Sophos Central Server: Recommended settings for Threat Protection policy


Intercept X Advanced for Server

Note: If you enable any Intercept X Advanced Security features, servers assigned to this policy will use an Intercept X Advanced for Server license.

Each feature is listed as Feature: Recommended setting. The original table also marks, per feature, whether it applies to Windows, Linux or Virtual servers.

Runtime Protection

Protect document files from ransomware (CryptoGuard): On
  • Protect from remotely run ransomware: Selected
  • Protect from Encrypting File System attacks: Selected (applies to servers running the latest version of Sophos Intercept X)
Protect from master boot record ransomware: On
Protect critical functions in web browsers (Safe Browsing): On
Mitigate exploits in vulnerable applications: On
  • Protect web browsers: Selected
  • Protect web browser plugins: Selected
  • Protect Java applications: Selected
  • Protect media applications: Selected
  • Protect office applications: Selected
Advanced exploit mitigation settings:
  • Prevent credential theft: Selected
  • Prevent code cave utilisation: Selected
  • Prevent APC violation: Selected
  • Prevent privilege escalation: Selected
Protect processes: On
  • Prevent process hollowing attacks: Selected
  • Prevent DLLs loading from untrusted folders: Selected
Enable CPU branch tracing: Off

Deep Learning

Enable deep learning: On

Remediation

Enable Threat Case creation: On
  • Enable Snapshot file upload: Not selected
    Note: Snapshot data may leave your geographic region and is accessible, under controlled access, to Sophos engineers for analysis.
Allow servers to send data on suspicious files, network events and admin tool activity to Sophos Central: On

Server Protection default settings

Each feature is listed as Feature: Setting. The original table also marks, per feature, whether it applies to Windows, Linux or Virtual servers.

Runtime Protection

Protect network traffic: On
  • Detect malicious connections to command and control servers: Selected
  • Prevent malicious network traffic with packet inspection (IPS): Selected (applies to servers running the latest version of Core Agent)
Enable Sophos Security Heartbeat: Off
AMSI Protection (with enhanced scan for script-based threats): On (applies to servers running the latest version of Core Agent)

Live Protection

Use Live Protection to check files against the latest malware information from SophosLabs online: On
  Note: Also applies to scheduled scans.
  • Use Live Protection during scheduled scans: Selected
  • Automatically submit malware samples to SophosLabs: Selected
    Note: The data may leave your geographic region and be shared with Sophos engineers.

Real-time scanning – Local files and network shares

Scan (local or local and remote): On
  • On read: Selected
  • On write: Selected

Real-time scanning – Internet

Scan downloads in progress: On
Block access to malicious websites: On
Detect low-reputation files: On
  • ACTION TO TAKE ON LOW-REPUTATION DOWNLOADS: Prompt user or Log only
  • REPUTATION LEVEL: Recommended or Strict
Protect processes: On

Remediation

Automatic cleanup of malware: On
  Note: Automatic cleanup is supported on Windows servers and on guest VMs protected by a Sophos Security VM, but only if the Sophos Guest VM Agent is installed on them.

Real-time scanning – Options

Automatically exclude activity by known applications: On
Detect malicious behavior (HIPS): On

Scheduled scanning

Scheduled scanning is turned on by default for Windows, Linux and Virtual servers and lets the Sophos Central administrator run scans at the time or times specified in the policy.

Notes:

  • The scheduled scan time is the server's local time, not UTC.
  • If deep scanning is selected, archives are also scanned during scheduled scans. This increases system load and can make scanning significantly slower.

Exclusions

Some applications have their activity automatically excluded from real-time scanning. For more information about this, see the knowledge base article Sophos Central Windows Server Automatic Exclusions. You can also exclude other items or activity by other applications from scanning. You might do this because a database application accesses many files, and so triggers many scans and impacts a server’s performance.

Excluded items are still checked for exploits. To stop checking for a specific exploit that has already been detected, add a Detected Exploits exclusion. Exclusions set in a policy apply only to the servers that policy is assigned to.

How to create a scanning exclusion

  1. Go to Server Protection > Settings > Global Exclusions > Add Exclusion.
  2. Select the EXCLUSION TYPE:
      • File or folder (Windows): On Windows, you can exclude a drive, folder or file by its full path. Wildcards and variables can be used.
          • Folder: C:\programdata\adobe\photoshop\ (add a trailing backslash to exclude a folder; without it the entry is treated as a file)
          • Entire drive: D:
          • File: C:\program files\program\*.vmg
      • File or folder (Linux): On Linux, you can exclude a folder or file, and the wildcards ? and * can be used.
          • /mnt/hgfs/excluded
      • File or folder (Virtual Server): On Windows guest VMs protected by a Sophos security VM, you can exclude a drive, folder or file by full path, just as for other Windows computers. The wildcard * can be used, but only in file names. By default, exclusions apply to all guest VMs protected by the security VM.
      • Process: You can exclude any process run by an application. This also excludes the files that process uses, but only while that process accesses them; the same files are still scanned when other processes touch them. Where possible, enter the full path to the executable rather than only the process name shown in Task Manager, so that a different binary with the same name is not excluded as well. To find all processes or other items you need to exclude for an application, see the application vendor's documentation. Wildcards and variables can be used.
          • %PROGRAMFILES%\Microsoft Office\Office 14\Outlook.exe
      • Website: Can be specified as an IP address, an IP address range (in CIDR notation) or a domain.
          • IP address: 192.168.0.1
          • IP address range: 192.168.0.0/24. The /24 is the number of leading bits shared by every address in the range, which corresponds to the netmask 255.255.255.0 (11111111.11111111.11111111.00000000 in binary), so this range covers all addresses starting with 192.168.0.
          • Domain: google.com
      • Potentially Unwanted Application (PUA): Applications that would otherwise be detected as potentially unwanted (such as spyware) can be excluded here. Enter the exclusion using the same name under which the application was detected. More information about PUAs is available in the Sophos Threat Center.
      • Detected Exploits (Windows): An exploit that has already been detected can be excluded; it will then no longer be detected or blocked for that application. Note that this also turns off CryptoGuard ransomware protection for that application on your Windows servers, so use it only for confirmed false positives and review it once the application has been fixed.
  3. For File or folder (Windows), specify under ACTIVE FOR whether the scanning exclusion applies during real-time scanning, scheduled scanning or both.
  4. Click Add or Add Another to save the exclusion.
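As an added example (not part of the original page and not Sophos's own tooling), the following Python script applies the rules above to a planned list of exclusions before they are entered in Sophos Central. It calls no Sophos API; the exclusion-type keys (windows_path, virtual_path and so on) are this example's own labels for the types listed in step 2, and the sample entries are constructed, mixing the page's own examples with entries a reviewer should question. Beyond the format rules (trailing backslash for a folder, * only in the file name for Virtual Server exclusions, IP, CIDR or domain for websites, full path for a process), it flags exclusions broad enough to become blind spots: whole drives, wildcard patterns such as *.exe, bare process names that exclude any binary with that name, and large CIDR ranges. describe_range expands a CIDR range into the netmask and bit pattern the Website step describes.

```python
"""Lint planned Sophos Central scanning exclusions before adding them.

Added example for this page, not Sophos code: it calls no Sophos API, and the
exclusion-type keys are this example's own names for the UI's types. The checks
are the rules stated in the procedure above plus warnings for exclusions broad
enough to hide real malware from real-time scanning.
"""
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    level: str  # "error": malformed entry; "warn": valid but broad or probably not what was meant
    message: str

KINDS = {"windows_path", "linux_path", "virtual_path", "process", "website", "pua", "detected_exploit"}
_DRIVE = re.compile(r"^[A-Za-z]:(\\|$)")       # C:\... or a bare drive such as D:
_ENV_VAR = re.compile(r"^%[A-Za-z0-9_()]+%\\")   # %PROGRAMFILES%\...
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)
# Wildcard file patterns that exclude every executable, library or script in a folder.
_BROAD = {"", "*", "exe", "dll", "sys", "ps1", "bat", "cmd", "js", "vbs", "jar"}

def _windows_like(kind, value, wildcards_in_folders):
    """Windows and Virtual Server path rules: full path; a trailing backslash marks a folder."""
    if not (_DRIVE.match(value) or _ENV_VAR.match(value)):
        return [Finding(kind, value, "error", "must be a full path (drive letter or %VARIABLE%), not a relative path")]
    body = value.split(":", 1)[1] if _DRIVE.match(value) else value
    if body.strip("\\") == "":
        return [Finding(kind, value, "warn", "excludes an entire drive from scanning")]
    out, parts = [], value.split("\\")
    if not wildcards_in_folders and any("*" in p or "?" in p for p in parts[:-1]):
        out.append(Finding(kind, value, "error", "Virtual Server exclusions allow * only in the file name, not in folder names"))
    last = parts[-1]  # empty when the path ends with a backslash, i.e. a folder exclusion
    if last and "*" in last and last.lstrip("*").lstrip(".").lower() in _BROAD:
        out.append(Finding(kind, value, "warn", f"'{last}' excludes every such file in the folder; prefer exact file names"))
    elif last and "." not in last and "*" not in last:
        out.append(Finding(kind, value, "warn", "no trailing backslash, so this is treated as a file; add '\\' to exclude the folder"))
    return out

def _website(kind, value):
    """Website rules: an IP address, a CIDR range or a domain; warn on very large ranges."""
    try:
        ipaddress.ip_address(value)
        return []
    except ValueError:
        pass
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return [] if _DOMAIN.match(value) else [Finding(kind, value, "error", "not an IP address, CIDR range or domain name")]
    if str(net) != value:
        return [Finding(kind, value, "warn", f"host bits set; the range actually excluded is {net}")]
    if net.prefixlen < (16 if net.version == 4 else 48):
        return [Finding(kind, value, "warn", f"range covers {net.num_addresses} addresses (netmask {net.netmask}); confirm this is intended")]
    return []

def describe_range(cidr):
    """Expand a CIDR range as the procedure does for /24: netmask, its bit pattern and address count."""
    net = ipaddress.ip_network(cidr, strict=False)
    bits = format(int(net.netmask), f"0{net.max_prefixlen}b")
    return {"netmask": str(net.netmask), "addresses": net.num_addresses,
            "netmask_bits": ".".join(bits[i:i + 8] for i in range(0, len(bits), 8))}

def lint_exclusion(kind, value):
    value = value.strip()
    if not value:
        return [Finding(kind, value, "error", "empty value")]
    if kind in ("windows_path", "virtual_path"):
        return _windows_like(kind, value, wildcards_in_folders=(kind == "windows_path"))
    if kind == "linux_path":
        if not value.startswith("/"):
            return [Finding(kind, value, "error", "must be an absolute path starting with /")]
        return [Finding(kind, value, "warn", "excludes the whole filesystem")] if value.rstrip("/") in ("", "/*") else []
    if kind == "process" and "\\" not in value and "/" not in value:
        return [Finding(kind, value, "warn", "bare process name as shown in Task Manager: any binary with this name is excluded, use the full path")]
    if kind == "website":
        return _website(kind, value)
    if kind == "detected_exploit":
        return [Finding(kind, value, "warn", "also turns off CryptoGuard ransomware protection for the affected application on Windows servers")]
    return []  # process with a full path, or pua (nothing to check beyond the exact detected name)

# Constructed sample list for this example: the page's own examples plus entries a reviewer should query.
PLANNED_EXCLUSIONS = [
    ("windows_path", "C:\\programdata\\adobe\\photoshop\\"),
    ("windows_path", "D:"),
    ("linux_path", "/mnt/hgfs/excluded"),
    ("virtual_path", "C:\\Users\\*\\Downloads\\*.exe"),
    ("process", "%PROGRAMFILES%\\Microsoft Office\\Office 14\\Outlook.exe"),
    ("process", "sqlservr.exe"),
    ("website", "192.168.0.0/24"),
    ("website", "10.0.0.0/8"),
    ("website", "not a host"),
    ("detected_exploit", "example-detected-exploit"),  # hypothetical detection name
]

if __name__ == "__main__":
    for kind, value in PLANNED_EXCLUSIONS:
        for f in lint_exclusion(kind, value):
            print(f"{f.level:5} {f.kind:16} {f.value!r}: {f.message}")
    print(describe_range("192.168.0.0/24"))
```

Run it directly to lint the constructed list. A Detected Exploits entry always produces a warning because, as step 2 notes, it also disables CryptoGuard for the affected application; an "error" means the entry would not behave as intended, a "warn" means it is valid but worth a second look before it becomes a permanent gap in real-time scanning.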

Desktop Messaging

This feature is turned on by default and lets the Sophos Central administrator add a customized message to the standard notification shown to users. The custom message is not displayed for events triggered by CryptoGuard. If you leave the message box empty, only the standard message is shown.
