Sophos Endpoint Agent Technical Details
This document describes the technical components and services of Sophos Endpoint Agent. It explains the function and availability of each component for Sophos Agent for Endpoint and Sophos Agent for Server.
Components
The following components may be installed on Sophos Agent Windows endpoints and servers.
| Component | Description | Availability |
|---|---|---|
| Sophos AutoUpdate | Keeps endpoint or server components and supplemental data up to date, including itself. | Endpoint, Server |
| Sophos Management Communications System (MCS) | Receives messages from Sophos Central and routes them to other components. Sends device status back to Sophos Central. | Endpoint, Server |
| Sophos Endpoint Firewall / Firewall Management | Monitors and configures connection types on devices using Windows Firewall policy. | Endpoint, Server |
| Sophos Network Threat Protection | Manages malicious behavior detection, web filtering, heartbeat/synchronized Application Control, SATC, and ZTNA. | Endpoint, Server |
| Sophos Endpoint Defense (SED) | Core component that integrates with multiple processes. | Endpoint, Server |
| Sophos HitmanPro Alert | Provides runtime protection, including exploit mitigation and ransomware protection (CryptoGuard). | Endpoint, Server |
| Sophos File Scanner | Scans files and returns information to Sophos System Protection. | Endpoint, Server |
| Sophos Self Help Tool | Reports installation health and helps troubleshoot issues. | Endpoint, Server |
| Sophos Endpoint UI | User interface for the Sophos Agent. | Endpoint, Server |
| Sophos Message Relay | Relays policy and reporting data to Sophos Central via a local server. | Server only. Not present from Server Core Agent 2024.2 (now part of Sophos Management Gateway) |
| Sophos Server Lockdown | Allows only approved applications to run on the server, preventing unauthorized modifications. | Server only |
| Sophos Update Cache | Provides updates from a local cache, saving bandwidth. | Server only. Not present from Server Core Agent 2024.2 (now part of Sophos Management Gateway) |
| Sophos Health | Monitors the health of the local installation. | Endpoint, Server |
| Sophos File Integrity Monitoring | Monitors system-critical files, folders, and registry keys/values. | Server only |
| Sophos Live Query | Allows administrators to query devices for immediate visibility and investigation. | Endpoint, Server |
| Sophos Live Terminal | Enables remote command line access for further investigation or response. | Endpoint, Server |
| Sophos MDR Endpoint Agent (Managed Detection and Response) | Used by the Managed Threat Response service for threat hunting and monitoring. | Endpoint, Server. Not present from Core Agent 2023.2 |
| Sophos AMSI Protection | Integrates with Windows AMSI for antimalware scanning and protection. | Endpoint, Server |
| Threat Detection Engine | Provides protection against malware and other threats. | Endpoint, Server |
| Sophos Uninstaller | Uninstalls Sophos components. | Endpoint, Server |
| Sophos Diagnostic Utility | Gathers device information and logs for troubleshooting. | Endpoint, Server |
| Machine Learning Engine | Used by Sophos File Scanner during file scanning. | Endpoint, Server |
| Sophos Data Protection Agent | Installed with Device Encryption. | Endpoint only |
| Sophos Clean | Cleans up detected threats. | Endpoint, Server. Not present on Windows 10 (x64) and above, or Windows Server 2016 and above |
| Sophos Endpoint Agent | Main reference for all other components. Reports Core Agent version. | Endpoint, Server. Not present on Windows 10 (x64) and above, or Windows Server 2016 and above |
| Sophos Management Gateway | Combines Message Relay and Update Cache functionality. | Server only. Available from Core Agent 2024.2 |
Services
The following services run on Sophos Central-managed Windows endpoints and servers.
