Clarification on Missing profile-id in Linux Runtime Detection Policy

Question

Hi Sophos Community, 
 While reviewing the Server Linux Runtime Detection policy, I observed that the profile-id field is currently not defined , and only the default profile-version: 1 is set. 
 Based on my understanding, in Sophos XDR , both profile-id and profile-version must be explicitly configured together to activate the behavioral runtime protection engine on Linux servers. If profile-id is left blank, Sophos does not load any detection rules , which effectively disables behavioral runtime monitoring &mdash; even though the Central UI shows the policy as enabled. This seems to create a false sense of protection for Linux endpoints. 
 Could the community please confirm if this understanding is correct? 
 Additionally, I plan to configure the policy with appropriate settings as follows: 
 i) Example profile-id values:

sophos.default.server &rarr; General-purpose Linux servers

sophos.default.webserver &rarr; Web workloads (Apache, NGINX, etc.)

sophos.default.container &rarr; Docker/Kubernetes container environments

ii) Set profile-version to the latest available (e.g., 3 ) that is compatible with the selected profile-id . 
 Please let me know if there are any other best practices or risks I should be aware of when enabling behavioral runtime protection for Linux servers in production. 
 Thanks in advance!

Rutvik Chavda · Answer

Hello Suhas Khade, 
 Thank you for contacting the Sophos Community Forum and for your detailed observations regarding the Server Linux Runtime Detection policy in Sophos XDR. 
 You&rsquo;re correct: the profile-id and profile-version fields must be explicitly configured together for the behavioural runtime protection engine on Linux servers to be active. The system does not load any detection rules if the profile ID is left undefined or blank while the profile version is set. This effectively turns off behavioural runtime monitoring, even though the Central UI may indicate the policy is enabled. This behaviour can indeed create a false sense of security for Linux endpoints. 
 Your proposed configuration aligns with Sophos' best practices:

Use valid profile-id values such as:

sophos.default.server for general-purpose Linux servers

sophos.default.webserver for web workloads (for example, Apache, NGINX)

sophos.default.container for containerised environments, such as Docker or Kubernetes

Set the profile version to the latest supported version compatible with the selected profile ID, so you benefit from updated detection logic and enhanced protection.

Additional recommendations when enabling behavioural runtime protection for Linux servers in production:

Always validate policy configuration on a test or representative system before company-wide deployment.

Regularly update your runtime detection profiles to stay current with the latest SophosLabs content and detection improvements.

Continuously monitor logs and detection events to ensure the runtime engine is functioning as expected.

Please refer to these articles for reference: 
 Server Linux Runtime Detection Policy 
 Advanced Linux Runtime Detection Profile configuration 
 Linux Runtime Detection Profiles 
 Troubleshooting Sophos Protection for Linux 
 Let me know if you need any further help.