How to find out a file's SHA-256 hash

You may need a file's SHA-256 hash to confirm that the file hasn't changed.

This can be useful when you work with Sophos Support to investigate an infection or potential false positive. It is also an easy way to confirm that a file hasn't been changed or corrupted after sharing it by email, FTP, and so on. Any changes cause the hash to change.

If the file has not been detected by Sophos, you can use the Sophos Endpoint Self Help tool, which is installed on every Sophos Central endpoint. See Sophos Endpoint Self Help: File Info and Threat Graphs.

If the file has been detected by Sophos, use the event details in Sophos Central, as follows:

  1. Go to Devices and select Computers or Servers, depending on where the detection occurred.

  2. Find the device on which the file has been detected and click the device name.

  3. Click Events.

  4. Find the detection event (not the cleanup event).

    • If there is a Details link next to the event, click it to show Event details. Here you can see the SHA-256 hash.

      Screenshot of detection event highlighting the Details link.

    • Otherwise, check if a threat graph has been created for the detection. This shows the SHA-256 hash of any processes involved.

If you cannot find the hash or have any questions, contact Sophos Support.
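
Once you have a SHA-256 hash, for example from Event details, you can check a local copy of the file against it. The following Python script is an added example, not part of the original page or of any Sophos tool; its function names and sample file are constructed for illustration. It hashes a file in chunks, accepts a hash pasted with stray whitespace or uppercase letters, and shows that changing one bit of the file makes the comparison fail.

```python
import hashlib
import hmac
import os
import re
import tempfile

SHA256_HEX = re.compile(r"[0-9a-f]{64}")


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_hash(text):
    """Clean up a hash pasted from a console or email and validate its shape."""
    value = text.strip().lower()
    if not SHA256_HEX.fullmatch(value):
        raise ValueError("expected 64 hexadecimal characters for SHA-256")
    return value


def matches(path, expected):
    """Return True if the file's SHA-256 equals the expected (pasted) hash."""
    return hmac.compare_digest(sha256_file(path), normalize_hash(expected))


def demo():
    """Constructed sample: record a hash, flip one bit in the file, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n" * 1000)
        pasted = "  " + sha256_file(path).upper() + "\n"  # as if copied by hand
        before = matches(path, pasted)
        with open(path, "r+b") as fh:  # flip the lowest bit of byte 10
            fh.seek(10)
            original = fh.read(1)[0]
            fh.seek(10)
            fh.write(bytes([original ^ 0x01]))
        after = matches(path, pasted)
        return before, after


if __name__ == "__main__":
    print(demo())
```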