User Events

You can see a list of events detected on the user's devices.

  1. Go to People > Manage Users & Groups.
  2. On the Users tab, click the user you want to view details for.
  3. Click the Events tab to see the events detected on the user's devices.

You can see details and, in some cases, take action to prevent unwanted detections.

The list includes:

  • Severity: Hover over an icon to see what it means.
  • Type: An icon shows which Sophos agent reported the event. Hover over it to see what it means.
  • Details: This link (for certain events) lets you get further details and take action.

View Events Report shows events arranged by type and a graph of events day by day.

Stop detecting an application

If an application is reported as malware but you know it's safe, you can allow it from the events list.

For help with deciding whether an application is safe, see How to investigate and resolve a potential False Positive or Incorrect Detection.

Click the Details link beside the event and then allow the application.


This currently applies only to malware events reported by Intercept X.

Stop detecting an exploit

You can exclude an application from exploit detection, either in response to a detection or in advance of any detection.

For help on how to do this, see Stop detecting an exploit.

Stop detecting ransomware

If ransomware is detected but you're sure the detection is incorrect, you can stop it happening again.

This will apply to all your users and computers.

  1. On the Events tab, find the detection event and click Details.
  2. In Event details, look for Don't detect this again.

    Select Exclude this Detection ID from checking. This prevents this detection on this app.

  3. Click Exclude.

We'll add your exclusion to the Global Exclusions list.