How to test Sophos Endpoint detection features

  • Article ID: 10027
  • Rating:
  • 13 customers rated this article 3.9 out of 6
  • Updated: 17 Mar 2016


This article lists the different methods you can use to test if your Sophos Endpoint detection features are working correctly. You can test these items from any endpoint computer on your network.

The following sections are covered:

NOTE: All the files and links in this article are completely harmless. They are designed to trigger the anti-virus software into recognizing it as if they were a virus, and if successful, will indicate a detection.

What to do

On-demand and on-access scanning

NOTE:The EICAR test string is not a virus, it is an industry standard detection test. Sophos Anti-Virus will report its presence as EICAR-AV-Test virus.

  • Download the eicar string from 
  • Copy the string into a notepad and save it as eicar.txt
  • To test the on-access scanner capabilities, rename the file to and run it.

If the on-access scanner is enabled and functioning correctly, you should see a detection.

Web protection/web control

Use the Sophos Web Security and Control Test Site by SophosLabs to test the Sophos web protection and web control functionality.

  • Select the Malware option to test if web protection is operating correctly. This will display a blocked page and a balloon alert on the system tray.
  • To confirm whether web control is functioning, click the other options on the page to test the different category classifications.

Download reputation

Use the Sophos Web Security and Control Test Site - Reputation webpage by SophosLab to test the download reputation functionality. 

Host intrusion prevention system (HIPS)

To test the HIPS feature, do the following:

  1. Copy the following text and paste it into a text document:
    Set t = WScript.CreateObject( "WScript.Shell" )
    t.RegWrite "HKCU\SOFTWARE\Sophos\HIPSTest\", ""
    t.RegDelete "HKCU\SOFTWARE\Sophos\HIPSTest\"
    Set t = Nothing

  2. Name the file HIPSTest.vbs

  3. Open a command line window

  4. Call the the HIPSTest.vbs using wscript with the full path
    on 64 bit Systems: C:\Windows\SYSWOW64\wscript HIPSTest.vbs
    on 32 bit Systems: C:\Windows\System32\wscript HIPSTest.vbs

After running the script, the quarantine should show wscript, as well as the suspicious behavior setting in the Sophos Anti-Virus GUI.

Malicious traffic detection (MTD)

To test the MTD feature, do the following:

  1. Copy the following text and paste it into a text document
    set o = createobject("MSXML2.XMLHTTP") "GET", "" & rnd, FALSE

  2. Name the file mtd.vbs

  3. Double-click the file to trigger the detection.

If the MTD feature is active, you will receive a C2/generic-B detection on the endpoint.
The Sophos Network Threat Protection feature must be installed for MTD to function. This is only available in Sophos Cloud and Sophos Enterprise Console 5.3.0 with managed 10.6.0 and above.

NOTE: All of the files contained in this article should be used for testing purposes only.

Feedback and contact

If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent