The Summary tab in a server's details page lets you see server details.
Go to Devices > Servers and click on the server you want to view details for.
You can manage the server from here.
The sections you see depend on your license and the features you've set up.
Security health status
In the left-hand pane, you can see the security health status and take actions.
The left-hand pane always shows, even when you click the other tabs on this page.
An icon shows you whether the server has any security alerts:
|Green checkmark if there are low-priority alerts or no alerts.|
|Orange warning sign if there are medium-priority alerts.|
|Red warning sign if there are high-priority alerts.|
If you see "Sophos Security VM" under the server name, the server is a host with a Sophos security VM installed. You'll also see additional information in the "Device Status" summary.
Actions you can take
You can take actions on the server with the buttons and links in the left-hand pane. All the actions are described below.
Some actions are only available for Windows servers.
Isolate or remove from isolation
You can only use this action if you have Intercept X Advanced for Server with XDR.
This action is only available for Windows servers.
Isolate isolates the server from the network. You might want to do this if it has potential threats on it. You can still manage the server from Sophos Central, and you can remove it from isolation at any time.
When a server is isolated, you see the following under the server icon and security status.
- The message Isolated by Admin.
- A link labeled Remove from Isolation. Click it to reconnect the server to the network.
Delete deletes the server from Sophos Central.
You should uninstall the Sophos software before deleting a server.
Scan Now scans the server immediately.
The scan may take some time. When complete, you can see a "Scan 'Scan my computer' completed" event and any successful cleanup events on the Logs & Reports > Events page. You can see alerts about unsuccessful cleanup on the Alerts page.
If the server is offline, it will be scanned when it is back online. If a computer scan is already running, the new scan request will be ignored and the earlier scan will carry on.
Lock Down prevents unauthorized software from running on the server.
This option makes a list of the software already installed on the server, checks that it is safe, and allows only that software to run in future.
If you need to make changes on the server later, either unlock it or use the Server Lockdown preferences in the server policy.
Unlock: Unlocks the server. This button is available if you have previously locked down the server.
Diagnose runs the Sophos Diagnostic Utility, which collects logs and sends them to Sophos support.
For more information, see Sophos Diagnostic Utility.
Reset health status
Reset health status resets the health status to "Healthy".
A reset doesn't clean up threats or fix software, but does clear alerts in Sophos Central and on the server.
Do a reset if you want to clear old issues and focus on current or future ones. A server that's issue-free stays “Healthy” after the reset, so any current or future protection or malware issues will be more obvious.
A reset doesn't affect protection. If the server has issues that need action, it'll return to bad health status.
Live Response enables you to connect to the server to investigate and remediate possible security issues. You can connect to the server even if it’s isolated.
To use Live Response, you must meet these conditions:
You must be a Super Admin or have a custom role that includes Start Live Response sessions on computers.
You must sign in with multi-factor authentication (MFA).
We recommend signing in with a Sophos ID, because other methods, such as a Microsoft federated sign-in with MFA, might not let you access Live Response.
Before you start, ensure Live Response is turned on in Global Settings > Server Protection > Live Response.
To start Live Response, do as follows:
- Click Live Response.
- In Session purpose, summarize the purpose of your session.
A connection to the server is opened in another browser tab. The tab shows a terminal window.
At the command prompt, enter commands to perform your investigation or remediation.
Use DOS, UNIX, or Linux commands depending on the computer to which you’ve connected.
When you finish, click End Session.
The connection is closed, although the tab remains open. You can browse elsewhere in Sophos Central from here.
The connection is also closed in the following cases:
- You close the tab.
- You refresh the tab.
- You browse elsewhere in Sophos Central from here.
- There is no activity for 30 minutes.
To see which Live Response sessions have started or ended, view the Sophos Central audit log.
This lists recent events on the server.
For a full list, click the Events tab.
The summary shows the following details.
Some details are only available for Windows servers.
- Last Sophos Central Activity: The last time the server communicated with Sophos Central.
- Last Agent Update: The last time the Sophos agent was updated. Update Now updates the Sophos agent. See Server restarts.
- Agent Version: The version number of the Sophos agent.
- Assigned Products: Shows the Sophos products installed (for example, Intercept X). Shows the license and the version number for each installed product.
- Installed component versions: Click this to see a full list of the Sophos components and their version numbers.
- IPv4 Address
- IPv6 Address
- Operating System: If this is shown as "Sophos Security VM", the server is a host with a Sophos security VM installed.
- Lockdown Status : Shows the status of Server Lockdown, which prevents unauthorized software from running on servers.
Group: Shows the group the server belongs to (if any). Change group lets you add it to a group, move it to a different group, or remove it from its current group. A server can only be in one group.
Connected Guest VMs: You see this only if the server is a host with a Sophos Security VM. It shows the number of guest VMs connected to the Security VM. Click the number to see a list of the guest VMs.
If no guest VMs are powered on, or if you’re still installing agents on them, you may see zero guest VMs.
If you have enabled guest VMs to migrate between Security VMs, this can affect the number of guest VMs connected.
Usually, a connected guest VM is protected. However, if the agent is newly installed, or there is a problem, scanning for threats may not have started yet.
Tamper Protection. This shows whether Tamper Protection is enabled on the server or not. Click Disable Tamper Protection to manage the tamper protection password for the server. See Tamper Protection.
Update Cache and Message Relay Status
If you're using update caches or message relays on your network, you see this status information.
If the server is being used as an update cache or a message relay, you see:
- The status of the cache and when the last update was made. It also shows how many computers are using it as a cache.
- The status of the relay and how many computers are using it.
Alternatively, if the server is getting its updates from a cache (or using a relay) that's been set up elsewhere, you see details of where that cache or relay is. See Manage Update Caches and Message Relays.
Windows Firewall is active and being managed on the computer. It also shows:
- Whether Windows Group Policy is being used.
- The active network profiles.
- If other registered firewalls are installed and active.