Malware and PUA event types

These are the malware and PUA event types you can see in Sophos Central.

Depending on the features included in your license, you may see all or some of the following event types:

Runtime Detections

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Running malware detected | Medium | No | A program that was running on a computer and exhibited malicious or suspicious behavior has been detected. Sophos Central attempts to remove the threat. If it succeeds, no alerts are shown on the Alerts page, and a Running malware cleaned up event is added to the events list. |
| Running malware not cleaned up | High | Yes | A program that was running on a computer and exhibited malicious or suspicious behavior could not be cleaned up. The following events may be displayed for this event type: |
| Running malware cleaned up | Low | No | |
| Malicious activity detected | High | Yes | Malicious network traffic, possibly headed to a command-and-control server involved in a botnet or other malware attack, has been detected. |
| Running malware locally cleared | Low | No | A running malware alert has been cleared from the alerts list on an endpoint computer. |
| Ransomware detected | High | No | An unauthorized program attempted to encrypt a protected application. |
| Ransomware attack resolved | Low | No | |
| Remotely-run ransomware detected | Medium | Yes | An unauthorized program attempted to remotely encrypt a protected application. |
| Remotely-run ransomware attack resolved | Low | No | |
| Ransomware attacking a remote machine detected | High | Yes | This computer has been detected attempting to remotely encrypt applications on another computer. |
| Safe Browsing detected compromised browser | Medium | Yes | An attempt to exploit a vulnerability in an internet browser has been blocked. |
| Exploit prevented | Low | No | An attempt to exploit a vulnerability in an application, on an endpoint computer, has been blocked. |
| Application hijacking prevented | Low | No | Application hijacking was prevented on an endpoint computer. |
| Behavioral | Low | Yes | This application has been detected behaving suspiciously. In some instances a reboot is required to complete the cleanup process. A reboot event is shown if this happens. This type of detection is only available if you are signed up to the Early Access Program. |

Application Control

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Application blocked | Medium | No | |
| Application allowed | Low | No | A controlled application has been detected and then allowed. |

Malware

If you have deep learning enabled, you may see malware detections shown as ML/PE-A.

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Malware detected | Medium | No | Malware has been detected on a device monitored by Sophos Central. Sophos Central will attempt to remove the threat. If successful, no alerts will be displayed on the Alerts page, and a "Malware cleaned up" event will appear on the events list. |
| Malware not cleaned up | High | Yes | The following events may be displayed for this event type: |
| Malware cleaned up | Low | No | |
| Recurring infection | High | Yes | A computer has become reinfected after Sophos Central attempted to remove the threat. It may be because the threat has hidden components that haven't been detected. |
| Threat removed | Low | No | |
| Malware locally cleared | Low | No | A malware alert has been cleared from the alerts list on an endpoint computer. |

Potentially Unwanted Application (PUA)

| Event type | Severity | Action required? | Description |
|---|---|---|---|
| Potentially Unwanted Application (PUA) blocked | Medium | Yes | A potentially unwanted application has been detected and blocked. |
| Potentially Unwanted Application (PUA) not cleaned up | Medium | Yes | The following events may be displayed for this event type: |
| Potentially Unwanted Application (PUA) cleaned up | Low | No | |
| Potentially Unwanted Application (PUA) locally cleared | Low | No | A potentially unwanted application alert has been cleared from the alerts list on an endpoint computer. |