Sophos Endpoint Agent Overview

Sophos delivers powerful attack surface reduction, threat prevention, and detection and response capabilities while maintaining an agent footprint lighter than many common business applications. Many competitor solutions lack the same depth and breadth, prioritizing agent size over strength of protection.

Can you afford to be without these superior protections?

Threat Surface Reduction

Stopping attacks early is less resource-intensive than monitoring and remediating them later in the attack chain. Intercepting network traffic on the endpoint provides powerful protection benefits for users both on and off the company network. Solutions that lack this full range of threat surface reduction capabilities have less opportunity to block attacks before they penetrate your systems.

Web Protection

Web Protection intercepts outbound browser connections and blocks traffic destined for malicious or suspicious websites. It stops threats at the delivery stage by preventing users from being diverted to malware delivery or phishing websites.


Web Control

Web Control uses the same traffic interception technology, enabling you to block access to undesirable or inappropriate content, such as adult and gambling websites.


Download Reputation

Download Reputation analyzes files as they’re downloaded and uses SophosLabs global threat intelligence to provide a verdict based on prevalence, age, and source, prompting users to block files with low or unknown reputation.


Application Control

Application Control enables you to block applications that may be vulnerable, unsuitable for your environment, or that could be used for nefarious purposes. Sophos provides pre-defined categories to block or monitor apps, removing the burden of blocking individual applications by hash.


Peripheral (Device) Control

Peripheral (Device) Control enables you to monitor and block access to removable media, Bluetooth, and mobiles to prevent certain devices from connecting to your network.


Data Loss Prevention (DLP)

Data Loss Prevention (DLP) monitors and restricts the transfer of files containing sensitive data. For example, prevent employees from sending confidential files home using web-based email.


Server Lockdown

Server Lockdown allows only trusted applications and their associated files to run and change other files. Sophos records installed software, checks it is safe, and only allows those applications to run while the server is locked.



Threat Prevention

Stopping more threats early in the attack chain enables you to focus on investigating fewer incidents. Some detection and response solutions focus on collecting telemetry for investigation at the expense of providing comprehensive prevention, to maintain a reduced agent footprint. Sophos delivers broader threat prevention capabilities, with efficacy validated through consistent top scores in independent tests.

Airtight Ransomware Protection (CryptoGuard)

Watch Video

Sophos’ CryptoGuard technology monitors file contents for malicious encryption, blocking the offending process in real-time whether it’s running on the victim's computer, or on a compromised network-connected device. This universal approach protects your data from both local and remote attacks, including new ransomware variants. Our proprietary auto-rollback mechanism reverts encrypted files to their original state without relying on the Volume Shadow Copy Service (VSS), which attackers frequently target.

Sophos Endpoint is the most robust zero-touch endpoint defense against remote ransomware.


Adaptive Attack Protection

Watch Video

Adaptive Attack Protection automatically enables more aggressive protection on an endpoint when a ‘hands-on-keyboard’ attack is detected, blocking actions commonly performed by adversaries, such as attempts to run remote admin tools or low reputation executables.

No other vendor offers comparable adaptive protection against active adversaries.


Deep Learning (AI-powered) malware prevention

Deep Learning (AI-powered) malware prevention analyzes binaries to make decisions based on file attributes and predictive reasoning. Deep learning is an advanced form of machine learning that detects and blocks malware, including new and previously unseen threats.


Live Protection

Live Protection extends Sophos’ comprehensive on-device protection with real-time lookups to SophosLabs' latest global threat intelligence for additional file context, decision verification, false positive suppression, and file reputation. Our Tier 1 threat research provides additional live intelligence from Sophos’ expansive product portfolio and global customer base.

Some vendors including Carbon Black, CrowdStrike and SentinelOne rely solely on pre-trained machine learning models.


Behavior Analysis

Behavior Analysis monitors process, file, and registry events over time to detect and stop malicious behaviors and processes. It also performs memory scanning, inspects running processes to detect malicious code only revealed during process execution, and detects attackers implanting malicious code in the memory of a running process to evade detection.



Anti-Exploitation guards process integrity by hardening application memory and applying runtime code execution guardrails. Over sixty anti-exploitation techniques in Sophos Endpoint are enabled by default, require no training nor tuning, and extend far beyond the protections provided by the native Windows OS or most other endpoint security solutions.

Some vendors including Carbon Black, SentinelOne and Microsoft lack extensive exploit mitigations or require significant manual tuning.


Application Lockdown

Application Lockdown prevents browser and application misuse by blocking actions not commonly associated with those processes. For example, a web browser or Office application attempting to launch PowerShell.


Antimalware Scan Interface (AMSI)

Antimalware Scan Interface (AMSI) determines whether scripts (e.g., PowerShell or Office Macros) are safe, including if they are obfuscated or generated at runtime, blocking fileless attacks where malware is loaded directly from memory. Sophos also has a proprietary mitigation against malware that attempts to evade AMSI detection.


Malicious Traffic Detection

Malicious Traffic Detection detects a device attempting to communicate with a command and control (C2) server by intercepting traffic from non-browser processes and analyzing whether it is destined for a malicious address.


File Integrity Monitoring (FIM)

File Integrity Monitoring (FIM) identifies changes to system-critical files on Windows servers. You can also define locations and exclusions to identify changes to specific files, folders, registry keys, or registry values.



Detection, Investigation, and Response

The more you see, the faster you can respond. Sophos gives you the breadth and depth of data needed to investigate and respond to suspicious activities in your environment effectively. Comprehensive logging of device activity has a small impact on agent footprint but a high impact on response efficacy. If needed, you can limit the disk space used for this on the device and the time for which data is collected.

Sophos Data Lake

The Sophos data lake integrates comprehensive telemetry from an expansive portfolio of Sophos and third-party (non-Sophos) solutions, including endpoint, mobile, firewall, network, email, and cloud technologies. It enables you to access critical data and AI-prioritized threat detections across multiple attack surfaces.


Live Discover

Live Discover enables you to query devices to investigate activity. It uses osquery technology to monitor and record device status and attributes in Event Journals and employs guardrails to limit the impact of queries on the device. You can query information in the Sophos data lake for multiple devices including those offline.


Live Response

Live Response provides a secure terminal in your Sophos Central console, enabling you to connect to devices to investigate and remediate possible security issues. Run commands to stop suspicious processes, restart devices with pending updates, delete files, and more, with full, secure, audited shell access.

Some vendors provide only a limited set of commands through their consoles.


Forensic Snapshots

Forensic snapshots. When a threat detection occurs, a snapshot file of current activity is created on the device’s disk. You can remotely retrieve these forensic snapshots to perform additional analysis.


Device Isolation

Device isolation enables you to isolate an endpoint from your network to contain a threat or during an investigation. The isolation blocks TCP and UDP traffic and prevents the device from establishing network connections.


Third-party Compatibility

Sophos' unified endpoint agent includes our full suite of protection, detection, and response capabilities out of the box. Organizations can also benefit from Sophos’ detection and response capabilities with non-Sophos endpoint protection using a lightweight ‘XDR Sensor’ option and a range of turnkey third-party solution integrations.

Some vendors including CrowdStrike and Microsoft do not support the use of third-party endpoint technology.


Sophos EDR/XDR

Sophos provides a unified security operations platform and tools that enable you to detect, investigate, and respond to threats across all key attack vectors in the shortest time. Learn more about Sophos' full suite of powerful Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) capabilities.



Sophos provides the strongest protections while maintaining a performant solution and optimized agent footprint.

Selecting an endpoint security solution based on agent size alone could expose you to cyberthreats – why take the risk?