Thank you to everyone that attended!
Below is the link to the on-demand video available on our Sophos Techvids website and also a list of the answers provided by our experts (RichardP/JustanOn) for the questions we received during the live session.
Use the comments section in this blog post to engage with our panel, share feedback, and discuss any topics covered in the presentation.
Please stay tuned for more information on our next episode!
Table of Contents
- Thank you to everyone that attended!
- We have someone using a USB drive that has third-party encryption built into it. The third-party exe on the USB triggers a CryptoGuard alert. How can I allowlist this so there are no alerts?
- How can I assign the new policy to a specific computer?
- Can a computer be part of more than one Group? For example, we have a policy activating Device encryption (managed by a group) and a group of computers using a third-party tool having specific exclusions. What if a computer needs to get both settings?
- How can we allow a particular/specific Bluetooth or USB device?
- If I set a scheduled scan for after hours, will the computer scan if the machine is locked? And if the device is off, will it scan when the device is next turned on?
- Should I be adding all my machines to the EAP for better protection?
- A core application that is used in our network is being detected by Intercept X. How can I easily determine if this detection is legitimate or a false positive?
- Some features like CPU branch tracing and Safe Browsing are recommended in the Endpoint policy but disabled by default for Servers. Should this feature be on instead for servers?
- Are all the features discussed [in the webinar] available on Mac machines as well? How about Linux servers?
- Are the steps for high CPU usage on Linux web servers also applicable to Windows web servers?
- Are an Update Cache and Message Relay required if our endpoints don’t have internet access?
- Why is real-time scanning disabled in my environment?
- Additional Resources
Note: The answers outlined below are subject to update as required.
We have someone using a USB drive that has third-party encryption built into it. The third-party exe on the USB triggers a CryptoGuard alert. How can I allowlist this so there are no alerts?
- If the target of the alert is files on the USB drive itself, a CryptoGuard exclusion can be created in a Threat Protection policy applied only to this user. The detection will generate an event and can be seen if you select the “Detected Exploits (Windows/Mac)” exclusion type.
- If the alert is triggering on a location on the device itself – there’s something else going on and more investigation should be performed.
How can I assign the new policy to a specific computer?
- When creating a policy in Endpoint Protection > Policies, you’ll have the option to specify whether it’s a User or Device policy. During the creation process, you can drag users/devices into the Assigned Users/Devices section to specify who the policy will go to.
Can a computer be part of more than one Group? For example, we have a policy activating Device encryption (managed by a group) and a group of computers using a third-party tool having specific exclusions. What if a computer needs to get both settings?
- Each device will only take one each of every type of policy, such as one Threat Protection policy, one Encryption policy, one Web Control policy, etc. Third-party tool-specific exclusions are often created in the Threat Protection policy so this won’t affect how your Device Encryption policy applies to machines. If you have two Threat Protection policies, one applied to a device and the other applied to a group the device is in, the first matching policy closest to the top will take effect.
How can we allow a particular/specific Bluetooth or USB device?
- Assuming the device is blocked by Peripheral Control, you’ll need to create an exemption within the Peripheral Control policy. Specify who this policy applies to, then in the settings, there’s a section to add a Peripheral Exemption. From there you can select the peripherals detected in your environment and create the exemption based on the model or the model ID (e.g., all iPhone 11s, or this specific iPhone 11).
If I set a scheduled scan for after hours, will the computer scan if the machine is locked? And if the device is off, will it scan when the device is next turned on?
- Scheduled Scans are created on the endpoints using Task Scheduler. So long as the machine is running at the time of a scheduled scan, it will scan. If a device was offline during a scheduled scan time it will not start once it comes online. It will wait until the next scheduled scan time. Also note that if you have devices in different time zones, they will all run at the scheduled time local to the endpoint.
Should I be adding all my machines to the EAP for better protection?
- No, the EAPs are for testing new features. Sophos does not recommend them for production machines. The features/settings will be rolled out for GA once they are recommended.
A core application that is used in our network is being detected by Intercept X. How can I easily determine if this detection is legitimate or a false positive?
- This depends on where this application is coming from. If you trust the source, then you can proceed to exclude it. Factors such as whether the software is developed internally within your organization, whether it is open source, and whether it is business-critical should all be considered. In essence, you should have a list of trusted applications in your environment and in that list should be a hash to identify the PE – if the offending PE matches a hash of a known and trusted PE it’s something that you could consider allowing.
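As an added illustration of the hash check the answer describes (example code, not Sophos’ own), the snippet below hashes a flagged executable with SHA-256 and looks it up in a trusted-application list; the one-entry-per-line “sha256,name” list format and the sample files are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_of_file(path: str) -> str:
    """Hash in chunks so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def is_pe(path: str) -> bool:
    """Cheap sanity check: Windows PE files start with the 'MZ' DOS header."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def load_allowlist(text: str) -> dict:
    """Parse the assumed 'sha256,name' per-line format (not a Sophos format).
    Blank lines and '#' comments are ignored; digests are lower-cased."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(",")
        entries[digest.strip().lower()] = name.strip()
    return entries

def verdict(path: str, allowlist: dict) -> str:
    """'trusted:<name>' only on an exact hash match; anything else needs review."""
    if not is_pe(path):
        return "not-a-pe"
    name = allowlist.get(sha256_of_file(path))
    return f"trusted:{name}" if name else "unknown"

def demo() -> dict:
    """Constructed samples: a known-good build, a modified copy, and a non-PE file."""
    good = b"MZ" + b"\x00" * 62 + b"constructed internal build v1"
    allowlist = load_allowlist(
        f"# sha256,name\n{hashlib.sha256(good).hexdigest()},coreapp.exe\n")
    samples = {"coreapp.exe": good, "coreapp-modified.exe": good + b"\x90",
               "notes.txt": b"plain text"}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for fname, data in samples.items():
            path = os.path.join(d, fname)
            with open(path, "wb") as f:
                f.write(data)
            results[fname] = verdict(path, allowlist)
    return results
```

A single changed byte (the modified copy) produces a different digest, so only an exact match against the maintained list should be treated as a candidate for an exclusion.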
Some features like CPU branch tracing and Safe Browsing are recommended in the Endpoint policy but disabled by default for Servers. Should this feature be on instead for servers?
- The default settings in both policies are the current suggested mix of performance and protection as per Sophos. So, no. However, if you want to turn them on – go ahead on a test device and monitor the performance impact. If that impact is acceptable for your use case you can turn on the feature if you like.
Are all the features discussed [in the webinar] available on Mac machines as well? How about Linux servers?
- Not all features are available to all OS platforms. In server policies – on the right-hand side – you will see a list of platforms the policy item applies to. For endpoint policies – you have the same policy for all platforms and Mac machines will only render the elements they can use.
Are the steps for high CPU usage on Linux web servers also applicable to Windows web servers?
- Yes, the scenario is generic for performance. We used Linux because those machines tend to be lean specs. Most Windows servers have a lot more resources (they have to run Windows after all which is far more of a load than HTTP scanning) and tend to not encounter this problem as often. However, they can and the solution is the same.
Are an Update Cache and Message Relay required if our endpoints don’t have internet access?
- A central endpoint needs to be able to reach Sophos Central. If the endpoints do not have direct internet access, they’ll need to be able to get to Sophos Central either using a proxy or with an Update Cache and Message Relay combination.
Why is real-time scanning disabled in my environment?
- Real-Time Scanning can be disabled for many reasons, the most common being that the Sophos Anti-Virus service needs to restart to load any newly published threat definitions. If the restart of this service takes a significant amount of time on slower machines, it may report back to Sophos Central as “Real-time scanning disabled” and re-enable itself shortly after. This should not be a concern.
Attend our new Sophos Community TechTips series to learn more about best practices, configuration, how-to, and troubleshooting directly from the experts at Sophos Support!
Our first episode will cover best practices to follow when configuring your Intercept X Threat Protection policy.
Make sure to check out our Sophos Intercept X: Threat Protection Policy Best Practices video before the event!