Sophos Central Server: Recommended settings for Threat Protection policy
Intercept X Advanced for Server
Note: If you enable any Intercept X Advanced Security features, servers assigned to this policy will use an Intercept X Advanced for Server license.
Server Protection default settings

Setting | Windows | Linux | Virtual
Runtime Protection | | |
Protect network traffic | | |
• Detect malicious connections to command and control servers | | |
• Prevent malicious network traffic with packet inspection (IPS). This setting applies to servers running the latest version of Core Agent. | | |
Enable Sophos Security Heartbeat | | |
AMSI Protection (with enhanced scan for script-based threats). This setting applies to servers running the latest version of Core Agent. | | |
Live Protection | | |
Use Live Protection to check files against the latest malware information from SophosLabs online. Note: this also applies to scheduled scans. | | |
• Use Live Protection during scheduled scans | | |
• Automatically submit malware samples to SophosLabs. Note: the data may leave your geographic region and be shared with Sophos engineers. | | |
Real-time scanning – Local files and network shares | | |
Scan (local, or local and remote) | | |
• On read | | |
• On write | | |
Real-time scanning – Internet | | |
Scan downloads in progress | | |
Block access to malicious websites | | |
Detect low-reputation files | | |
Protect processes | | |
• ACTION TO TAKE ON LOW-REPUTATION DOWNLOADS (Prompt user, or Log only) | | |
• REPUTATION LEVEL (Recommended, or Strict) | | |
Remediation | | |
Automatic cleanup of malware. Note: automatic cleanup is supported on Windows servers and on guest VMs protected by a Sophos Security VM, but only if you have installed the Sophos Guest VM Agent on them. | ✓ | |
Real-time scanning – Options | | |
Automatically exclude activity by known applications | | |
Detect malicious behavior (HIPS) | | |
Scheduled scanning
Scheduled scanning is turned on by default for Windows, Linux and virtual servers and lets the Sophos Central administrator run a scan at the times specified in the policy.
Notes:
- The scheduled scan time is the server's local time, not UTC.
- If deep scanning is selected, archives are scanned during scheduled scans. This may increase system load and make scanning significantly slower.
Exclusions
Some applications have their activity automatically excluded from real-time scanning. For details, see the knowledge base article Sophos Central Windows Server Automatic Exclusions. You can also exclude other items, or activity by other applications, from scanning. You might do this because a database application accesses many files, triggers many scans, and so degrades the server's performance.
Excluded items are still checked for exploits. You can, however, stop checking for an exploit that has already been detected by adding a Detected Exploits exclusion. Exclusions set in a policy apply only to the servers that the policy is assigned to.
Notes:
- To set up exclusions for an application, it is more secure to exclude the application's processes than to exclude its files or folders: a process exclusion skips files only while that process accesses them, whereas a folder exclusion skips anything any process writes there.
- If exclusions need to apply to all users and servers, set them on the Global Exclusions page.
- For the wildcard and variable syntax, see Windows Scanning Exclusions: Wildcards and Variables.
- For virtual servers, see Virtual Server Scanning Exclusions: Wildcards.
How to create a scanning exclusion policy
- Go to Server Protection > Settings > Global Exclusions > Add Exclusion.
- Select the EXCLUSION TYPE:
  - File or folder (Windows): on Windows, a drive, folder or file can be excluded by its full path. Wildcards and variables can be used. Examples:
    - Folder (add a trailing backslash for a folder): C:\programdata\adobe\photoshop\
    - Entire drive: D:
    - File: C:\program files\program\*.vmg
  - File or folder (Linux): on Linux, a folder or file can be excluded, and the wildcards ? and * can be used. Example: /mnt/hgfs/excluded
  - File or folder (Virtual Server): on Windows guest VMs protected by a Sophos security VM, you can exclude a drive, folder or file by full path, just as for other Windows computers. You can use the wildcard * but only in file names. By default, exclusions apply to all guest VMs protected by the security VM.
  - Process: any process of a running application can be excluded. This also excludes files that the process uses, but only while they are accessed by that process. If possible, enter the full path to the executable, not just the process name shown in Task Manager, so that a same-named binary elsewhere on disk is not excluded too. To find all processes or other items that need to be excluded for an application, see the application vendor's documentation. Wildcards and variables can be used. Example: %PROGRAMFILES%\Microsoft Office\Office 14\Outlook.exe
  - Website: can be specified as an IP address, an IP address range in CIDR notation, or a domain.
    - IP address: 192.168.0.1
    - IP address range: 192.168.0.0/24. The suffix /24 gives the number of leading bits shared by every address in the range, so /24 is equivalent to the netmask 11111111.11111111.11111111.00000000 (255.255.255.0). In this example the range includes all IP addresses starting with 192.168.0.
    - Domain: google.com
  - Potentially Unwanted Application (PUA): applications that are normally detected as spyware or other PUAs can be excluded here. Specify the exclusion using the same name under which the system detected it. More information about PUAs is in the Sophos Threat Center.
  - Detected Exploits (Windows): an exploit that has already been detected can be excluded so that it no longer triggers a detection and block for that application. This also turns off CryptoGuard ransomware protection for that exploit on the affected application on your Windows servers, so add this type of exclusion only after you have confirmed the detection is a false positive for that application.
- For File or folder (Windows), specify under ACTIVE FOR whether the scanning exclusion applies to real-time scanning, scheduled scanning, or both.
- Click Add to save the exclusion, or Add Another to save it and start another.
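Because every exclusion is a hole in scanning, it is worth checking a proposed list against the guidance above before it goes into a policy. The script below is an added example written for this article, not Sophos code: it assumes the exclusions have been copied out of the console as (type, value) pairs, and its rules encode the points made on this page (prefer a process exclusion with a full path, avoid whole-drive and root-level wildcard file exclusions, keep website ranges narrow) plus an assumed list of user-writable Windows locations. The `cidr_summary` helper reproduces the /24 netmask calculation from the Website example. The file-or-folder checks cover Windows paths only.

```python
"""Audit Sophos Central server scanning exclusions for over-broad entries.

Added example, not Sophos code. Exclusions are assumed to be (type, value)
pairs copied from the console. The user-writable lists and the /24 threshold
are assumptions for this example, not Sophos-published values.
"""
import ipaddress
import re
from dataclasses import dataclass

# Locations any user (or malware running as that user) can write to. Excluding
# them lets whatever is dropped there skip scanning. Assumed for this example.
USER_WRITABLE_VARS = {"%TEMP%", "%TMP%", "%APPDATA%", "%LOCALAPPDATA%",
                      "%USERPROFILE%", "%PUBLIC%"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp", "c:\\temp")
MAX_V4_RANGE = 24  # flag IPv4 website ranges wider than a /24 (assumed threshold)


@dataclass(frozen=True)
class Exclusion:
    kind: str   # "file_or_folder" (Windows path), "process" or "website"
    value: str


def _is_user_writable(path: str) -> bool:
    p = path.lower()
    return (any(p.startswith(v.lower()) for v in USER_WRITABLE_VARS)
            or p.startswith(USER_WRITABLE_PREFIXES))


def audit_file_or_folder(value: str) -> list[str]:
    """Checks for a Windows File or folder exclusion."""
    v, findings = value.strip(), []
    if re.fullmatch(r"[A-Za-z]:\\?", v):
        findings.append("excludes an entire drive")
    # "C:\*", "C:\*.exe" or a bare "*.vmg" match far more than one application.
    if re.fullmatch(r"([A-Za-z]:\\)?\*[^\\]*", v):
        findings.append("root-level wildcard")
    if _is_user_writable(v):
        findings.append("user-writable location")
    # A folder needs a trailing backslash; without one and without a file
    # extension the entry is ambiguous and may not match what was intended.
    last = v.rsplit("\\", 1)[-1]
    if not v.endswith("\\") and "." not in last and not re.fullmatch(r"[A-Za-z]:", v):
        findings.append("no trailing backslash: folder or file?")
    return findings


def audit_process(value: str) -> list[str]:
    """Checks for a Process exclusion."""
    v, findings = value.strip(), []
    if "\\" not in v:
        findings.append("process named without a path; a same-named binary "
                        "anywhere on disk would be excluded")
    elif _is_user_writable(v):
        findings.append("process runs from a user-writable location")
    if "*" in v.rsplit("\\", 1)[-1]:
        findings.append("wildcard in the executable name")
    return findings


def cidr_summary(cidr: str) -> tuple[str, str, int]:
    """Dotted netmask, binary netmask and address count for an IPv4 CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only")
    mask = str(net.netmask)
    binary = ".".join(f"{int(octet):08b}" for octet in mask.split("."))
    return mask, binary, net.num_addresses


def audit_website(value: str) -> list[str]:
    """Checks for a Website exclusion (IP address, CIDR range or domain)."""
    v = value.strip()
    try:
        net = ipaddress.ip_network(v, strict=False)
    except ValueError:  # not an address or range, so treat it as a domain
        return ["wildcard or empty domain"] if ("*" in v or not v) else []
    limit = MAX_V4_RANGE if net.version == 4 else 64
    if net.prefixlen < limit:
        return [f"/{net.prefixlen} covers {net.num_addresses} addresses; narrow the range"]
    return []


AUDITORS = {"file_or_folder": audit_file_or_folder,
            "process": audit_process, "website": audit_website}


def audit(exclusions: list[Exclusion]) -> dict[str, list[str]]:
    """Map each exclusion value to its findings; clean entries are omitted.
    PUA and Detected Exploits entries are detection names, not paths: skipped."""
    report: dict[str, list[str]] = {}
    for ex in exclusions:
        auditor = AUDITORS.get(ex.kind)
        if auditor is not None and (findings := auditor(ex.value)):
            report[ex.value] = findings
    return report


# Constructed sample list for the example, not exported from a real tenant.
SAMPLE = [
    Exclusion("file_or_folder", "C:\\programdata\\adobe\\photoshop\\"),
    Exclusion("file_or_folder", "D:"),
    Exclusion("file_or_folder", "C:\\program files\\program\\*.vmg"),
    Exclusion("file_or_folder", "%TEMP%\\"),
    Exclusion("process", "outlook.exe"),
    Exclusion("process", "%PROGRAMFILES%\\Microsoft Office\\Office 14\\Outlook.exe"),
    Exclusion("website", "192.168.0.0/24"),
    Exclusion("website", "10.0.0.0/8"),
    Exclusion("website", "google.com"),
]

if __name__ == "__main__":
    for value, findings in audit(SAMPLE).items():
        print(f"{value}: {'; '.join(findings)}")
```

Run against the sample list, the audit passes the three examples given in this article (the Photoshop folder, the `*.vmg` file pattern and the full-path Outlook.exe process) and flags the entire-drive `D:` exclusion, the `%TEMP%` folder, the path-less `outlook.exe` process and the `/8` range. Treat a finding as a prompt to narrow the entry, not as a hard rule: a whole-drive exclusion for a dedicated database volume may be exactly what the vendor documentation requires.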
Desktop Messaging
This feature is turned on by default and lets the Sophos Central administrator add a customized message to the standard notification shown to users. The customized message is not displayed for events triggered by CryptoGuard. If you leave the message box empty, only the standard message is shown.