This article lists different methods you can use to test that your Sophos Endpoint detection features are working correctly. You can test these items from any endpoint computer on your network.
Note: All of the files and links in this article are completely harmless. They are designed to be recognized by the anti-virus software as if they were a virus, and a successful test results in a detection.
Applies to the following Sophos product(s) and version(s)
UTM Managed Endpoint (Windows 2000+)
Sophos Endpoint Security and Control
Sophos Cloud Managed Endpoint
What To Do
On-Demand and On-access scanning
Important: The EICAR test string is not a virus; it is an industry-standard detection test. Sophos Anti-Virus will report its presence as the 'EICAR-AV-Test' virus.
SAVTST32.EXE is a utility designed to test the operation of Sophos Anti-Virus by using the EICAR test string, which Sophos Anti-Virus recognizes as a virus.
For more information, see the SAVTST32 release notes.
- Download the EICAR string from http://www.eicar.org/
- Copy the string into Notepad and save it as eicar.txt
- To test the on-access scanner, rename the file to eicar.com and run it.
If the on-access scanner is enabled and functioning correctly, you should see a detection.
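If no detection appears, first confirm that the saved file is still a valid test file: a text editor can save the string with a UTF-8 byte-order mark or as UTF-16, while the EICAR definition requires the file to begin with the 68-byte string, followed only by optional whitespace, within 128 bytes in total. The check below is an added example, not part of the original Sophos article; the helper name check_eicar and its result labels are assumptions made for illustration.

```python
import sys

# The 68-byte EICAR test string, split into pieces so that this script
# is less likely to be flagged itself when saved to disk.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-" + b"ANTIVIRUS-TEST-FILE!$H+H*"

# Per the EICAR definition, only these bytes may follow the string
# (space, tab, LF, CR, Ctrl-Z), and the whole file may not exceed 128 bytes.
ALLOWED_TRAILING = b" \t\n\r\x1a"
MAX_LEN = 128


def check_eicar(data: bytes) -> str:
    """Classify a saved test file (hypothetical helper and labels)."""
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf8-bom"        # editor saved as UTF-8 with a byte-order mark
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "utf16"           # editor saved as "Unicode" (UTF-16)
    if not data.startswith(EICAR):
        return "wrong-prefix"    # string truncated, altered, or preceded by text
    if len(data) > MAX_LEN:
        return "too-long"
    if data[len(EICAR):].strip(ALLOWED_TRAILING):
        return "trailing-data"   # something other than whitespace follows
    return "ok"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "eicar.txt"
    try:
        with open(path, "rb") as fh:
            print(path, "->", check_eicar(fh.read()))
    except OSError as exc:
        # With on-access scanning active, the read itself may be denied
        # or the file may already have been removed.
        print(path, "could not be read:", exc)
```

Any result other than ok means the file no longer matches the EICAR definition, so a missing detection would not by itself indicate a scanner fault.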
Web protection/Web control
SophosLabs have provided the webpage http://sophostest.com/ which you can use to test the functionality of Sophos Web protection and Web control. Click on the relevant section title to see the Sophos response/description.
- Clicking the 'Malware' option on the above page tests whether web protection is operating correctly. This should display a blocked page and a balloon alert in the system tray.
- To confirm whether Web control is functioning, click the other options on the page http://sophostest.com/ to test the category classification.
SophosLabs have provided a set of sample files for testing the Live Protection functionality. These samples are non-malicious files that trigger a cloud lookup and file submission. Use these files for testing purposes only.
The following four self-executable archives are available for download:
For each of these files, click on the file, then select Unzip. When prompted, use the password “liveprotection” (without quote marks).
On extraction, the content of the SFX file will be detected either at the point it is written to disk (if “on-write” is enabled) or the next time the file is accessed or scanned on demand.
Malicious traffic detection (MTD)
To test the MTD feature, do the following:
- Copy the following text and paste it into a text document:
set o = createobject("MSXML2.XMLHTTP")
o.open "GET", "http://sophostest.com/callhome/" & rnd, FALSE
o.send
- Name the file mtd.vbs
- Double-click the file to trigger the detection.
If the MTD feature is active, you should receive a 'C2/generic-B' detection on the endpoint.
Note: The Sophos Network Threat Protection feature must be installed for MTD to function. This is only available in Sophos Cloud and Sophos Enterprise Console 5.3.0 with managed 10.6.0 computers.