Computer Summary

The Summary tab in a computer's details page shows you the following information.

The sections you see depend on your license and the features you've set up.

Security status

In the left-hand pane, you can see the security status and take action.

Note The left-hand pane always shows, even when you click the other tabs on this page.

An icon shows you whether the computer has any security alerts:

  • Green check mark: There are low-priority alerts or no alerts.
  • Orange warning sign: There are medium-priority alerts.
  • Red warning sign: There are high-priority alerts.

Actions you can take

The action buttons are in the left-hand pane.

Update: This updates your computer with the latest Sophos software.

Delete: This deletes the computer from Sophos Central. It also deletes the alerts associated with the computer.

Warning You must uninstall the Sophos software before deleting a computer.

Isolate: This isolates the computer from the network.

Live Response (Beta): This allows you to connect to the computer to investigate and remediate possible security issues.

Change group: This lets you add it to a group, move it to a different group, or remove it from its current group.

Scan Now: This scans the computer for threats.

The scan may take some time. When complete, you can see a "Scan completed" event and any successful cleanup events on the Logs & Reports > Events page. You can see alerts about unsuccessful cleanup on the Alerts page.

If the computer is offline, it's scanned when it is back online. If a computer scan is already running, the new scan request is ignored, and the earlier scan carries on.

Diagnose: This diagnoses potential issues with the computer.

Create forensic snapshot: This gets data from a Sophos log of the device's activity and saves it on that device. You can also save it in the Amazon Web Services (AWS) S3 bucket you specify. You can then do your analysis.

Isolate or remove from isolation

This option is available if you have Intercept X Advanced with EDR.

Isolate isolates the computer from the network. You might want to do this if it has potential threats on it. You can still manage the computer from Sophos Central, and you can remove it from isolation at any time.

When a computer is isolated, you see the following under the computer icon and security status.

  • The message Isolated by Admin.
  • A link labeled Remove from Isolation. Click it to reconnect the computer to the network.

Note You don't see the Isolate option if the computer has already isolated itself automatically. See Device Isolation in Threat Protection Policy.

Live Response (Beta)

This option is available only if you're a Super Admin, or you have a custom role that includes Start Live Response sessions on computers, and you’ve signed in using multi-factor authentication. Also, you must turn on Allow Live Response connections to computers in Global Settings. See Live Response for devices.

This option allows you to connect to the computer to investigate and remediate possible security issues. You might want to do this if there is an infection or suspicious activity on the computer. You can connect to the computer even if it’s isolated. To connect to the computer, do as follows:

  1. Click Live Response (Beta).
  2. In Session purpose, summarize your session.
  3. Click Start.

    A connection to the computer opens in another browser tab. The tab shows a terminal window.

  4. At the command prompt, enter commands to perform your investigation or remediation.

    Use DOS, UNIX, or Linux commands depending on the computer to which you’ve connected.

  5. When you finish, click End Session.

    The connection is closed, although the tab remains open. You can browse elsewhere in Sophos Central from here.

    The connection is also closed in the following cases:

    • You close the tab.
    • You refresh the tab.
    • You browse elsewhere in Sophos Central from here.
    • There is no activity for 30 minutes.

To see which Live Response sessions have started or ended, view the Sophos Central audit log.

Create forensic snapshot

You can create a "forensic snapshot" of data from the device. This gets data from a Sophos log of the device's activity and saves it on that device. You can also save it in the Amazon Web Services (AWS) S3 bucket you specify. You can then do your analysis.

You'll need a converter (which we provide) to read the data.

Note You can choose how much data you want in snapshots and where to upload them. To do this, go to Global Settings > Forensic Snapshots. These options may not be available for all customers yet.

To create a snapshot:

  1. Go to a threat case's Analyze tab.

    Alternatively, on the details page of the device, open the Status tab.

  2. Click Create forensic snapshot.
  3. Follow the steps in Upload a forensic snapshot to an AWS S3 bucket.

You can find the snapshots you generated in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Forensic Snapshots\.

Snapshots generated from detections are in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Saved Data\.

Note You need to be an administrator with access to the tamper protection password and run a command prompt as an administrator to access the saved snapshots.
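The following is an added example, not part of the Sophos documentation: it inventories the snapshot files in the two folders named above from an elevated PowerShell session and records a SHA-256 hash of each file, so you have a reference value before moving a snapshot to an S3 bucket or a converter. The function name is an assumption; tamper protection may still deny access to the folders unless it has been disabled with the password.

```powershell
# Added example (not Sophos code): list forensic snapshot files with size,
# timestamp and SHA-256 hash. Function name is an assumption.
function Get-SophosSnapshotInventory {
    [CmdletBinding()]
    param()

    # The page requires an elevated prompt; fail early if we are not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (administrator) PowerShell session."
    }

    # Paths exactly as documented: on-demand snapshots and detection-generated ones.
    $base = Join-Path $env:ProgramData 'Sophos\Endpoint Defense\Data'
    $folders = @{
        'OnDemand'  = Join-Path $base 'Forensic Snapshots'
        'Detection' = Join-Path $base 'Saved Data'
    }

    foreach ($kind in $folders.Keys) {
        $path = $folders[$kind]
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Folder not found: $path"
            continue
        }
        try {
            Get-ChildItem -LiteralPath $path -File -Recurse -ErrorAction Stop | ForEach-Object {
                [pscustomobject]@{
                    Kind         = $kind
                    Name         = $_.Name
                    SizeBytes    = $_.Length
                    LastWriteUtc = $_.LastWriteTimeUtc
                    Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    FullPath     = $_.FullName
                }
            }
        } catch {
            # Typically "access denied" while tamper protection is still on.
            Write-Warning "Cannot read $path : $($_.Exception.Message)"
        }
    }
}

Get-SophosSnapshotInventory | Sort-Object Kind, LastWriteUtc | Format-Table -AutoSize
```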

Recent Events

This lists recent events on the computer. For a full list, click the Events tab.

The icons indicate which Sophos agent reported each event. Hover over an icon to see what it means.

Agent Summary

The Endpoint Agent provides threat protection and other features like peripheral control, application control, and web control.

The summary shows the following details. It also includes links to update the computer, install products, or change the group the computer's in, as needed.

  • Last Activity: Shows when the last activity occurred.
  • Last Agent Update: Shows whether the computer is up to date.
  • Assigned Products: Shows the Sophos products installed (for example, Intercept X or Device Encryption). Shows the license and the version number for each installed product. The version information is only available for Windows computers.
  • Installed component versions: Click this to see a full list of the Sophos components and their version numbers. This is only available for Windows computers.
  • Group: Shows which group the computer is in (if any).

Device Encryption

Device Encryption allows you to manage BitLocker Drive Encryption on Windows computers and FileVault encryption on Macs.

This summary shows:

  • All volumes of the computer.
  • The volume ID for each volume.
  • The encryption status.
  • The authentication type.
  • The encryption method.

For Windows computers, you can see Encrypted since. The information shown depends on the device.

  • For computers already encrypted with Sophos Central Device Encryption, it shows the date and time the computer upgraded to Sophos Central Device Encryption version 2.1.
  • For computers encrypted using another encryption product, it shows the date and time Sophos Central Device Encryption was installed.
  • For new computers encrypted with Sophos Central Encryption 2.1 (or later), it shows the date and time of encryption.

You can encrypt volumes with software-based or hardware-based encryption. Device Encryption always uses software-based encryption for new volumes, even if the drive supports hardware-based encryption.

If a drive is encrypted with hardware-based encryption, it isn't changed.

If a BitLocker group policy setting requires hardware-based encryption, it is used.
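As an added example (not Sophos code), the script below reports each BitLocker volume on a Windows computer with the same fields the Device Encryption summary shows (encryption status, authentication type as key protector types, and encryption method), and flags volumes that are not fully encrypted or that use hardware-based encryption, which Device Encryption leaves unchanged. The function name is an assumption; Get-BitLockerVolume needs the BitLocker module and an elevated session.

```powershell
# Added example (not Sophos code): per-volume BitLocker report mirroring the
# Device Encryption summary. Function name is an assumption.
function Get-VolumeEncryptionReport {
    [CmdletBinding()]
    param()

    $volumes = Get-BitLockerVolume -ErrorAction Stop
    foreach ($v in $volumes) {
        # Key protector types (Tpm, TpmPin, RecoveryPassword, ...) are the
        # closest equivalent of the summary's "authentication type".
        $protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        if (-not $protectors) { $protectors = 'none' }

        $method  = [string]$v.EncryptionMethod
        $finding = @()
        if ($v.VolumeStatus -ne 'FullyEncrypted') { $finding += "status is $($v.VolumeStatus)" }
        if ($v.ProtectionStatus -ne 'On')          { $finding += 'protection is off' }
        if ($method -eq 'None')                    { $finding += 'not encrypted' }
        if ($method -eq 'Hardware') {
            # Self-encrypting drive; Device Encryption does not convert it.
            $finding += 'hardware-based encryption (left unchanged)'
        }

        [pscustomobject]@{
            MountPoint         = $v.MountPoint
            VolumeType         = $v.VolumeType
            VolumeStatus       = $v.VolumeStatus
            ProtectionStatus   = $v.ProtectionStatus
            EncryptionMethod   = $method
            AuthenticationType = $protectors
            EncryptionPercent  = $v.EncryptionPercentage
            Findings           = ($finding -join '; ')
        }
    }
}

Get-VolumeEncryptionReport | Format-Table -AutoSize
```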

Retrieve Recovery Key

You can also get a recovery key here. You can use this to unlock the computer if users forget their login credentials.

Trigger change of password/PIN

This requires users to change their BitLocker password or PIN immediately. A message is displayed when the request is sent successfully.

On the endpoint, users are asked to set a new BitLocker password or PIN. If users close the dialog without entering a new password or PIN, the dialog is shown again after 30 seconds. This stops when they enter a new password or PIN. After users have closed the dialog five times without changing the password or PIN, an alert is logged.

Web Gateway summary

Sophos Web Gateway provides advanced protection against risky or inappropriate web browsing.

The summary shows the last network activity. It also shows the version of the Web Gateway agent (and if it's up to date).

If you need to update the Web Gateway agent, an Update button is displayed.

Tamper Protection

This shows whether tamper protection is turned on or not.

When tamper protection is on, a local administrator can't make any of the following changes on their computer unless they have the tamper protection password:

  • Change settings for on-access scanning, suspicious behavior detection (HIPS), web protection, or Sophos Live Protection.
  • Disable tamper protection.
  • Uninstall the Sophos agent software.

Click Disable Tamper Protection to manage the tamper protection password for the computer. If tamper protection is off, we recommend you turn it on.

Update Cache and Message Relay

Sophos Update Cache enables your computers to get their Sophos Central updates from a cache on a server on your network, rather than directly from Sophos. You can also designate servers to communicate with Sophos Central as message relays.

This shows whether an update cache has been set up for the computer and, if so, which server it uses.

Windows Firewall

This shows whether Windows Firewall is active and managed on the computer. It also shows:

  • Whether Windows Group Policy is used.
  • The active network profiles.
  • If other registered firewalls are installed and active.
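As an added example (not Sophos code), this script gathers the same Windows Firewall facts from the endpoint: whether Group Policy delivers firewall settings, which profiles are enabled and currently active, and whether another registered firewall is present. The function name and the policy registry key check are assumptions; the SecurityCenter2 namespace exists only on client editions of Windows.

```powershell
# Added example (not Sophos code): collect the Windows Firewall facts shown in
# the summary. Function name and registry check are assumptions.
function Get-WindowsFirewallSummary {
    [CmdletBinding()]
    param()

    # Firewall settings pushed by Group Policy are stored under this policy key.
    $policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    $managedByGpo = Test-Path -LiteralPath $policyKey

    # Per-profile state (Domain, Private, Public) of the host firewall.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

    # Profiles currently applied to connected network interfaces.
    $active = Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

    # Other firewalls registered with Windows Security Center (client SKUs only).
    $others = @()
    try {
        $others = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName FirewallProduct -ErrorAction Stop |
            Where-Object { $_.displayName -notlike 'Windows*' } |
            Select-Object displayName, productState
    } catch {
        Write-Verbose "Security Center not available: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ManagedByGroupPolicy     = $managedByGpo
        DisabledProfiles         = @($profiles | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Name })
        Profiles                 = $profiles
        ActiveNetworkProfiles    = $active
        OtherRegisteredFirewalls = $others
    }
}

Get-WindowsFirewallSummary -Verbose | Format-List
```

A non-empty DisabledProfiles list or an entry in OtherRegisteredFirewalls is worth reconciling with what the Summary tab reports for the same computer.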