Threat Search Results

When you run a threat search, you'll see a list of devices where the search has detected suspicious files or threats.

Threat searches are only available if you have Intercept X Advanced with XDR or Intercept X Advanced with XDR for Server.

Click See details next to a device. This opens a page where you can see the history of each item.

On the details page, you can also take these actions (depending on the item detected):

  • Isolate the device.
  • Clean up and block applications.
  • Generate a new threat case (if required) or view an existing case.

Alternatively, if you have several affected devices, you can isolate them all at once on the main results page.

Latest status

The Latest status column shows these events for suspicious files:

Discovered: The search discovered the file but didn't detect a threat in it.

Detected: The search detected a threat in the file.

Added: The file was added to the device.

Executed: The file was run.

Reputation Updated: Sophos updated the file's reputation level or a Sophos Central admin allowed or blocked the file (which updates its "local" reputation).

Path Updated: The file was moved.

Removed: The file was removed from the device.

Note: Different details are shown for network connections and admin tools.
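As an added example (not Sophos code, and not the product's export format), the script below applies the Latest status meanings above to a constructed event history: it folds each file's events into its most recent status and picks out devices where a file with a detected threat was executed and has not since been removed, a sensible first cut at which devices to isolate first. The FileEvent structure, the device names and the file identifiers are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Status values as they appear in the Latest status column.
STATUSES = {"Discovered", "Detected", "Added", "Executed",
            "Reputation Updated", "Path Updated", "Removed"}


@dataclass(frozen=True)
class FileEvent:
    device: str    # device name as listed in the search results (assumed field)
    file_id: str   # identifier of the suspicious file, e.g. its hash (assumed field)
    when: datetime
    status: str


def histories(events):
    """Group events by (device, file) in time order; rejects unknown statuses."""
    by_key = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.status not in STATUSES:
            raise ValueError(f"unknown status {ev.status!r}")
        by_key.setdefault((ev.device, ev.file_id), []).append(ev.status)
    return by_key


def latest_status(events):
    """Latest status per (device, file): the most recent event wins."""
    return {key: hist[-1] for key, hist in histories(events).items()}


def isolation_candidates(events):
    """Devices where a file with a detected threat was run and is still present.
    A final Removed means the file is gone; Path Updated or Reputation Updated
    after Detected does not clear the detection."""
    out = set()
    for (device, _), hist in histories(events).items():
        if "Detected" in hist and "Executed" in hist and hist[-1] != "Removed":
            out.add(device)
    return out


def at(hour):
    return datetime(2024, 1, 10, hour)


# Constructed sample history, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent("host-a", "file-1", at(9), "Added"),
    FileEvent("host-a", "file-1", at(10), "Executed"),
    FileEvent("host-a", "file-1", at(11), "Detected"),
    FileEvent("host-b", "file-1", at(9), "Added"),
    FileEvent("host-b", "file-1", at(10), "Discovered"),
    FileEvent("host-b", "file-1", at(12), "Removed"),
    FileEvent("host-c", "file-2", at(9), "Detected"),
    FileEvent("host-c", "file-2", at(13), "Path Updated"),
]
```

Running `isolation_candidates(SAMPLE_EVENTS)` returns only host-a: host-b's file is gone and host-c's detected file was moved but never executed, so it is flagged but lower priority.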

Isolate the device

To isolate the device, select it and click Isolate.

You can allow isolated devices to communicate with other devices in limited circumstances. You can do this in the endpoint and server threat protection policies.

Clean up and block

To review, clean up and block a threat:

  1. Click See details.
  2. Review the details of the threat.

    To deal with a suspicious application:

    1. If the device is not already isolated, click Isolate.
    2. To clean up and block the application, click Actions > Clean and block.

      This cleans up the suspicious application on devices where it's been found and blocks it on all devices.

      You can also clean up and block applications by adding them to the Blocked Items list.

You can remove devices from isolation after you have investigated and taken action.