| Service Name | Process | Description | Availability |
|---|---|---|---|
| Sophos AutoUpdate Service | ALSvc.exe | Updates Sophos components. | Endpoint, Server. Not present on Windows 10 (x64) and above, or Windows Server 2016 and above from Core Agent 2022.3 |
| Sophos Clean | SophosClean.exe | On-demand malware scanner and cleaner. Set to Automatic but no longer used on newer systems. | Endpoint, Server. Not present on Windows 10 (x64) and above, or Windows Server 2016 and above |
| Sophos Endpoint Defense Service | SEDService.exe | Core service for endpoints and servers. | Endpoint, Server |
| Sophos File Scanner Service | SophosFS.exe | Launches worker processes for data scanning. | Endpoint, Server |
| Sophos Live Query | SophosLiveQueryService.exe | Manages live and scheduled queries. | Endpoint, Server |
| Sophos Health Service | SophosHealth.exe | Reports the health status of the endpoint. | Endpoint, Server |
| Sophos MCS Agent | mcsagent.exe | Management Communications Agent. | Endpoint, Server |
| Sophos MCS Client | mcsclient.exe | Management Communications Client. | Endpoint, Server |
| Sophos Network Threat Protection | SntpService.exe | Manages malicious behavior detection, web filtering, heartbeat, SATC, and ZTNA. | Endpoint, Server |
| Sophos SafeStore | SophosSafestore64.exe | Encrypted quarantine store. Automatic startup but no longer used on newer systems. | Endpoint, Server. Not present on Windows 10 (x64) and above, or Windows Server 2016 and above |
| Sophos System Protection Service | SSPService.exe | Collects and uses information from Sophos components to detect threats. | Endpoint, Server |
| HitmanPro.Alert Service | hmpalert.exe | Provides exploit mitigation and browser intrusion detection. | Endpoint, Server |
| Sophos File Integrity Monitoring | SophosFIMService.exe | Monitors file integrity. | Server only |
| Sophos Managed Threat Response | SophosMTR.exe | Manages osquery operations on the device. No longer present from Core Agent 2023.2. | Endpoint, Server |
| Sophos Lockdown Service | SLDService.exe | Enforces Server Lockdown. | Server only |
| Sophos Message Relay Service | httpd.exe -k runservice | Relays communication between local computers and Sophos Central. From Server Core Agent 2023.2, present on all servers with Update Cache installed. If not enabled, the service is set to Disabled. From Server Core Agent 2024.2, functionality is managed by the Update Cache service. | Server only |
| Sophos Update Cache | UpdateCacheService.exe | Downloads and serves Sophos updates to the local network. From Server Core Agent 2024.2, manages Message Relay functionality. | Server only |
| Sophos Device Encryption Service | Sophos.Encryption.BitLockerService.exe | Manages BitLocker disk encryption. | Endpoint only |
Component and Service Availability
| Feature | Endpoint | Server |
|---|---|---|
| Sophos AutoUpdate | ✓ | ✓ |
| Sophos Management Communications System | ✓ | ✓ |
| Sophos Endpoint Firewall | ✓ | ✓ |
| Sophos Network Threat Protection | ✓ | ✓ |
| Sophos Endpoint Defense | ✓ | ✓ |
| Sophos HitmanPro Alert | ✓ | ✓ |
| Sophos File Scanner | ✓ | ✓ |
| Sophos Self Help Tool | ✓ | ✓ |
| Sophos Endpoint UI | ✓ | ✓ |
| Sophos Message Relay | | ✓ (servers only; see notes above) |
| Sophos Server Lockdown | | ✓ (servers only) |
| Sophos Update Cache | | ✓ (servers only; see notes above) |
| Sophos Health | ✓ | ✓ |
| Sophos File Integrity Monitoring | | ✓ (servers only) |
| Sophos Live Query | ✓ | ✓ |
| Sophos Live Terminal | ✓ | ✓ |
| Sophos MDR Endpoint Agent | ✓ (not present from Core Agent 2023.2) | ✓ (not present from Core Agent 2023.2) |
| Sophos AMSI Protection | ✓ | ✓ |
| Threat Detection Engine | ✓ | ✓ |
| Sophos Uninstaller | ✓ | ✓ |
| Sophos Diagnostic Utility | ✓ | ✓ |
| Machine Learning Engine | ✓ | ✓ |
| Sophos Data Protection Agent | ✓ (endpoints only) | |
| Sophos Clean | ✓ (legacy only) | ✓ (legacy only) |
| Sophos Endpoint Agent | ✓ (legacy only) | ✓ (legacy only) |
| Sophos Management Gateway | | ✓ (from Core Agent 2024.2) |