How to test that Sophos Endpoint detection features are working

  • Article ID: 10027
  • Rating:
  • 11 customers rated this article 4.2 out of 6
  • Updated: 11 Mar 2015

This article lists different methods you can use to test that your Sophos Endpoint detection features are working correctly. You can test these items from any endpoint computer on your network.

Note: all of the files and links in this article are completely harmless. They are designed to trigger the anti-virus software into recognizing it as if it were a virus, and if successful will indicate a detection.

Applies to the following Sophos product(s) and version(s)

UTM Managed Endpoint (Windows 2000+)
Sophos Endpoint Security and Control
Sophos Cloud Managed Endpoint

What To Do

On-Demand and On-access scanning

Important:The EICAR test string is not a virus, it is an industry standard detection test. Sophos Anti-Virus will report its presence as 'EICAR-AV-Test' virus.

Method 1

SAVTST32.EXE are utilities designed to test the operation of Sophos Anti-Virus by using the EICAR test string which Sophos Anti-Virus recognizes as a virus.

For more information, see the SAVTST32 release notes

Method 2

  • Download the eicar string from 
  • Copy the string into a notepad and save it as eicar.txt
  • To test the On-access scanner capabilities rename the file to and run it.

If the on-access scanner is enabled and functioning correctly you should see a detection.

Web protection/Web control

SophosLabs have provided the webpage which you can use to test the functionality of Sophos Web protection and Web control. Click on the relevant section title to see the Sophos response/description.

  • Click the 'Malware' option on the above page will test whether web protection is operating correctly. This should should display a blocked page and a balloon alert on the system tray.
  • To confirm whether Web control is functioning, click the other options on the page to test the category classification.

Live Protection

SophosLabs have provided a set of sample files for testing the Live Protection functionality. These samples are non-malicious files that trigger a cloud lookup and file submission. Use these files for testing purposes only.

The following four self executable archives are available for download:

For each of these files, click on the file, then select Unzip. When prompted, use the password “liveprotection” (without quote marks).

On extracting, the content of the SFX file will either be detected at the point it’s written to disk (if “on-write” is enabled) or the next time the file is accessed or scanned on demand.

Malicious traffic detection (MTD)

To test the MTD feature do the following:

  1. Copy the following text and paste it into a text document

    set o = createobject("MSXML2.XMLHTTP") "GET", "" & rnd, FALSE

  2. Name the file mtd.vbs
  3. Double-click the file to trigger the detection.

If the MTD feature is active you should receive a 'C2/generic-B' detection on the endpoint.

Note: The Sophos Network Threat Protection feature must be installed for MTD to function. Presently this is only available in Sophos Cloud licenses.


If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent