Skip to content

Computer Summary

The Summary tab in a computer's details page shows you the following information.

Go to Devices and then click Computers and click the computer you want to view details for.

The sections you see depend on your license and the features you've set up.

Security health status

In the left-hand pane, you can see the security health status and take action.


The left-hand pane always shows, even when you click the other tabs on this page.

An icon shows you whether the computer has any security alerts:

Icon Description
Green check mark. Green checkmark if there are low-priority alerts or no alerts.
Orange warning sign. Orange warning sign if there are medium-priority alerts.
Red warning sign. Red warning sign if there are high-priority alerts.

Actions you can take

You can take actions on the computer with the buttons and links in the left-hand pane. Click More actions to show the extended list of actions.

All the actions are described below.

Isolate or remove from isolation

This option is available if you have Intercept X Advanced with XDR.

Isolate isolates the computer from the network. You might want to do this if it has potential threats on it. You can still manage the computer from Sophos Central, and you can remove it from isolation at any time.

When a computer is isolated, you see the following status message under the computer icon and security status.

  • The message Isolated by Admin.
  • A link labeled Remove from Isolation. Click it to reconnect the computer to the network.

You won't see the Isolate option if the computer has already isolated itself automatically. See Device Isolation.

Adaptive Attack Protection

Adaptive Attack Protection applies extra protections to the computer. These protections are designed to disrupt the actions of an attacker.

You can turn on Adaptive Attack Protection if you see suspicious activity on the computer and want extra security while you investigate. You can only turn it on for a fixed time.

Click Adaptive Attack Protection and select a time. The default is 24 hours. The maximum is 72 hours. The menu now shows that Adaptive Attack Protection is on. You also see two new options:

  • Extend Adaptive Attack Protection. Click this to extend the time for which Adaptive Attack Protection will be on. For example, if you turned it on for 24 hours, you can extend that to 48 or 72 hours.
  • Turn off Adaptive Attack Protection.


Adaptive Attack Protection is also available in Threat Protection policies. If you select it in a policy, it turns on automatically when an attack is detected on a computer. The computer's summary tab shows it's turned on, and lets you extend it or turn it off.

Update now

Update now updates the computer with the latest Sophos software. See Computer restarts.


Delete deletes the computer from Sophos Central. It also deletes the alerts associated with the computer.


You must uninstall the Sophos software before deleting a computer.

Live Response

Live Response allows you to connect to the computer to investigate and remediate possible security issues. You can connect to the computer even if it’s isolated.

To use Live Response, you must meet these conditions:

  • You must be a Super Admin or have a custom role that includes Start Live Response sessions on computers.
  • You must sign in with multi-factor authentication (MFA).

We recommend signing in with a Sophos ID, because other methods, such as a Microsoft federated sign-in with MFA, might not let you access Live Response.

Before you start, ensure Live Response is turned on in My Products > General Settings > Endpoint Protection > Live Response.

To start Live Response, do as follows:

  1. Click Live Response.

  2. In Session purpose, summarize your session.

  3. Click Start.

    A connection to the computer opens in another browser tab. The tab shows a terminal window.

    If the new tab doesn't open, your browser may have blocked it. Configure your browser to allow it.

  4. At the command prompt, enter commands to perform your investigation or remediation.

    Use DOS, UNIX, or Linux commands depending on the computer to which you’ve connected.

  5. When you finish, click End Session.

    The connection is closed, although the tab remains open. You can browse elsewhere in Sophos Central from here.

    The connection is also closed in the following cases:

    • You close the tab.
    • You refresh the tab.
    • You browse elsewhere in Sophos Central from here.
    • There is no activity for 30 minutes.

To see which Live Response sessions have started or ended, view the Sophos Central audit log.

Change group

Click More actions to see Change group. This lets you add the computer to a group, move it to a different group, or remove it from its current group.

Scan Now


If you use Sophos XDR Sensor, this option isn't available.

Click More actions to see Scan Now. This scans the computer for threats.

The scan may take some time. When complete, you can see a "Scan completed" event and any successful cleanup events on the Reports > Logs > General logs > Events page. You can see alerts about unsuccessful cleanup on the Alerts page.

If the computer is offline, it's scanned when it is back online. If a computer scan is already running, the new scan request is ignored, and the earlier scan carries on.


Click More actions to see Diagnose. This runs the Sophos Diagnostic Utility, which collects logs and sends them to Sophos support. For more information, see Sophos Diagnostic Utility.

Create forensic snapshot

Click More actions to see Create forensic snapshot. You can create a "forensic snapshot" of data from the device. This gets data from a Sophos log of the device's activity and saves it on that device. For more information on forensic snapshots see Forensic snapshots.

