Navigating Sophos antivirus for Windows

This tutorial applies to the following operating system(s):

 Windows

Overview:

Sophos Cloud endpoint antivirus provides protection to your device against malware and other online threats. The client provides an interface to view recent events and manage settings.

Open the Client

To open the Sophos Cloud client, double-click the blue Sophos icon in the taskbar.

Screenshot of Sophos in the taskbar

Home Screen

After opening the client, the home screen defaults to the Status tab. The Status tab displays an overview of any security events found on the device. You can click Scan to initiate a malware scan of the device.

Screenshot of Sophos Central client home

Events

The Events tab contains a log of security events and detections on the device. You can filter the events by priority by clicking the All Events drop-down menu. The All Sources drop-down menu allows you to filter by threat type, such as Malware, Web Threats, etc.

Screenshot of the events tab

Detections

The Detections tab contains information for any threats detected on the device. You can click "Scan" from this screen to initiate a malware scan of the device.

Detections tab screenshot

Settings

The Settings tab lists the available client settings. Click the "Override Sophos Central Policy for up to 4 hours to troubleshoot" checkbox towards the top of the window to enable modification of the settings. Once it is checked, you can turn individual components on or off, such as real-time scanning, website blocking, or exploit detection.

Changes last for 4 hours and persist between reboots.

Screenshot of settings tab

Advanced Options

Clicking "About" in the lower right-hand corner at any time brings up advanced options and information. The About screen displays the version number of each Sophos Cloud component installed on the device. Note that the value for "Device Encryption" will appear as "Not Installed" even if your device is encrypted with Sophos SafeGuard; this value can be ignored.

Clicking "Update Now" updates the detection database and synchronizes policy with the Sophos Central management console.

You can view the health of Sophos services running on the client by clicking "Run Diagnostic Tool". This opens a new window with more options.

Screenshot of about page

Endpoint Self Help

Within the Endpoint Self Help window, clicking an entry in the left-hand column displays the relevant information in the right-hand pane. A summary of these options is:

System: Displays the computer name, the currently logged-in user, and the last 10 Windows updates.
Installed Components: Displays the Sophos Cloud components installed on the device and their version numbers.
Services: Lists the running status of Sophos-related services.
Management Communication: Displays the last communication time with the Sophos Central management console and the specific cloud server the client is connected to.
Update: Displays the last update time and the update method.
Policy: Lists the policies present and the last time a policy was received.
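The same System, Installed Components and Services information can be gathered from the command line, which is useful when checking many endpoints without opening the client on each. The following PowerShell script is an added example, not part of the Sophos tutorial or of Sophos's own tooling; it assumes that Sophos service display names and installed-program entries begin with "Sophos" (the page does not give the exact names) and that it is run with local administrator rights.

```powershell
# Added example (not Sophos code): reproduce the Endpoint Self Help summary from PowerShell.
# Assumption: Sophos services and installed programs have display names starting with "Sophos".
function Get-EndpointSelfHelpSummary {
    [CmdletBinding()]
    param(
        [string]$ServiceNamePattern = 'Sophos*'   # assumed display-name pattern for Sophos services
    )

    # System: computer name, logged-in user and the last 10 Windows updates
    $system = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        LoggedInUser   = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
        LastTenUpdates = Get-HotFix |
            Sort-Object -Property InstalledOn -Descending |
            Select-Object -First 10 -Property HotFixID, Description, InstalledOn
    }

    # Installed Components: Sophos entries from the installed-programs registry keys
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $components = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sophos*' } |
        Select-Object -Property DisplayName, DisplayVersion

    # Services: running status of Sophos-related services, counting any that are not running
    $services = Get-Service -DisplayName $ServiceNamePattern -ErrorAction SilentlyContinue |
        Select-Object -Property DisplayName, Status, StartType
    $stopped = @($services | Where-Object { $_.Status -ne 'Running' })

    [pscustomobject]@{
        System              = $system
        InstalledComponents = $components
        Services            = $services
        StoppedServiceCount = $stopped.Count   # non-zero means a protection service is not running
    }
}

$summary = Get-EndpointSelfHelpSummary
$summary.System | Format-List
$summary.InstalledComponents | Format-Table -AutoSize
$summary.Services | Format-Table -AutoSize
if ($summary.StoppedServiceCount -gt 0) {
    Write-Warning "$($summary.StoppedServiceCount) Sophos service(s) are not running"
}
```

A stopped service here is the same condition the Services entry in Endpoint Self Help would show, and is a reason to run the diagnostic tool or open a case.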

Sophos diagnostics window

Diagnostics Tools

Within the Endpoint Self Help window, click the "Tools" tab at the top for additional actions. Here you can scan a file and also obtain the file's SHA256 hash. The Launch SDU option in the lower left provides a convenient shortcut to launch the Sophos Diagnostic Utility.

Diagnostics window, tools tab displayed

Sophos Diagnostic Utility

The Sophos Diagnostic Utility (SDU) is a Sophos program that collects information about Sophos products installed on the system, or those that recently attempted installation. The collected information can be used to debug issues with Sophos-related products.

The SDU is a standalone program and can be found in your device's list of installed software. Alternatively, you can start the SDU by opening Sophos Cloud and navigating to About -> Run Diagnostic Tool -> Launch SDU.

The SDU prompts to begin the data collection process. Click Continue.

The SDU then collects both Sophos and system logs. This process may take a few minutes to complete.

Once the logs have been collected, click "Archive logs and send to Sophos".

If you are working on an active case with Sophos and have been instructed to run the SDU, you can fill out the appropriate information and click "Send mail to Sophos". This opens the default mail app on the device with a pre-drafted email that has the archive file attached. In general, however, you will be reviewing the logs yourself or sending them to the security office for review. To retrieve the log archive, click "locate archive". A Windows Explorer window will automatically open at the location of the .zip files, which can then be copied, emailed, uploaded, or otherwise handled as necessary.