Skip to content

Server Linux Runtime Detection Policy

Linux Runtime Detection (RTD) policies monitor a host's running processes and applications. When configuring an RTD policy for the Sophos Protection for Linux Agent, you can leverage the SophosLabs default detections or use an RTD Profile. RTD Profiles use the SophosLabs default content with the option to turn individual rules on or off and update allow and block lists. See Linux Runtime Detection Profiles.


To use Linux Runtime Detection policies, ensure that Linux runtime detections is turned on in the Server Threat Protection policy. See Runtime Protection.

You must also have one of the following licenses:

  • Intercept X Advanced for Server with XDR
  • Intercept X Advanced for Server with MTR Standard
  • Server E Intercept X Advanced for Server with MTR Advanced

Set up Linux Runtime Detection

Go to Server Protection > Policies to set up Linux Runtime Detection.

To set up a policy, do as follows:

  1. Create a Linux Runtime Detection policy. See Create or Edit a Policy.
  2. Open the policy's Settings tab and configure the following policy settings:

    • Make sure Enable Linux Runtime Detection is turned on.
    • Select whether you want to use Sophos Labs Default Detection or Linux Runtime Detection Profile. If you select Linux Runtime Detection Profile, you must select the Profile and Version you want to use.
  3. Ensure the policy is turned on.

  4. Click Save.