¶ Privilege and Service Control
- Run Sophos services with least privilege and remove unused management agents.
- Limit who can modify scanning policies and exclusions.
- Restrict remote management endpoints to approved admin networks.
- Ensure frequent IDE/pattern updates and monitor update status.
- Pin update source to trusted Sophos endpoints or controlled mirrors.
- Block direct internet updates from restricted environments unless approved.
¶ Scan and Quarantine Policy
- Enable on-access scanning on ingress points (mail, upload, shared storage).
- Configure quarantine retention and restoration workflow.
- Review exclusion lists monthly to prevent over-broad trust.
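The monthly exclusion review above is easier to keep honest when the export is checked mechanically rather than eyeballed. The script below is an added example, not Sophos code or a Sophos API: it takes a list of exclusion entries in the path/wildcard form an AV console typically exports (the sample list and the "over-broad" heuristics are constructed for illustration) and flags the patterns that extend trust too far: whole-drive exclusions, bare extension wildcards, and directory or wildcard exclusions under user-writable locations such as Users, Temp or ProgramData.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample exclusion list (hypothetical; not from any real policy export).
SAMPLE_EXCLUSIONS = [
    "C:\\Program Files\\SQL Server\\MSSQL\\DATA\\*.mdf",  # narrow, non-executable: fine
    "C:\\",                                               # whole drive
    "C:\\Users\\*\\Downloads\\",                          # every user's download folder
    "*.exe",                                              # every executable anywhere
    "C:\\Windows\\Temp\\",                                # world-writable scratch space
    "D:\\Backups\\nightly\\",                             # whole directory, but not user-writable
    "C:\\ProgramData\\",                                  # writable by ordinary users
]

# Hypothetical heuristics: path segments ordinary users can write to, and
# extensions whose blanket exclusion defeats on-access scanning of executables.
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
                      "\\downloads\\", "\\appdata\\")
EXECUTABLE_EXTS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr", ".msi")
ROOT_RE = re.compile(r"^[a-z]:\\?$")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    exclusion: str
    severity: str
    reason: str


def assess_exclusion(entry: str) -> Optional[Finding]:
    """Return a Finding for an over-broad exclusion, or None if it looks acceptably narrow."""
    e = entry.strip()
    lower = e.lower().replace("/", "\\")
    if lower in ("*", "*.*", "*\\*") or ROOT_RE.match(lower):
        return Finding(e, "high", "excludes an entire drive or everything")
    ext_only = re.fullmatch(r"\*\.([a-z0-9]+)", lower)
    if ext_only:
        if "." + ext_only.group(1) in EXECUTABLE_EXTS:
            return Finding(e, "high", "excludes every executable with this extension on every path")
        return Finding(e, "medium", "extension-only wildcard applies to every path")
    is_directory = lower.endswith("\\")
    in_user_writable = any(marker in lower for marker in USER_WRITABLE_DIRS)
    if in_user_writable and (is_directory or "*" in lower):
        return Finding(e, "high", "excludes content in a user-writable location")
    if is_directory:
        return Finding(e, "low", "whole-directory exclusion; confirm it is still needed")
    return None


def audit_exclusions(entries: List[str]) -> List[Finding]:
    """Assess every entry and return findings ordered high -> medium -> low."""
    findings = [f for f in (assess_exclusion(x) for x in entries) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in audit_exclusions(SAMPLE_EXCLUSIONS):
        print(f"[{f.severity:6}] {f.exclusion}  -- {f.reason}")
```

Feed the function the exported exclusion list from your console and keep the heuristics list in version control alongside the policy; any "high" finding is a candidate for narrowing to a specific file pattern in a non-writable directory, and the "low" entries are the ones to confirm still have an owner.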
¶ Logging and Compliance
- Centralize antivirus alerts and maintain retention for audits.
- Correlate malware events with host changes and user activity.
- Validate policy with periodic controlled malware simulation tests.
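For the "correlate malware events with host changes and user activity" item, the following is an added example of the correlation logic a SIEM rule or a small enrichment script would run once antivirus alerts are centralised. It is not Sophos code and assumes a hypothetical normalised event schema (one JSON object per line with `ts`, `source`, `host`, `user`, `event`) that a collector has already produced from AV, host-change and logon sources; the sample events are constructed. Each AV detection is joined to host changes on the same machine within a short window (service installed, scheduled task created, local admin added) and to the users who logged on during a longer lookback, and detections with a nearby host change are marked for escalation because a detection coinciding with a persistence or privilege change deserves more than a routine quarantine review.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (hypothetical; not real Sophos, Windows or SIEM output).
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:30:00Z", "source": "winlogon", "host": "ws-019", "user": "bob", "event": "logon"}
{"ts": "2024-05-01T09:58:10Z", "source": "winlogon", "host": "ws-042", "user": "alice", "event": "logon"}
{"ts": "2024-05-01T10:01:30Z", "source": "hostchange", "host": "ws-042", "user": "alice", "event": "service_installed"}
{"ts": "2024-05-01T10:02:05Z", "source": "av", "host": "ws-042", "user": "alice", "event": "malware_detected"}
{"ts": "2024-05-01T10:40:00Z", "source": "hostchange", "host": "ws-042", "user": "svc_build", "event": "scheduled_task_created"}
{"ts": "2024-05-01T11:15:00Z", "source": "av", "host": "srv-07", "user": "", "event": "malware_detected"}
{"ts": "2024-05-01T11:16:00Z", "source": "hostchange", "host": "srv-07", "user": "", "event": "local_admin_added"}
{"ts": "2024-05-01T12:00:00Z", "source": "av", "host": "ws-019", "user": "bob", "event": "malware_detected"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines events, convert timestamps, and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: List[Dict],
              change_window: timedelta = timedelta(minutes=15),
              logon_lookback: timedelta = timedelta(hours=4)) -> List[Dict]:
    """Attach nearby host changes and recent logon users to every AV detection.

    A detection with any host change inside change_window on the same host is
    marked 'escalate'; otherwise it is 'routine'. Results list escalations first.
    """
    results = []
    for a in (e for e in events if e["source"] == "av"):
        same_host = [e for e in events if e["host"] == a["host"] and e is not a]
        changes = [e for e in same_host
                   if e["source"] == "hostchange" and abs(e["ts"] - a["ts"]) <= change_window]
        users = {e["user"] for e in same_host
                 if e["source"] == "winlogon" and e["event"] == "logon"
                 and a["ts"] - logon_lookback <= e["ts"] <= a["ts"]}
        if a["user"]:
            users.add(a["user"])  # the account the AV engine attributed the file to
        results.append({
            "host": a["host"],
            "alert_ts": a["ts"],
            "priority": "escalate" if changes else "routine",
            "host_changes": [c["event"] for c in changes],
            "users": sorted(users),
        })
    return sorted(results, key=lambda r: (r["priority"] != "escalate", r["alert_ts"]))


if __name__ == "__main__":
    for r in correlate(parse_events(SAMPLE_LOG)):
        print(f"{r['alert_ts']:%H:%M} {r['host']:7} {r['priority']:8} "
              f"changes={r['host_changes']} users={r['users']}")
```

In the sample, the detection on ws-042 lands seconds after a service was installed by the same user, and the one on srv-07 is followed a minute later by a new local administrator; both are escalated, while the ws-019 detection with no accompanying host change stays a routine quarantine review. Tune the windows to your environment and add the event types your host-change source actually emits.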