How can we help?

Sophos Central Endpoint: Recommended settings for Threat Protection policy

You are here:
< All Topics

Applies to the following Sophos products and versions
Sophos Central Admin

New: Active Adversary Mitigations

Feature Setting
Custom or Sophos Managed (off) Default is Custom
Prevent credential theft Selected
Prevent APC violation Selected
Prevent privilege escalation Selected
Prevent code cave utilisation Selected

If you turn a mitigation off, it will stay off even after we turn it on for customers generally.

Use recommended settings

Click Use Recommended Settings if you want to use the settings Sophos recommends. These provide the best protection you can have without complex configuration. If Sophos changes recommendations in the future, the threat protection policy will be updated automatically with new settings.

Live Protection

Live Protection checks suspicious files against the latest malware in the SophosLabs database.

Feature Setting
Use Live Protection to check the latest threat information from SophosLabs online Turned on
Use Live Protection during scheduled scans Selected
Automatically submit malware samples to SophosLabs Selected

Deep Learning


Feature Setting
Enable deep learning Turned on

Real-time Scanning – Local Files and Network Shares

Real-time scanning scans files as users attempt to access them, and denies access unless the file is clean. Local files are scanned by default.

Feature Setting
Enable real-time scanning Turned on
Remote files Selected

Real-time Scanning – Internet

Real-time scanning scans internet resources as users attempt to access them.

Feature Setting
Scan downloads in progress Turned on
Block access to malicious websites Turned on
Detect low-reputation files Turned on
Action to take on low reputation downloads Prompt user
Reputation level Recommended


Sophos Central will try to clean up detected malware automatically.

Feature Setting
Automatically clean up malware Turned on
Enable Threat Case creation Turned on
Enable Snapshot file upload

Note: Snapshot data may leave your geographic region and will be accessible with controlled access to Sophos engineers for analysis.

Allow computers to send data on suspicious files, network events and admin tool activity to Sophos Central Turned on

Runtime Protection

Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic.

Feature Setting
Protect document files from ransomware (CryptoGuard) Turned on
Protect from remotely run ransomware (only available on 64-bit systems) Selected
Protect from Encrypting File system attacks Selected
Protect from master boot record ransomware Turned on
Protect critical functions in web browsers (Safe Browsing) Turned on
Mitigate exploits in vulnerable applications Turned on
Protect web browsers Selected
Protect web browser plugins Selected
Protect Java applications Selected
Protect media applications Selected
Protect office applications Selected
Protect processes Turned on
Prevent process hollowing attacks Selected
Prevent DLLs loading from untrusted folders Selected
Enable CPU branch tracing Turned on
Dynamic shellcode protection Turned on
Validate CTF Protocol caller Turned on
Prevent side loading of insecure modules Turned on
Protect network traffic Turned on
Detect malicious connections to command and control servers Selected
Prevent malicious network traffic with packet inspection (IPS) Selected
Detect malicious behavior (HIPS) Turned on
AMSI Protection (with enhanced scan for script-based threats) Turned on

Advanced Settings

Feature Setting
Turn on provisional runtime detections Selected
Turn on all exploit mitigations Selected
Scan trusted installers Selected
Block email attachment file types that are commonly associated with malware Selected
Deep learning detection level Default

Device Isolation

Feature Setting
Allow computers to isolate themselves on red health This depends on the Central admin’s preference

Desktop Messaging

Feature Setting
Enable Desktop Messaging for Threat Protection Turned on
Configure a message to be added to the end of standard notifications Click in the message box and add a message to the end of the standard notification
Table of Contents