Server Summary

The Summary tab in a server's details page lets you see server details.

Go to Overview > Devices > Servers and click on the server you want to view details for.

You can manage the server from here.

The sections you see depend on your license and the features you've set up.

Security status

In the left-hand pane, you can see the security status and take actions.

Note: The left-hand pane is always shown, even when you click the other tabs on this page.

If you see "Sophos Security VM" under the server name, the server is a host with a Sophos security VM installed. You'll also see additional information in the "Device Status" summary.

Actions you can take

The action links and buttons are in the left-hand pane.

Restriction: Some actions are only available for Windows servers.
  • Isolate: This isolates the server from the network.
  • Delete: Deletes the server from Sophos Central.
    Warning: You should uninstall the Sophos software before deleting a server.
  • Scan Now: Scans the server immediately.

    The scan may take some time. When complete, you can see a "Scan 'Scan my computer' completed" event and any successful cleanup events on the Logs & Reports > Events page. You can see alerts about unsuccessful cleanup on the Alerts page.

    If the server is offline, it will be scanned when it is back online. If a computer scan is already running, the new scan request will be ignored and the earlier scan will carry on.

  • Lock Down: Prevents unauthorized software from running on the server.

    This option makes a list of the software already installed on the server, checks that it is safe, and allows only that software to run in future.

    If you need to make changes on the server later, either unlock it or use the Server Lockdown preferences in the server policy.

  • Unlock: Unlocks the server. This button is available if you have previously locked down the server.
  • Diagnose: Runs the Sophos Diagnostic Utility, which collects logs and sends them to Sophos support. For more information, see Sophos Diagnostic Utility.
  • Live Response: Enables you to connect to the server to investigate and remediate possible security issues.

Live Response

Restriction: To use Live Response, you must be a Super Admin or have a custom role that includes Start Live Response sessions on servers. You must also sign in with multi-factor authentication (MFA). We recommend signing in with a Sophos ID, because other methods, such as a Microsoft federated sign-in with MFA, might not let you access Live Response.

This option enables you to connect to the server to investigate and remediate possible security issues. You can connect to the server even if it's isolated.

Before you start, ensure Live Response is turned on in Overview > Global Settings > Server Protection > Live Response.

To start Live Response, do as follows:

  1. Click Live Response.
  2. In Session purpose, summarize the purpose of your session.
  3. Click Start.

    A connection to the server is opened in another browser tab. The tab shows a terminal window.

  4. At the command prompt, enter commands to perform your investigation or remediation.

    Use DOS, UNIX, or Linux commands depending on the computer to which you’ve connected.

  5. When you finish, click End Session.

    The connection is closed, although the tab remains open. You can browse elsewhere in Sophos Central from here.

    The connection is also closed in the following cases:

    • You close the tab.
    • You refresh the tab.
    • You browse elsewhere in Sophos Central from here.
    • There is no activity for 30 minutes.

To see which Live Response sessions have started or ended, view the Sophos Central audit log.

Recent Events

This lists recent events on the server.

For a full list, click the Events tab.

Agent Summary

The summary shows the following details.

Restriction: Some details are only available for Windows servers.
  • Last Sophos Central Activity: The last time the server communicated with Sophos Central.
  • Last Agent Update: The last time the Sophos agent was updated. Update Now updates the Sophos agent.
  • Agent Version: The version number of the Sophos agent.
  • Assigned Products: Shows the Sophos products installed (for example, Intercept X). Shows the license and the version number for each installed product.
  • Installed component versions: Click this to see a full list of the Sophos components and their version numbers.
  • IPv4 Address
  • IPv6 Address
  • Operating System: If this is shown as "Sophos Security VM", the server is a host with a Sophos security VM installed.
  • Lockdown Status: Shows the status of Server Lockdown, which prevents unauthorized software from running on servers.
  • Group: Shows the group the server belongs to (if any). Change group lets you add it to a group, move it to a different group, or remove it from its current group. A server can only be in one group.
  • Connected Guest VMs: You see this only if the server is a host with a Sophos Security VM. It shows the number of guest VMs connected to the Security VM. Click the number to see a list of the guest VMs.

    If no guest VMs are powered on, or if you’re still installing agents on them, you may see zero guest VMs.

    If you have enabled guest VMs to migrate between Security VMs, this can affect the number of guest VMs connected.

    Usually, a connected guest VM is protected. However, if the agent is newly installed, or there is a problem, scanning for threats may not have started yet.

  • Tamper Protection: This shows whether Tamper Protection is enabled on the server or not. Click Disable Tamper Protection to manage the tamper protection password for the server. See Tamper Protection.

Update Cache and Message Relay Status

If you're using update caches or message relays on your network, you see this status information.

If the server is being used as an update cache or a message relay, you see:

  • The status of the cache and when the last update was made. It also shows how many computers are using it as a cache.
  • The status of the relay and how many computers are using it.

Alternatively, if the server is getting its updates from a cache (or using a relay) that's been set up elsewhere, you see details of where that cache or relay is. See Manage Update Caches and Message Relays.

Windows Firewall

Windows Firewall is active and being managed on the computer. It also shows:

  • Whether Windows Group Policy is being used.
  • The active network profiles.
  • If other registered firewalls are installed and active.