Prevent code cave utilisation | Selected |
If you turn a mitigation off, it will stay off even after we turn it on for customers generally.
Use recommended settings
Click Use Recommended Settings if you want to use the settings Sophos recommends. These provide the best protection you can have without complex configuration. If Sophos changes recommendations in the future, the threat protection policy will be updated automatically with new settings.
Live Protection
Live Protection checks suspicious files against the latest malware in the SophosLabs database.
| Feature | Setting |
|---|---|
| Use Live Protection to check the latest threat information from SophosLabs online |  Turned on |
| Use Live Protection during scheduled scans | Selected |
| Automatically submit malware samples to SophosLabs | Selected |
Deep Learning
| Feature | Setting |
|---|---|
| Enable deep learning | Turned on |
Real-time Scanning – Local Files and Network Shares
Real-time scanning scans files as users attempt to access them, and denies access unless the file is clean. Local files are scanned by default.
| Feature | Setting |
|---|---|
| Enable real-time scanning | Turned on |
| Remote files | Selected |
Real-time Scanning – Internet
Real-time scanning scans internet resources as users attempt to access them.
| Feature | Setting |
|---|---|
| Scan downloads in progress | Turned on |
| Block access to malicious websites | Turned on |
| Detect low-reputation files | Turned on |
| Action to take on low reputation downloads | Prompt user |
| Reputation level | Recommended |
Remediation
Sophos Central will try to clean up detected malware automatically.
| Feature | Setting |
|---|---|
| Automatically clean up malware | Turned on |
| Enable Threat Case creation | Turned on |
| Enable Snapshot file upload
Note: Snapshot data may leave your geographic region and will be accessible with controlled access to Sophos engineers for analysis. |
Selected |
| Allow computers to send data on suspicious files, network events and admin tool activity to Sophos Central |  Turned on |
Runtime Protection
Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic.
| Feature | Setting |
|---|---|
| Protect document files from ransomware (CryptoGuard) | Turned on |
| Protect from remotely run ransomware (only available on 64-bit systems) | Selected |
| Protect from Encrypting File system attacks | Selected |
| Protect from master boot record ransomware | Turned on |
| Protect critical functions in web browsers (Safe Browsing) | Turned on |
| Mitigate exploits in vulnerable applications | Turned on |
| Protect web browsers | Selected |
| Protect web browser plugins | Selected |
| Protect Java applications | Selected |
| Protect media applications | Selected |
| Protect office applications | Selected |
| Protect processes | Turned on |
| Prevent process hollowing attacks | Selected |
| Prevent DLLs loading from untrusted folders | Selected |
| Enable CPU branch tracing | Turned on |
| Dynamic shellcode protection | Turned on |
| Validate CTF Protocol caller | Turned on |
| Prevent side loading of insecure modules | Turned on |
| Protect network traffic | Turned on |
| Detect malicious connections to command and control servers | Selected |
| Prevent malicious network traffic with packet inspection (IPS) | Selected |
| Detect malicious behavior (HIPS) | Turned on |
| AMSI Protection (with enhanced scan for script-based threats) | Turned on |
Advanced Settings
| Feature | Setting |
|---|---|
| Turn on provisional runtime detections | Selected |
| Turn on all exploit mitigations | Selected |
| Scan trusted installers | Selected |
| Block email attachment file types that are commonly associated with malware | Selected |
| Deep learning detection level | Default |
Device Isolation
| Feature | Setting |
|---|---|
| Allow computers to isolate themselves on red health | This depends on the Central admin’s preference |
Desktop Messaging
| Feature | Setting |
|---|---|
| Enable Desktop Messaging for Threat Protection | Turned on |
| Configure a message to be added to the end of standard notifications | Click in the message box and add a message to the end of the standard notification |
