
Sophos Endpoint for Windows

Help
Contents
About Sophos Endpoint for Windows
Sophos Endpoint
Status
Events
Detections
Settings
How to ...
    Scan a file
    Scan the computer or server
    Clean up a threat
    Change security settings
    Update now
    Troubleshoot
    Encrypt the computer
    Send protected files via email
    Access the computer if you forget the password
Why is my file transfer blocked?
Get additional help
Legal notices

(2020/06/01)

1 About Sophos Endpoint for Windows


This Help file provides information about Sophos Endpoint for Windows and explains procedures
step by step.

Copyright © Sophos Limited 1



2 Sophos Endpoint
Sophos Endpoint runs on computers and servers to protect them.

Note
You may not have all the features described in this Help. This depends on your license.

Sophos Endpoint is configured and managed centrally from the Sophos Central Admin console.
However, you can do some tasks on the computer or server:
• Check the Status of the computer.
• Scan a file or Scan the computer or server for threats.
• See details of Events on the computer or server, such as threats detected.
• Clean up a threat.
• Change security settings. For example, you can turn off features so that you can
troubleshoot.
• Update now.
• Troubleshoot.

Note
You need to use Admin sign-in and enter the Tamper Protection password to clean up threats or
change settings.


3 Status
Note
You may not have all the features described here. This depends on your license.

The Status page lets you:


• See the security status of the computer or server.
• Scan the computer or server for threats.
• See the installed features and their security status.

Note
The About link in the lower right of the page lets you update your virus definitions or troubleshoot
the product.

Security Status
An icon in the upper part of the page shows the status.

Green. There are no alerts, or only low-priority alerts.

Red. There are high-priority alerts.

Yellow. There are medium-priority alerts.

Gray. The status is unknown.


Below this, all installed features are displayed with their individual security status.

Scan the computer


Click Scan to scan all files on the computer or server for threats.
When the scan is complete, you'll see a summary of the scan results. If threats are detected, you
can go to the Events page to see details.


4 Events
Note
You may not have all the features described here. This depends on your license.

The Events page shows events on the computer or server, for example threats detected.
You can filter events, for example to show only events that require you to take action, or search for
specific types of events.

The Events list


The Events list shows:
• The severity. An icon on the far left of the list shows whether the event is high priority, medium
priority, or a notification.
• The source. An icon on the left of the list indicates the Sophos feature that reported the event.
• The date and time when the event occurred.
• A description of the event.
• A link that lets you take action (if any action is needed). This is shown only if you have signed in as
an administrator.
To view details of each event, click the arrow to the right to expand it.
The actions you can take are the same as those available in the Sophos Central Admin console. See
the list on the Alerts page in Sophos Central Help.
You can filter events by the following types:

Malware and PUAs


Malware is a general term for malicious software. It includes viruses, worms, Trojans and spyware.
Potentially unwanted applications (PUAs) are programs that aren't malicious, such as dialers, remote
administration tools and hacking tools, but are generally considered unsuitable for most business
networks.

Web threats
Web threats include malicious websites, uncategorized websites, and risky downloads.
Some websites are also generally considered unsuitable for business networks, for example adult
websites or social media. These can be blocked.

Malicious behavior
Malicious behavior is suspicious behavior detected in software that is already running on the
computer or server.


Ransomware is malicious software that denies you access to your files until you pay a ransom.

Controlled Items
This category includes:
• Applications that are not a security threat, but that you decide are unsuitable for use in the office.
• Peripherals and removable media.
• Risky downloads or websites that are inappropriate for the office.
• Files containing sensitive information (like personal or financial details) that you don't want to leak.

Malicious Traffic
Malicious traffic is traffic between computers that indicates a possible attempt to take control of the
computer or server (a “command and control” attack).

Exploits
Exploits that Sophos can prevent include application hijacking and exploits that take advantage of
vulnerabilities in browsers, browser plug-ins, Java applications, media applications and Microsoft
Office applications.


5 Detections
The Detections page lets you:
• Scan the computer or server for threats.
• See the threats that Sophos has detected and protected against.

Scan the computer


Click Scan to scan all files on the computer or server for threats.
When the scan is complete, you'll see a summary of the scan results. If threats are detected, you
can go to the Events page to see details.

Malware and PUA Event History


Shows the history of detected malware and PUAs. Click the arrow to see details on the Events
page.

Detection History
Shows how many threats of a specific type have been detected. Click on a type to see details of the
detected threats of that type on the Events page.


6 Settings
Note
You may not have all the features described here. This depends on your license.

The Settings page is only available if you use Admin sign-in and enter the Tamper Protection
password (available from the Sophos Central administrator).
You can temporarily change the security settings on this computer or server.
You might need to do this to troubleshoot. For example, you might want to turn off a feature to see if
it is causing problems on the computer.

How to change settings


Check the box marked Override Sophos Central Policy for up to 4 hours to troubleshoot.
You can now make changes on this page. The changes temporarily override the policy that you (or
another administrator) have applied from the Sophos Central Admin console.
After four hours, the settings will automatically change back to the centrally-enforced policy settings.

Note
You can change the settings back sooner if you want to. You can’t use the slider controls to do this
for individual features. Instead, uncheck Override Sophos Central Policy for up to 4 hours to
troubleshoot.

Deep learning
Deep learning uses advanced machine learning to detect threats. It can identify malware and
potentially unwanted applications without using signatures.

Real-time Scanning
Real-time scanning scans items as users attempt to access them, and grants access only if they are
clean. You can select:
• Files: This scans local files and (if this is selected in the policy) network shares.
• Internet: This scans internet resources. It can scan downloads in progress, block access to
malicious websites, and detect low-reputation websites.

Controls on Users
• Peripheral Control lets you control access to peripherals and removable media.
• Application Control lets you detect and block applications that are not a security threat, but that
you decide are unsuitable for use in the office.

• Web Control lets you protect against risky downloads, control the sites that users can visit, and
prevent data loss.
• Data Loss Prevention lets you monitor and restrict the transfer of files containing sensitive data.
• Tamper Protection: When this is enabled, a local administrator can only change security settings
or uninstall Sophos Endpoint if they have the necessary password.

Runtime Protection
Runtime protection protects against threats by detecting suspicious or malicious behavior or traffic
on endpoint computers. You can select:
• Ransomware Detection: This protects against malware that restricts access to files, and then
demands a fee to release them.
• Safe Browsing: This protects your web browsers against exploitation by malware.
• Exploit Mitigation: This protects the applications most prone to exploitation by malware, such as
Java applications.
• Network Threat Protection: This detects traffic between an endpoint computer and a server that
indicates a possible attempt to take control of the endpoint computer. It includes packet inspection,
which scans network communications, identifying and blocking threats before they can harm the
operating system or applications.

Note
If you turn off Network Threat Protection, the EDR features, Isolation and Stonewalling, will
also be turned off.

• Malicious Behavior Detection (HIPS): This protects against threats that are not yet known. It
does this by detecting and blocking behavior that is known to be malicious or is suspicious.
• AMSI Protection: This protects against malicious code (for example, PowerShell scripts) using the
Microsoft Antimalware Scan Interface (AMSI). Code forwarded via AMSI is scanned before it runs,
and the applications used to run the code are notified of threats by Sophos. If a threat is detected,
an event is logged.

Computer controls
You can monitor Windows Firewall (and other registered firewalls) on your computers and servers.


7 How to ...

7.1 Scan a file


To scan individual files:
In Explorer, right-click on the file and select Scan.

7.2 Scan the computer or server


To scan all files on the computer or server:
1. Go to the Status page or the Detections page.
2. Click Scan.
When the scan is complete, you'll see a summary of the scan results.
3. If threats are detected, you can go to the Events page to see details.

7.3 Clean up a threat


To clean up a threat that has been detected:
1. Click Admin sign-in and enter the Tamper Protection password (available from the Sophos
Central administrator).
2. Go to the Events page to see details of the threat that has been detected.
3. Look for an action link beside the threat details.
The actions you can take are the same as those available in the Sophos Central Admin console. See
the list on the Alerts page in Sophos Central Help.

7.4 Change security settings


To change security settings:
1. Click Admin sign-in in the upper right of the interface.
2. Enter the Tamper Protection password (available from the Sophos Central administrator).
There is now a Settings link in the menu bar.
3. Go to the Settings page.
4. Check the box marked Override Sophos Central Policy for up to 4 hours to troubleshoot.
5. Use the slider controls on the page to turn off security features.
After four hours, the settings will automatically change back to the centrally-enforced policy settings.


Note
You can change the settings back sooner if you want to. You can’t use the slider controls to do this
for individual features. Instead, uncheck Override Sophos Central Policy for up to 4 hours to
troubleshoot.

7.5 Update now


To update your virus definitions:
1. Click About in the lower right of the user interface.
2. Click Update Now.

7.6 Troubleshoot
To troubleshoot problems:
1. Click About in the lower right of the user interface.
2. Click Open Endpoint Self Help Tool to gather data on the problem, or follow the link to the
Community Forum.

7.7 Encrypt the computer


Note
Device Encryption is only available on endpoint computers.

The Device Encryption feature encrypts the hard disk of your computer using Windows BitLocker
technology. Your administrator defines whether you need to authenticate each time you access your
computer.
If no authentication is required, the encryption of your hard disk starts automatically as soon as you
restart your computer after you receive the Sophos Central policy. There is nothing you need to do
in this case.
If authentication is required, encrypt the computer as follows:
1. When the Sophos Device Encryption dialog is displayed, follow the instructions in the dialog. The
specific instructions depend on your system and the policy settings defined by your administrator.
• If the Device Encryption policy requires a PIN or password for authentication, follow the on-
screen instructions to create a PIN or password.

Note
Be careful when creating a PIN or password. The pre-boot environment only supports the
US-English keyboard layout. If you create a PIN or password now with special characters,
you might have to use different keys when you enter it to sign in later.

• If the Device Encryption policy requires a USB key for authentication, you need to connect a
USB flash drive to your computer. The USB flash drive must be formatted with NTFS, FAT, or
FAT32.
2. When you click Restart and Encrypt, the computer restarts and encrypts your hard disks. You can
work as usual.

Note
You can select Do this later to close the dialog. However, it will appear again next time you
sign in.

After Sophos Central has encrypted the system volume, the encryption of the data volumes is
started. Removable data volumes such as USB drives are not encrypted.
When you sign in to your computer, you may need a PIN, password, or USB key to unlock your
system volume. Data volumes are unlocked automatically.

7.8 Send protected files via email


Sophos offers an add-in for Microsoft Outlook that makes encrypting email attachments easy.

Note
The add-in is only available in Central Device Encryption 2.0 or later.

Note
If Sophos SafeGuard Enterprise is installed on the computer, its Outlook add-in is used to encrypt
email attachments.

If configured in your policy, you can choose how to send attachments whenever you send an email
with one or more files attached.
• Password protected
Select this option if you are sending sensitive files to recipients outside of your organization.
After you define a password and select Send, your files are encrypted and saved as an HTML
file.
Recipients can open the file with their web browser as soon as you communicate the password
to them. We recommend that you use a strong password and don’t send it in the same email as
the files. For example, you can give the recipients the password by phone.
Recipients can use one of the following browsers to open the password-protected attachment:
— Mozilla Firefox
— Google Chrome
— Microsoft Edge
— Internet Explorer 11
Decryption with other browsers, such as mobile browsers, may work but is not actively
supported.

Recipients can edit the file and send it back using the same password or a new password. They
can even protect a new file with a password. They are guided through the procedure by a wizard
in their browser.
• Unprotected
Select this option only if your email attachment does not contain any sensitive data. Any action to
send email attachments unprotected may be logged and monitored by your security officer.
If you are not prompted, you can password protect attachments manually; see Use a password to
protect attachments.

7.8.1 Use a password to protect attachments


When sending emails to recipients outside your corporate network, we recommend that you encrypt
your file with a password. This allows the recipients to access encrypted files without having Central
Device Encryption installed.
Do the following:
1. Click Protect Attachments on the Outlook ribbon or right-click the files you want to send in
Windows Explorer and select Create password protected file.

Note
Protect Attachments is only visible if the email is opened in a separate window.

2. Follow the on-screen instructions and create a password. We recommend that you use a strong
password and don’t send it in the same email as the files. For example, you can give the recipients
the password by phone.
Password restrictions:
• The password must be at least 8 characters long.
• The password must not contain more than three characters next to each other in the same
keyboard row.
• The password must not contain three or more consecutive alphanumeric characters.
• The password must have at least 3 different characters.

Note
• You need free disk space for the encryption.
• The maximum supported file size is 50 MB.
• The encrypted HTML file is bigger than the original files.

Your file is encrypted and saved as an HTML file. You can now safely attach the HTML file
to emails. Recipients can use one of the following browsers to open the password-protected
attachment:
• Mozilla Firefox
• Google Chrome
• Microsoft Edge
• Internet Explorer 11

3. Instruct your recipients to double-click the file and follow the on-screen instructions to do one of the
following:
• Enter the password and click Enter to access the file.
The recipients can protect the file with a password when sending it back to you. They may
use the same password or create a new password.
• Click Password protect a new file to protect a different file with a password.
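
The password restrictions listed in step 2 can be checked before a password is agreed with a recipient. The following is an added example, not Sophos code: it assumes a US-English QWERTY layout and reads "consecutive alphanumeric characters" as ascending or descending runs such as abc or 321, because the page does not define either rule more precisely.

```python
import string

# Assumption: US-English QWERTY rows; the page does not name the layout the check uses.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Assumption: "consecutive alphanumeric characters" means alphabet or digit order.
SEQUENCES = (string.ascii_lowercase, string.digits)


def longest_run(text, groups):
    """Length of the longest stretch of text that walks along one of the
    group strings one position at a time, forwards or backwards."""
    def step(a, b):
        for group in groups:
            if a in group and b in group:
                delta = group.index(b) - group.index(a)
                return delta if abs(delta) == 1 else 0
        return 0

    best = run = 1 if text else 0
    previous = 0
    for a, b in zip(text, text[1:]):
        current = step(a, b)
        if current == 0:
            run = 1            # the pair is unrelated: the run starts over
        elif current == previous:
            run += 1           # same direction as the previous pair
        else:
            run = 2            # a new run made of this pair
        previous = current
        best = max(best, run)
    return best


def check_password(password):
    """Return the restrictions the password violates (empty list = accepted)."""
    lowered = password.lower()
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if longest_run(lowered, KEYBOARD_ROWS) > 3:
        problems.append("more than three neighbouring keys from one keyboard row")
    if longest_run(lowered, SEQUENCES) >= 3:
        problems.append("three or more consecutive alphanumeric characters")
    if len(set(password)) < 3:
        problems.append("fewer than 3 different characters")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, one per restriction plus one that passes.
    for candidate in ("short", "qwertyui", "xabc9k2m", "aaaaaaab", "Tr4!nQu1et-Owl"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```
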

7.9 Access the computer if you forget the password


If you cannot log on to your computer because you have forgotten your PIN, password, or USB key,
you need a recovery key.
If you are using Sophos Device Encryption, the recovery key is stored in Sophos Central. To get
your recovery key, do one of the following:
• Log on to the Sophos Self Service Portal and follow the instructions in the Help.
• Ask your administrator to retrieve the recovery key for you, as described in Use BitLocker recovery.
Do this if you cannot use the Self Service Portal.

7.9.1 Use BitLocker recovery


1. Restart your computer and press the Esc key in the BitLocker logon screen.
2. In the BitLocker recovery screen, find the Recovery key ID.
The Recovery key ID is displayed for a short time. To display it again, you must restart the
computer.
3. Contact your administrator and give them the Recovery key ID.
Your administrator needs to find the recovery key to your computer in Sophos Central and give you
the key.
4. In the BitLocker recovery screen, enter the recovery key.
You can now start your computer.
5. Follow the on-screen instructions to create a new BitLocker PIN or password when prompted.
On computers running Windows 7, you don't see any instructions. You need to reset your PIN/
password manually.
You can access your computer again.

Note
A recovery key can only be used once. If you need to recover your computer again later, you need
to get a new recovery key.


8 Why is my file transfer blocked?


You might see a message telling you that a file transfer (for example, copying, moving or emailing
files) has been blocked.
This happens because your company has set up a policy to ensure that you don't unintentionally
send sensitive information to users who should not have it.
There are two types of message.

Transfer is blocked
If you receive a "file transfer blocked" message, you cannot transfer the files. Your administrator may
have added some advice to this message.

Transfer can be allowed


If you receive a "file transfer request blocked" message, you can decide whether to transfer the files.
Your administrator may have added some advice to this message. Click Allow if you're sure it's safe
to go ahead.


9 Get additional help


You can find technical support as follows:
• Visit the Sophos Community at community.sophos.com/ and search for other users who are
experiencing the same problem.
• Visit the Sophos support knowledgebase at www.sophos.com/en-us/support.aspx.


10 Legal notices
Copyright © 2020 Sophos Limited. All rights reserved. No part of this publication may be reproduced,
stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical,
photocopying, recording or otherwise unless you are either a valid licensee where the documentation
can be reproduced in accordance with the license terms or you otherwise have the prior permission
in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos
Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned
are trademarks or registered trademarks of their respective owners.
