Malware and PUA event types
These are the malware and PUA event types you can see in Sophos Central.
Depending on the features included in your license, you may see all or some of the following event types.
See Malicious behavior types and ML/PE-A detection explained.
Runtime Detections
Event type | Severity | Action required? | Description |
---|---|---|---|
Running malware detected | Medium | No | A program that was running on a computer and exhibited malicious or suspicious behavior has been detected. Sophos Central attempts to remove the threat. If it succeeds, no alerts are shown on the Alerts page, and a Running malware cleaned up event is added to the events list. |
Running malware not cleaned up | High | Yes | A program that was running on a computer and exhibited malicious or suspicious behavior could not be cleaned up. The following events may be displayed for this event type: |
Running malware cleaned up | Low | No | |
Malicious activity detected | High | Yes | Malicious network traffic, possibly headed to a command-and-control server involved in a botnet or other malware attack, has been detected. |
Running malware locally cleared | Low | No | A running malware alert has been cleared from the alerts list on an endpoint computer. |
Ransomware detected | High | No | An unauthorized program attempted to encrypt a protected application. |
Ransomware attack resolved | Low | No | |
Remotely-run ransomware detected | Medium | Yes | An unauthorized program attempted to remotely encrypt a protected application. |
Remotely-run ransomware attack resolved | Low | No | |
Ransomware attacking a remote machine detected | High | Yes | This computer has been detected attempting to remotely encrypt applications on another computer. |
Safe Browsing detected compromised browser | High | Yes | An attempt to exploit a vulnerability in an internet browser has been blocked. |
Exploit prevented | Low | No | An attempt to exploit a vulnerability in an application, on an endpoint computer, has been blocked. |
Application hijacking prevented | Low | No | Application hijacking was prevented on an endpoint computer. |
Behavioral | Low | Yes | This application has been detected behaving suspiciously. In some instances a reboot is required to complete the cleanup process. A reboot event is shown if this happens. This type of detection is only available if you are signed up to the Early Access Program. |
AMSI protection blocked a threat | Low | No | We blocked a threat detected by AMSI protection. |
AMSI protection could not clean up a threat | High | Yes | An AMSI detection could not be cleaned up. You need to clean this up. |
AMSI protection cleaned up a threat | Low |
Application Control
Event type | Severity | Action required? | Description |
---|---|---|---|
Application blocked | Medium | No | |
Application allowed | Low | No | A controlled application has been detected and then allowed. |
Malware
If you have deep learning enabled, you may see malware detections shown as ML/PE-A.
Event type | Severity | Action required? | Description |
---|---|---|---|
Malware detected | Medium | No | Malware has been detected on a device monitored by Sophos Central. Sophos Central will attempt to remove the threat. If successful, no alerts will be displayed on the Alerts page, and a "Malware cleaned up" event will appear on the events list. |
Malware not cleaned up | High | Yes | The following events may be displayed for this event type: |
Malware cleaned up | Low | No | |
Recurring infection | High | Yes | A computer has become reinfected after Sophos Central attempted to remove the threat. It may be because the threat has hidden components that haven't been detected. |
Threat removed | Low | No | |
Malware locally cleared | Low | No | A malware alert has been cleared from the alerts list on an endpoint computer. |
Potentially Unwanted Application (PUA)
Event type | Severity | Action required? | Description |
---|---|---|---|
Potentially Unwanted Application (PUA) blocked | Medium | Yes | A potentially unwanted application has been detected and blocked. |
Potentially Unwanted Application (PUA) not cleaned up | Medium | Yes | The following events may be displayed for this event type: |
Potentially Unwanted Application (PUA) cleaned up | Low | No | |
Potentially Unwanted Application (PUA) locally cleared | Low | No | A potentially unwanted application alert has been cleared from the alerts list on an endpoint computer. |