Add an exception for "Network Threat Protection"

It is worth mention, the NTP component has a few features.

• IPS
• Web Protection and Control (in the new endpoint version, i.e. the one without SAVService.exe which is part of SAV)
• Heartbeat
• C2 connection.

If you make a real-time scanning exclusion for say "C:\test\test.exe" in the Threat protection policy (or global exclusions), then this will be picked up by NTP. This process will not be checked for connections to command and control servers. You will see the entry in "C:\ProgramData\Sophos\Sophos Network Threat Protection\Config\Policy.xml" at the client. Does that help?

Yes that helps! Thanks a lot! :-)

Hi again, I have a follow up question. How can we completely disbale NTP? I already tried to disable several functions in central but NTP keeps running. Which policy/ setting do I need to change to switch it off?

Thanks in advance!

As per Sophos' recommended configuration, NTP should be enabled by default. Turning off either one of the components beats the purpose of having endpoint protection in your system. However, you can turn off the said components by toggling to the Endpoint UI and turning off the NTP manually. Note that Sophos may not take responsibility for any issues after performing the said action especially when you got hit by any attack

From a new architecture perspective - Service and Support (sophos.com), as I mentioned, NTP provides many different layers of protection.

The service "SophosNTPService.exe", launches the child processes responsible for IPS and Web Protection and Control.

IPS is defined in the Threat Protection policy:

So if this policy option is disabled, the SophosIPS.exe process will not run.

SophosNetFilter.exe implements web protection and control, this is split between 2 of the policies:

• Threat Protection
  • 
  • Downloads in progress is scanning the content before it hits the browser and malicious website blocking is making a SXL4 lookup to the cloud to check the site is "OK".  SSPService.exe maintains the connection to the SXL4 servers for these lookups.
• Web Control
  • 
  • This is more of a control than protection feature.

So if you disable these 3 options in the 2 policies, then the SophosNetFilter.exe process will not start.

There is also the download rep feature, as defined in the Threat Protection policy near to web protection:

This is the browser process (those that support iOfficeAntiVirus) loading the DLL:

• 64-bit browser process: "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x64\sophosofficeav.dll"
• 32-bit browser process: "C:\Program Files\Sophos\Sophos Network Threat Protection\IOAV\x86\sophosofficeav.dll"

This can show the user that the file isn't commonly downloaded/seen, hence the reputation. This isn't really an "active" component but the DLL is used on demand when the browser's download manager requests the scan.

As the top screenshot shows, the NTP service, also performs the heartbeat functionality.

NTP is also responsible for reporting network events into the behavioural engine

If I suspected an issue with NTP, I would start by disabling IPS and Web Protection and Control to end the SophosIPS.exe and SophosNetFIlter.exe processes and go from there.

Excellent answer! Thanks a lot!! :-)

Excellent answer! Thanks a lot!! :-)