You can also save it in the Amazon Web Services (AWS) S3 bucket you specify. You can then do your analysis.

You'll need a converter (which we provide) to read the data.


You can choose how much data you want in snapshots and where to upload them. To do this, go to My Products > General Settings > Forensic Snapshots. These options may not be available for all customers yet.

To create a snapshot, do as follows:

  1. Go to a threat graph's Analyze tab.

    Alternatively, on the details page of the device, open the Status tab.

  2. Click Create forensic snapshot.

  3. Follow the steps in Upload a forensic snapshot to an AWS S3 bucket.

You can find the snapshots you generated in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Forensic Snapshots\.

Snapshots generated from detections are in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Saved Data\.


You need to be an administrator with access to the tamper protection password and run a command prompt as an administrator to access the saved snapshots.

Reset health status


This option is not available for macOS.

Click More actions to see Reset health status. This resets the health status to "Healthy".

A reset doesn't clean up threats or fix software, but does clear alerts in Sophos Central and on the computer.

Do a reset if you want to clear old issues and focus on current or future ones. A computer that's issue-free stays “Healthy” after the reset, so any current or future protection or malware issues will be more obvious.

A reset doesn't affect protection. If the computer has issues that need action, it'll return to bad health status.

Recent Events

This lists recent events on the computer. For a full list, click the Events tab.

The icons indicate which Sophos agent reported each event. Hover over an icon to see what it means.

Agent Summary

The Endpoint Agent provides threat protection and other features like peripheral control, application control, and web control.

The summary shows the following details. It also includes links to update the computer, install products, or change the group the computer's in, as needed.

  • Last Activity: Shows when the last activity occurred.
  • Last Agent Update: Shows whether the computer is up to date.
  • Assigned Products: Shows the Sophos products installed (for example, Intercept X or Device Encryption). Shows the license and the version number for each installed product. The version information is only available for Windows computers.
  • Installed component versions: Click this to see a full list of the Sophos components and their version numbers. This is only available for Windows computers.
  • Group: Shows which group the computer is in (if any).

Device Encryption

Device Encryption allows you to manage BitLocker Drive Encryption on Windows computers and FileVault encryption on Macs.

This summary shows:

  • All volumes of the computer.
  • The volume ID for each volume.
  • The encryption status.
  • The authentication type.
  • The encryption method.

For Windows computers, you can see Encrypted since. The information shown depends on the device.

  • For computers already encrypted with Sophos Central Device Encryption, it shows the date and time the computer upgraded to Sophos Central Device Encryption version 2.1.
  • For computers encrypted using another encryption product, it shows the date and time Sophos Central Device Encryption was installed.
  • For new computers encrypted with Sophos Central Encryption 2.1 (or later), it shows the date and time of encryption.

You can encrypt volumes with software-based or hardware-based encryption. Device Encryption always uses software-based encryption for new volumes, even if the drive supports hardware-based encryption.

If a drive is encrypted with hardware-based encryption, it isn't changed.

If a BitLocker group policy setting requires hardware-based encryption, it is used.

Retrieve Recovery Key

You can also get a recovery key here. You can use this to unlock the computer if users forget their login credentials. See Encryption Recovery Key Search.

Trigger change of password/PIN

This requires users to change their BitLocker password or PIN immediately. A message is displayed when the request is sent successfully.

On the endpoint, users are asked to set a new BitLocker password or PIN. If users close the dialog without entering a new password or PIN, the dialog is shown again after 30 seconds. This stops when they enter a new password or PIN. After users have closed the dialog five times without changing the password or PIN, an alert is logged.

Tamper Protection

This shows whether tamper protection is turned on or not.

When tamper protection is on, a local administrator can't make any of the following changes on their computer. They need the necessary password:

  • Change settings for on-access scanning, suspicious behavior detection (HIPS), web protection, or Sophos Live Protection.
  • Disable tamper protection.
  • Uninstall the Sophos agent software.

Click Disable Tamper Protection to manage the tamper protection password for the computer. If tamper protection is off, we recommend you turn it on.

You can recover tamper protection passwords for deleted computers. See Recover deleted devices.

Update Cache and Message Relay

Sophos Update Cache enables your computers to get their Sophos Central updates from a cache on a server on your network, rather than directly from Sophos. You can also designate servers to communicate with Sophos Central as message relays.

This shows that a cache has been set up for the computer. It shows which server is being used.

Windows Firewall

Windows Firewall is active and managed on the computer. It also shows:

  • Whether Windows Group Policy is used.
  • The active network profiles.
  • If other registered firewalls are installed and active.