Sophos Live Protection uses in-the-cloud technology to instantly decide whether a suspicious file is a threat and take action specified in the anti-virus and HIPS policy.
Live Protection improves detection of new malware without the risk of unwanted detection. This is achieved by doing an instant lookup against the very latest known malicious files. When new malware is identified, Sophos can send out updates within seconds.
This article covers the options present in Sophos Live Protection on how to disable and enable them.
The following sections are covered:
Applies to the following Sophos product(s) and version(s) Enterprise Console
To take full advantage of Live Protection, ensure that the following options are enabled.
If the Anti-Virus scan on an endpoint computer has identified a file as suspicious but cannot further identify it as either clean or malicious based on the threat identity (IDE) files stored on the computer, certain file characteristics such as checksum are sent to Sophos to assist with further analysis. The in-the-cloud checking performs an instant lookup of a suspicious file in the SophosLabs database. If the file is identified as clean or malicious, the decision is sent back to the computer and the status of the file is automatically updated.
Select this option if you want on-demand scans to use the same in-the-cloud checking as on-access scanning.
If a file is deemed potentially malicious but cannot be positively identified as malicious based on its characteristics alone, Live Protection allows Sophos to request a sample of the file. If this option is enabled and Sophos does not already hold a sample of the file, the file is submitted automatically.
Submission of such sample files helps Sophos to continuously enhance detection of malware without the risk of false positives.
By default, Endpoint Security and Control sends file data such as checksums to Sophos, but does not send sample files.
If you use role-based administration*, then take note of the following before starting the procedure:
Note: For more information, see Designing sub-estates and role-based administration.
* What is role-based administration? By default the admin who installed SEC (System Administrator role) has all the rights and can perform any task. Role-based administration provides more limited admin access to other users.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable for us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.