The Summary tab in a computer's details page shows you the following information.
Go to Devices > Computers and click the computer you want to view details for.
The sections you see depend on your license and the features you've set up.
Security health status
In the left-hand pane, you can see the security health status and take action.
The left-hand pane always shows, even when you click the other tabs on this page.
An icon shows you whether the computer has any security alerts:
- Green checkmark: there are low-priority alerts or no alerts.
- Orange warning sign: there are medium-priority alerts.
- Red warning sign: there are high-priority alerts.
Actions you can take
You can take actions on the computer with the buttons and links in the left-hand pane. Click More actions to show the extended list of actions.
All the actions are described below.
Isolate or remove from isolation
This option is available if you have Intercept X Advanced with XDR.
Isolate isolates the computer from the network. You might want to do this if it has potential threats on it. You can still manage the computer from Sophos Central, and you can remove it from isolation at any time.
When a computer is isolated, you see the following under the computer icon and security status.
- The message Isolated by Admin.
- A link labeled Remove from Isolation. Click it to reconnect the computer to the network.
You don't see the Isolate option if the computer has already isolated itself automatically. See Device Isolation.
Update now updates the computer with the latest Sophos software. See Computer restarts.
Delete deletes the computer from Sophos Central. It also deletes the alerts associated with the computer.
You must uninstall the Sophos software before deleting a computer.
Live Response allows you to connect to the computer to investigate and remediate possible security issues. You can connect to the computer even if it’s isolated.
To use Live Response, you must meet these conditions:
- You must be a Super Admin or have a custom role that includes Start Live Response sessions on computers.
- You must sign in with multi-factor authentication (MFA).
We recommend signing in with a Sophos ID, because other methods, such as a Microsoft federated sign-in with MFA, might not let you access Live Response.
Before you start, ensure Live Response is turned on in Global Settings > Endpoint Protection > Live Response.
To start Live Response, do as follows:
1. Click Live Response.
2. In Session purpose, summarize your session.
   A connection to the computer opens in another browser tab. The tab shows a terminal window.
   If the new tab doesn't open, your browser may have blocked it. Configure your browser to allow it.
3. At the command prompt, enter commands to perform your investigation or remediation.
   Use DOS, UNIX, or Linux commands depending on the computer to which you've connected.
4. When you finish, click End Session.
   The connection is closed, although the tab remains open. You can browse elsewhere in Sophos Central from here.
The connection is also closed in the following cases:
- You close the tab.
- You refresh the tab.
- You browse elsewhere in Sophos Central from here.
- There is no activity for 30 minutes.
To see which Live Response sessions have started or ended, view the Sophos Central audit log.
Click More actions to see Change group. This lets you add the computer to a group, move it to a different group, or remove it from its current group.
Click More actions to see Scan Now. This scans the computer for threats.
The scan may take some time. When complete, you can see a "Scan completed" event and any successful cleanup events on the Logs & Reports > Events page. You can see alerts about unsuccessful cleanup on the Alerts page.
If the computer is offline, it's scanned when it is back online. If a computer scan is already running, the new scan request is ignored, and the earlier scan carries on.
Click More actions to see Diagnose. This runs the Sophos Diagnostic Utility, which collects logs and sends them to Sophos support. For more information, see Sophos Diagnostic Utility.
Create forensic snapshot
Click More actions to see Create forensic snapshot. You can create a "forensic snapshot" of data from the device. This gets data from a Sophos log of the device's activity and saves it on that device. For more information on forensic snapshots see Forensic snapshots.
You can also save it in the Amazon Web Services (AWS) S3 bucket you specify. You can then do your analysis.
You'll need a converter (which we provide) to read the data.
You can choose how much data you want in snapshots and where to upload them. To do this, go to Global Settings > Forensic Snapshots. These options may not be available for all customers yet.
To create a snapshot, do as follows:
1. Go to a threat graph's Analyze tab.
   Alternatively, on the details page of the device, open the Status tab.
2. Click Create forensic snapshot.
3. Follow the steps in Upload a forensic snapshot to an AWS S3 bucket.
You can find the snapshots you generated in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Forensic Snapshots\.
Snapshots generated from detections are in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Saved Data\.
You need to be an administrator with access to the tamper protection password and run a command prompt as an administrator to access the saved snapshots.
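Before copying saved snapshots off the device or uploading them to S3, it is good practice to record a hash manifest so you can show the files were not altered in transit. The following PowerShell is an added example, not Sophos code; it reads the two snapshot folders named above, and assumes you run it from an elevated prompt with the tamper protection password available as described, and that $EvidenceRoot is a folder of your choosing.

```powershell
# Added example (not Sophos code): inventory and SHA-256 hash saved forensic
# snapshots before you copy or upload them. Run from an elevated PowerShell
# on the endpoint. Assumption: $EvidenceRoot is a folder you choose for the manifest.

function New-SnapshotManifest {
    param(
        [string]$EvidenceRoot = "$env:USERPROFILE\SophosSnapshotEvidence"
    )
    # Folder paths as documented on this page.
    $sources = @(
        "$env:PROGRAMDATA\Sophos\Endpoint Defense\Data\Forensic Snapshots",  # created manually
        "$env:PROGRAMDATA\Sophos\Endpoint Defense\Data\Saved Data"           # created from detections
    )
    New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

    $manifest = foreach ($dir in $sources) {
        if (-not (Test-Path -Path $dir)) {
            Write-Warning "Snapshot folder not found (no snapshots yet, or access denied): $dir"
            continue
        }
        Get-ChildItem -Path $dir -File -Recurse | ForEach-Object {
            $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
            [pscustomobject]@{
                Path        = $_.FullName
                SizeBytes   = $_.Length
                ModifiedUtc = $_.LastWriteTimeUtc.ToString('o')
                SHA256      = $hash.Hash
            }
        }
    }

    # One manifest per run, named by UTC timestamp; keep it with the copied snapshots.
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
    $out = Join-Path -Path $EvidenceRoot -ChildPath "snapshot-manifest-$stamp.csv"
    $manifest | Export-Csv -Path $out -NoTypeInformation
    return $out
}

# Usage: writes the manifest and prints its path.
New-SnapshotManifest
```

Re-run Get-FileHash on the uploaded copies and compare against the manifest to confirm integrity after transfer.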
Reset health status
This option is not available for macOS.
Click More actions to see Reset health status. This resets the health status to "Healthy".
A reset doesn't clean up threats or fix software, but does clear alerts in Sophos Central and on the computer.
Do a reset if you want to clear old issues and focus on current or future ones. A computer that's issue-free stays "Healthy" after the reset, so any current or future protection or malware issues will be more obvious.
A reset doesn't affect protection. If the computer has issues that need action, it'll return to bad health status.
This lists recent events on the computer. For a full list, click the Events tab.
The icons indicate which Sophos agent reported each event. Hover over an icon to see what it means.
The Endpoint Agent provides threat protection and other features like peripheral control, application control, and web control.
The summary shows the following details. It also includes links to update the computer, install products, or change the group the computer's in, as needed.
- Last Activity: Shows when the last activity occurred.
- Last Agent Update: Shows whether the computer is up to date.
- Assigned Products: Shows the Sophos products installed (for example, Intercept X or Device Encryption). Shows the license and the version number for each installed product. The version information is only available for Windows computers.
- Installed component versions: Click this to see a full list of the Sophos components and their version numbers. This is only available for Windows computers.
- Group: Shows which group the computer is in (if any).
Device Encryption allows you to manage BitLocker Drive Encryption on Windows computers and FileVault encryption on Macs.
This summary shows:
- All volumes of the computer.
- The volume ID for each volume.
- The encryption status.
- The authentication type.
- The encryption method.
For Windows computers, you can see Encrypted since. The information shown depends on the device.
- For computers already encrypted with Sophos Central Device Encryption, it shows the date and time the computer upgraded to Sophos Central Device Encryption version 2.1.
- For computers encrypted using another encryption product, it shows the date and time Sophos Central Device Encryption was installed.
- For new computers encrypted with Sophos Central Encryption 2.1 (or later), it shows the date and time of encryption.
You can encrypt volumes with software-based or hardware-based encryption. Device Encryption always uses software-based encryption for new volumes, even if the drive supports hardware-based encryption.
If a drive is encrypted with hardware-based encryption, it isn't changed.
If a BitLocker group policy setting requires hardware-based encryption, it is used.
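To cross-check the volume, status, authentication type and encryption method that this summary shows against what the endpoint itself reports, the following PowerShell is an added example (not Sophos code) built on the Windows BitLocker module. It assumes an elevated prompt on the Windows computer, and assumes that the BitLocker group policy for hardware-based encryption on OS drives is stored in the registry value HKLM\SOFTWARE\Policies\Microsoft\FVE\OSHardwareEncryption.

```powershell
# Added example (not Sophos code): report, per volume, the same fields the Device
# Encryption summary shows, using the built-in BitLocker module. Run elevated.
# Assumption: the "hardware-based encryption for OS drives" policy is stored as
# HKLM\SOFTWARE\Policies\Microsoft\FVE\OSHardwareEncryption (DWORD).

function Get-LocalEncryptionSummary {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $hwPolicy = (Get-ItemProperty -Path $policyPath -Name OSHardwareEncryption `
                    -ErrorAction SilentlyContinue).OSHardwareEncryption
    $hwSetting = if ($null -eq $hwPolicy) { 'not configured' } else { $hwPolicy }

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types (Tpm, TpmPin, Password, RecoveryPassword, ...) are the
        # "authentication type". A RecoveryPassword protector is what a recovery key unlocks.
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        [pscustomobject]@{
            Volume           = $vol.MountPoint
            VolumeType       = $vol.VolumeType         # OperatingSystem or Data
            Status           = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
            PercentEncrypted = $vol.EncryptionPercentage
            Method           = $vol.EncryptionMethod   # e.g. XtsAes128; None if not encrypted
            Protection       = $vol.ProtectionStatus   # On: protectors enforced; Off: suspended
            Authentication   = $protectors
            HasRecoveryKey   = ($protectors -match 'RecoveryPassword')
            HwEncryptionGpo  = $hwSetting
        }
    }
}

Get-LocalEncryptionSummary | Format-Table -AutoSize
```

A volume with Protection set to Off while Status is FullyEncrypted means BitLocker is suspended, which is worth investigating if the Sophos summary still reports the volume as encrypted.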
Retrieve Recovery Key
You can also get a recovery key here. You can use this to unlock the computer if users forget their login credentials. See Encryption Recovery Key Search.
Trigger change of password/PIN
This requires users to change their BitLocker password or PIN immediately. A message is displayed when the request is sent successfully.
On the endpoint, users are asked to set a new BitLocker password or PIN. If users close the dialog without entering a new password or PIN, the dialog is shown again after 30 seconds. This stops when they enter a new password or PIN. After users have closed the dialog five times without changing the password or PIN, an alert is logged.
This shows whether tamper protection is turned on or not.
When tamper protection is on, a local administrator can't make any of the following changes on their computer without the tamper protection password:
- Change settings for on-access scanning, suspicious behavior detection (HIPS), web protection, or Sophos Live Protection.
- Disable tamper protection.
- Uninstall the Sophos agent software.
Click Disable Tamper Protection to manage the tamper protection password for the computer. If tamper protection is off, we recommend you turn it on.
You can recover tamper protection passwords for deleted computers. See Recover deleted devices.
Update Cache and Message Relay
Sophos Update Cache enables your computers to get their Sophos Central updates from a cache on a server on your network, rather than directly from Sophos. You can also designate servers to communicate with Sophos Central as message relays.
This shows whether a cache has been set up for the computer and which server is being used.
This shows whether Windows Firewall is active and managed on the computer. It also shows:
- Whether Windows Group Policy is used.
- The active network profiles.
- If other registered firewalls are installed and active.