This article provides a high-level overview of what Sophos Live Protection is. More details on how it works can be found here.
Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+
Sophos Anti-Virus for Mac OS X
Sophos Anti-Virus for Linux
Sophos Live Protection - overview
Sophos Live Protection decides whether a suspicious file is a threat and, if required, will trigger immediate action as specified in the Sophos Anti-Virus cleanup configuration.
Sophos Live Protection improves detection of new malware without the risk of unwanted detections. This is achieved by doing an instant lookup against rules stored in the cloud. When new malware is identified, Sophos can send out updates within seconds to this central repository ensuring that clients using Live Protection have the very latest protection.
Sophos Live Protection can perform the following tasks:
- Perform cloud look-ups against individual files to determine whether they are safe or malicious
If the anti-virus scan on an endpoint computer has identified a file as suspicious, but cannot further identify it as either clean or malicious based on the threat identity (IDE) files stored on the computer, certain file data (such as its checksum and other attributes) is sent to Sophos to assist with further analysis.
This is known as 'in-the-cloud' checking: it performs an instant lookup of a suspicious file in the SophosLabs database. If the file is identified as clean or malicious, the decision is sent back to the computer and the status of the file is automatically updated.
- Automatically send sample files to Sophos
If a file is considered suspicious, but cannot be positively identified as malicious based on the file data alone, you can allow Sophos to request a sample of the file. If this option is enabled, and Sophos does not already hold a sample of the file, the file will be submitted automatically.
Submitting sample files helps Sophos to continuously enhance detection of malware without the risk of false positives.
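The decision flow described above (local scan, in-the-cloud lookup of file attributes, and optional sample submission when the cloud holds no sample) modelled as an added example. This is illustrative code written for this article, not Sophos code: the local threat identity data, the cloud reputation table, the heuristic marker and the sample files are all constructed stand-ins, and `publish_cloud_verdict` only stands in for SophosLabs pushing a new rule to the central repository.

```python
"""Model of a Live Protection-style decision flow (constructed example, not Sophos code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed stand-in for the locally held threat identity (IDE) data:
# a set of SHA-256 digests the endpoint already knows to be malicious.
LOCAL_KNOWN_BAD: Set[str] = set()

# Constructed stand-in for the SophosLabs database: digest -> "clean" | "malicious".
CLOUD_REPUTATION: Dict[str, str] = {}

# Constructed record of which samples the cloud side already holds.
CLOUD_HAS_SAMPLE: Set[str] = set()

# Constructed marker that stands in for a heuristic trigger in the local scan.
HEURISTIC_MARKER = b"#!heuristic-trigger"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Verdict:
    status: str            # "clean", "malicious" or "unknown"
    source: str            # "local" or "cloud"
    sample_submitted: bool = False
    action: str = "none"   # cleanup action applied on a malicious verdict


def local_scan(data: bytes) -> str:
    """Local decision: known-bad digest -> malicious, heuristic hit -> suspicious, else clean."""
    if sha256_hex(data) in LOCAL_KNOWN_BAD:
        return "malicious"
    if HEURISTIC_MARKER in data:
        return "suspicious"
    return "clean"


def cloud_lookup(attributes: Dict[str, object]) -> Optional[str]:
    """Instant lookup of the file's attributes (not the file itself) in the cloud table."""
    return CLOUD_REPUTATION.get(str(attributes["sha256"]))


def publish_cloud_verdict(digest: str, verdict: str) -> None:
    """Stand-in for a new rule being pushed to the central repository."""
    CLOUD_REPUTATION[digest] = verdict


def live_protection_check(data: bytes, *, submit_samples: bool = False,
                          cleanup_action: str = "quarantine") -> Verdict:
    """Local scan first; cloud lookup only for suspicious files; sample submission only if unresolved."""
    local = local_scan(data)
    if local == "malicious":
        return Verdict("malicious", "local", action=cleanup_action)
    if local == "clean":
        return Verdict("clean", "local")

    digest = sha256_hex(data)
    attributes = {"sha256": digest, "size": len(data)}   # the file data sent for in-the-cloud checking
    cloud = cloud_lookup(attributes)
    if cloud == "malicious":
        return Verdict("malicious", "cloud", action=cleanup_action)
    if cloud == "clean":
        return Verdict("clean", "cloud")

    # Still unresolved: submit a sample only if allowed and the cloud does not already hold one.
    submitted = False
    if submit_samples and digest not in CLOUD_HAS_SAMPLE:
        CLOUD_HAS_SAMPLE.add(digest)   # a real client would upload the file here
        submitted = True
    return Verdict("unknown", "cloud", sample_submitted=submitted)


# Constructed sample files that exercise each branch of the flow.
KNOWN_BAD = b"constructed: matches a local threat identity"
CLOUD_KNOWN_CLEAN = HEURISTIC_MARKER + b" constructed: cloud knows this is clean"
CLOUD_KNOWN_BAD = HEURISTIC_MARKER + b" constructed: cloud knows this is malicious"
NEVER_SEEN = HEURISTIC_MARKER + b" constructed: nobody has seen this yet"

LOCAL_KNOWN_BAD.add(sha256_hex(KNOWN_BAD))
CLOUD_REPUTATION[sha256_hex(CLOUD_KNOWN_CLEAN)] = "clean"
CLOUD_REPUTATION[sha256_hex(CLOUD_KNOWN_BAD)] = "malicious"


if __name__ == "__main__":
    for name, blob in [("KNOWN_BAD", KNOWN_BAD), ("CLOUD_KNOWN_CLEAN", CLOUD_KNOWN_CLEAN),
                       ("CLOUD_KNOWN_BAD", CLOUD_KNOWN_BAD), ("NEVER_SEEN", NEVER_SEEN)]:
        print(name, live_protection_check(blob, submit_samples=True))
```

Two details worth noting: only the digest and size leave the endpoint during the lookup, and a second check of the same unresolved file does not submit a sample again because the cloud side already holds one. Calling `publish_cloud_verdict` for that digest shows how a rule added centrally changes the verdict on the next lookup without any local signature update.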