How to test that Sophos Endpoint detection features are working

  • Article ID: 10027
  • Updated: 28 Oct 2015

This article lists different methods you can use to test that your Sophos Endpoint detection features are working correctly. You can test these items from any endpoint computer on your network.

Note: All of the files and links in this article are completely harmless. They are designed to be recognized by the anti-virus software as if they were a virus; a successful test results in a detection.

Applies to the following Sophos product(s) and version(s)
UTM Managed Endpoint (Windows 2000+)
Sophos Endpoint Security and Control
Sophos Cloud Managed Endpoint

What To Do

On-Demand and On-access scanning

Important: The EICAR test string is not a virus; it is an industry-standard detection test. Sophos Anti-Virus will report its presence as the 'EICAR-AV-Test' virus.

Method 1

SAVTST32.EXE is a utility designed to test the operation of Sophos Anti-Virus by using the EICAR test string, which Sophos Anti-Virus recognizes as a virus.

For more information, see the SAVTST32 release notes

Method 2

  • Download the eicar string from 
  • Copy the string into a notepad and save it as eicar.txt
  • To test the On-access scanner capabilities rename the file to and run it.

If the on-access scanner is enabled and functioning correctly you should see a detection.
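The Method 2 check can also be scripted so it can be repeated on several endpoints. The following PowerShell is an added example, not a Sophos-supplied tool: it writes the standard 68-byte EICAR test string to eicar.txt, reads it back, and reports whether the scanner intervened. The folder name av-selftest and the 5-second wait are assumptions.

```powershell
# Added example: scripted on-access check using the EICAR test string.
# The string is assembled from two halves so this script file is not itself flagged.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' + '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Hypothetical working folder (assumption); eicar.txt is the file name from Method 2.
$dir  = Join-Path $env:TEMP 'av-selftest'
$path = Join-Path $dir 'eicar.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$result = 'NOT DETECTED (file written and read back unchanged)'
try {
    # Write exactly 68 ASCII bytes: no BOM, no trailing newline.
    [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)

    # Give an on-write scan time to act (5 seconds is an assumed value).
    Start-Sleep -Seconds 5

    if (-not (Test-Path -LiteralPath $path)) {
        $result = 'DETECTED (file removed or quarantined after write)'
    }
    else {
        # Opening the file for reading exercises on-read scanning, if enabled.
        $readBack = [System.IO.File]::ReadAllText($path)
        if ($readBack -ne $eicar) {
            $result = 'DETECTED (file content was altered)'
        }
    }
}
catch {
    # A blocked write or read normally surfaces as an access or I/O error.
    $result = 'BLOCKED (' + $_.Exception.Message + ')'
}
finally {
    # Remove the test folder whether or not the scanner already cleaned it up.
    Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue
}

'On-access test on {0}: {1}' -f $env:COMPUTERNAME, $result
```

A BLOCKED or DETECTED result should be matched against an 'EICAR-AV-Test' alert in the endpoint's own log; a NOT DETECTED result means the on-access scanner did not react to this file in this location.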

Web protection/Web control

SophosLabs have provided the webpage which you can use to test the functionality of Sophos Web protection and Web control. Click on the relevant section title to see the Sophos response/description.

  • Clicking the 'Malware' option on the above page tests whether web protection is operating correctly. This should display a blocked page and a balloon alert in the system tray.
  • To confirm whether Web control is functioning, click the other options on the page to test the category classification.

Download reputation

SophosLabs have provided this website to test the functionality of Download reputation. 

Live Protection

SophosLabs have provided a set of sample files for testing the Live Protection functionality. These samples are non-malicious files that trigger a cloud lookup and file submission. 

The following four self executable archives are available for download:

For each of these files, click on the file, then select Unzip. When prompted, use the password “liveprotection” (without quote marks).

On extracting, the content of the SFX file will either be detected at the point it’s written to disk (if “on-write” is enabled) or the next time the file is accessed or scanned on demand.

Malicious traffic detection (MTD)

To test the MTD feature do the following:

  1. Copy the following text and paste it into a text document

    set o = createobject("MSXML2.XMLHTTP")
    o.open "GET", "" & rnd, FALSE
    o.send

  2. Name the file mtd.vbs
  3. Double-click the file to trigger the detection.

If the MTD feature is active you should receive a 'C2/generic-B' detection on the endpoint.
The Sophos Network Threat Protection feature must be installed for MTD to function. This is only available in Sophos Cloud and Sophos Enterprise Console 5.3.0 with managed 10.6.0 and above.

Note: All of the files contained in this article should be used for testing purposes only.

If you need more information or guidance, then please contact technical support.
