This article provides an overview of how Sophos Live Protection works. A general overview of what it does and the tasks performed by Live Protection can be found here.
Applies to the following Sophos product(s) and version(s):
Sophos Anti-Virus for Windows 2000+
Sophos Anti-Virus for Mac OS X
Sophos Anti-Virus for Linux
Live Protection is a technology that allows live SXL lookups to obtain the latest threat information from SophosLabs without waiting for the product to be updated. It also provides a means to automatically upload samples of files that SophosLabs deem interesting and worth investigating further. Both functionalities can be enabled or disabled depending on the environment and local policies, although sending file samples is available only if the live lookups are enabled.
In some IDE (identity) files, SophosLabs include special instructions to trigger a live lookup for more up-to-date threat information. When one of the lookup-enabled identities is triggered, generic information about the threat and the detection is sent to SophosLabs using SXL, a protocol/framework designed and maintained by Sophos that runs over DNS queries. If new information is available, the endpoint receives it in the SXL response and adjusts its behavior accordingly. Also, if SophosLabs deem the file interesting for further research based on the lookup information, the endpoint automatically uploads the sample.

When a lookup-enabled detection is triggered by the on-access scanner, on-demand scanner, or runtime HIPS, the SAV service sends a specially crafted DNS query, which includes generic information about the file and the detection features, to the sophosxl.net name servers. It then takes action(s) based on the response it gets. Currently available actions include:
Given the number of files scanned by Sophos Anti-Virus, a look-up can be triggered quite frequently. This is not an event that an end user would see, but you may observe the traffic if you monitor your firewall or network traffic.
To limit the number of look-ups, SophosLabs also whitelists common files so they will not be scanned; this includes OS files as well as common applications. Due to the nature of malware, we attempt to reduce the number of look-ups where possible but do not set an arbitrary limit, as we do not want to compromise either the protection we offer customers or the rapid response provided by cloud look-ups.
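Since the look-ups surface as DNS traffic to sophosxl.net, an administrator baselining that traffic needs to recognise it reliably in resolver or firewall logs. The following is an added example, not Sophos code: it parses constructed DNS query log lines (the three-column format is an assumption) and counts Live Protection look-ups per endpoint, matching the zone on a label boundary so that look-alike names are not miscounted.

```python
import re
from collections import Counter

# Constructed sample resolver log (not real Sophos traffic). The assumed
# format is "<ISO timestamp> <client ip> <queried name>"; a trailing dot
# marks an FQDN, and one line is a look-alike name that must NOT match.
SAMPLE_DNS_LOG = """\
2024-03-01T09:00:01 10.0.0.11 a1b2c3.sophosxl.net
2024-03-01T09:00:02 10.0.0.11 www.example.com
2024-03-01T09:00:05 10.0.0.12 d4e5f6.sophosxl.net.
2024-03-01T09:00:07 10.0.0.13 notsophosxl.net
2024-03-01T09:01:10 10.0.0.12 778899.SOPHOSXL.NET
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def is_sxl_lookup(qname: str, zone: str = "sophosxl.net") -> bool:
    """True if qname is the SXL zone itself or a name under it.

    The trailing dot of FQDN form and letter case are normalised, and the
    comparison is made on a label boundary so 'notsophosxl.net' is rejected.
    """
    name = qname.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def parse_dns_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def sxl_lookups_per_client(text: str) -> dict:
    """Count Live Protection look-ups per endpoint address for baselining."""
    counts = Counter()
    for rec in parse_dns_log(text):
        if is_sxl_lookup(rec["qname"]):
            counts[rec["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, n in sorted(sxl_lookups_per_client(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {n} SXL look-up(s)")
```

Feed it your own resolver export in the same three-column shape to see which endpoints generate look-ups and at what rate; a host that never appears may have Live Protection disabled by policy.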