Thank you for your interest in the Sophos Account Health Check Webinar! We host these webinars to highlight the importance of the Account Health Check and other endpoint settings to security.
Please find resources, answers to the questions asked, and the link to the webinar recording below.
Webinar Recording
Additional Resources
Account Health Check Resources:
Sophos Resources:
Account Health Check Q&A
How often should I be doing an Account Health Check?
We recommend once a week, or perhaps twice a week, just to be sure there have been no changes. This will depend on how many people you have going in and out of the Sophos Central console. If you have more people coming in and out, do the check more frequently. The important thing is to make sure you review it on a regular basis.
What if we need to disable policies? Can the system still detect security concerns related to the disabled policy?
The Threat Protection policy settings are the only main settings with a default configuration. Under the Threat Protection Policy, the default policy settings follow industry best practices and provide the best protection you can have without complex configuration.
Any changes to the default policy settings could reduce your overall security, which is why we recommend only making changes to the policy settings after careful consideration. Other settings, such as Web Control policies, Application Control policies, or Peripheral Control policies, do not have a default configuration. It will be up to the Super Admin to determine the best settings for these policies.
How do I find any computer in the corporate network that is not protected?
You can review this directly from Sophos Central. In Sophos Central go to Devices and select the type of device you would like to see. Alternatively, you can select My Products > Endpoint > Computers or Server > Servers.
From here you will be able to review your devices and determine if any are not protected.
I received a PUA alert. What’s the best way to solve this?
We recommend following the recommendations outlined in our documentation.
Is 53 a good health score on the Account Health Check Dashboard?
The lower the health score, the more vulnerable you are to cyberthreats. A score of 53 could mean recommended policies are disabled or you have misconfigurations. If you have a score below 70 or 80, we recommend reviewing your policies and configuration as soon as possible.
Where can we quickly check the license count we have?
The license count can be reviewed from reports or in the dashboard. License counting depends on how many days have passed since a user was last active. For example, an inactive user's license will no longer be counted after 30 days have passed.
License Usage and Calculation article
How do I get an Audit trail report?
You can view the Audit logs by going to Sophos Central > Settings > Reports. There is an Audit logs report you can access from there.
Can we cap (restrict) large downloads by any user?
You can prevent the downloading of large files in Sophos Firewall by adding a web policy, but not in Endpoint protection.
Sophos Firewall: Blocking download by file size
Can we know the status of a health check without logging into the portal? Could we receive an update via email?
Unfortunately, the only way to know the status of the health check is by looking at the dashboard. Email alerts are driven only by events, whereas the Health Check score is determined by settings (e.g. not following best practices, poor configurations, etc.).
Sophos Intercept X is blocking a certain executable whenever a user tries to install it on the system. How do we resolve this?
You can whitelist applications by adding them as a global exclusion. It is important to ensure any application being added as a global exclusion is a trusted application being used by your organization. Alternatively, you can use policies to set exclusions that target only specific users or devices, rather than using a global exclusion, which keeps the reduction in protection as narrow as possible.
How can I get the Account Health check report daily or monthly?
The Account Health Dashboard displays a real-time score which can be accessed at any time, rather than being delivered as a scheduled report. You can compare your score against the average score of other Sophos organizations. You can also see recent increases or decreases underneath the overall score number.
Software package FTS 2024.2.2.8.2-MR1 is now available. I am getting an alert as the admin. Do we need to take action?
You might not need to act on this right away. We recommend reviewing the release notes to determine whether it will be compatible with your environment.
How does Sophos Central know when you have unprotected machines if the agent is not installed on those machines?
Unmanaged devices are devices that don't have Sophos protection agents installed.
Sophos Central compares devices that have Sophos protection agents installed with devices synchronized from Active Directory.
Go to Devices > Computers (or Servers) > Unmanaged devices to find your unmanaged devices. You can then go to My Products > Installers to download installers to protect them.
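As an added illustration of the comparison described above (this is not Sophos's own code or its matching rules), the following Python script reconciles a constructed Active Directory computer export against a constructed list of devices that report in with an agent. It handles FQDN-versus-short-name mismatches and keeps disabled or stale AD objects separate from genuinely unprotected machines; the 90-day staleness cutoff and the data shapes are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AdComputer:
    """One computer object synchronized from Active Directory (constructed sample shape)."""
    dns_hostname: str
    enabled: bool
    last_logon: datetime

def normalize_hostname(name: str) -> str:
    """Match on the lowercase short name so 'WS01.corp.example' and 'ws01' are the same device."""
    return name.strip().split(".")[0].lower()

def find_unmanaged(ad_computers, managed_devices, now, stale_after=timedelta(days=90)):
    """Return (unmanaged, ignored).

    unmanaged: enabled, recently active AD computers with no agent reporting in.
    ignored:   disabled or stale AD objects, listed separately so they are not mistaken
               for live unprotected machines (the 90-day cutoff is an assumption, not a Sophos rule).
    """
    managed = {normalize_hostname(d) for d in managed_devices}
    unmanaged, ignored = [], []
    for c in ad_computers:
        if not c.enabled or now - c.last_logon > stale_after:
            ignored.append(c.dns_hostname)
        elif normalize_hostname(c.dns_hostname) not in managed:
            unmanaged.append(c.dns_hostname)
    return sorted(unmanaged), sorted(ignored)

# Constructed sample data: what an AD export and an agent-reported device list might contain.
NOW = datetime(2024, 6, 1)
AD_COMPUTERS = [
    AdComputer("WS01.corp.example", True, NOW - timedelta(days=1)),
    AdComputer("ws02.corp.example", True, NOW - timedelta(days=3)),
    AdComputer("srv-files.corp.example", True, NOW - timedelta(days=2)),
    AdComputer("old-lab.corp.example", True, NOW - timedelta(days=200)),    # stale object
    AdComputer("retired01.corp.example", False, NOW - timedelta(days=10)),  # disabled object
]
MANAGED_DEVICES = ["ws01", "SRV-FILES.corp.example"]  # names as the agents report them

def sample_report():
    return find_unmanaged(AD_COMPUTERS, MANAGED_DEVICES, NOW)

if __name__ == "__main__":
    unmanaged, ignored = sample_report()
    print("Unmanaged (need an installer):", unmanaged)
    print("Ignored (disabled/stale AD objects):", ignored)
```

Running it against your own exports lets you cross-check the Unmanaged devices list before deploying installers, and the ignored list is a prompt to clean up stale computer objects in AD.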
What are security settings for preventing a DDOS attack?
A Distributed Denial-of-Service attack, or "DDoS attack", is when an attacker floods a server with internet traffic to prevent users from accessing connected online services and sites. These attacks come from the internet into your network, so the relevant settings are configured in Firewall protection, not in Endpoint protection.
We are using Sophos Firewall and Intercept X. Is it necessary to have both?
Sophos Firewall handles network protection while Intercept X handles endpoint and server protection. If you only have a firewall and malware gets through to a device, then without endpoint protection that device, as well as other devices, would be vulnerable. Similarly, even if you have endpoint protection, a device could become infected by malware that a firewall could have blocked.
One of the big benefits of using Sophos Firewall together with Sophos Intercept X is Synchronized Security. This feature allows Sophos Firewall and Sophos Intercept X to constantly exchange information with one another. For example, if an endpoint became compromised with malware, Sophos Intercept X would block the malware while Sophos Firewall would block the infected endpoint's communication with other endpoints and also block its access to the internet, preventing communication with the attacker's server. Intercept X would then clean up the malware.
How do I install Sophos Endpoint on a Linux server?
You can find instructions on how to install Sophos Endpoint for a Linux server through the link below.
Is there any policy we can enable to alert the IT Admin if there is any unknown activity happening on the network?
There is no policy that fits that requirement. We suggest looking into Sophos MDR, a 24/7 service that conducts threat hunting and threat monitoring for your organization. Think of it as an instant Security Operations Center: a team of experts acting as an extension of your IT team.