Sophos Intercept X: Threat Protection Policy Best Practices


Intercept X is a powerful product. It’s got multiple layers of Protection to protect against lots of different threat vectors and doesn’t rely on one specific form of scanning. As we all know, however, great power comes with great responsibility. That responsibility, in our case, comes in the form of Policy configuration.

Misconfigured policies leads to critical pieces of that threat protection fortress of defence being inactive when the bad guy’s attack and put you in a position you do NOT want to be in as the IT guy. We know there’s a ton of configuration options available, and it can be a bit daunting at first.

Let’s break down the threat protection policy so you can configure your policy as securely as possible.

Endpoint Threat Protection Policy

  • To get to the Threat Protection Policy navigate to Endpoint>Policies> and either select an existing policy or create a new policy. Click the settings tab once you’re in a policy to view the configuration settings.

Recommended Settings

  • We recommend leaving this turned on. As long as you’ve installed Intercept X on the devices in your environment, they’ll get a policy that we deem secure today, and we’ll update it accordingly when we add new features in the future. 
  • Now there’s more to the policy like Scheduled system scans, device isolation, and exclusions, but we’ll talk about those in a minute. 

Initial Scan Settings

  • Live Protection allows the Antivirus to look up the latest threat information from Sophos Labs online on items that are being scanned.
  • Deep Learning is Machine learning or AI that can detect threats without the use of traditional signatures.
    • It scans Portable executable files, or PEs, before execution and provides a confidence score on if the PE is malicious or not
    • This scan is fast and is always done on a PE – even if you’ve excluded it, but if you excluded a PE it will disregard the result of the scan and allow the PE through. Since it doesn’t need a signature it has the ability to detect poly-morphic malware or even malware that has never been seen before – 0-day threats.
    • We test the detection models extensively before release to reduce the number of false-positives but there’s a small chance they can still happen.
  • Real-time Scanning is your protection on the device
  • It determines if the endpoint will scan PEs at execution. This includes (in order):
    • The Reputation scan
    • The Deep Learning scanner
    • The traditional signature-based scan
    • The Application Control scan 
    • If you turn real-time scanning off – all those other elements won’t work. 
  • Options
    • Scan downloads in progress
    • Block access to malicious websites: This denies access to websites that are known to host malware.
    • Detect low-reputation files: This warns if a download has a low reputation. The reputation is based on a file’s source, how often it is downloaded, and other factors. You can specify:
    • Action to take on low-reputation downloads: If you select Prompt user, users will see a warning when they download a low-reputation file. They can then trust or delete the file. This is the default setting.
    • Reputation level: If you select Strict, medium-reputation, as well as low-reputation files, are detected. The default setting is Recommended.
  • Remediation – Remediation is what actions to take once a threat is actually detected. We can see the “Enable Threat Case creation” slider on, which means when a threat is detected is will generate a threat case in the Threat Analysis Center. Threat cases are incredibly beneficial when investigating what happened when dealing with an infection, so you’ll want to keep that turned on.

Runtime Protection

  • Cryptoguard is your main ransomware protection for document files, which are commonly targeted.
  • It looks at specific file extensions and is triggered if a PE or process changes more than a threshold number of files in a specific time period. That change results in a suspicious alteration to the file, like the file is deleted or the extension is changed. This means that some archiving software can trigger CryptoGuard but we have exclusions to prevent this 
  • Protect from master boot record ransomware protects devices from Ransomware that encrypts the MBR, which may prevent startup, and from attacks that wipe the hard disk.  
  • Protect critical functions in web browsers (Safe Browsing) protects web browsers from being exploited.
  • This is looking for things like Javascript injections, SQL Cross site scripting, and other exploits that the website can force your web browser to action on your device.
  • Mitigate exploits in vulnerable applications and Protect process protects applications and processes that are most prone to exploitation.
  • We have options for which types to protect, but we recommend turning on all of them. These are common exploitation vectors like JAVA, Office Docs, and so on. These applications aren’t malicious, it’s the data being fed into them, making them do something malicious 
  • CPU branch tracing is specific to Intel processors and allows for tracing of processor activity for detections. 

EAP/New Features section:

Advanced Settings

Device Isolation

  • Device isolation is designed to prevent lateral movement of malware, such as worms, onto critical infrastructure. It injects a block into the network stack of the device when a red health status is detected.

Scheduled Scans

  • Because of real-time scanning and the background scanner that is always running, there’s not much need for full system scans. If you’re using scheduled scans, keep in mind that scanning archive files will significantly slow it down, so its best to leave that off. Remember that a malicious PE can’t execute from inside an archive. When the archive is extracted, we then scan the contents, and we’ll catch it then. It’s also important to note that if a scan is triggered before a full system scan is complete, it’ll end the first scan. So account for how long it takes to scan your devices. Consider the amount of data on the devices. File servers with hundreds of gigabytes are gonna take longer than your Windows 10 laptop. One scan a week, outside of working hours will generally be enough.


  • Now to the danger zone, we go with exclusions.  In some situations, exclusions may be unavoidable. Try to use a scalpel when making exclusions, not a hammer. What we mean is to try to be as exact and precise as possible. Don’t exclude entire drives. Exclude specific files or detections instead of entire folders.  We do health checks on customers and sometimes see things like the “D” through “H” drives excluded which is very risky.
  • Remember, any PE that falls under an exclusion will have no restrictions on running. It will be able to do whatever malicious action it wants.  
  • Before making exclusions, read through our documentation on scanning exclusions, and while making exclusions, read the exclusion description that’s displayed to make sure you’re using the right type of exclusion. 
  • Trying to make a file or folder exclusion for that detection won’t work because that applies to the real-time scanning, not active exploit mitigation 

Server Threat Protection policy

  • Switching over to the server-side of things, while all the settings are pretty much the same, they’re ordered a little different.  All the intercept X advanced features live at the top, and the Standard protection is underneath. If you have the Intercept X advanced license then enable all the advanced features for full protection.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.