Hi there, this is a Sophos Certified Engineer course for Sophos Central Endpoint and Server Protection. 
This is module 1 - Overview. 
Sophos Certified Engineer
Sophos Central Endpoint and Server Protection ET15
Overview
July 2020
Version: 2.1
Product version: Sophos Central
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any 
means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this 
document may be the trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or 
representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any 
time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon 
Science Park, Abingdon, Oxfordshire, OX14 3YP.
Sophos Central Engineer v2.1.0 - 1
Sophos Certified Engineer
Sophos Central Endpoint and Server Protection
Overview
Version 2.1
This course is designed for technical professionals who will be demonstrating Sophos Central Endpoint 
and Server protection. It provides an overview of the protection Sophos Central provides to endpoints 
and servers including the major capabilities and core configuration concepts.
This course will take around eight hours to complete.
About This Course
This course is designed for technical professionals who will be demonstrating Sophos Central Endpoint and Server Protection. It provides an overview of the protection Sophos Central provides to endpoints and servers including the major capabilities and core configuration concepts.
Course Duration
• This course will take around 8 hours to complete
Prior to taking this training you should have completed and passed the Sophos Central Overview 
Certified Engineer course. 
We recommend students have the following knowledge and experience: 
✓ Experience working with Active Directory
✓ A good understanding of IT security
✓ A good understanding of Windows operating system
Prerequisites
Prior to taking this training you should:
✓ Have completed and passed the Sophos Central Overview - Certified Engineer course
We recommend students have the following knowledge and experience:
✓ Experience working with Active Directory
✓ A good understanding of IT security
✓ A good understanding of Windows operating system
To complete the Sophos Central Engineer certified course, you must complete and pass the online 
assessment that is available in the training portal. 
You will have 2.5 hours to complete the assessment, and can take four attempts to pass the 
assessment. The assessment may include questions on both theory and simulation content.
You must complete and pass the online assessment if you wish to register for the Sophos Central 
Endpoint and Server Certified Architect course.
Certification
To complete the Sophos Central Engineer certified course:
• Complete and pass the assessment in the training portal
• You have 2.5 hours to complete the assessment
• You have 4 attempts to pass the assessment
• The assessment may include questions on the theory or simulations
Course Agenda
1. Overview
2. Getting Started with Sophos Central
3. Endpoint Protection
4. Server Protection
5. Threat cases, reports and Troubleshooting
This course is split into five modules with practical simulations interspersed throughout the course to allow for application of the content discussed in the previous modules.
Development
Sophos Central is in constant development
This course's contents and labs are accurate at the time of writing
Sophos Central is in constant development. New features and improvements are frequently added 
several times a quarter. 
Depending on when you are studying this course, there may be differences between the content and 
the live version of Sophos Central. You can view a summary of changes via the ‘What’s New’ link within 
the Sophos Central Dashboard. Additionally, we recommend that you take some time to work through 
any Delta modules released subsequently to this course.
Course Objectives
Once you complete this course, you will be able to:
Explain how Sophos Central Endpoint and Server protection helps protect against security threats
Perform an installation of Sophos Central on Windows and Mac endpoints and Windows servers
Customize threat protection and control policies
Demonstrate threat protection and commonly used features
Manage threat cases and view reports
Use the Endpoint Self-Help Tool to identify and resolve issues on Windows endpoints
Once you have completed this course you will be able to explain how Sophos Central Endpoint and Server protection helps protect against security threats, and how to perform an installation of Sophos Central on Windows and Mac endpoints and Windows Servers.
You will learn to customize threat protection and control policies, and to demonstrate threat protection along with commonly used features. Additionally, this course covers how to manage threat cases, view reports and use the Endpoint Self-Help Tool to identify and resolve issues on Windows endpoints.
A glossary of technical terms used throughout the course can be found in knowledgebase article 118500.
Glossary of Technical Terms
A glossary of technical terms used throughout the course can be found in knowledgebase article 118500
https://community.sophos.com/kb/118500
Lab Environment
(Network diagram) The Student PC connects over the Internet to the CloudShare-hosted lab, which contains:
• DC.SOPHOS.LOCAL - IP: 172.16.1.10 - Windows Server 2016, AD Domain Controller
• CLIENTONE.SOPHOS.LOCAL - IP: 172.16.1.30 - Windows 10 Client
• CLIENTTWO.SOPHOS.LOCAL - IP: 172.16.1.40 - Windows 10 Client
This network diagram shows the environment that is used during the course and the simulations; you may find it useful for reference to provide additional context.
This diagram can also be found in the simulation workbook.
Feedback is always welcome
Please email globaltraining@sophos.com
TRAINING FEEDBACK
Feedback on our courses is always welcome.
Please email us at globaltraining@sophos.com with your comments. 
Throughout the rest of this module we will explain what security threats are and which are most 
prevalent. We will discuss how these threats are evolving and most importantly how Sophos Central 
Endpoint and Server Protection can prevent these threats from compromising your business. 
Security Threats
Top Security Threats (chart; source: State of Endpoint Protection Study 2018)
• Ransomware: 26%
• Advanced Malware: 20%
• Email Malware and Web Malware: 32% combined (20% and 12%)
• Generic Malware: 12%
• Cryptocurrency: 8%
RANSOMWARE: 54% of organizations hit by ransomware
ADVANCED MALWARE: Zero-day attacks, Worms, Trojans, File-less
EXPLOITS: Industrialized attacks, Flash, Downloaders, Behavioral
Traditionally the primary form of an attack was what we would now call ‘generic malware’. Generic 
malware attacks are protected against using traditional anti-virus solutions, however, these types of 
attacks make up just 12% of security threats, so what makes up the other 88%?
Advanced malware makes up 20% of global security threats, this type of threat includes zero-day multi 
stage attacks. WannaCry and Petya are examples of advanced malware that also have a ransomware 
payload. Ransomware is increasing, with 54% of organizations in 2017 being hit by ransomware. Email and web threats are also rising, making up 32% of security threats against organizations.
It is important to understand how exploits are becoming more prevalent across many of these 
categories, especially among the top four categories you see on this chart. Exploiting vulnerabilities is 
one of the fastest growing tactics among cybercriminals. To round out the chart, we’re seeing 
cryptocurrency mining now making up 8% of all threats we see. So what does this chart really tell us? 
That security threats are evolving and to protect your business it is essential to be using technology that 
can defend against all security threats. Endpoint and Server Protection from Sophos Central provides 
high level security to your endpoints across your network. To explain how it does this, let’s first look at 
how your network can be attacked.
The white paper for this can be found here: https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/endpoint-survey-report.pdf
Anatomy of Attack
(Diagram) Gain Access: user opens phishing email; a malicious script is launched and connects to a C&C server. Establish persistence: gains privileged access to your systems; establishes persistence. Vertical & lateral movement: credential theft; identify targets; move to other devices on the network. Monetize: drops new ransomware that encrypts local files.
Here we have a ransomware attack example. A user in your organization opens a phishing email which 
has a document attached. 
The user opens the document which has a unique malicious script embedded. Once the document is 
opened the script is launched and breaks out of the programme it was opened in. Part of the script is 
executed to communicate back to a command and control server.
This communication is temporary, as it is only valid whilst the document is open. To establish 
persistence, the attacker compromises another application on the machine that is in constant use. 
Through this application, the attacker is able to access your systems.
Now the attacker has access to your systems, they can steal credentials. They can also scan your 
network to identify targets for movement across your network. 
Using the credentials they can also move to other devices on your network and to further organisations. 
Furthermore, they can drop ransomware onto your network and encrypt your files. Your business is now 
unable to function. 
Let’s review what’s happened here, through the phishing email, the attacker gains access to one 
machine in your network. Using an exploit, the attacker gains privileged access to establish persistence. 
The attacker then moves vertically and laterally through your network with the end goal of extortion.
Intercept X Overview
(Diagram) Intercept X on the endpoint sends Status Updates to Sophos Central and protects against Ransomware and Zero-Day Threats; a Security Heartbeat links the endpoint to the XG Firewall.
So how does Sophos Central Endpoint and Server Protection stop this type of attack? 
Endpoint and Server protection incorporates Intercept X. This technology protects endpoints against 
malicious threats that bypass traditional anti-virus solutions. Typically, these threats are zero-day and 
ransomware. Intercept X focuses on identifying the technique used to compromise networks and 
devices rather than the threat itself. 
If Sophos XG Firewall is installed, synchronized security enables administrators to block any traffic 
passing through the firewall from a compromised endpoint, protecting the rest of your network from 
attack. 
Intercept X will report any actions back to Sophos Central allowing administrators to remotely control all 
protected endpoints. To learn more about Intercept X please complete the technical training course 
available in the Partner Portal. 
Protection Overview
• Control: Using Web, Application and Peripheral controls, restrict the transfer of sensitive data internally and externally.
• Pre-Execution: Proactive detection features that prevent malware from executing on your endpoints.
• In-Execution: Protection features that detect malicious activity being performed by running processes.
• Response: Quarantines, reports and cleans up attacks.
• Visibility: Full visibility of endpoint health and attack analysis.
Endpoint Protection is made up of layers of security. These layers provide comprehensive security for 
your network. The layers can be roughly categorized as control, pre-execution and in-execution. 
Endpoint protection responds to an attack and the Sophos Central Admin Console provides full visibility 
of attacks and the health of all protected endpoints. 
Let’s look at each of these categories. By implementing control mechanisms you can reduce your attack 
surface area and protect sensitive data. Pre-execution features consist of proactive detection features 
that prevent malware from executing on your endpoints. In-execution layers provide protection features 
that detect malicious activity being performed by running processes. 
In response to an attack, endpoint protection quarantines, reports and cleans up an attack. It provides 
full visibility of your endpoints’ health status and displays attack analysis. 
Control
• Web Control: Control access to Websites based on their category
• Application Control: Enables administrators to block specific apps from running
• Peripheral Control: Ensures removable media does not put your organization at risk
• Data Loss Prevention: Monitors and restricts file transfers containing sensitive data
Endpoint protection provides you with the tools to control which websites your users can access, the 
applications they can use and the exchange of data both externally and internally. 
By controlling which websites your employees can access using Web Control, you can make use of the web security feature. This uses category-based URL blocking to control users' access to the internet.
Application control enables administrators to block specific applications from running on corporate 
endpoints. This means that you can control those applications that may be vulnerable to an attack. 
Using peripheral controls ensures removable media cannot put your organization at risk. Data loss 
prevention controls accidental data loss by monitoring and restricting the transfer of files containing 
sensitive data. 
Pre-Execution
• File Scanning: Signature-based & Machine Learning
• Live Protection: Live lookups to Sophos servers
As we have mentioned, security threats are evolving therefore having just one layer of protection is not 
going to provide you with complete protection. To prevent an attacker from establishing persistence on 
your network should they get that far, endpoint and server protection uses the following technologies to 
scan, protect and analyse the behaviour of your machines across your network. 
Endpoint protection uses signature based file scanning to scan files before they are opened, this will 
ensure that if an attacker is using a known threat, the anti-malware file scanning will detect and block 
this. Signature based file scanning relies on having seen the type of malware previously and detecting it 
based on specific characteristics of the file. Machine Learning was introduced with Intercept X, it scans 
any file being read, opened or written to. Deep neural networks are able to extract multiple features 
from a file and determine if that file is malicious before the program executes. The Machine Learning 
scan is looking for the techniques used in exploits rather than the specific characteristics of a malicious 
file. 
Additionally, live lookups are used to check the files against Sophos Servers. If a new file with a not yet defined signature is being read, endpoint protection will check this file against the latest data on the Sophos Servers.
Pre-Execution
• File Scanning: Signature-based & Machine Learning
• Live Protection: Live lookups to Sophos servers
• Behaviour Analysis (HIPS): Scans for potentially malicious behaviour
• Download Reputation: File Reputation Scanning
To protect against zero-day malware attacks, endpoint protection uses behaviour analysis (HIPS) to scan 
the behaviour on an endpoint that could be potentially malicious, for example, opening files and making 
copies of the files. 
It also makes use of download reputation which will check the reputation of a file. If a file has a low 
reputation score the file will be blocked. 
In-Execution
• Anti Exploit: Detects and stops over 25 exploit methods used to compromise vulnerable applications.
• Malicious Traffic Detection (MTD): Monitors HTTP traffic to detect communication to known bad URLs such as command and control (C2) servers.
• WipeGuard: Provides disk and boot record protection
• CryptoGuard: Ransomware file protection
So what happens if malware gets through the control and pre-execution layers of protection in place? 
Endpoint Protection detects and removes malware. Anti-exploit technology which is part of Intercept X 
will detect and stop over 25 exploit methods used to compromise vulnerable applications. When exploit 
activity is detected, the exploited application will be terminated, the user notified of the detected 
activity and a clean up scan will be triggered. Behaviour monitoring (HIPS) also takes place at this layer 
of protection by monitoring potentially malicious behavior.
Malicious Traffic Detection (MTD) monitors HTTP traffic and is able to recognise communication to 
known bad URLs such as C2 (command and control) servers. MTD only monitors traffic from non-
browser applications because web protection monitors browser traffic. 
WipeGuard provides disk and boot record protection to prevent an attacker being able to infect your 
machines pre-boot. 
CryptoGuard provides ransomware file protection which prevents your files from being encrypted. 
Response
• Any malicious files detected are Quarantined
• Sophos Clean removes any detected files
• Synchronized Security Heartbeat allows for the isolation of the machine
Should malware be detected on your network, Endpoint Protection will quarantine the source of the 
infection and Sophos Clean will clean it up. 
Whilst this is happening, the Synchronized Security Heartbeat will send a message to your XG Firewall to 
change its status. In response, the XG Firewall can then isolate the client from accessing the Internet (to 
prevent contact with a command and control server) and other networks protected by the XG Firewall. 
In addition to this, the XG Firewall will share the MAC address of the computer that has a RED health 
status with other computers so that they can isolate themselves from it. Once Sophos Clean has 
successfully cleaned up the threat, the Security Heartbeat will send another message to the XG Firewall 
to say that the threat has been removed and the machine is then able to communicate with your 
network again.
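The isolation flow described above, as an added example that is not Sophos code: a small Python model in which the endpoint sends a heartbeat carrying its health status, the firewall blocks or restores the endpoint's access and shares its MAC address with peers, and a peer endpoint honours those notices. The message shapes, the GREEN/RED values, the sample MAC address and the rule that a repeated RED heartbeat produces no second peer notice are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Heartbeat:
    """One heartbeat from an endpoint to the firewall (assumed message shape)."""
    hostname: str
    mac: str
    health: str  # "GREEN" (clean) or "RED" (threat detected); values assumed


@dataclass
class Firewall:
    """Minimal model of the firewall side: which MACs are currently isolated."""
    isolated_macs: set = field(default_factory=set)

    def receive(self, hb: Heartbeat):
        """Apply the rule described in the text and return (decision, peer_notices).

        RED   -> drop the endpoint's internet and protected-network access and share
                 its MAC with peers so they isolate it too (once, not on every beat).
        GREEN -> if the MAC was isolated, lift the block and tell peers it is clean.
        """
        notices = []
        if hb.health == "RED" and hb.mac not in self.isolated_macs:
            self.isolated_macs.add(hb.mac)
            notices.append(("ISOLATE", hb.mac))
        elif hb.health == "GREEN" and hb.mac in self.isolated_macs:
            self.isolated_macs.discard(hb.mac)
            notices.append(("RESTORE", hb.mac))
        allowed = hb.mac not in self.isolated_macs
        decision = {"host": hb.hostname, "internet": allowed, "protected_networks": allowed}
        return decision, notices


@dataclass
class PeerEndpoint:
    """Another protected computer that honours the MACs the firewall shares with it."""
    blocked_macs: set = field(default_factory=set)

    def apply(self, notices):
        """Consume ISOLATE/RESTORE notices; return the MACs this peer currently blocks."""
        for action, mac in notices:
            if action == "ISOLATE":
                self.blocked_macs.add(mac)
            elif action == "RESTORE":
                self.blocked_macs.discard(mac)
        return set(self.blocked_macs)


def run_scenario():
    """CLIENTONE is infected, cleaned and restored; returns the step-by-step trace."""
    fw, peer = Firewall(), PeerEndpoint()
    mac = "00:11:22:33:44:55"  # constructed sample MAC address
    trace = []
    # Step 1: malware detected and quarantined, the endpoint reports RED.
    decision, notices = fw.receive(Heartbeat("CLIENTONE", mac, "RED"))
    trace.append((decision, peer.apply(notices)))
    # Step 2: a repeated RED heartbeat changes nothing and sends no duplicate notice.
    decision, notices = fw.receive(Heartbeat("CLIENTONE", mac, "RED"))
    trace.append((decision, peer.apply(notices)))
    # Step 3: Sophos Clean removed the threat, the endpoint reports GREEN.
    decision, notices = fw.receive(Heartbeat("CLIENTONE", mac, "GREEN"))
    trace.append((decision, peer.apply(notices)))
    return trace


if __name__ == "__main__":
    for step, (decision, blocked) in enumerate(run_scenario(), 1):
        print(step, decision, "peer blocks:", sorted(blocked))
```

The point of the repeated-RED step is that the state lives on the firewall: the peer list is driven by transitions, so a heartbeat that merely repeats the current status does not generate more notices, and a GREEN heartbeat from a host that was never isolated is a no-op.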
Visibility
• Dashboard
• Alerts
• Logs
• Reports
• Threat Cases & Searches
• Data Sharing API
Sophos Central Endpoint and Server Protection provides full visibility of your estate. Through the dashboard you can view the health of your machines, along with any alerts, which are split by severity so that you see critical alerts first.
You can view logs and run reports that can be customized. You can also share your data with 3rd party 
reporting applications should this be required using the Data Sharing API. 
Additionally, you can gather more information by accessing on-demand threat intelligence curated by 
SophosLabs. Threat cases and searches allow you to view security incidents, providing visibility of the 
scope of the attack, how it started, what was impacted and how to respond. The search feature enables 
you to scan all endpoints in your network for the same malicious files allowing you to clean up and block 
that attack. 
Protection Against Attack
(Diagram, the same attack chain as Anatomy of Attack) Gain Access: user opens phishing email; a malicious script is launched and connects to a C&C server. Establish persistence: gains privileged access to your systems; establishes persistence. Vertical & lateral movement: credential theft; identify targets; move to other devices on the network. Monetize: drops new ransomware that encrypts local files.
We have seen how an attack can happen and covered the features Endpoint Protection uses to prevent 
the attack at the different levels. 
To prevent an attacker gaining access, endpoint protection controls the applications users are able to 
use, it monitors the behaviour of the file and prevents the communication to the command and control 
server. Using signature-based and machine learning scanning, it detects malicious files. Behaviour 
monitoring and anti-exploit prevents the vertical and lateral movement across your network. 
WipeGuard prevents an attacker compromising your machines' boot and disk volumes, and CryptoGuard prevents ransomware from encrypting your files.
It is worth noting that some of the features discussed are active across multiple layers of protection. 
Through this course we will look at each feature in more depth and demonstrate how these are 
configured and managed. 
Traditionally, cybersecurity has used endpoint and server protection products to identify malicious files and firewalls to stop malicious traffic. These two cybersecurity defences work well in isolation; however, they are typically disconnected from each other. This disconnected approach means that an IT team will be manually correlating data between systems and identifying appropriate actions. This can take some time and often attacks are missed: research shows that 74% of data breaches go undiscovered for 6+ months.
Synchronized security takes a ‘full system’ approach to cybersecurity. Security solutions connect with 
each other in real time via a Security Heartbeat, working together to combat advanced threats. There 
are 3 pillars to this system: discover, analyze and respond. 
• Discover unknown threats. Sophos products automatically share information to reveal hidden risks 
and unknown threats. Sophos Central is able to see all network traffic, enabling identification of risky 
apps and malicious traffic. Additionally, it can identify risky users by correlating behaviours across 
multiple activities
• Real-time incident analysis and cross-estate reporting delivers instant insights, allowing you to see 
the full chain of events for an incident. This includes all files touched, and URLs/IPs communicated 
with
• Respond automatically to incidents. Adaptive policies automatically respond to infections and 
incidents. This allows those endpoints affected to be isolated, which stops attacks in real time
Synchronized Security
Discover
• Identify unknown threats
• See ALL network traffic
• Identify risky users, apps and malicious traffic
Analyze
• Real-time incident analysis
• Cross-estate reporting
• See the full chain of events for an incident
• Correlate network traffic
Respond
• Automatically respond to infections and incidents
• Isolate compromised endpoints
• Restrict access on trusted networks for non-compliant devices
• Initiate endpoint scans
Synchronized Security automates detection, isolation and remediation, which enables attacks to be neutralized in seconds.
Communication between firewalls and endpoints is facilitated by the Sophos Security Heartbeat, which creates a secure, two-way channel guided by Sophos Central.
In addition to the close integration between Sophos XG Firewall and endpoint and server protection, Synchronized Security also integrates with other Sophos solutions: Sophos Wireless, Sophos Mobile and SafeGuard Encryption. To learn more about these solutions please view our on-demand training courses.
Synchronized Security Overview
XG Firewall
• Security Heartbeat
• Peer isolation
• Synchronized App Control
• Configurable firewall rules
Sophos Wireless
• Guest Wi-Fi
• Hotspots
• Security Heartbeat
Sophos Mobile
• Control access to corporate networks
• Wipe, locate and disinfect compromised devices
SafeGuard Encryption
• Encrypt files
• Remove encryption keys on compromised endpoints
In the Sophos Central Overview course we explained that Sophos Central is supported on all major 
browsers. We recommend that you install or upgrade to a supported version of the listed versions.
System Requirements
Sophos Central is supported on:
• Microsoft Edge
• Mozilla FireFox
• Apple Safari
• Google Chrome
To get started with Sophos Central, you can sign up for a trial via the Sophos Website, browse to 
sophos.com/central and select Free Trial.
Registration
Sign up for your Sophos Central trial at sophos.com/central and click Free Trial
To log in to Sophos Central via your browser, navigate to https://central.sophos.com, which will take you to the login page. Enter your email address and password and select Sign In.
The dashboard view is the first thing you see when you login to your Sophos Central account. Once you 
have started to use Sophos Central to protect endpoints, the Dashboard will provide an immediate 
overview of the state of your account and will display the devices and users once they have been 
configured. 
Logging In
https://central.sophos.com
Complete the following simulation tasks in Module 1:
• Task 1.1: Register for and activate a Sophos Central trial
• Task 1.2: Review a ransomware threat
Module 1: Registration
• Complete the following simulation tasks for Module 1
▪ Task 1.1: Register for and activate a Sophos Central trial
▪ Task 1.2: Review a ransomware threat
Use the Simulation Workbook to view details of each task and access the simulations
On completion of this module, you should now be able to perform the actions shown here. Please take 
a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this 
module.
Module Review
• Now that you have completed this module, you should be able to:
▪ Identify common security threats and which threat types are most prevalent
▪ Explain how Sophos Central can detect and prevent security threats
Getting Started with Sophos Central
Version 2.1
Sophos Certified Engineer
Sophos Central Endpoint and Server Protection
Hi there, this is Sophos Central Engineer Endpoint and Server Protection. This is module 2: Getting 
Started with Sophos Central. 
Sophos Certified Engineer
Sophos Central Endpoint and Server Protection ET15 – Getting Started with Sophos Central
July 2020
Version: 2.1
Product version: Sophos Central
Getting Started with Sophos Central
Protection
• Requirements
• Installation options
• Installation demonstration
User Management
• Adding users
• Active Directory Sync
• Role Based Access
Update & Traffic Management
• Update Cache
• Message Relays
This module will explain how to get started with Sophos Central, reviewing how to add users, Active 
Directory Sync and role based access. It will demonstrate how to protect endpoints and servers, 
discussing the requirements, deployment options and installation. 
Additionally we will discuss the use of Update Caches and Message Relays. 
As we have discussed in the Sophos Central Overview course, users are a key element of management in 
Sophos Central. People can have policies assigned to them, be associated with devices and also be 
assigned administrative roles to manage Central.
To recap, users can be created in Sophos Central in several ways:
• You can create users manually
• Import a set of users using a CSV file
• The currently logged in user on a Windows or Mac computer is added as a new user during the 
installation
• When a new user logs into a managed Endpoint they are added to Sophos Central
• Synchronize users from Active Directory using the AD Sync Utility
Select the options to learn more about each of these methods of adding users.
Users
• Add users manually or import users from a CSV file
• The current user is added during the Endpoint installation or when a new user logs into a managed Endpoint
• Synchronize users from Active Directory with the AD Sync Utility
When you add a user manually, you provide their first and last name, email address, and optionally their login name for Exchange, which can be used to configure email access on mobile devices. The user can be assigned to one or more groups. When you click Save, the user is added to the users list.
When adding users using a CSV file, two download links are provided that give you access to a blank 
template with the correct header information required for the import to be successful. The second 
template is one that has example data. Clicking Browse, you select your CSV file and then click Add. 
Once the details have been added you will see a confirmation box that advises how many users have 
been added, updated or skipped. 
Adding Users Manually and using a CSV
Automatically Created from an Endpoint
Users are added to Sophos Central when the currently logged in user on a Windows or Mac computer is 
added as a new user during the installation and when a new user logs into a managed Endpoint they are 
added to Sophos Central. 
This short video demonstrates how this happens. 
A convenient way to add large numbers of users into your Central account is to set up a synchronization 
with your Active Directory (AD). This uses a small background service on a computer in your domain to 
perform a regular, one-way sync from your AD to your Central account. 
The AD Sync utility can be downloaded from the Central console in Global Settings > Active Directory 
Sync. Once AD Sync has performed its first synchronization from Active Directory you will be able to 
review the status from the same location you downloaded the tool from.
Please note that other directory services such as OpenLDAP and eDirectory are not currently supported.
AD Sync Utility
(Diagram) Domain Controller -> Server with AD Sync -> Sophos Central
We recommend installing and configuring AD Sync before you start deploying Sophos to your clients so 
that you can preconfigure the policies and apply them to users and groups.
AD Sync does not need to be installed onto a Domain Controller. Any computer that can connect to the 
Domain Controller can be used.
The Windows user that you configure in AD Sync to connect to Active Directory to gather the user and 
group information does not need administrative rights; any normal domain user that can read the 
directory is sufficient. Since the sync is one-way and read-only, a dedicated account with nothing more 
than directory read access is all that should be used here.
AD Sync Utility
Install and configure AD Sync before you start deploying to 
clients
AD Sync Utility does not need to be installed onto a domain 
controller
The Windows user configured for AD Sync Utility does not 
need administrator rights, it can be a normal domain user
Once you have added users to Sophos Central, clicking on an individual user in the users list will open up 
the details page for the user, which is divided into four tabs:
• Summary, which contains an overview of the other three tabs
• Devices
• Events
• Policies
The ‘Devices’ tab displays all of the devices the user has associated to them, and allows you to perform 
a number of actions on the devices, depending on whether they’re mobiles or computers.
The ‘Events’ tab displays all of the events for a user, which can be filtered by time range.
The ‘Policies’ tab displays the policies that apply to them.
User Details
Groups provide a way of applying policies to users with the same requirements. These groups can be 
manually created in Sophos Central as well as being synchronized from Active Directory. A user can be a 
member of multiple groups.
To add a group navigate to People > Groups > Add Group
Groups
You saw that when adding a user they are assigned a role, with User being the default. Sophos Central 
supports role-based access control. This allows users to be given administrative rights to Sophos Central 
by assigning them to one of the pre-defined admin roles.
As well as configuring a user’s role when creating or editing people, Role Management can also be 
configured by navigating to Global Settings > Role Management from the General Settings section. 
Clicking on any of the pre-defined roles will show the privileges they have and the Role Members.
Role-Based Access
Role-Based Access
Super Admin
• Full access
Admin
• Partial access
• Unable to manage user roles and role assignments
Read-only
• Read-only access
• Can view sensitive logs and reports
• Can receive alerts
Help Desk
• Partial access
• Can view sensitive logs and reports
• Receives alerts and can clear them
• Can update Sophos Agent software
• Can scan endpoints
• Read-only access to settings
Let’s take a moment to remind ourselves of the pre-defined roles. 
The Super Admin role has access to everything in Sophos Central. This role cannot be edited or 
deleted. Only those assigned the Super Admin role are able to make changes to Role Management. 
The Admin role has access to almost everything in Sophos Central, apart from the ability to manage 
roles and role assignments. 
The Help Desk role has read-only access to all settings in Sophos Central. In addition, the Help Desk 
role is able to look at sensitive logs and reports, receive and clear alerts, update the Sophos agent 
software on an endpoint and scan endpoints. The Help Desk role does not allow a user to assign policies 
or change settings. Because of these restrictions, a Help Desk user may find that some buttons are not 
displayed in the Sophos Central Admin console. 
The Read-only role has read-only access to all settings in Sophos Central; in addition, it can look at 
sensitive logs and reports and receive alerts. The Read-only role cannot manage roles or role 
assignments, assign policies, change settings, clear alerts, or update the Sophos agent software on 
endpoints. Because of these restrictions, all options are read-only when a user with this role logs into 
the Sophos Central Admin console. 
Sophos Central Engineer v2.1.0 - 48
Activity
Select the minimum role that will allow a user to view and clear alerts in 
Sophos Central
Super Admin
Read Only Admin
Help Desk
SUBMIT
In this activity please select the minimum role that will allow a user to view and clear alerts in Sophos 
Central. 
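As an added example (not Sophos code), the four pre-defined roles from the slide above are written down here as permission sets, so that a question like this activity can be answered mechanically and so that an administrator can spot console accounts that hold a bigger role than the tasks they actually perform. The capability names and the sample account list are this example's own shorthand for the bullets in the slide:

```python
"""Added example: the pre-defined Sophos Central roles as permission sets,
with a least-privilege lookup and an over-privilege audit. Capability names
are this example's shorthand, not identifiers from the product."""

# Least to most privileged; used to pick the smallest role that fits.
ROLE_ORDER = ["Read-only", "Help Desk", "Admin", "Super Admin"]

PERMISSIONS = {
    "Read-only": {"view settings", "view sensitive logs and reports", "receive alerts"},
    "Help Desk": {"view settings", "view sensitive logs and reports", "receive alerts",
                  "clear alerts", "update agent software", "scan endpoints"},
}
# Admin: everything Help Desk has plus the ability to change settings and assign policies.
PERMISSIONS["Admin"] = PERMISSIONS["Help Desk"] | {"change settings", "assign policies"}
# Super Admin: everything, including Role Management.
PERMISSIONS["Super Admin"] = PERMISSIONS["Admin"] | {"manage roles and role assignments"}


def can(role, action):
    """True if the pre-defined role grants the action."""
    return action in PERMISSIONS[role]


def minimum_role(actions):
    """Least privileged pre-defined role whose permissions cover every action."""
    needed = set(actions)
    unknown = needed - PERMISSIONS["Super Admin"]
    if unknown:
        raise ValueError(f"no pre-defined role grants: {sorted(unknown)}")
    for role in ROLE_ORDER:
        if needed <= PERMISSIONS[role]:
            return role


def over_privileged(assignments):
    """assignments: person -> (assigned role, set of actions they actually perform).
    Returns (person, assigned role, role that would suffice) for everyone holding
    more than their work requires."""
    findings = []
    for person, (role, used) in assignments.items():
        enough = minimum_role(used)
        if ROLE_ORDER.index(enough) < ROLE_ORDER.index(role):
            findings.append((person, role, enough))
    return findings


# Constructed sample: three console users and what they really do day to day.
SAMPLE_ASSIGNMENTS = {
    "service.desk@example.com": ("Admin", {"receive alerts", "clear alerts", "scan endpoints"}),
    "auditor@example.com": ("Read-only", {"view sensitive logs and reports"}),
    "it.lead@example.com": ("Super Admin", {"assign policies", "manage roles and role assignments"}),
}

if __name__ == "__main__":
    print("view and clear alerts ->", minimum_role({"receive alerts", "clear alerts"}))
    for person, held, enough in over_privileged(SAMPLE_ASSIGNMENTS):
        print(f"{person}: holds {held}, {enough} would be enough")
```

Run the audit periodically against your real assignments: because only Super Admins can change Role Management, every Super Admin beyond the minimum is one more account whose compromise would let an attacker rewrite the roles themselves.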
Endpoint System Requirements
Windows
• Windows 7, 8, 8.1, 10
• 2GB RAM
• 2GB Free Disk Space
Mac
• Mac OS X 10.11
• MacOS 10.12
• MacOS 10.13
• MacOS 10.14
• 2GB RAM
• 2GB Free Disk Space
https://sophos.com/kb/121027
Before you protect your endpoints, you should ensure that they meet the system requirements. 
The physical system requirements for a Windows endpoint are 2GB of memory and 2GB of free disk 
space. Mac endpoints likewise need 2GB of memory and 2GB of free disk space. 
A list of all system requirements can be found in knowledge base article: https://sophos.com/kb/121027
Server System Requirements
Windows
• Server 2008/R2
• Server 2012/R2
• Server 2016
• Server 2019
• 4GB RAM
• 5GB Free Disk Space
Linux
• x86_64 bit
• See knowledgebase article 16819 for supported distributions
https://sophos.com/kb/121027
The physical system requirements for your Windows servers are fairly simple: 4GB of memory and 5GB 
of free disk space on the server. 
For details of which Linux distributions are supported, please see knowledgebase article 
https://sophos.com/kb/16819 on the Sophos website. 
A list of system requirements for all Sophos products can be found in knowledge base article 121027. 
Deployment options
• Protect Devices
• Email Setup Link
• Bulk Deployment
• Migration from SEC
There are a number of ways to deploy the Sophos Central Agent onto your endpoints and servers. 
You can protect your endpoints by downloading the installer directly from Sophos Central, emailing the 
setup link to your users, configuring a bulk deployment, or migrating your endpoints from Sophos 
Enterprise Console.
Select each of these methods to learn more about them. 
The Certified Architect course explores the bulk deployment options for Windows, Mac and Linux and 
migration from Enterprise Console in more detail. 
Protect Devices
• Endpoint Protection
• Server Protection
The Protect Devices page is the starting point for deploying the Sophos Central Agent software. In the 
overview section, all device types that you are licensed to protect are listed.
Alternatively, if a product is selected from the MY PRODUCTS menu, Protect Devices is listed in the left-
hand menu for that product.
Endpoint Protection
Once downloaded you will see SophosSetup.exe, which can then be run on the endpoint it has been 
downloaded to.
NOTE: Only licensed components will be shown here
Endpoint Protection allows you to download Intercept X and Device Encryption as separate components 
or to install them by downloading the complete installer. Please note that the components listed will 
depend on your licensed products. 
For both Windows and Mac endpoints it is possible to select the components that should be included 
when the installer is downloaded, for example when the customer only wants to install Intercept X but 
not Device Encryption. 
The installers you download are unique to your Sophos Central account and will configure the endpoint 
to register with your account to be managed. Because the installer carries that account binding, treat it 
like a credential: any device that runs it enrols into your account, so do not publish it anywhere that 
untrusted parties can fetch it. 
For more information about software deployment methods, please see knowledgebase article 119625 
https://sophos.com/kb/119265.aspx 
Demonstration of Mac Endpoint Installation from Sophos Central
The installation of the Sophos Agent on a Mac OS endpoint is very similar to a Windows endpoint. This 
quick video demonstrates how a Mac endpoint installation is completed.
Server Protection
Server Protection provides:
• Exclusions for common server roles
• Process exclusions
• Environmental variables
• Server specific policies
Once downloaded you will see SophosSetup.exe, which can then be run on the server it has been 
downloaded to.
Server Protection is designed specifically for servers. Exclusions for common server roles can be 
applied automatically. Process exclusions and environment variables can be added to server policies, 
which give greater levels of control over the servers linked to them. 
Server Protection is available for Windows and Linux servers. It also includes Virtual Environment 
Protection for VMware ESXi and Microsoft Hyper-V, as well as support for servers hosted in Amazon 
Web Services (AWS) and Azure. 
Although listed separately in the Server Protection page, the same Windows installers will automatically 
detect a server class operating system and place the server in the servers list to streamline the 
deployment process. 
For more information see knowledgebase article https://sophos.com/kb/121636. 
Email Setup Link
You may wish for users to install protection on their own devices. To achieve this, you can email users a 
setup link. 
To do this, you would navigate to MANAGE PROTECTION > People. Select those users you wish to email 
the setup link to from the user list and select ‘email setup link’. When choosing to email the setup link to 
users, you are unable to select the components that are installed. All licensed components will be 
included by default. 
Within the email setup link window, you can also choose to send the Self Service Portal information to the 
user so that they can manage their own endpoint. 
Bulk Deployment
• Download SophosSetup.exe from Sophos Central
• Deploy the batch file using an AD script in Group Policy
• Use SCCM for bulk deployment
http://sophos.com/kb/120611
If you need to deploy the Sophos Central client software to a large number of Windows computers, you 
can download SophosSetup.exe from Sophos Central and push it to your endpoints through one of the 
automated deployment methods: either Active Directory scripts in your Group Policy, or Microsoft 
System Center Configuration Manager (SCCM) to distribute and install the Endpoint Agent. 
Please note that you should not bulk-deploy a user-specific SophosSetup.exe received via the email setup 
link. If you do, all devices will be associated with the Sophos Central user the link was sent to. 
For more information see knowledgebase article 120611 – Methods for automating the deployment of 
Sophos Central software to Windows computers. 
For organizations that use virtual machines, it is common to install all software on a ‘gold machine’ and 
then run multiple instances of it. This can cause problems for Sophos Central because every clone 
attempts to use the same identity in the Central Admin Console. The steps needed to force clients to 
re-register with Central are described in knowledgebase article 120560 – How to install Sophos Central 
Endpoint on a gold image avoiding duplicate identities. 
Migration from Sophos Enterprise Console (SEC)
1. Consider possible issues with migration
2. Check the requirements for migration
3. Install Sophos Central Migration Tool
4. Check which computers can be migrated
5. Set up new policies in Sophos Central
6. Migrate computers
7. Migrate the on-premise management server
For more information please see KBA: https://sophos.com/kb/122264
Another option for deployment is to migrate endpoints that are already protected by on-premise 
Sophos Enterprise Console (SEC), which provides protection for workstations and servers. If you already 
have a SEC installation with your endpoints and servers protected, you can migrate these to be 
managed by your Central account. To migrate your computers to Sophos Central, follow these key steps: 
1. Consider possible issues with migration, such as endpoints that are unprotected during migration, 
changing policy settings, and endpoints where updating is configured differently
2. Check the requirements for migration. Please see Knowledgebase article 121751 to view 
unsupported features
3. Install the Sophos Central Migration Tool
4. Check which computers can be migrated. This is done in the Migration Tool
5. Set up new policies. The Migration Tool does not migrate your policy settings
6. Migrate computers. This is done in the Migration Tool by selecting the required computers and 
clicking Migrate
7. Migrate the on-premise management server
For more information please review Knowledgebase article 122264, which describes how to perform a 
migration in more complex environments.
Update Caches and Message Relays
UPDATE CACHE: Downloads updates from Sophos Central and stores them in a cache that is available on 
a network
MESSAGE RELAY: Enables your devices to communicate all policy and reporting data using a dedicated 
server
For more information see the FAQ: https://sophos.com/kb/122577
Misconfiguration of Update Caches can cause unintended consequences. We recommend completing 
the Sophos Central Architect course to learn more.
An Update Cache server downloads updates from Sophos Central and stores them in a cache available 
on the network. When a device needs to update, it contacts the Update Cache server to get the updates 
from the cache. 
An Update Cache set up as a Message Relay can remove the requirement for direct access to Sophos 
Central altogether. A Message Relay enables your devices to communicate all policy and reporting data 
via a dedicated server. 
Some common scenarios where Update Caches and Message Relays are either required, or will be a 
benefit, are:
• Where there are sites that have either low or limited bandwidth
• Networks that have restricted Internet access, or no direct Internet access
For maximum benefit, configure an Update Cache before deploying Endpoint Software. 
We strongly recommend that you take the time to understand what an Update Cache and Message 
Relay will do in your network if configured. Further information is included in the Architect course, 
additionally, please see Sophos Central Update Caches Frequently Asked Questions 
https://sophos.com/kb/122577
The Update Cache software creates a local warehouse on your network for clients to update from. An 
Update Cache listens on TCP port 8191 to serve updates, and needs outbound TCP port 443 to receive 
updates from Sophos Central. 
Message Relays work in a similar way to Update Caches, but for management traffic rather than 
updates. The Message Relay listens on TCP port 8190 for management traffic.
Once one or more Update Caches have been deployed and an endpoint updates it will automatically try 
to update from the closest Update Cache. If none of the Update Caches can be reached, the endpoint 
will try to update from Sophos Central directly. 
Endpoints select a Message Relay using the same method as for Update Caches.
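As an added example (not Sophos code), this is one way to model the selection rule just described: nearest reachable Update Cache first, then Sophos Central directly; the same walk for management traffic, skipping caches that are not also Message Relays. The 'distance' figures, the hostnames, the symbolic "Sophos Central" fallback and the idea that reachability is a plain TCP connect are this example's assumptions; `plan()` is the entry point and `offline_demo()` runs it with a fake probe so that it works without a network:

```python
"""Added example: model of how an endpoint picks its update source and its
management path. Assumptions: caches are ranked by an abstract 'distance',
reachability is a TCP connect, and Sophos Central is the fallback for both."""
import socket

UPDATE_PORT = 8191      # Update Cache: update traffic
RELAY_PORT = 8190       # Message Relay: policy and reporting (management) traffic
CENTRAL = ("Sophos Central", 443)   # symbolic fallback; the agent knows the real hostnames


def _tcp_connect(host, port, timeout):
    """Real TCP connect probe: True if the port answers within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_source(caches, port, connect=_tcp_connect, timeout=1.0):
    """Pick the server for traffic on `port`.

    caches: iterable of (host, distance, is_relay); lower distance means closer.
    Walks the caches nearest first and returns (host, port) of the first one that
    answers, or CENTRAL when none does. For management traffic only caches that
    are also Message Relays are candidates, because a relay can only be deployed
    on an Update Cache and a plain cache does not carry management traffic.
    """
    for host, _distance, is_relay in sorted(caches, key=lambda c: c[1]):
        if port == RELAY_PORT and not is_relay:
            continue
        if connect(host, port, timeout):
            return (host, port)
    return CENTRAL


def plan(caches, connect=_tcp_connect):
    """Both decisions an endpoint makes: where to update from and where to send management traffic."""
    return {"updating": choose_source(caches, UPDATE_PORT, connect),
            "management": choose_source(caches, RELAY_PORT, connect)}


# Constructed sample topology: cache-a is nearest but is only an Update Cache;
# cache-b is further away but is also a Message Relay.
SAMPLE_CACHES = [("cache-a.corp.example", 5, False),
                 ("cache-b.corp.example", 20, True)]


def offline_demo(up):
    """Run plan() with a fake probe: `up` is the set of (host, port) pairs that answer."""
    return plan(SAMPLE_CACHES, connect=lambda host, port, _timeout: (host, port) in up)


if __name__ == "__main__":
    everything_up = {("cache-a.corp.example", 8191), ("cache-b.corp.example", 8191),
                     ("cache-b.corp.example", 8190)}
    print("all caches up:  ", offline_demo(everything_up))
    print("cache-a down:   ", offline_demo(everything_up - {("cache-a.corp.example", 8191)}))
    print("no cache reachable:", offline_demo(set()))
```

The point of the worked topology is the split that the text describes: updates go to the nearest cache even though it is not a relay, while management traffic skips it and goes to the nearest relay; only when nothing answers does either path fall back to Sophos Central, which is exactly the case a network with no direct Internet access must avoid.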
Update Cache and Message Relay Overview (diagram): Office-based Users, Servers / Virtual Servers, 
Roaming Users / Home Workers and Mobile Devices; the Update Cache & Message Relay serves Updating 
on TCP:8191 and Management on TCP:8190; Sophos Central is reached over TCP:443 (HTTPS).
Update Caches can be installed onto supported Windows Servers that have 5GB of free disk space and 
port 8191 available. On Windows Servers the Update Cache installer opens port 8191 in the Windows 
Firewall.
The server needs a Server Standard Protection license, and Server Protection must be installed on it, 
before an Update Cache can be deployed to it. 
The recommended specifications for Update Cache servers are:
• 2 CPUs and 4GB of RAM to serve up to 2,000 computers
• 4 CPUs and 8GB of RAM to serve up to 5,000 computers
If the server is performing other roles, additional RAM and CPUs will be needed. Message Relays can 
only be deployed on Update Caches and, in addition to the Update Cache requirements, need port 8190 
to be available. There are currently some limitations when using Message Relays; please see the 
knowledge base article for a list of these: https://sophos.com/kb/122577
Update Cache & Message Relay Requirements
Pre-Requisites: Update Cache
• 5 GB of free disk space
• Port 8191 available (inbound)
• Uses ports 80 and 443 (outbound)
• Windows 2008/2008 R2/2012/2012 R2/2016
Pre-Requisites: Message Relay
• Update Cache
• Port 8190 available
Sizing
• Up to 2,000 computers: 2 CPUs, 4 GB RAM
• Up to 5,000 computers: 4 CPUs, 8 GB RAM
Learn More: https://sophos.com/kb/122577
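As an added example (not Sophos code), the checker below encodes the minimums given in this module for endpoints, servers, Update Caches and Message Relays and compares a host against them, including the cache sizing table. It assumes that "port available" can be judged by attempting to bind the port locally (a bind that fails means something already listens there) and that RAM is supplied by the caller, because the Python standard library has no portable way to read it:

```python
"""Added example: pre-flight check against the minimums listed in this module.
The figures are the course's; the port probe and the role names are this
example's own way of expressing them."""
import shutil
import socket

# Minimums from the slides: RAM and free disk in GB, inbound TCP ports that must be free.
REQUIREMENTS = {
    "endpoint":      {"ram_gb": 2, "free_gb": 2, "ports": ()},
    "server":        {"ram_gb": 4, "free_gb": 5, "ports": ()},
    "update_cache":  {"ram_gb": 4, "free_gb": 5, "ports": (8191,)},
    "message_relay": {"ram_gb": 4, "free_gb": 5, "ports": (8191, 8190)},  # a relay is always also a cache
}
# Update Cache sizing: (clients served up to, CPUs, RAM in GB)
CACHE_SIZING = [(2000, 2, 4), (5000, 4, 8)]


def cache_sizing(clients):
    """Return (cpus, ram_gb) recommended for an Update Cache serving `clients` computers."""
    for limit, cpus, ram_gb in CACHE_SIZING:
        if clients <= limit:
            return cpus, ram_gb
    raise ValueError("more than 5,000 clients: the slides give no single-server sizing, use several caches")


def evaluate(role, ram_gb, free_gb, cpus=None, busy_ports=(), clients=0):
    """Compare a host's facts against the minimums; returns a list of failures (empty means it passes)."""
    req = REQUIREMENTS[role]
    failures = []
    if ram_gb < req["ram_gb"]:
        failures.append(f"RAM {ram_gb} GB is below the {req['ram_gb']} GB minimum")
    if free_gb < req["free_gb"]:
        failures.append(f"free disk {free_gb} GB is below the {req['free_gb']} GB minimum")
    for port in req["ports"]:
        if port in busy_ports:
            failures.append(f"TCP {port} is already in use on this host")
    if role in ("update_cache", "message_relay") and clients:
        want_cpus, want_ram = cache_sizing(clients)
        if ram_gb < want_ram or (cpus is not None and cpus < want_cpus):
            failures.append(f"{clients} clients call for {want_cpus} CPUs and {want_ram} GB RAM")
    return failures


def port_in_use(port, host="0.0.0.0"):
    """True when something already listens on the port: the bind a new listener would need fails."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
            return False
        except OSError:
            return True


def check_this_host(role, ram_gb, cpus=None, clients=0, path="/"):
    """Gather free disk and port facts from the running host (RAM is passed in by the caller)."""
    free_gb = shutil.disk_usage(path).free / 2**30
    busy = tuple(p for p in REQUIREMENTS[role]["ports"] if port_in_use(p))
    return evaluate(role, ram_gb, free_gb, cpus, busy, clients)


if __name__ == "__main__":
    # Example: is this machine, with 8 GB RAM and 4 CPUs, fit to be a relay for 3,000 clients?
    problems = check_this_host("message_relay", ram_gb=8, cpus=4, clients=3000)
    print("PASS" if not problems else "\n".join(problems))
```

Run it on the candidate server before clicking Set Up Cache/Relay; the port probes are the part that the console's requirement list cannot check for you.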
Update Cache & Message Relay Configuration Demonstration 
This demonstration shows how to configure a server as an Update Cache and a Message Relay. 
You will need to be logged into the Sophos Central Admin Console. From the dashboard, select Global 
Settings from the left-hand menu. Scroll down to the Server Protection section and select Manage 
Update Caches and Message Relays. The drop-down menu allows you to filter the list to easily select 
Cache Capable Servers. 
Select the server(s) that you want to set up as the Update Cache and Message Relay and click Set Up 
Cache/Relay. In the Set Up Update Cache and Message Relay window you can choose to set up only an 
Update Cache, or to also set up a Message Relay. The server requirements are listed here, as well as 
the ports that will need to be available. Once you have selected your options, click Setup. 
The Update Cache configuration will take some time: it installs the software and downloads the 
configuration. Once it has completed, the Cache Status will change to ‘Active’. You can view the Update 
Cache status of a server on the SUMMARY tab in the Server Protection view. Once the Update Cache has 
been configured, Sophos Central will automatically configure all managed endpoints to update from 
the cache. 
In Global Settings > Manage Update Caches and Message Relays you can see which endpoints have 
been updating from the Update Cache(s) you have activated. You should do this a few hours after 
deploying the Update Cache to ensure that no endpoints are updating from the cache that should not 
be.
You can also choose to manually assign endpoints to specific Update Caches. To assign computers 
manually, move them from the ‘Available Computers’ on the left, to the ‘Assigned Computers’ on the 
right.
Managing Update Cache & Message Relay Clients
Module 2: User Configuration and Protection
• Complete the following simulation tasks in Module 2
▪ Task 2.1: Manually add users and groups
▪ Task 2.2: Install and configure Active Directory Sync
▪ Task 2.3: Configure role-based access
▪ Task 2.4: Deploy Sophos Protection to Endpoints
▪ Task 2.5: Deploy Sophos Protection to a Server
Use the Simulation Workbook to view details of each task and 
access the simulations
On completion of this module, you should now be able to perform the actions shown here. Please take 
a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this 
module.
Module Review
• Now that you have completed this module, you should be able to:
Explain the methods for adding users to Sophos Central
Configure role-based access to provide appropriate permissions to users
Identify the deployment options available for Windows endpoints and servers
Install Sophos Central on Windows and Mac endpoints and Windows servers
Hi there, this is the Sophos Certified Engineer course for Sophos Central Endpoint and Server Protection. 
This is module 3: Endpoint Protection.
Sophos Certified Engineer
Sophos Central Endpoint and Server Protection ET15 – Endpoint Protection
July 2020
Version: 2.1
Product version: Sophos Central
Sophos Certified Engineer
Sophos Central Endpoint and Server Protection
Endpoint Protection
Version 2.1
In this module we will describe how to manage your protected endpoints in Sophos Central and how to 
configure the policies that will provide them the best protection and control the data your users are able 
to access. We will also describe how to add exclusions, use content control lists and rules and explain 
the use of Tamper Protection.
Additionally, we will demonstrate the best way to remove Endpoint Protection from an endpoint. 
Endpoint Protection
Control
• Exclusions
• Tamper Protection
• Content Control Lists & Rules
Removal
• Removing Endpoint Protection
Management
• Endpoint Management
• Policies
Sophos Central Architecture (diagram): Remote Office, Main Office and Roaming endpoints; MCS 
(management) and Updating connections to Sophos Central.
A key benefit of Sophos Central is that it does not matter where the endpoints are located. No server 
hardware is required to manage the endpoints as all management takes place in the cloud-based 
management system. 
All endpoints communicate with the Sophos Central Console via Management Communications System 
(MCS) over the Internet using HTTPS. By default all endpoints obtain the latest threat updates directly 
from online Sophos warehouses, however, you can configure a server update cache if needed.
Manage Endpoint Software
Select the components you want to install on your endpoints
All protected endpoints are listed in the Endpoint Protection Computers page; navigate to MANAGE 
PROTECTION > Computers in the left-hand menu. The Computers page lists the name, IP address and 
OS of your protected endpoints. Additionally, it lists the components that are installed on the endpoint 
and the last user that logged in. 
Components can be assigned to or removed from endpoints by selecting the endpoint(s) from the list 
and selecting Manage Endpoint Software. 
For each component you will see a list of eligible and assigned computers based on which endpoints 
have the component assigned and which do not. You can move endpoints from eligible to assigned and 
click Save. 
Computers
Filter your endpoints and manage your endpoint software
In the Computers view in Endpoint Protection, you can filter your endpoints. Here, we have filtered the 
view to only show Windows Computers. 
You can edit an endpoint by selecting the checkbox; once selected the delete option becomes available. 
Computer Groups
Create Computer Groups
To manage a large estate of computers, you can create computer groups for your endpoints. Select Add 
Computer Group. 
Give the computer group a name and optionally a group description. You can then move those 
computers you wish to be part of that group into the group and save the changes. 
Once you have saved the changes, you will see the computer group appear in the list of computer 
groups. 
Please note, computers can only be a member of one computer group. 
Endpoint Protection Policies
Policies are applied in the order they appear. 
The base policy is always applied last
Policies are used in Sophos Central to define the security measures that will be applied to protected 
endpoints. Policies are split into different areas of protection (threat protection, web control and so 
on) and Sophos Central comes pre-configured with a base policy for each area. These base policies 
contain Sophos’ recommended settings and apply to all users and computers. 
To exercise more granular control, you can create additional policies with different settings and apply 
them to specific users, user groups, computers or computer groups. You can clone an existing policy or 
create a new one.
A device receives one policy of each type, and the order in which the policies of that type appear in the 
list in Sophos Central decides which one it gets, regardless of whether the policy type is user or 
computer. Sophos Central uses a first-match approach: the list is walked from the top, and the first 
policy assigned to the user, user group, computer or computer group in question is the one applied. 
The base policy has no assignments of its own and is always evaluated last, so it applies only when 
nothing above it matches.
Best practice is therefore to configure your base policies so that they cover all standard scenarios 
and then create additional policies only for the specific computers or users that need other settings.
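As an added example (not Sophos code), the function below implements the first-match rule just described: walk the policy list in order, return the first policy of each area whose assignment covers the user, one of the user's groups, the computer or its computer group, and fall back to that area's base policy. It also flags a mistake the ordering rule makes easy: a policy placed below a broader policy of the same area that can therefore never win. The policy names, areas and targets are constructed sample data:

```python
"""Added example: first-match policy resolution and a shadowed-policy check.
Policy names and assignments are sample data, not a real Central tenant."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    kind: str                                   # area of protection, e.g. "Threat Protection"
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    computers: set = field(default_factory=set)
    computer_groups: set = field(default_factory=set)
    base: bool = False                          # base policies have no assignments and always match

    def matches(self, user, user_groups, computer, computer_group):
        if self.base:
            return True
        return (user in self.users
                or bool(self.user_groups & set(user_groups))
                or computer in self.computers
                or computer_group in self.computer_groups)      # a computer is in one group only


def effective_policies(ordered_policies, user, user_groups, computer, computer_group):
    """Return {kind: policy name}: for each area of protection the first policy in list order
    that matches. Base policies are consulted last whatever their position in the list."""
    ranked = ([p for p in ordered_policies if not p.base]
              + [p for p in ordered_policies if p.base])
    chosen = {}
    for policy in ranked:
        if policy.kind in chosen:
            continue                            # this area already has its first match
        if policy.matches(user, user_groups, computer, computer_group):
            chosen[policy.kind] = policy.name
    return chosen


def shadowed(ordered_policies):
    """Names of non-base policies that can never apply, because an earlier policy of the
    same kind already targets every user, group, computer and computer group they target."""
    result, seen = [], []
    for p in (p for p in ordered_policies if not p.base):
        for earlier in seen:
            if (earlier.kind == p.kind
                    and p.users <= earlier.users
                    and p.user_groups <= earlier.user_groups
                    and p.computers <= earlier.computers
                    and p.computer_groups <= earlier.computer_groups):
                result.append(p.name)
                break
        seen.append(p)
    return result


# Constructed sample list, in the order it would appear in the console.
SAMPLE_POLICIES = [
    Policy("Finance lockdown", "Threat Protection", user_groups={"Finance"}),
    Policy("Kiosk PCs", "Threat Protection", computer_groups={"Kiosks"}),
    Policy("Developers web", "Web Control", user_groups={"Engineering"}),
    Policy("Finance web", "Web Control", user_groups={"Finance"}),
    Policy("Finance web (old)", "Web Control", user_groups={"Finance"}),   # sits below a duplicate
    Policy("Base Threat Protection", "Threat Protection", base=True),
    Policy("Base Web Control", "Web Control", base=True),
]

if __name__ == "__main__":
    print(effective_policies(SAMPLE_POLICIES, "ada", {"Finance", "Engineering"}, "pc-1", "Kiosks"))
    print(effective_policies(SAMPLE_POLICIES, "bob", {"Sales"}, "kiosk-1", "Kiosks"))
    print("never applied:", shadowed(SAMPLE_POLICIES))
```

Note what the first run shows: Ada on a kiosk gets "Finance lockdown", not "Kiosk PCs", purely because the user-group policy sits higher in the list; if the kiosk policy is the one that must win on that hardware, it has to be moved above the finance one.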
Endpoint protection policies can be applied to users and user groups meaning that they apply regardless 
of the computer being used. 
They can also be applied to computers and computer groups, in which case they ensure consistent 
protection that is not affected by the user that logs in. 
To learn about the policies select the policy name on the left. When you have selected all policies, click 
Finish.
Policies
Policies are split into different areas of protection.
To learn about each policy select the policy name on the left.
When you have selected all policies, click Finish.
• Peripheral Control
• Data Loss Prevention
• Update Management
• Threat Protection
• Application Control
• Web Control
• Windows Firewall
The threat protection policy helps you to keep your users protected against malware, risky file types and 
websites, and malicious network traffic. 
To create a threat protection policy navigate to CONFIGURE > Policies > Add Policy. From the drop-down 
menu select Threat Protection, then select whether the policy will be applied to users or devices.
In the USERS tab you can apply the policy to the required users. Similarly, if you are creating a policy to 
be deployed to multiple users, you can use the GROUPS tab to apply it to specific groups. 
On the SETTINGS tab you will see an Active Adversary Mitigations drop-down menu. We recommend that 
you enable these features (until they are automatically released for all users): select Custom from the 
drop-down menu and select all of the available options.
‘Use recommended settings’ is enabled automatically. The recommended settings provide the best 
protection you can have without complex configuration. Please note that if Sophos changes its 
recommendations in the future, your policy will automatically be updated with the new settings. 
Although settings will be enabled for you by default, it is useful to know what they mean. 
Live Protection – Checks suspicious files against the latest information in Sophos Labs. You can select to 
enable live protection during scheduled scans and automatically submit malware samples to Sophos. 
This will send a sample of detected malware to Sophos for analysis. 
Deep Learning – Deep Learning uses advanced machine learning to detect threats. It can identify known 
and previously unknown malware and potentially unwanted applications without using signatures.
Policies: Threat Protection (continued)
Real-time scanning – Local Files and Network Shares – Scans files as users attempt to 
access them, denies access unless the file is clean. On Read means that files will be 
scanned when a file is opened. On Write means that files will be scanned when the 
file is saved. 
Real-time scanning – Internet – Scans internet resources as users attempt to access 
them. Detect low-reputation files will warn a user if a download has a low reputation. 
The reputation is based on a file’s source, how often it is downloaded and other 
factors. You can specify the action to take, the user can be given the option to trust or 
delete a file with a low-reputation score. Prompt user is the default setting here. For 
the reputation level, if you select strict, medium-reputation as well as low-reputation 
files will be detected. The default setting is recommended. 
Remediation – Sophos Central will attempt to clean up detected malware 
automatically. If this is successful, the alert in Sophos Central against the 
compromised endpoint is deleted. The detection and clean up are displayed in the 
events list. Threat Cases are created to assist with investigating the malware infection 
allowing you to pinpoint areas to improve your security. Please note that automatic 
clean up is not performed for portable executable (PE) files like applications, libraries 
and system files. PE files are quarantined and can be restored. 
Runtime Protection – Protects against threats by detecting suspicious or malicious 
behaviour or traffic. Here you can protect your files from ransomware (CryptoGuard), 
your master boot record from ransomware and destructive attacks (WipeGuard) and 
your web browsers against exploitation by malware. Additionally, you can select to 
mitigate exploits in vulnerable applications which protects the applications most 
prone to exploitation by malware. You can protect the processes on your endpoints 
which helps prevent the hijacking of legitimate applications by malware.
Runtime protection also detects traffic between an endpoint computer and a server 
that indicates a possible attempt to take control of the endpoint computer (a C2 
server) and detects malicious behaviour (HIPS) which can protect against unknown 
threats by detecting and blocking behaviour that is known to be malicious or is 
suspicious. 
Device Isolation, when enabled, allows computers to isolate themselves if they have a 
red health status. Once isolated, the computer will isolate itself from the network, 
however, it will still communicate with Sophos Central. 
Scheduled scanning, Scanning Exclusionsand Desktop Messaging can be configured in 
the threat protection policy however, we will discuss these later in this module. 
Policies: Peripheral Control
To control the data coming into and going out of your business, Sophos Central allows you to control 
peripheral devices being used on protected endpoints. You can restrict access to devices on an endpoint 
such as USB sticks and wireless network cards. Peripheral control policies let you both monitor and 
block the use of removable devices and other peripherals on your Windows and Mac endpoints. 
By setting the access policy to allow or block, you can control access to these peripherals on your users’ 
devices. For storage media, such as USB or optical drives, you can also set them to be read-only, and 
wireless devices can be prevented from being used in bridge mode. 
Any detected peripherals will be recorded and can then be used in the exemptions section to specify an 
explicit rule for a particular peripheral. For example, a detected optical drive may be blocked in the 
overall policy settings, but an exemption can be created for a particular optical drive model. 
Policies
Application Control in Sophos Central lets you monitor and manage the applications that your users 
have access to. In the policy, you can define all of the applications that you want to control, and whether 
you want them to be detected on user access and/or during scans. 
You can also choose to allow or block the controlled applications, so this feature can be used to track 
and restrict your users' activities. Any detections are shown on the endpoint's properties page in the 
Central Console. 
To get started, click on the add/edit list button. You will see a popup containing a comprehensive list of 
applications, organised into categories. This list is populated and maintained by Sophos and contains all 
of the applications that you are likely to want to control. If you have an application that is not in the list, 
just let us know via the link in the bottom of the policy section and we will add it for you. 
You can choose a single application within a category, or select everything currently in that set. You can 
also choose to automatically add any new applications that Sophos adds to the category in the future. 
For example, if you wanted to block all browser toolbars, you’d select everything currently in the toolbar 
category, and check the box shown to automatically add any future toolbars that are added. 
Policies
Data Loss Prevention (DLP) is part of Endpoint Protection and controls accidental data loss by 
monitoring and restricting the transfer of files containing sensitive data. For example, it can be used to 
prevent a user sending a file containing sensitive data home using web-based email. 
In the SETTINGS tab you will see an option to Use rules for data transfers. Turn this on to create and use 
rules, or turn it off to stop using rules, for example in a policy that you use to exempt certain users. 
Once switched on, you can create a rule from a template based on your region, or create a new rule. 
You can add an existing rule, create a new content rule or create a new file rule. Each option lets you 
set conditions, such as where the file contains certain content or where the destination is of a certain 
type, and exclusions, such as where the file name matches a pattern or the file type is a given type. 
Finally, you determine the action. The event is always logged, and the action can be to allow the file 
transfer, allow the transfer if the user confirms, or block the transfer. 
Data Loss Prevention Policies contain one or more rules. It is possible to add an existing content or file 
rule to a policy or create a new rule. Rules and content control lists that will be used across multiple 
policies can be managed from Global Settings. 
Policies
Web Control is part of Endpoint Protection and is focused on giving the administrator control over web 
browsing. This complements Web Protection, which is part of the threat protection policy and is 
designed to prevent threats reaching the web browser. For the additional security options section, you 
can choose how risky files, advertisements and uncategorized files are dealt with on the endpoint. You 
can use the Sophos recommended settings or specify yourself how each type of file should be 
processed, based on categories such as ActiveX controls and PDF Files. 
The acceptable web usage section allows you to control which websites your users are allowed to visit. 
There are four pre-set categories: keep it clean, gentle guidance, conserve bandwidth and business only. 
Each applies different settings to allow, block or warn for various categories and sub-categories of 
websites. Alternatively, you can specify your own settings, should you want more granular control over 
certain websites or categories. 
You can choose to log all attempts to visit blocked sites, along with instances where users proceed past 
warnings, or choose only to log attempts to visit infected sites. It is possible to change the default 
behaviour of Web Control for specific websites. This can be achieved either by applying tags to them, 
which can then have an action configured for them in the policy, or by overriding the default category 
for the website. Website customization is located in Global Settings, website management. 
Customization can be applied for single URLs, domains, TLDs (top level domains), IP addresses and CIDR 
ranges (subnets). Once configured the websites can be added to the custom sites section of policies and 
then have specific actions defined for them that override the settings elsewhere in the policy.
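As an added illustration (not Sophos code), the Python below models how custom-site entries of the kinds listed above (a single URL, a domain, a TLD, an IP address or a CIDR range) can be matched against a requested URL so that their action overrides the default set elsewhere in the policy. The precedence order used here (a more specific entry wins over a broader one) and the sample entries are assumptions made for the example.

```python
"""Model of Web Control custom-site matching. Added example, not Sophos code.
Entries can be a single URL, a domain, a TLD, an IP address or a CIDR range,
each carrying the action that should override the rest of the policy.
The specificity order below is an assumption made for this example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CustomSite:
    kind: str    # "url", "domain", "tld", "ip" or "cidr"
    value: str
    action: str  # "allow", "warn" or "block"


# Assumed precedence: an exact URL beats a domain, a single IP beats a CIDR range.
SPECIFICITY = {"url": 5, "ip": 4, "domain": 3, "cidr": 2, "tld": 1}


def _split(url: str):
    """urlsplit needs a scheme; bare hosts are treated as http."""
    return urlsplit(url if "://" in url else "http://" + url)


def matches(site: CustomSite, url: str) -> bool:
    """True when the requested URL falls under this custom-site entry."""
    req = _split(url)
    host = (req.hostname or "").lower()
    if site.kind == "url":
        want = _split(site.value)
        same_host = host == (want.hostname or "").lower()
        prefix = want.path.rstrip("/")
        return same_host and req.path.rstrip("/").startswith(prefix)
    if site.kind == "domain":
        dom = site.value.lower()
        return host == dom or host.endswith("." + dom)
    if site.kind == "tld":
        return host.endswith("." + site.value.lower().lstrip("."))
    # IP-based entries only apply when the request went to a literal address.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    if site.kind == "ip":
        return addr == ipaddress.ip_address(site.value)
    if site.kind == "cidr":
        return addr in ipaddress.ip_network(site.value, strict=False)
    return False


def decide(url: str, sites: list[CustomSite],
           default: str = "allow") -> tuple[str, Optional[str]]:
    """Return (action, matched entry). The most specific matching entry wins;
    with no match, the action configured elsewhere in the policy applies."""
    best: Optional[CustomSite] = None
    for site in sites:
        if matches(site, url) and (
                best is None or SPECIFICITY[site.kind] > SPECIFICITY[best.kind]):
            best = site
    if best is None:
        return default, None
    return best.action, f"{best.kind}:{best.value}"


# Constructed policy entries for the demonstration.
SITES = [
    CustomSite("tld", "zip", "block"),
    CustomSite("domain", "example.com", "allow"),
    CustomSite("url", "example.com/downloads", "warn"),
    CustomSite("cidr", "198.51.100.0/24", "block"),
    CustomSite("ip", "198.51.100.7", "allow"),
]

if __name__ == "__main__":
    for u in ("https://files.example.com/", "https://example.com/downloads/tool.exe",
              "http://archive.zip/", "http://198.51.100.20/",
              "http://198.51.100.7/admin", "https://unlisted.org/"):
        print(u, "->", decide(u, SITES))
```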
Policies
Update Management Policies can be used to specify when product updates become available to 
devices. Different scheduled times can be applied to computer groups. 
This policy only affects product updates, not updates to threat information. 
Firewall Policy
You can monitor and configure Windows Firewall and monitor other registered firewalls on your 
computers using a Windows Firewall policy. 
Please note that other firewalls or Windows Group Policy settings may affect how the policy is applied 
on individual endpoints. We advise that you test any firewall rules you create to ensure that 
communication with Sophos is allowed. 
In the monitor type, select the level of monitoring you require. 
Monitor Only – This is the default option; it enables devices to report their firewall status to Sophos 
Central. 
Monitor and Configure Network Profiles – As well as reporting their firewall status, devices can be 
configured to block or allow inbound connections on Domain, Private and Public networks. You can select 
Block All, Block with exceptions or Allow all.
Exclusions
Earlier you saw where to add exclusions in a threat protection policy. It is also possible to configure 
global exclusions for scanning, which can be useful to allow certain files, websites or applications to 
be used even if they are being detected as malware by the scanning engine. 
You can exclude applications from protection against security exploits, for example, you might want to 
exclude an application that is incorrectly detected as a threat or PUA, until the problem has been 
resolved. Additionally, if you have device isolation enabled, you may want to add an exclusion for the 
source IP addresses or range that are allowed to connect to computers using Remote Desktop Protocol 
(RDP). Usually this would be the IT admin machines. 
Global exclusions can be applied by navigating to Sophos Central Admin Console > Global Settings > 
Global Exclusions. To add an exclusion, select the Exclusion Type from the drop-down menu. Once 
selected enter the value of the exclusions, the file path, the website name or the process for example. 
Please note that some third party applications such as SQL Server and Microsoft Exchange have 
recommended exclusions which apply to all anti-virus products. Details of these can be found in 
knowledgebase article 35970. 
Exclusions
These exclusions apply to just this policy and 
therefore to devices or users depending on 
your policy configuration
These exclusions apply to all users
Let’s see how this looks in a policy. In the exclusions section of the SETTINGS tab you can view all of the 
global exclusions that have been configured. Please note that these exclusions apply to all users and are 
only added, edited or removed via System Settings > Global Exclusions.
You can add policy exclusions within a specific threat protection policy if required. These exclusions will 
apply to just that policy and therefore only to those devices or users that have had the policy assigned. 
Tamper Protection
• Prevents users from uninstalling Sophos Protection
• Prevents users from modifying the protection settings
• Can be disabled however this is NOT recommended
Tamper Protection can be used to prevent users from uninstalling the Sophos Endpoint Agent or 
modifying their protection settings. This means that certain parts of the client software are read-only 
unless the user authenticates with the tamper protection password. 
Tamper protection is enabled by default, however, it can be disabled using Global Settings. Each 
endpoint is assigned a unique tamper protection password that can be viewed by checking the ‘show 
password’ tick box. You can also generate a new password should this be required by clicking ‘Generate 
New Password’. 
The ability to disable tamper protection is included so that the endpoint software can be removed by an 
administrator if required. 
Content Control Lists (CCL) 
Select Content Control Lists from the Global Settings menu
Data Loss Prevention policies use Content Control Lists (CCL) to define a set of conditions that specify 
file content. For example, credit or debit card numbers or bank account details near to other forms of 
personally identifiable information. 
Content Control Lists (CCL) 
Sophos Labs provide a large number of pre-defined CCLs. To reduce the number of CCLs shown in the 
list, it is possible to filter by region, source and type. 
Each content list description can be viewed by hovering over the information icon. Additionally, you can 
select to export, clone or remove a specific item. You can create your own content control lists if you 
have custom requirements. These are referred to as Custom Content Control Lists. 
Custom CCLs are covered in more depth in the Endpoint and Server Certified Architect course. 
Rules
To create a new rule select from Content or File rules
If data is matched to a CCL, rules are used to define the action taken. 
• To create a new rule based on content, select New Content Rule
• To create a new rule based on a file type, select New File Rule
A content rule is a rule that controls the transfer of certain types of data whereas a file rule controls the 
transfer of certain file types or file names. 
Content Rules
When creating a new content rule you will enter the name and description of the rule. Please note that 
the description is what will be displayed when you hover over the information icon therefore, the 
description needs to accurately describe what the content rule is for. 
You can then define which exclusion is applied, ‘where the file name matches’ or ‘where the file type is’. 
You also set the action to take here, for example block transfer. Clicking Next Rule Configuration will 
allow you to define the conditions of the content along with the destination. Additionally, you can add 
any exclusions to this content rule and click Finish. 
The new rule will be listed, hovering over the information icon will display the description of the rule. 
Rule Actions
Creating file rules follows the same process as content rules.
The actions that can be defined for a rule are: 
• Allow transfer
• Allow transfer if user confirms
• Block transfer
Whichever action is selected will be logged. This allows you to build up a picture of data transfer in your 
network. This information can then be used to guide creation of additional rules. 
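As an added example (not Sophos code), the Python below sketches the logic a content rule built on a CCL such as the "card numbers near other PII" list described earlier performs: a Luhn-valid card number found close to another PII term satisfies the content condition, the destination and the file-name/file-type exclusions are checked, and every evaluation produces a log record whatever the action. The proximity window, PII terms, rule and sample transfers are all constructed for this example.

```python
"""Model of a DLP content rule driven by a Content Control List (CCL).
Added example, not Sophos code; terms, window and samples are constructed."""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Terms that count as "other personally identifiable information" (constructed list).
PII_TERMS = ("date of birth", "dob", "passport", "national insurance", "account number")
PROXIMITY = 100  # characters either side of a card number searched for a PII term


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out digit runs (invoice numbers) that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ccl_card_near_pii(text: str) -> list[str]:
    """The CCL condition: Luhn-valid card numbers within PROXIMITY of a PII term."""
    lowered = text.lower()
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            continue
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        if any(term in window for term in PII_TERMS):
            hits.append(digits)
    return hits


@dataclass(frozen=True)
class ContentRule:
    name: str
    destinations: frozenset[str]             # e.g. web, email, removable
    action: str                              # "allow", "confirm" or "block"
    exclude_name_globs: tuple[str, ...] = ()
    exclude_types: frozenset[str] = frozenset()

    def evaluate(self, filename: str, file_type: str, destination: str, text: str) -> dict:
        """Apply the rule to one transfer and return the log record."""
        record = {"rule": self.name, "file": filename, "destination": destination,
                  "matched": False, "excluded": False, "action": None}
        if destination not in self.destinations:
            return record                    # "where the destination is" not met
        if file_type in self.exclude_types or any(
                fnmatch.fnmatch(filename.lower(), g) for g in self.exclude_name_globs):
            record["excluded"] = True        # "where the file name matches" / "file type is"
            return record
        hits = ccl_card_near_pii(text)
        if hits:
            record.update(matched=True, action=self.action, cards=len(hits))
        return record


RULE = ContentRule("Card data near PII", frozenset({"web", "removable"}), "block",
                   exclude_name_globs=("*.sig",))

# Constructed sample transfers: (filename, file type, destination, content).
SAMPLES = [
    ("customers.xlsx", "xlsx", "web",
     "J. Smith, date of birth 01/02/1980, card 4111 1111 1111 1111"),
    ("invoice.pdf", "pdf", "web", "Invoice 1234 5678 9012 3456, date of birth not held"),
    ("receipt.txt", "txt", "web", "Card 5500 0000 0000 0004 charged, expires 12/24"),
    ("export.csv.sig", "sig", "web", "passport P12345, card 5500 0000 0000 0004"),
    ("notes.txt", "txt", "local", "dob 1990-01-01, card 4111-1111-1111-1111"),
]


def evaluate_samples() -> list[dict]:
    """Evaluate every sample; each call yields a log record regardless of outcome."""
    return [RULE.evaluate(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for rec in evaluate_samples():
        print(rec)
```

Only the first sample is blocked: the invoice number fails the Luhn check, the receipt has no nearby PII term, the .sig file is excluded by name, and the local transfer is not a destination the rule covers.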
Deleting Endpoints
Disable Tamper Protection
If you wish to delete an endpoint, firstly you need to remove the Tamper Protection from the device so 
the endpoint software can be uninstalled. 
The endpoint agent can then be uninstalled by locating and removing the software on the endpoint. 
Once completed, you can delete the endpoint from Sophos Central.
Deleting Endpoints
Remove the Endpoint Agent (Windows)
Remove the Endpoint Agent (Mac)
Once Tamper Protection has been disabled, the endpoint agent can be removed from the endpoint. 
The example shows what this looks like on both a Windows and Mac endpoint. For the Mac Endpoint, 
we did NOT disable Tamper Protection in the Central Console. 
Deleting Endpoints
Removal confirmation (Windows)
Removal confirmation (Mac)
Before you remove the endpoint agent, you will see a confirmation message asking if you are sure you 
want to remove the endpoint agent. 
For Mac endpoints you will click Continue. For Windows, you will click Uninstall. 
Deleting Endpoints
Tamper Protection password is requested
Mac admin password is required
For the Mac endpoint, we did not disable Tamper Protection through the Central Console. During the 
removal process on the Mac, the user is asked to enter the Tamper Protection password before being 
allowed to remove the Endpoint Agent. 
For Mac devices, the user will also need to confirm their administrator password to allow the helper tool 
to run which aids the removal. 
Deleting Endpoints
Removal Process (Windows)
Removal Process (Mac)
The endpoints will show the status of the removal or uninstall of the endpoint agent. 
Deleting Endpoints
Uninstall Successful (Windows)
Removal Successful (Mac)
Once the Endpoint Agent has been removed/uninstalled successfully a confirmation message will be 
displayed on the endpoint. 
Deleting Endpoints
A reminder is provided to ensure you have removed the Sophos software from the endpoint and that 
tamper protection has been disabled
To remove an endpoint from the Sophos Central Endpoint Protection Console, select it from the list of 
endpoints and then click Delete. 
You will see a confirmation window to ensure that you really mean to delete the endpoint from your 
Central Console. Once you select Delete, the endpoints will be removed from the Sophos Central 
Endpoint Protection Console, however, this deletion process ONLY removes the device from the 
Console, it will not remove the Endpoint Agent from the device itself. 
Recover Tamper Protection Passwords
Click View details to view the tamper protection password for current and deleted endpoints
In the Logs & Reports section you can use the Recover Tamper Protection passwords report. Using this 
report, an administrator can access the tamper protection passwords of computers that were deleted 
from Sophos Central prior to the uninstallation of the client.
This is especially useful if a client was deleted from Central BEFORE the Endpoint Protection Agent was 
removed on the client. Please note, tamper protection passwords for deleted computers are saved for 
90 days. If you do need to access a deleted device after 90 days please see the instructions in this 
Knowledgebase article: https://sophos.com/kb/124377
Module 3: Endpoint Protection Policies
• Complete the following simulation tasks in Module 3
▪ Task 3.1: Test Threat Protection with the Recommended Settings
▪ Task 3.2: Create and test a Threat Protection Policy
▪ Task 3.3: Configure and Test Application Control
▪ Task 3.4: Configure and Test Web Control
▪ Task 3.5: Configure and Test Data Loss Prevention
Use the Simulation Workbook to view details of each task and 
access the simulations
Module Review
• Now that you have completed this module, you should be able to:
▪ Customize threat protection and control policies
▪ Demonstrate how to manage protected endpoints in Sophos Central
▪ Uninstall Sophos Central Endpoint Protection from Windows and Mac endpoints
On completion of this module, you should now be able to perform the actions shown here. Please take 
a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this 
module.
Hi there, this is the Sophos Certified Engineer course for Sophos Central Endpoint and Server Protection. 
This is module 4, Server Protection. 
Sophos Certified Engineer
Sophos Central Endpoint and Server Protection ET15 – Server Protection
July 2020
Version: 2.1
Product version: Sophos Central
This module covers Server Management, explaining the server policies and the configuration of 
exclusions. We will demonstrate Server Lockdown and explain why this is a useful feature for your 
business. 
We will discuss file integrity monitoring and explain its uses and benefits. Additionally, we will explain 
how to protect your Virtual Environments using Server Protection. 
Server Management
File Integrity Monitoring
• Overview
• Policy 
• Management
Server Management
• Policies
• Exclusions
Virtual Environments
• SVM and GVM
• AWS
• Azure
Server Lockdown
• Overview
• Policy
• Management
Servers
All protected Servers are listed under the Servers tab
Windows and Linux servers appear in the Sophos Central Admin Console in a similar way to endpoints. 
You access the servers view via the dedicated Server Protection menu. Servers are deployed in the same 
way as endpoints and you will see a list of all of the servers that are linked to your account in the Servers 
tab. All Servers are listed with the Name/OS, IP address, when they were last active, the group they are 
associated with, the License they are using and the lockdown status.
Server Details
The Server Protection view displays the information about that server
Selecting a server from the server list will display the Server details. From this view you can view the 
SUMMARY of the server, the most recent events, the last update on the server, the IP address and 
operating system of the server. 
The EVENTS tab displays all of the events for the server which can be filtered if required. 
The STATUS tab displays the servers’ health. If a server does have an alert or a warning you can 
acknowledge and resolve those in the STATUS tab of a server record. 
The EXCLUSIONS tab allows you to view the exclusions the server has in place. You can search these and 
filter them. 
The APPLICATIONS tab allows you to view a list of applications that are currently installed on the Server. 
The POLICIES tab simply displays the policies applied to the server. 
Exclusions
Up-to-date automatic application exclusion list can be found here: https://sophos.com/kb/121461
We mentioned the exclusions tab previously. In this tab, you can see any files or folders that are 
excluded from scanning for threats. A number of applications used on servers, such as Exchange, have 
files which must be excluded from scanning in order to prevent issues. Exclusions can be added using 
global settings or through a specific server policy you configure.
Exclusions for common Windows server applications can be automatically applied. The Real-time 
scanning option to ‘Automatically exclude activity by known applications’ is enabled by default. The 
Server’s Exclusions tab can be used to view the exclusions configured. 
Knowledgebase article 121461, linked from the policy, includes the current known applications for 
automatic exclusions. https://sophos.com/kb/121461
Note: The exclusion information is delivered as a data feed to enable Sophos to add new roles over 
time. As with endpoints, process exclusions, environment variables and more advanced exclusions can 
be added to server policies. For more information see 
https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ExclusionsVariablesWindows.html
There are two Server Protection licenses, Server Protection and Intercept X Advanced for Servers. 
The Server Protection license includes all of the standard real-time scanning protection, Web Protection, 
detection of command and control traffic and Sophos Security Heartbeat. In addition to these threat 
protection features, it also includes the control policies for peripherals, applications, web, Data Loss 
Prevention, Windows Firewall and File Integrity Monitoring, as well as Server Lockdown.
All of the functionality is available for Windows Servers. Linux Servers have real-time scanning with Live 
Protection, detection of command and control traffic and Sophos Security Heartbeat.
Intercept X Advanced for Servers includes all of the server protection features and adds significant 
real-time protection, including machine learning.
Threat Protection Features

Server Protection (all of these are also included in Intercept X Advanced for Servers):
• Real-time scanning - Local files and network shares *
• Live Protection *
• Detect malicious behavior (HIPS)
• Scan downloads in progress
• Block access to malicious websites
• Detect low-reputation files
• Detect network traffic to command and control servers *
• Sophos Security Heartbeat *
• Automatic cleanup of malware

Intercept X Advanced for Servers additionally includes:
• Protect from master boot record ransomware
• Protect document files from ransomware (CryptoGuard)
• Protect critical functions in web browsers (Safe Browsing)
• Mitigate exploits in vulnerable applications
• Prevent credential theft
• Prevent code cave utilization
• Prevent APC violation
• Prevent application verifier exploits
• Prevent privilege escalation
• Prevent process hollowing attacks
• Prevent DLLs loading from untrusted folders
• Machine Learning

* Supported on Linux Servers

Control features (both licenses):
• Peripheral Control
• Application Control
• Web Control
• Lockdown
• Data Loss Prevention
• Windows Firewall
• File Integrity Monitoring
Threat Protection Policies
Server policies define the security measures that will be used for your servers.
It is important to note that unlike endpoint protection policies, when you add a policy it can only be 
applied to servers or server groups. There is no option to select for the policy to be applied to users. 
It is important to note that not all new features are enabled in the policy by default. This is because 
enabling new functionality without warning may have unexpected consequences.
When you login to Sophos Central you will see notifications when new features are released, and you 
can make the decision when to enable them, and whether to use a pilot group for the new features 
before enabling them for your whole estate.
You can also access the information about new features from the Help menu in Sophos Central.
Enabling New Features
Not all new features are enabled by default
Server Policies Demonstration
Policies for servers are configured in the same way as for endpoints. The base policy exists for each 
policy category. We recommend creating new policies to be applied to different servers that use the 
configuration required specifically for your servers. 
The main difference to note is that server policies can only be applied to Servers or Server groups. This 
means that they apply to the server itself, irrespective of the user logged in. This ensures that your 
server will always be protected by the settings you define. 
Policies are available for threat protection, peripheral control, application control, web control, server 
lockdown, data loss prevention and update management. These are similar to the policies provided for 
client computers but have been modified where appropriate for server use.
Server Lockdown
Whitelist – Known good applications are whitelisted
Locked down Server – Existing Applications are trusted
New Applications – New Applications are not able to run unless approved by the Sophos Central Administrator
The server lockdown feature allows you to restrict the applications that can run on your servers, and 
also which of them can interact with each other. 
It uses drivers that reside in the operating system kernel and works by creating an initial whitelist of 
known good applications.
When you enable lockdown, all existing applications that are installed on the server are trusted. The 
difference between trusted and whitelisted applications is that trusted applications can make changes 
to the system, and those changes are reflected in whitelist updates, whereas whitelisted applications 
are not able to make changes to the system and therefore do not change the whitelist. 
Once a server has been locked down, new applications won’t be able to run unless explicitly approved 
by the Sophos Central administrator.
The Server Lockdown settings in a policy can be used to change what is allowed without the need to 
unlock the server. For example, you might want to add and run new software. It may also be beneficial 
to configure the policy before choosing to Lockdown the server because the specified files/folder will 
not be scanned and added to the whitelist. This decreases the overall time taken to generate the 
whitelist. The Lockdown process itself scans all local drives, so any policies will need to cover all local 
drives.
Allowed files/folders permits new software to run. It also allows existing software (for example, 
installers or updaters) to run and modify other applications. An example may be a folder used to store 
trusted installers.
CAUTION: This option “trusts” the software, so that any files it creates or changes are also allowed. This 
is different from the process when you lock down a server, which only allows the software itself to run.
Blocked files/folders can be used to block software that is currently allowed to run or to block a specific 
folder for applications, such as installers, that you want to make available to other users on the network, 
but don’t want to run on your server. An example may be a share or filer location.
Note: installers held in a share can be executed on a remote computer without the share being in the 
allowed files and folders; the allowed list is only required for local execution on the server. In the same 
way, you cannot prevent a shared installer from being run on a remote computer by adding it to the 
blocked files and folders.
Server Lockdown Policy
The process for adding and updating applications is to manually download the installer, add the installer 
filename to the 'Allow software to run and to modify other files' lockdown policy, and to run the installer 
manually. Once the software has been installed or updated, the installer filename can be removed from 
the policy. This process adds the installed application files to the local whitelist so that the application 
can be executed.
Adding applications to the ‘Allow software to run and modify other files’ in the lockdown policy can have 
unwanted effects and can reduce the security of a server. Please note that adding applications such as 
firefox.exe or filezilla.exe will mean that every file they download becomes trusted to execute on that 
server. If these applications have been installed using the process shown above this does not happen.
For more information and other applications that should be manually configured see knowledgebase 
article 122263. https://sophos.com/kb/122263
Adding and Updating Applications
• Manually download the installer
• Allow the installer filename in the policy
• Run the installer manually
• Remove the installer filename from the policy
Avoid allowing applications such as FireFox.exe and FileZilla.exe in the Lockdown policy, as files downloaded by the allowed applications would then be allowed.
Other examples can be found in: https://sophos.com/kb/122263
Adding Applications to a locked down server
Let’s take a look at this in action. 
Firstly we run Firefox Installer.exe, which fails as the server lockdown prevents the installer from 
running. So we login to Sophos Central and browse to the Server Policies. 
We edit the Server Lockdown policy and add the file path of Firefox Installer.exe as an allowed file. We 
save the changes. 
Once the policy has updated on the server, we run the installer again, this then successfully installs 
Firefox onto the server. We then return to the Server Lockdown Policy in Central, edit it again and 
remove the file path from the allowed list. We save the changes and wait for the server to be updated. 
Now when running Firefox from the desktop shortcut it opens without issue. 
Managing a Locked Down Server
LOCKDOWN EVENTS tab displays all events from the lockdown server
Click Request Report/Update Report to view the latest details
The LOCKDOWN EVENTS tab will appear in the server properties page once lockdown has been applied. 
This tab will display any triggered warnings or events relating to the Lockdown status of the server. 
Please note that following the Lockdown you will need to click Request Report to view the reports, and 
then Update Report to view any updated lockdown events. 
Unlocking a Locked Down Server
• To unlock a server select Unlock and then confirm that you want to unlock the server
To unlock a locked down server, you simply browse to the locked down server in the servers list and 
select Unlock. 
Please note that once a server is unlocked, unauthorized activities on that server will no longer be prevented. A confirmation message is displayed for you to confirm that you do wish to unlock the server.
Once unlocked, the server returns to its unlocked state and the execution of all files is allowed without them having to be on a whitelist.
File Integrity Monitoring
Why monitor? Additional security; compliance
What is monitored? Files; registry entries
Find out more: Default Monitoring Locations https://sophos.com/kb/132146; FAQ https://sophos.com/kb/132846
Sophos File Integrity Monitoring can assist you either by monitoring critical systems for additional security or by helping you meet PCI DSS compliance. It can monitor files as well as registry keys and values, and comes preconfigured with default rules while also allowing you to add monitoring locations and exclusions via policy.
The default monitoring locations are documented in knowledgebase article 132146: 
https://sophos.com/kb/132146 and Frequently asked questions can be found in knowledgebase article 
132846: https://sophos.com/kb/132846
Please note, if you select a folder, we monitor the folder by default but not the files in it. To monitor the 
files, you must fill out ‘Monitor these file types’. To stop monitoring the folder, deselect Monitor changes 
to the folder as well as the files. If you select a Registry Key, we monitor the key but not the values in it. 
You must use the location type Registry Value to monitor values.
Sophos File Integrity Monitoring is installed by default, but it is only enabled when the Use File Integrity 
Monitoring setting is turned on in the Policy.
There are two configurable Policies for File Integrity Monitoring as shown here:
• Custom monitoring lets you add files, folders, registry keys or registry values to the list of monitored 
items. This is in addition to the critical Windows system files that are monitored by default
• Monitoring exclusions lets you exclude files, folders, registry keys or registry values to the list of 
monitored items. For example, you may decide to exclude a critical Windows system file that is 
monitored by default
Rules are evaluated with the following order of preference:
1. Custom monitoring exclusions
2. Custom monitoring inclusions
3. Default Sophos exclusions
4. Default Sophos inclusions
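The four-step order of preference above, together with the earlier note that a folder entry covers the folder itself but not its files unless file types are specified, can be expressed as a small evaluator. The following is an added illustration written for this course text; it is not Sophos's FIM engine or its policy schema. It assumes a hypothetical rule model (a file or folder path, an optional set of monitored file types, and a flag for whether changes to the folder entry itself are covered), and the sample rule sets and paths are constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Optional, Tuple

# Evaluation order stated in the course text: the first rule set with a match decides.
RULE_ORDER = ("custom_exclude", "custom_include", "default_exclude", "default_include")


@dataclass(frozen=True)
class FimRule:
    """One monitoring location (hypothetical model, not Sophos's policy format).

    path:           a file path (exact match) or a folder path
    file_types:     extensions monitored inside the folder; empty means only the
                    folder entry itself is covered ("Monitor these file types")
    monitor_folder: whether changes to the folder entry itself are covered
    """
    path: str
    file_types: frozenset = frozenset()
    monitor_folder: bool = True

    def matches(self, target: str) -> bool:
        rule_path = PureWindowsPath(self.path)
        target_path = PureWindowsPath(target)       # comparisons are case-insensitive
        if target_path == rule_path:
            return self.monitor_folder
        if rule_path in target_path.parents:        # target lies somewhere below the folder
            return target_path.suffix.lower() in self.file_types
        return False


def fim_decision(target: str, rules: Dict[str, Iterable[FimRule]]) -> Tuple[bool, Optional[str]]:
    """Return (monitored?, name of the rule set that decided); (False, None) if nothing matched."""
    for rule_set in RULE_ORDER:
        for rule in rules.get(rule_set, ()):
            if rule.matches(target):
                return rule_set.endswith("include"), rule_set
    return False, None


# Constructed sample policy: paths and file types are illustrative only.
SAMPLE_RULES = {
    "default_include": [FimRule(r"C:\Windows\System32", frozenset({".exe", ".dll", ".sys"}))],
    "default_exclude": [FimRule(r"C:\Windows\System32\Temp", frozenset({".exe", ".dll", ".sys"}))],
    "custom_include":  [FimRule(r"C:\App\config", frozenset({".ini"})),
                        FimRule(r"C:\Windows\System32\Temp\keep.dll")],   # custom inclusion beats default exclusion
    "custom_exclude":  [FimRule(r"C:\Windows\System32\noisy.dll")],       # custom exclusion beats everything
}

if __name__ == "__main__":
    for path in (r"C:\Windows\System32\kernel32.dll", r"C:\Windows\System32\noisy.dll",
                 r"C:\Windows\System32\Temp\x.exe", r"C:\Windows\System32\Temp\keep.dll",
                 r"C:\App\config\app.ini", r"C:\App\config\readme.txt"):
        print(f"{path:<40} -> {fim_decision(path, SAMPLE_RULES)}")
```

Note that readme.txt under the custom-included folder is not monitored because .txt is not among that rule's file types, which is the "folder but not the files in it" behaviour the text warns about.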
File Integrity Monitoring
File Integrity Monitoring events are logged to databatch.xml files in ProgramData\Sophos\File Integrity Monitoring\Export\. These files are written every 15 minutes and each file may contain multiple events.
The data files in the default Export location are purged when they become older than 90 days, so we recommend storing your own copy of the data to prevent deletion of any data you may require.
File Integrity Monitoring
• Files written every 15 minutes
• Each file may contain multiple events
• Files older than 90 days are deleted
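Because the default Export location is purged after 90 days, a practitioner will usually copy the export files to a retention location on a schedule. The script below is an added example, not a Sophos tool: it copies export files that are not yet archived, skips files whose identical content is already there (so it can be run repeatedly from a scheduled task), and never overwrites an archived file with different content. The archive path is an assumption, and the file name pattern is a guess based on the text naming databatch.xml files.

```python
import hashlib
import shutil
from pathlib import Path
from typing import List

# Default export folder named in the course text (under the system drive's ProgramData).
DEFAULT_EXPORT_DIR = r"C:\ProgramData\Sophos\File Integrity Monitoring\Export"


def _sha256(path: Path) -> str:
    """Content hash used to decide whether an export has already been archived."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_fim_exports(export_dir, archive_dir, pattern: str = "*.xml") -> List[str]:
    """Copy FIM export files into a location that Sophos does not purge.

    Returns the archive file names written on this run. Unchanged files already in
    the archive are skipped; a name collision with different content is stored
    under a hash-suffixed name so the earlier copy is preserved.
    """
    export_dir, archive_dir = Path(export_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    written: List[str] = []
    for src in sorted(export_dir.glob(pattern)):
        if not src.is_file():
            continue
        digest = _sha256(src)
        dst = archive_dir / src.name
        if dst.exists():
            if _sha256(dst) == digest:
                continue                                  # already archived, unchanged
            dst = archive_dir / f"{src.stem}-{digest[:12]}{src.suffix}"
            if dst.exists():
                continue                                  # this exact content is archived too
        shutil.copy2(src, dst)                            # copy2 preserves the timestamps
        written.append(dst.name)
    return written


if __name__ == "__main__":
    # Assumed archive destination; point it at a location your backups cover.
    print(archive_fim_exports(DEFAULT_EXPORT_DIR, r"D:\FIM-archive"))
```

Run it more often than every 90 days (daily is plenty given the 15-minute write cadence) and keep the archive on a volume that the server's backup job already covers.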
Many servers are not on physical platforms but are hosted in virtual environments such as VMWare and 
Hyper-V. 
Sophos offers two approaches to protecting virtual machines. The first option is to deploy the full server or endpoint agent on each guest virtual machine. It provides enhanced protection features including Server Lockdown, MTD and CryptoGuard, but has higher resource overheads relative to a virtualization-specific solution. An example use case for deploying the full server or endpoint agent is when endpoints hold high-value data and are exposed to multiple attack vectors, or for persistent virtual servers. This is the only option available for servers hosted by Amazon Web Services or Azure.
The alternative, for servers hosted using VMware or Hyper-V, is to install the ultra-thin guest agent provided by Sophos for Virtual Environments and deploy Sophos Security Virtual Machines (SVMs) to provide centralized threat protection. These provide anti-malware including Live Protection lookups and automated clean-up, and lower resource overheads, which enables higher VM density and gives relief from scan storms and update storms. An example use case is non-persistent virtual endpoints with restricted access to lower value data and exposure to fewer attack vectors.
The approach to select depends on the requirements and the role of the virtual machines and the slide 
shows key factors that would influence the choice. Regardless of the approach taken, managing 
protection of virtual machines requires special consideration. Please note that both options are included 
in all Sophos Server Protection licenses.
Two Approaches to Protecting Virtual Machines
Full Server/Endpoint agent deployed on each guest VM:
• Enhanced protection features including Server Lockdown, MTD, CryptoGuard
• Higher resource overheads relative to virtualization-specific solution
• Example use: Endpoints with high-value data and exposure to multiple attack vectors
Sophos for Virtual Environments (ultra-thin guest agent with centralized threat protection):
• Anti-malware including Live Protection lookups, with automated threat clean-up
• Lower resource overheads; enables higher VM density
• Relief from scan storms and update storms
• Example use: Endpoints with restricted access to lower value data and exposure to fewer attack vectors
Sophos for Virtual Environments
Diagram: Sophos Central above two hosts, each running an SVM that protects GVM thin agents; with Guest VM Migration, guest VMs may connect to another SVM
• Sophos Central shows Policy Status, Update status and Threats
• Encrypted traffic: Scan results, Action Centre Control and Product Updates
• Encrypted traffic: On access scan requests, Partial file information and Clean up results
Sophos for Virtual Environments comprises two components: the security virtual machine (SVM) and a thin agent on the guest virtual machine (GVM). You must install a Sophos security VM (SVM) on each virtualization host to provide central anti-virus scanning for all the guest VMs on that host. When the SVM is installed, it will appear in Sophos Central in the Servers section and receive the settings in the base policy by default.
Guest VMs do not have the full endpoint client installed. Instead they require the GVM Agent installed for the SVM to be able to protect them. Traffic between the Guest VMs and the SVM is encrypted using AES 128. A significant enhancement introduced in SVE v1.2 is the ability for Guest VMs to migrate between SVMs. When multiple SVMs are deployed on the same network, the Guest VMs can automatically move from their existing SVM and connect to another in order to load balance.
The key steps required to deploy Sophos for Virtual Environments are shown in the slide. 
1. Check the system requirements
2. Uninstall other anti-virus products
3. Install the Sophos Security VM and apply policies
4. Install the Sophos Guest VM Agent on guest VMs
5. Check that Guest VMs are protected
For further information please see the frequently asked questions knowledge base article: https://sophos.com/kb/125679. Additionally, the Certified Architect course further explores protecting virtual environments.
Deploy Sophos for Virtual Environments
1. Check the system requirements
2. Uninstall other anti-virus products
3. Install the Sophos Security VM and apply policies
4. Install the Sophos Guest VM Agent on guest VMs
5. Check that Guest VMs are protected
https://sophos.com/kb/125679
The installer for the Security VM is downloaded from Sophos Central. Unlike the client installers, this is 
not linked to the Central account. The installer prompts for entry of the Central Administrator email and 
password to determine the account.
Security VM Installer
Screenshots: Download the installer; Downloaded installer
Once protected, your virtual servers can be viewed from Sophos Central. 
This includes Sophos Security VMs, although the Guest VMs protected by them are not shown at this 
level.
Viewing and Managing Servers
• Virtual servers are displayed in the Servers list
It is also common for servers to be hosted on cloud virtualized platforms such as Amazon Web Services 
(AWS) and Microsoft Azure. We will look at these now. 
Integration with AWS improves the management of Sophos Server Protection on EC2 instances in AWS. 
It will:
• Enable Terminated EC2 instances to be removed automatically from Sophos Central (for example, if 
using AWS Auto-Scaling)
• Enable Server policy to be applied to AWS Auto Scaling Groups in Sophos Central
• Display useful EC2 instance information for each server in Sophos Central (for example, instance 
Lifecycle state, Amazon Machine Image (AMI) ID, Region, etc.)
• Display details of all EC2 instances in your AWS environment, and show whether the Sophos Server 
Protection Agent is installed on each instance.
Windows and Linux servers can be protected and the supported versions are the same as those for 
Central Server Protection.
For more information on AWS see the FAQ on Amazon Web Services integration with Sophos Central, 
knowledgebase article 122510 https://sophos.com/kb/125510.
Amazon Web Services (AWS) Integration
• Automatically remove terminated EC2 instances
• Display EC2 instance information in Sophos Central
• Show if the Sophos Server Protection Agent is installed
• Apply Server policies to AWS Auto Scaling Groups
Integration with AWS requires the connection of the AWS account with Sophos Central.
The process of connecting an AWS account to Sophos Central has three stages. Firstly, create an Identity and Access Management (IAM) policy. Secondly, create an IAM role for Sophos Central, and then add the AWS account to Sophos Central. Sophos provides the script required for this.
On completion the AWS account will have the specific read-only permissions required by Sophos. The 
next task is to deploy server protection to the AWS instances. 
Sophos Server Protection can be installed onto AWS EC2 instances using:
• Manual installation
• Ready-made scripts provided by Sophos. Embed the link to the installer from the Protect Devices area 
of Sophos Central Admin console into a deployment script
• Create an Amazon Machine Image (AMI) with Sophos Server Protection installed. When new AWS 
instances are launched with the Sophos agent installed, the agent will register with Sophos Central 
console and apply the policy automatically. 
Follow the instructions in knowledgebase article 120560 to install Sophos on a gold image and avoid duplicate identities: https://sophos.com/kb/120560
For more information about creating an IAM role in Sophos Central please see knowledgebase article 
126082. https://sophos.com/kb/126082.
Connecting an AWS Instance
1. Connect AWS Account to Sophos Central
▪ Create a managed policy
▪ Create an IAM Role for Sophos Central
▪ Add the AWS Account to Sophos Central
2. Deploy server protection to AWS instances
▪ Manual installation
▪ Shell scripts on instance launch
▪ Amazon Machine Image (AMI) with Server Protection installed. Follow the process to install Sophos on a Gold Image
The integration with Azure improves the management of Sophos Server Protection on VMs in Azure. It 
will:
• Enable deleted VMs to be removed automatically from Sophos Central
• Display useful VM information for each server in Sophos Central (for example, running state, Azure 
VM ID, Resource Group Name, VM location, etc.)
• Display details of all VMs in your Azure environment and show whether the Sophos Server Protection 
Agent is installed on each VM
Windows and Linux servers can be protected and the supported versions are the same as those for 
Central Server Protection.
For more information see Sophos Central: FAQ on Microsoft Azure integration with Sophos Central 
https://sophos.com/kb/126215.
Microsoft Azure Integration
• Automatically remove deleted VMs
• Display useful VM information in Sophos Central
• Show if the Sophos Server Protection Agent is installed
Integration with Microsoft Azure requires the connection of an Azure domain with Sophos Central. 
Connecting Azure to Sophos Central requires the creation of an application in the Azure Active Directory 
which has the necessary permissions. This can be done manually or through a script. 
Once the application registration is complete and the recommended permissions have been given, the Azure Active Directory can be added to the Sophos Central account. The next task is to deploy server protection to the Azure virtual machines.
Sophos Server Protection can be installed onto Azure virtual machines using:
• Manual installation
• Ready-made scripts provided by Sophos. Embed the link to the installer from the Protect Devices area 
of Sophos Central Admin console into a deployment script
• Create an image and a template from a VM with the Sophos endpoint installed
For more information see knowledgebase articles 126218 and 126217:
Microsoft Azure - Example workflows for creating/configuring images for Windows servers -
https://sophos.com/kb/126218
Microsoft Azure - Example workflows for creating/configuring images for Linux servers -
https://sophos.com/kb/126217
Azure Registration, Settings and Deployment
1. Create an application in Azure Active Directory
▪ Manually
▪ Using a script
2. Add Azure Account to Sophos Central
3. Deploy server protection to Azure virtual machines
▪ Manual installation
▪ Ready-made scripts provided by Sophos
▪ Create an image and a template from a VM with Sophos endpoint installed
Complete the following simulation tasks in Module 4:
• Task 4.1: Create a Server Group
• Task 4.2: Manage Server Policies
• Task 4.3: Enable and Configure File Integrity Monitoring
• Task 4.4: Configure and apply Server Lockdown
Module 4: Server Management
• Complete the following simulation tasks in Module 4
▪ Task 4.1: Create a Server Group
▪ Task 4.2: Manage Server Policies
▪ Task 4.3: Enable and Configure File Integrity Monitoring
▪ Task 4.4: Configure and apply Server Lockdown
Use the Simulation Workbook to view details of each task and access the simulations
On completion of this module, you should now be able to perform the actions shown here. Please take 
a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this 
module.
Module Review
• Now that you have completed this module, you should be able to:
▪ Demonstrate Server Lockdown
▪ Configure Server Protection policies for Server Lockdown and File Integrity Monitoring
▪ Explain how to protect virtual environments
Hi there, this is the Sophos Certified Engineer course for Sophos Central Endpoint and Server Protection. This is module 5: Threat Cases, Reports and Troubleshooting.
Sophos Certified Engineer
Sophos Central Endpoint and Server Protection ET15 – Threat Cases, Reports and Troubleshooting
July 2020
Version: 2.1
Product version: Sophos Central
Sophos Certified Engineer
Sophos Central Endpoint and Server Protection
Threat Cases, Reports and Troubleshooting
Version 2.1
In this module, you will learn about the types of detections and how endpoints can become infected. 
We will introduce Endpoint Detection and Response (EDR) and discuss the use of threat cases, searches 
and forensic snapshots. 
You will learn how malware is cleaned up on infected endpoints along with isolation options. We will 
discuss the logs and reports available in Sophos Central. 
We will explain the first steps in troubleshooting any issues with a protected endpoint, including how to 
generate log files. Additionally we will discuss how to find information using the Sophos support site and 
SophosLabs.
Threat Cases, Reports and Troubleshooting
Module sections: Managing Detections; Threat Cases; Clean Up, Logs & Reports; Troubleshooting & Support
Types of Detection
• Troj/, Mal/ etc: Malicious threat detections
• SUS/, HIPS/, C2/: Suspicious file, malicious behaviour & network activity detections
• HPmal/, HPsus/: Unknown threat detections that match specific profiles in-execution
• CXmail, CXmal and CXweb: New threats, file and variant detections
• Adware or PUA (detected pre-execution) and Controlled application (blocked by policy): Adware, PUA & controlled application detections
Endpoint and Server Protection will detect a number of threats in your environment. These are recorded as events and listed with a detection type. It is useful to know the types of threat detections that you may see in order to understand the best way to clean up these threats.
Let’s take a quick look at the main types of threat detections you may see: 
1. Malicious threats that are detected pre-execution. These will typically be detected by the on-access 
file scanner using definitions. 
2. Suspicious file, malicious behaviour and malicious network activity detections. SUS detections are 
based on properties of the file which make it likely that it is malware, however, there is less certainty 
because it does not match the definition of a known piece of malware. HIPS detections are triggered 
when an application performs actions that are classed as malicious. C2 detections are triggered by 
malicious network activity contacting command and control servers, where malware calls home for 
instructions or to download additional software.
3. Unknown threats and suspicious file detections that match specific combinations of behaviours when 
running for example HPmal and HPsus. 
4. CXmail detections are email-borne threats and are detected pre-execution, CXweb detections are malicious files detected before the download takes place, and CXmal detections are in-execution.
5. Adware or PUA are applications that may be legitimate but can pose a risk to your network. Controlled application detections are legitimate applications that are being blocked pre-execution by the application control policy.
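When detection events are exported or forwarded to a SIEM, the detection name is the field an analyst keys on, so it helps to turn the prefix conventions listed above into a lookup. The following is an added example written for this course text, not Sophos code: it maps each prefix the text names to the category and notes the text gives it, and counts a batch of events per category. The event records, hostnames and detection names are constructed, and only the prefixes listed on the page are recognised (everything else is reported as unclassified rather than guessed).

```python
from collections import Counter
from typing import Dict, List, Optional

# Detection-name prefixes and the meaning the course text assigns to them.
# CXmail/CXweb/CXmal are matched without a separator because the text lists them bare.
DETECTION_FAMILIES = [
    # (prefix, category, notes taken from the course text)
    ("Troj/",   "Malicious threat",                   "pre-execution; typically the on-access scanner using definitions"),
    ("Mal/",    "Malicious threat",                   "pre-execution; typically the on-access scanner using definitions"),
    ("SUS/",    "Suspicious file",                    "file properties make malware likely, but no definition match"),
    ("HIPS/",   "Malicious behaviour",                "application performed actions classed as malicious"),
    ("C2/",     "Malicious network activity",         "contact with command and control servers"),
    ("HPmal/",  "Unknown threat (behaviour profile)", "in-execution; matches a specific combination of behaviours"),
    ("HPsus/",  "Suspicious file (behaviour profile)", "in-execution; matches a specific combination of behaviours"),
    ("CXmail",  "Email-borne threat",                 "pre-execution"),
    ("CXweb",   "Malicious download",                 "detected before the download takes place"),
    ("CXmal",   "Malicious file (in-execution)",      "in-execution"),
    ("ML/PE-A", "Machine learning: malicious PE",     "Intercept X deep learning on portable executables"),
    ("ML/PUA",  "Machine learning: PUA",              "Intercept X deep learning on portable executables"),
]


def classify_detection(name: str) -> Dict[str, Optional[str]]:
    """Map a detection name to the category its prefix carries; longest prefix wins."""
    for prefix, category, notes in sorted(DETECTION_FAMILIES, key=lambda f: -len(f[0])):
        if name.startswith(prefix):
            return {"name": name, "prefix": prefix, "category": category, "notes": notes}
    return {"name": name, "prefix": None, "category": "Unclassified", "notes": None}


def summarise(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Count events per category so a triage queue can be worked by detection type."""
    return dict(Counter(classify_detection(e["detection"])["category"] for e in events))


# Constructed sample events (hostnames and detection names are made up for the example).
SAMPLE_EVENTS = [
    {"host": "srv-01", "detection": "Troj/Agent-ABC"},
    {"host": "ws-17",  "detection": "Mal/Generic-S"},
    {"host": "ws-17",  "detection": "HPmal/Ransom-A"},
    {"host": "ws-22",  "detection": "C2/Generic-B"},
    {"host": "ws-22",  "detection": "ML/PE-A"},
    {"host": "ws-30",  "detection": "CXmail/Phish-X"},
    {"host": "ws-30",  "detection": "Something/Odd"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        hit = classify_detection(event["detection"])
        print(f"{event['host']:<8} {event['detection']:<18} {hit['category']:<36} {hit['notes']}")
    print(summarise(SAMPLE_EVENTS))
```

The unclassified bucket is deliberate: an unfamiliar prefix should surface for a human rather than be silently folded into a known category.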
Types of Detection
Pre-Execution: Detection that takes place before the program runs
Post-Execution: Detection that takes place while the program is running
Intercept X:
• Anti-Exploit
• CryptoGuard
• Application Lockdown
• Safe Browsing
Machine Learning:
• Malicious PE detection: ML/PE-A
• Potentially Unwanted Application: ML/PUA
The detections mentioned previously take place pre-execution or post-execution. In module one you 
learned about pre and post-execution. To recap, Pre-execution means that the detection takes place 
before the program has run. This means that no malicious activity has taken place. Post-execution 
means that the detection takes place while the program is running, because it has to be caught in the 
act. In this case we have detected some activity or behaviour that we have categorized as malicious. As 
the program is running some activity may have taken place. 
The tools that Endpoint and Server Protection use to protect your environment from security threats 
were covered in the first module of this course, to reiterate, Intercept X targets the techniques used by 
attackers. The types of detections you may see are for: 
• Anti-exploit
• CryptoGuard
• Application Lockdown
• Safe Browsing
Intercept X’s machine learning (ML) engine (also referred to as deep learning) detects malicious portable 
executable (PE) files which will generate a ML/PE-A or a ML/PUA detection. PE is a file format used on 
Windows 32 and 64 bit computers, and is a structure used by Windows to manage the executable code. 
Examples of PE files can include .exe, .sys, .dll and .scr among many others. 
Now we have seen the types of detections, let’s have a look at how an endpoint in your environment 
could get infected. 
One attack vector is unprotected computers on the network, and by unprotected we could consider several states:
• A computer that has no anti-malware software installed
▪ An unprotected and compromised computer can provide a point of access for an attacker to gain access to your network and move through it until they have what they wanted
• Computers that are running out of date anti-malware software
▪ Computers are not protected against the latest threats and are vulnerable to attack
• Computers that have up-to-date anti-malware software, but do not have all of the protection features enabled
▪ It is important to enable all protection features; without these, the computer is vulnerable to attack
• Computers that are missing application and operating system updates and patches
▪ Out of date and unpatched applications and operating systems make devices more vulnerable to attack as known weaknesses in the software are left open
Inappropriate exclusions can leave your network open to attack. Malware will also try to leverage legitimate apps and processes as much as possible to evade detection. Excluding those tools that you find useful or necessary can create an opportunity for the system to be exploited.
Sophos Central includes various techniques to detect and block zero-day threats, however, attackers do 
not generally release malware that they know is going to be detected and blocked. They will release 
malware they believe will bypass anti-malware software and are therefore constantly developing new 
techniques that a detection has not been created for. 
Why Might a Computer get Infected?
Unprotected computer(s) on the network
• Computers with no anti-malware software installed
• Computers that are out of date
• Computers with disabled protection
• Computers missing application and OS updates and patches
Inappropriate exclusions
• For example: Allow PSExec on all computers
• Malware can use PSExec to spread across the network
Zero-day threat
• Attackers are constantly developing new techniques that have not been seen before
Endpoint Detection and Response (EDR)
• Visibility of data and activities on protected endpoints
• Compliance mandate
• Remediation techniques
• Additional scrutiny of high value assets
Endpoint Detection and Response (EDR) provides greater visibility of data that is relevant for detecting, 
investigating and mitigating advanced threats and suspicious activities. 
So why would you want to use this? The best endpoint technologies will protect organizations against 
the majority of malware and threats impacting their organization. But as the threat landscape evolves 
and cybercriminals continue to find new security holes, the unknown minority becomes important. 
EDR provides access to and visibility of activities happening on your endpoints. There may be a compliance mandate that requires additional data, which EDR can provide. Additionally, it provides remediation techniques and allows a more in-depth look at high value assets in your environment.
EDR provides the following information:
• Event and incident detection
• Incident response
• Threat hunting
• Forensic investigation
Here we will look at the first two of these. 
Event and incident detection provides visibility to changes on the endpoint, this can either be:
• Event detection: An observable change to the normal behavior of a system, environment, process, 
workflow or person
• Incident detection: An event detection attributable to a human. Within each detection we must 
determine not only a priority but whether it is malicious
Incident response is the process of determining if an incident is malicious, how it occurred and how to 
respond.
Endpoint Detection and Response (EDR)
Event and Incident Detection
• Visibility of changes on endpoints
• Event detection: A change to normal behaviour
• Incident detection: An event detection caused by a human
Incident Response
• Determine if an incident is malicious
• How the incident occurred
• How to respond
Now let’s look at the threat hunting and forensic investigation. 
Threat hunting is a proactive exercise that seeks to determine the presence of an ongoing or persistent 
intrusion or attack. What most commonly distinguishes threat hunting from event and incident 
detection and incident response is that the hunter begins their process without the benefit of a beacon. 
A beacon is typically where a threat originated from. Without a beacon, a few common starting points 
for a hunt are:
• Analytics-based such as machine learning
• Situational analysis (crown jewels, assessments, trending data)
• Intelligence (Reports, feeds, vulnerability scans)
• Hunting involves varying degrees of automation based on the maturity of the organization
Forensic investigation is an evidentiary process that seeks to re-create as much relevant data associated 
with a security incident as possible. Forensics largely focuses on the preservation of data, particularly 
when said data is to be utilized for legal proceedings.
Endpoint Detection and Response (EDR)
Threat Hunting
• Proactively seek the presence of an intrusion or attack
• Analytics-based
• Situational analysis/intelligence
Forensic Investigation
• Evidentiary process
• Re-create relevant data associated with a security incident
We use a combination of automated machine learning and data analyses from SophosLabs to provide 
one-click access to threat intelligence in the product that can be used to track and stop attacks that are 
underway.
Sophos Intercept X Advanced with EDR provides data that anyone can use to make informed decisions, 
and guided investigation and response processes. You will see how EDR is used when we discuss threat 
cases in this module. 
Sophos’ Intelligent EDR
• Built on top of leading Endpoint Protection
• One-click access to deep learning and SophosLabs threat intelligence
• Provides useable data and guided investigation and response
Threat cases in Sophos Central help you achieve these goals by providing a framework of guided 
investigation and response. Intercept X with EDR further augments the information available with 
machine learning threat data from SophosLabs to help you make informed decisions. From within the 
threat case you can take direct action, isolating computers while you complete the investigation, and 
then cleaning and blocking undesirable PEs across your whole estate.
Threat cases are created when suspicious activity is detected on an endpoint, and generally take around 
2-3 minutes to be created, depending on the speed of the endpoint.
Threat Cases Overview
• Guided investigation and response
• Augmented with machine learning threat data from SophosLabs
• Incident response actions
Let’s take a brief tour of what is included in a threat case.
From the Dashboard in Central you can view the most recent threat cases in the Threat Analysis Center. Clicking on the name of the threat will direct you to that specific threat case. It starts with a summary of the threat case, including what was detected, where and under which user, and most importantly, whether any data may have been involved in the incident.
Alongside the summary there are suggested next steps. There are links to isolate the computer while 
you investigate and to start a scan on the computer.
Threat Cases
Further down the page is a graphical representation of what happened, with filters to show and hide 
different types of element to help make seeing what is going on clearer.
The graph uses simple, clear iconography to help distinguish between the types of component, and 
coloured markers to denote the root cause, beacon event, allowed apps, and items with an uncertain 
reputation.
By selecting a component you can get additional information on a flyout from the right. Here we can see 
the flyout for the process explorer.exe. This first process details section is available with Intercept X. 
Intercept X with EDR also shows the reputation at the time of the detection. With EDR, from here you 
can request the latest intelligence from Sophos. This can take around 4 – 6 minutes depending on the 
sample size, and performs a deep analysis of the sample comparing code capabilities, structure and 
characteristics against known good and bad files.
Threat Cases
In the report summary you can see the current global reputation. You can see when Sophos first saw this file and also how recently we have seen it. Generally speaking, if it is a brand new file or a rare file, then it likely won't have a high reputation and is more suspicious. It also gives a summarized version of the machine learning analysis.
This is a more detailed view of the machine learning analysis, made up of 3 sections: Attributes, Code Similarity and File/path. In the Attributes section the analysis compares the 5 most relevant attributes of the sample against known good and bad samples and plots the similarity. The Code Similarity section indicates which files in the SophosLabs sample collection it is most similar to, how similar it is to them, and whether those files are known good or known bad. File path suspiciousness is also given, compared to the file paths of components that are suspicious and found in similar locations. All of this information is provided to give a usable analysis to help determine whether the sample is something you want on your network.
When reviewing the general properties of the file it is important to remember that these can be spoofed 
in an unsigned file, so check that on the File breakdown tab. When a file has a copyright, company 
name, version, signer, and a compile time that is consistent with the first seen time, then the file is more 
likely to be legitimate.
The last section is the File breakdown, and this is more advanced than the other analysis, but there are 
some things you can look out for. If the file is signed you can review the certificate details, this can be 
very useful when investigating the legitimacy of a file. The File breakdown shows the PE sections, as well 
as the imported functions that the PE calls, and where it calls them from.
If something in the Properties column is RWX (read, write and execute) that can be a red flag: unless the 
file is a Java runtime or uses just-in-time compiled code, a section that is both writable and executable 
will likely be used to map an external resource, such as a DLL or script, and run it, rather than having 
it locally. Packers that unpack code into a section and then execute it in place leave the same RWX 
footprint.
All of this information can help you determine if it is something you want on your 
network or not. One use case would be validating, or invalidating, a detection as a 
false positive.
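The two File breakdown checks described above, the RWX section flag and the compile timestamp, can be reproduced offline from the PE headers alone. The following is an added example, not Sophos code and not the analysis Sophos Central performs: it parses the section table and COFF header with the standard library and never loads or runs the file. The sample PE it analyses is a constructed, header-only fixture built by build_sample_pe, not a real binary; the characteristic flag values are the documented PE/COFF constants.

```python
"""Flag read+write+execute sections and read the COFF compile timestamp of a PE
file. Added example (not Sophos code); parses headers only, never executes the file.
SAMPLE_PE is a constructed header-only fixture, not a real binary."""
import datetime
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def _coff_header(data):
    """Validate the MZ and PE magic and return the offset of the COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4


def compile_time(data):
    """COFF TimeDateStamp as a UTC datetime. Like any unsigned field it can be
    forged, which is why the page compares it with the first-seen time."""
    coff = _coff_header(data)
    ts = struct.unpack_from("<I", data, coff + 4)[0]
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)


def sections(data):
    """Yield (name, characteristics) for every entry in the section table."""
    coff = _coff_header(data)
    num_sections, _ts, _sym, _nsym, opt_size = struct.unpack_from("<HIIIH", data, coff + 2)
    table = coff + 20 + opt_size          # the section table follows the optional header
    for i in range(num_sections):
        name, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), chars


def rwx_sections(data):
    """Names of sections mapped read, write and execute at the same time."""
    return [name for name, chars in sections(data) if chars & RWX == RWX]


def build_sample_pe(section_list, timestamp):
    """Constructed header-only PE fixture: DOS stub with e_lfanew, PE signature,
    COFF header with no optional header, then one 40-byte section header each."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_list), timestamp, 0, 0, 0, 0)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(section_list))
    return dos + b"PE\0\0" + coff + table


# Constructed sample: an ordinary code and data section plus one RWX section of
# the kind a packer leaves behind. Timestamp 1593561600 is 2020-07-01T00:00:00Z.
SAMPLE_PE = build_sample_pe(
    [(b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
     (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
     (b"UPX1", RWX)],
    timestamp=1593561600)

if __name__ == "__main__":
    print("compiled:", compile_time(SAMPLE_PE).isoformat())
    for name, chars in sections(SAMPLE_PE):
        flags = "".join(f if chars & bit else "-" for f, bit in
                        (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE),
                         ("X", IMAGE_SCN_MEM_EXECUTE)))
        print(f"{name:<8} {flags}")
    print("RWX sections:", rwx_sections(SAMPLE_PE))
```

Run against a real file with rwx_sections(open(path, "rb").read()). An RWX hit is a prompt to look further, not a verdict: JIT runtimes and some legitimate packers produce the same flags, which is exactly the caveat the text above makes.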
Back to the main threat case, and at the bottom you can see all of the files and processes that have 
been affected. These can be searched and filtered or exported to a CSV file. You can also create a 
forensic snapshot on the endpoint to aid further investigation.
The last piece is the Case record, which logs comments when actions are taken, for example isolating an 
endpoint, and can also be used to record findings during the investigation.
Threat Cases
Case Record
View artefacts involved
The threat searches are for active threat hunting, looking for indicators of compromise (IoC) across your 
estate.
You can search across your estate for SHA256 file hashes, file names, domains and IP addresses. The 
results will include portable executables with an unknown or low reputation and the network activity 
associated with those files.
Data is trickle fed into Central in 5 minute chunks, so you would expect it to be searchable within 10 - 15 
minutes.
The amount of data that will be uploaded to Sophos Central will depend on the number of PE files 
identified that have a low or uncertain reputation and network connectivity associated to those 
files. Changes to these files, including execution, location, name and reputation are uploaded via the 
trickle feed. In the majority of business environments the amount of data is expected to be low, maybe 
around a few kilobytes per upload.
You can also save searches so they can be run again without having to re-enter the search criteria.
Threat Searches Overview
Search for IoC using SHA256 file hashes, file names, domains and IPs
Data trickle fed to Central in 5 minute chunks
Searches can be saved
Portable Executables with unknown or low reputation and associated network 
activity
Here we can see the threat searches section where you can enter the search criteria, or select a saved 
search to run. To navigate to threat searches select Threat Analysis Center > Threat Searches in the left-
hand menu.
You can enter multiple search criteria, one per line.
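Threat intelligence rarely arrives in the clean form the search box expects: feeds mix defanged URLs, full paths, upper-case hashes and MD5 values. The following is an added example, not Sophos code, that turns such a list into the one-per-line criteria described above (SHA256 hashes, file names, domains and IP addresses). Its assumptions: the defanging conventions it undoes (hxxp, [.]) are general threat-intel habits rather than a Sophos format; a URL is reduced to its host because the search takes domains and IPs, not URLs; a Windows path is reduced to its file name; MD5 and SHA1 values are dropped because only SHA256 is searchable; and the extension list used to tell a file name from a domain is the author's own. The indicators in SAMPLE_FEED are constructed.

```python
"""Normalise a mixed IoC list into one-per-line Sophos Central threat search
criteria. Added example, not Sophos code; see the lead-in for assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
OTHER_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")        # MD5 / SHA1
DOMAIN_RE = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
# A dotted token ending in one of these is treated as a file name, not a domain (assumption).
FILE_EXTS = {"exe", "dll", "sys", "scr", "ps1", "bat", "cmd", "vbs", "js", "jar", "msi", "docm", "xlsm"}


def refang(token):
    """Undo common defanging so the value matches what the endpoint actually saw."""
    t = token.strip()
    t = re.sub(r"(?i)^hxxp", "http", t)
    for defanged in ("[.]", "(.)", "{.}"):
        t = t.replace(defanged, ".")
    return t.replace("[:]//", "://")


def classify(token):
    """Return (kind, value) with kind in sha256 / ip / domain / filename,
    or (None, reason) when the entry cannot be searched."""
    t = refang(token)
    if not t or t.startswith("#"):
        return None, "empty or comment"
    low = t.lower()
    if SHA256_RE.match(low):
        return "sha256", low
    if OTHER_HASH_RE.match(low):
        return None, "MD5/SHA1 not searchable, supply the SHA256"
    if "://" in low:                      # URL: keep only the host (assumption, see lead-in)
        low = urlsplit(low).hostname or ""
    low = low.split("/")[0]               # 'host/path' written without a scheme
    try:
        return "ip", str(ipaddress.ip_address(low))
    except ValueError:
        pass
    if "\\" in t or low.rsplit(".", 1)[-1] in FILE_EXTS:
        return "filename", t.split("\\")[-1]      # search by name, not by path
    if DOMAIN_RE.match(low):
        return "domain", low
    if re.fullmatch(r"[\w.\- ]+", t):
        return "filename", t
    return None, "unrecognised"


def to_search_lines(iocs):
    """Build the text to paste into the threat search (one criterion per line)
    and a list of (entry, reason) for everything that was dropped."""
    lines, skipped, seen = [], [], set()
    for raw in iocs:
        kind, value = classify(raw)
        if kind is None:
            skipped.append((raw.strip(), value))
        elif value not in seen:
            seen.add(value)
            lines.append(value)
    return lines, skipped


SAMPLE_FEED = [                           # constructed indicators, not real ones
    "hxxp://malicious-update[.]example/payload.exe",
    "198.51.100.23",
    r"C:\Users\Public\stage2.dll",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "d41d8cd98f00b204e9800998ecf8427e",
    "198.51.100[.]23",
]

if __name__ == "__main__":
    lines, skipped = to_search_lines(SAMPLE_FEED)
    print("\n".join(lines))                # paste this into the threat search box
    for entry, reason in skipped:
        print(f"skipped {entry}: {reason}")
```

Note that a URL entry yields only its host; if the file name at the end of the URL is also worth searching, add it as its own line. Tokens such as update.com are ambiguous between a domain and a file name, so review the classified output before saving it as a search.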
Performing Threat Searches
Run a previously saved search
Enter filenames, SHA256 file hashes, domains and IP addresses to search for
On the results screen, you can filter the computers that are returned, review the search criteria or save 
the search so you can easily run it again. Saving a search is as simple as giving it a name, be sure to use 
something descriptive!
Threat Searches Results
Save the Search
Filter computers
Review the items being searched for
Switch between file and network results
Here we can see the file result details for a computer, this shows you all of the reads, writes, executes, 
renames and reputation changes for the search criteria that have been found.
From here you can:
• Isolate the computer
• Clean and block a file based on its SHA256 file hash
• Generate a threat case for a file
To return to the results use the link in the breadcrumbs at the top of the page.
Threat Searches Results
• Clean and block based on file hash
• Generate a threat case
Isolate the computer
Automatic Clean up
For a lot of malware detections Sophos is able to perform an automatic clean up process to remove it, 
however, there are some scenarios where the clean up may fail, or it may require manual clean up. 
Clean Up Tools
SAV32CLI: command line tool included in the Sophos Central installation
Virus Removal Tool: separate download that detects and removes malware
Bootable AV: bootable AV scanner and removal tool
Source of Infection Tool: identifies where malicious files are written from
For more information see KB: https://sophos.com/kb/116418
Sophos provides a number of tools to assist in recovering from an infection. 
The main tools available are: 
• SAV32CLI. This is a command line tool included as part of the Sophos Central installation
• Virus Removal Tool. This is a separate download to detect and remove malware
• Bootable AV. This is usually used as a last resort and is a bootable virus scanner and removal tool
• Source of Infection Tool. This is used to assist in the identification of where malicious files are being 
written from
Most of the tools described here are included in the Sophos Malware Remediation Toolkit (SMaRT); see 
knowledge base article 116418 to learn more. 
Logs & Reports
Sophos Central provides a huge range of Logs and Reports. In the Sophos Central Admin console, select 
Logs & Reports from the left-hand menu. The page is split into Logs and Reports. 
Each section is then split into sub-categories. Logs are split into General Logs, which hold the event 
and audit logs; Endpoint and Server Protection Logs, which list the Data Loss Prevention log; and Email 
Security Logs, which provide the message history logs (if you have an Email Gateway license applied). 
For Reports, these are split into Users, Endpoint and Server Protection, Unified Endpoint Management & 
Mobile Security, Endpoint and Server Web Control and Email Security. 
We will take a look at those logs and reports that are generated for Endpoint and Server Protection. 
Events Report
The general reports are useful when looking at your endpoints and servers. The Events report lets you 
see all of the events generated in your Central account by your users and devices. You can search for 
events and filter by date range. 
It’s also possible to select the event types that are included via the panel to the left of the graph. This 
filter would be useful if you just wanted to see all policy violations, or malware detections, for example.
These filters can be further expanded for each event type so that you can report on the specific actions 
taken for that event type. For example, malware that has been detected, cleaned up, not cleaned up, or 
locally cleared.
Events Report Export
Select the report type you want to export
View the report
You can export this and other reports in Sophos Central to CSV or PDF using the Export button at the 
right of the report, which will assist with offline manipulation or presentation of the data outside of the 
Central console.
Custom Events Report
You can save a report as a custom report. Give the report a name and confirm the filters for the report. 
In the email options you can choose to send a secure link to the report via email, or to attach the 
report to the email itself. Attaching the report is not recommended if it includes personally 
identifiable information, since the attachment is no longer protected by the console's access controls. 
You can send a custom report as a CSV or a PDF file and choose whether it is sent monthly or weekly. 
Please note that scheduled emailing of reports will stop after 6 months. 
Audit Logs
You can view and export a record of all activities that are monitored by Sophos Central using the audit 
log report. All activities for the past 7 days are shown in the Audit Log by default. You can view all 
activities for up to 90 days and export that same report. 
For accurate audit logging it is recommended that all users with administrative rights have unique login 
names. 
Endpoint and Server Reports
Endpoint
Server
Navigate to Endpoint Protection > Logs & Reports or Server Protection > Logs & Reports to view only 
those reports that are available for that product. 
The top menu will show where you are in the Sophos Central Console. The reports are split into 
sections, logs and then reports. 
Endpoint and Server Reports
Reports for Users, Endpoints and Servers use the same format
The reports for Users, Endpoints and Servers, all look similar, with a summary view at the top. Clicking 
on the numbers in the summary view will apply a filter to the report for the relevant category.
The detailed information varies depending on the particular report, but it will show details like 
associated devices, the scanning status, the OS and the last active and updated times. You can use all of 
this information to monitor the objects linked to your account and spot any inconsistencies, or home in 
on a particular user or device to get more information. 
Installation of the Sophos endpoint starts with the thin installer, SophosSetup.exe, extracting itself 
to the user's temporary directory (%temp%). It writes its installation logs to 
%ProgramData%\Sophos\CloudInstaller\Logs\
For a Mac installation the installer's default level of logging is written to the file install.log, 
which is found by default at /private/var/log/install.log
One easy way to find this log is to open the Console app and locate install.log under the var/log section 
of the left-hand tree.
Windows Installation Logs
SophosCloudInstaller_<date>_<time>.log: the installation log written by the thin installer 
SophosSetup.exe (in %ProgramData%\Sophos\CloudInstaller\Logs\)
Avremove.log: the log of the third-party security product detection and removal tool (extracted to 
%temp%\crt\)
For more information about installation logs please see Knowledgebase article:
https://sophos.com/kb/119621 
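When an installation fails, the first job is to find the log for the right attempt and read the error lines before anything else. The following is an added example, not a Sophos tool, that resolves the two Windows log locations named above, picks the newest SophosCloudInstaller_*.log, and extracts the lines worth reading first. Two assumptions: the newest log by modification time is the attempt being troubleshot, and the keyword filter (error, fail, exception, denied) is a generic one, because the installer's actual message format is not documented here. make_fixture writes constructed sample logs to a temporary directory so the code can be exercised on any platform.

```python
"""Locate and triage the Sophos Central Windows installer logs named on this
page. Added example, not a Sophos tool; log paths from the page, keyword
filter and 'newest by mtime' rule are assumptions."""
import glob
import os
import re

ERROR_RE = re.compile(r"\b(error|fail(ed|ure)?|exception|denied)\b", re.I)


def default_log_dirs():
    """%ProgramData%\\Sophos\\CloudInstaller\\Logs for the installer log and
    %temp%\\crt for Avremove.log, as given on the page."""
    program_data = os.environ.get("ProgramData", r"C:\ProgramData")
    temp = os.environ.get("TEMP", os.environ.get("TMP", "."))
    return (os.path.join(program_data, "Sophos", "CloudInstaller", "Logs"),
            os.path.join(temp, "crt"))


def newest_installer_log(log_dir):
    """Newest SophosCloudInstaller_*.log by modification time, or None."""
    candidates = glob.glob(os.path.join(log_dir, "SophosCloudInstaller_*.log"))
    return max(candidates, key=os.path.getmtime) if candidates else None


def suspicious_lines(path):
    """(line number, text) for every line matching the error keywords."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            if ERROR_RE.search(line):
                hits.append((number, line.rstrip("\r\n")))
    return hits


def triage(log_dir, crt_dir):
    """{log path: [(line no, text), ...]} for the newest installer log and
    Avremove.log, each included only when present on disk."""
    report = {}
    newest = newest_installer_log(log_dir)
    if newest:
        report[newest] = suspicious_lines(newest)
    avremove = os.path.join(crt_dir, "Avremove.log")
    if os.path.exists(avremove):
        report[avremove] = suspicious_lines(avremove)
    return report


def make_fixture():
    """Constructed sample logs in a temp directory (not real installer output)
    so triage() can be run offline; returns (log_dir, crt_dir)."""
    import tempfile
    import time
    base = tempfile.mkdtemp()
    log_dir, crt_dir = os.path.join(base, "Logs"), os.path.join(base, "crt")
    os.makedirs(log_dir)
    os.makedirs(crt_dir)
    old = os.path.join(log_dir, "SophosCloudInstaller_20200701_090000.log")
    new = os.path.join(log_dir, "SophosCloudInstaller_20200702_100000.log")
    with open(old, "w") as fh:
        fh.write("Installer started\nERROR: old attempt\n")
    with open(new, "w") as fh:
        fh.write("Installer started\nDownloading package\n"
                 "Failed to connect to update server\nDone\n")
    with open(os.path.join(crt_dir, "Avremove.log"), "w") as fh:
        fh.write("No third-party products found\n")
    now = time.time()
    os.utime(old, (now - 3600, now - 3600))   # make the July 1 log the older one
    os.utime(new, (now, now))
    return log_dir, crt_dir


if __name__ == "__main__":
    for path, hits in triage(*default_log_dirs()).items():
        print(path)
        for number, text in hits:
            print(f"  {number}: {text}")
```

On a real machine run it as-is; it reads the live directories. Keep the full log for the support case (see the knowledgebase article above); the keyword hits are only a starting point, and the lines immediately before a hit usually explain it.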
We’ll now look at some of the places you can go to find out information. The Labs section of the Sophos 
web site shows the latest information about security threats.
The SophosLabs section of the Sophos web site can be directly accessed at www.sophos.com/labs 
Sophos Labs
Sophos Labs can be accessed here: sophos.com/labs
Provides the latest information about security threats
The Sophos Support site provides a wide range of information and resources. It is the place to go to for 
product documentation, knowledgebase articles and downloads. It can be accessed directly using 
www.sophos.com/support or by using the Support link from www.sophos.com.
Support
sophos.com/support
To make it easy for you to communicate with the team at SophosLabs, we encourage the sending of 
samples of suspicious files, emails, web addresses and applications for investigation. 
• A knowledgebase article provides instructions on how to do this safely: 
http://www.sophos.com/kb/17327
• Submitting samples of suspicious files: https://www.sophos.com/kb/11490
• How to submit spam, and false-positive spam samples to SophosLabs: 
https://www.sophos.com/kb/23113
• Application Control Request: https://secure2.sophos.com/en-us/support/contact-
support/application-control-request.aspx
Sample Submission
https://secure2.sophos.com/en-us/support/submit-a-sample.aspx
Sophos Community https://community.sophos.com/ offers a wide range of forums covering each of the 
products.
Community
https://community.sophos.com/
Community forums covering all products
The Community page also provides access to the Knowledgebase. As you will have seen throughout this 
course, the Sophos knowledgebase provides a large number of articles written by Sophos technical 
support to help administrators with:
• Rollout and configuration best practice
• Advanced configuration
• Disaster recovery planning
• Significant files and registry keys
• Troubleshooting on all supported platforms
Knowledgebase
https://community.sophos.com/kb
Complete the following simulation tasks in Module 5:
• Task 5.1: Use reports in Sophos Central
• Task 5.2: Create a device isolation exclusion
• Task 5.3: Access ESH and generate an SDU
• Task 5.4: Investigate a detection using a threat case
• Task 5.5: Troubleshoot an updating issue using Endpoint Self Help (ESH)
Module 5: Threat Cases, Reports and Troubleshooting
• Complete the following simulation tasks in Module 5
▪ Task 5.1: Use reports in Sophos Central
▪ Task 5.2: Create a device isolation exclusion
▪ Task 5.3: Access ESH and generate an SDU
▪ Task 5.4: Investigate a detection using a threat case
▪ Task 5.5: Troubleshoot an updating issue using Endpoint Self Help (ESH)
Use the Simulation Workbook to view details of each task and access the simulations
On completion of this module, you should now be able to perform the actions shown here. Please take 
a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this 
module.
Module Review
• Now that you have completed this module, you should be able to:
Demonstrate the use of threat cases
Generate logs and reports relating to protected users, endpoints and servers
Explain how to find information using the Sophos Knowledgebase and SophosLabs
Demonstrate how to use the Endpoint Self-Help Tool and generate an SDU log
On completion of this course, you should now be able to perform the actions shown here. Please take a 
moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this 
course.
Course Review
• Now that you have completed this course, you should be able to:
Explain how Sophos Central Endpoint and Server protection helps protect against security threats
Perform an installation of Sophos Central on Windows and Mac endpoints and Windows servers
Customize threat protection and control policies
Demonstrate threat protection and commonly used features
Manage threat cases and view reports
Use the Endpoint Self-Help Tool to identify and resolve issues on Windows endpoints
Feedback on our courses is always welcome.
Please email us at globaltraining@sophos.com with your comments.
Feedback is always welcome
Please email globaltraining@sophos.com
TRAINING FEEDBACK
Now that you have completed this course, you should complete the assessment in the training portal.
You will have 2.5 hours to complete the assessment from when you launch it, and you have 4 attempts 
to pass the assessment.
The assessment may include questions on the theory and simulation content. 
Next Steps
Now that you have completed this course, you should:
Complete the assessment in the training portal
You have 2.5 hours to complete the assessment
You have 4 attempts to pass the assessment
The assessment may include questions on the theory or simulations
You have now completed the Engineer Certified course for Sophos Central Endpoint and Server 
Protection. 
To continue your training, you can complete the Sophos Central Endpoint and Server Certified Architect 
course, which is designed for technical professionals who will be planning, installing, configuring and 
supporting deployments in production environments, or the Sophos Central Technician course, which 
provides the knowledge and skills required to troubleshoot common issues. 
You can also choose to complete both of these courses if required. 
Next Steps
Sophos Central Architect: planning, installing, configuring and supporting deployments in production 
environments
✓ Design an installation considering all variables
✓ Undertake a multi-site installation appropriate for a customer environment
✓ Explain the function of core components, how they work and how to configure them
✓ Track the source of infection and clean up infected devices
✓ Perform preliminary troubleshooting and basic support for customer environments
Sophos Central Technician: provides the knowledge and skills to perform troubleshooting procedures for 
common issues
✓ Understand the support tools required to investigate common issues
✓ Identify common issues when reported
✓ Perform appropriate troubleshooting steps
✓ Gather information to allow further troubleshooting if required
End.