This article provides instructions on how to turn Sophos Live Protection on or off.
Applies to the following Sophos product(s) and version(s)
Enterprise Console 5.0+
About Sophos Live Protection
Sophos Live Protection uses in-the-cloud technology to instantly decide whether a suspicious file is a threat and take the action specified in the anti-virus and HIPS policy.
Live Protection improves detection of new malware without the risk of unwanted detections. This is achieved by doing an instant lookup against the very latest known malicious files. When new malware is identified, Sophos can send out updates within seconds.
To take full advantage of Live Protection, you must ensure that the following options are enabled.
Enable Live Protection
If the anti-virus scan on an endpoint computer has identified a file as suspicious, but cannot further identify it as either clean or malicious based on the threat identity (IDE) files stored on the computer, certain file characteristics such as its checksum are sent to Sophos to assist with further analysis. The in-the-cloud checking performs an instant lookup of a suspicious file in the SophosLabs database. If the file is identified as clean or malicious, the decision is sent back to the computer and the status of the file is automatically updated.
Automatically send file samples to Sophos
If a file is deemed potentially malicious but cannot be positively identified as malicious based on its characteristics alone, Live Protection allows Sophos to request a sample of the file. If this option is enabled and Sophos does not already hold a sample of the file, the file is submitted automatically.
Submission of such sample files helps Sophos to continuously enhance detection of malware without the risk of false positives.
Note: The maximum sample size is 10 MB. The timeout for sample upload is 30 seconds. It is not recommended to automatically send samples over a slow connection (less than 56 Kbps).
Important: You must ensure that the Sophos domain to which the file data is sent is trusted in your web filtering solution. For details, see the support knowledgebase article: Whitelisting the Sophos domain to enable automatic sample submission.
If you use a Sophos web filtering solution, for example the WS1000 Web Appliance, you do not need to do anything - Sophos domains are already trusted.
What to do - Turn Sophos Live Protection on or off
By default, Endpoint Security and Control sends file data such as checksums to Sophos, but does not send sample files. To take full advantage of Sophos Live Protection, you must enable both Sophos Live Protection options.
Note: If you use role-based administration*, be aware of the following before you start the procedure described below:
- You must have the 'Policy setting - Anti-virus and HIPS' right to perform this task.
- You cannot edit a policy if it is applied outside your active sub-estate.
For more information, see Designing sub-estates and role-based administration.
To turn Live Protection on or off:
- Check which Anti-virus and HIPS policy is used by the group or groups of computers you want to configure. To do this, right-click the 'Group' folder you want to check and select 'View/Edit Group Policy Details'.
- You can now see which policy is applied to that 'Group'.
- In the 'Policies' pane expand the 'Anti-virus and HIPS' section.
- Right-click the policy you would like to edit and select 'View/Edit Policy'.
- The Anti-Virus and HIPS policy dialog box is displayed. Click the 'Sophos Live Protection' button.
- Select or deselect 'Enable Live Protection'.
* What is role-based administration? By default, the admin who installed SEC (System Administrator role) has all the rights and can perform any task. Role-based administration provides more limited admin access to other users.