Server Events

The Events tab in a server's details page lets you see events detected on the server.

Go to Devices > Servers and click on the server you want to view details for. Click Events to view the events detected on the server.

You can see details and, in some cases, take action to prevent unwanted detections.

The list includes:

  • Sev: Hover over an icon to see what it means.
  • Type: An icon shows which Sophos agent reported the event. Hover over it to see what it means.
  • Details: This link (for some events) lets you get further details and take action.

View Events Report: Shows events arranged by type and a graph of events day by day.

You may notice that an event has a later timestamp than the Last active timestamp shown for the server on the Servers page. This is because the Last active timestamps are refreshed only once an hour on average.

Stop detecting an application

If an application is reported as malware but you know it's safe, you can allow it from the events list.

For help with deciding whether an application is safe, see How to investigate and resolve a potential False Positive or Incorrect Detection.

Click the Details link beside the event and then allow the application.


This currently applies only to malware events reported by Intercept X.

Stop detecting an exploit

You can exclude an application from exploit detection, either in response to a detection or in advance of any detection.

For help on how to do this, see Stop detecting an exploit.

Stop detecting ransomware

If ransomware is detected but you're sure the detection is incorrect, you can stop it from happening again.

This will apply to all your users and computers.

  1. On the Events tab, find the detection event and click Details.
  2. In Event details, look for Don't detect this again.

    Select Exclude this Detection ID from checking. This prevents this detection on this app.

  3. Click Exclude.

We'll add your exclusion to the Global Exclusions list.