Malware and PUA event types

These are the malware and PUA event types you can see in Sophos Central.

Depending on the features included in your license, you may see all or some of the following event types.

See Malicious behavior types and ML/PE-A detection explained.

Runtime Detections

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Running malware detected | Medium | No | A program that was running on a computer and exhibited malicious or suspicious behavior has been detected. Sophos Central attempts to remove the threat. If it succeeds, no alerts are shown on the Alerts page, and a Running malware cleaned up event is added to the events list. |
| Running malware not cleaned up | High | Yes | A program that was running on a computer and exhibited malicious or suspicious behavior could not be cleaned up. The following events may be displayed for this event type: "Running malware requires manual cleanup"; "Computer scan required to complete running malware cleanup"; "Reboot required to complete running malware cleanup"; "Running malware not cleaned up". |
| Running malware cleaned up | Low | No | |
| Malicious activity detected | High | Yes | Malicious network traffic, possibly headed to a command-and-control server involved in a botnet or other malware attack, has been detected. |
| Running malware locally cleared | Low | No | A running malware alert has been cleared from the alerts list on an endpoint computer. |
| Ransomware detected | High | No | An unauthorized program attempted to encrypt a protected application. |
| Ransomware attack resolved | Low | No | |
| Remotely-run ransomware detected | Medium | Yes | An unauthorized program attempted to remotely encrypt a protected application. |
| Remotely-run ransomware attack resolved | Low | No | |
| Ransomware attacking a remote machine detected | High | Yes | This computer has been detected attempting to remotely encrypt applications on another computer. |
| Safe Browsing detected compromised browser | High | Yes | An attempt to exploit a vulnerability in an internet browser has been blocked. |
| Exploit prevented | Low | No | An attempt to exploit a vulnerability in an application, on an endpoint computer, has been blocked. |
| Application hijacking prevented | Low | No | Application hijacking was prevented on an endpoint computer. |
| Behavioral | Low | Yes | This application has been detected behaving suspiciously. In some instances a reboot is required to complete the cleanup process. A reboot event is shown if this happens. This type of detection is only available if you are signed up to the Early Access Program. |
| AMSI protection blocked a threat | Low | No | We blocked a threat detected by AMSI protection. |
| AMSI protection could not clean up a threat | High | Yes | An AMSI detection could not be cleaned up. You need to clean this up. |
| AMSI protection cleaned up a threat | Low | | |

Application Control

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Application blocked | Medium | No | |
| Application allowed | Low | No | A controlled application has been detected and then allowed. |

Malware

If you have deep learning enabled, you may see malware detections shown as ML/PE-A.

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Malware detected | Medium | No | Malware has been detected on a device monitored by Sophos Central. Sophos Central will attempt to remove the threat. If successful, no alerts will be displayed on the Alerts page, and a "Malware cleaned up" event will appear on the events list. |
| Malware not cleaned up | High | Yes | The following events may be displayed for this event type: "Manual cleanup required"; "Computer scan required to complete cleanup"; "Reboot required to complete cleanup"; "Malware not cleaned up". |
| Malware cleaned up | Low | No | |
| Recurring infection | High | Yes | A computer has become reinfected after Sophos Central attempted to remove the threat. It may be because the threat has hidden components that haven't been detected. |
| Threat removed | Low | No | |
| Malware locally cleared | Low | No | A malware alert has been cleared from the alerts list on an endpoint computer. |

Potentially Unwanted Application (PUA)

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Potentially Unwanted Application (PUA) blocked | Medium | Yes | A potentially unwanted application has been detected and blocked. |
| Potentially Unwanted Application (PUA) not cleaned up | Medium | Yes | The following events may be displayed for this event type: "Manual PUA cleanup required"; "Computer scan required to complete PUA cleanup"; "Reboot required to complete PUA cleanup"; "PUA not cleaned up". |
| Potentially Unwanted Application (PUA) cleaned up | Low | No | |
| Potentially Unwanted Application (PUA) locally cleared | Low | No | A potentially unwanted application alert has been cleared from the alerts list on an endpoint computer. |