Skip to content

Deal with outbreaks

We report an outbreak if a device experiences 100 detections in 24 hours.

An outbreak includes detections of Portable Executable (PE) files. These detections come from Intercept X and security features like file reputation checks. You’ll still get some detection events reported for the device during an outbreak. These detections are usually for non-PE files, such as documents and scripts.

You must investigate outbreaks. When you've removed the threat (or PUA), you must mark the alert as resolved.


We display an OutBreak Detected alert until you mark it as resolved. The alert turns off detection reporting for the device. You must mark the Outbreak Detected alert as resolved to see all the detections occurring on the device. This doesn't affect protection.

Investigate outbreaks

We recommend that you remove the device from your network while you investigate.

If you have Intercept X, you can use Threat Graphs to investigate the Outbreak Detected alert. See Threat Graphs.

For advice on what to do about threats, see How to deal with threats.

If you believe the detections are incorrect (false positives), see Deal with false positives.

If you’re unsure how to deal with the outbreak, contact Sophos Support.

Resolve Outbreak Detected alerts

To resolve an Outbreak Detected alert, do as follows:

  1. Go to Alerts.
  2. Select the Outbreak Detected alert.

    It's shown as a High alert.

  3. Click Mark As Resolved and click OK.

    This action clears the alert and turns on detection reporting for the device.