Skip to content
Find out how we support MDR.

Generate NDR detections from the command-line interface

You can generate test detections to check that Sophos NDR is correctly set up and working.

The test isn't malicious. It triggers a detection by simulating an event with features typical of an attack. The event is a client downloading a file from a server with suspicious domain and certificate details.

You can run the test from the command-line interface (CLI).


Download the NDR test file from Sophos NDR Testing.

Configure your firewall to allow TCP traffic to the domain and IP address in the region you want to connect to.

Domain name IP address TCP port AWS region 2222 us-west-2 (California, US) 2222 eu-central-2 (Zurich, Switzerland) 2222 ap-southeast-1 (Singapore) 2222 ap-east-1 (Hong Kong, China) 2222 sa-east-1 (São Paulo, South America)

Make sure you've included your network traffic in the current port mirroring setup. For help, see the NDR setup pages in Sophos integrations.

Generate a detection


You must run the command on a device on the same network as Sophos NDR.

In the following example, we'll show you how to generate a detection using the Windows command prompt, with the default options.

  1. Run Command Prompt as administrator.
  2. Type the following command: NdrEicarClient.exe.

    NDR test in the command prompt.


    If you generate a detection using the default options, the client will connect to the us-west-1 server and perform the file download one time.

    A detection will be generated.

  3. In Sophos Central, go to Threat Analysis Center > Detections.

  4. On the Detections page, you should see a recent high-risk detection named NDR-DET-TEST-IDS-SCORE in the list.

    Detections page.

  5. Click NDR-DET-TEST-IDS-SCORE to open its details.

    The Description shows a source and destination IP communicating over TCP and TLS on port 2222. It also shows IDS (Intrusion Detection System) as the main contributor to the detection. IDS is a list of blocked certificates.

    Detections details.

  6. Click the Raw Data tab. The flow_risk section shows the following details:

    • Known protocol on a non-standard port
    • Self-signed certificate
    • Uncommon Application-Layer Protocol Negotiation (ALPN)
    • Blocklisted certificate
    • High probability that the server domain is generated by algorithm (DGA)
    • Indications of a threat belonging to the Friendly Chameleon family.

    Detection raw data.

Eicar test command-line options

You can enter various command-line options after the NdrEicarClient.exe command.

Here are some of the command-line options:

  • Type --help to show the available options.
  • Type --region followed by the name of the region you want to connect to.
  • Type --extra to generate traffic around the detection.

    NDR test with extra traffic in the command output.

    The test file includes a web crawling capability to generate traffic. By default, the web crawler starts with the website and analyses all * web pages reachable from there. If your firewall or web proxy doesn't allow this, you can specify a different website to start with. The default run time for the web crawler is one minute before the EICAR traffic and 30 seconds afterward. You can use the --runtime CLI option to change this. The time you provide in seconds will run before the EICAR traffic, and then it'll run for half that time afterwards.


    We included a pause between web pages, so this tool can't be used for a denial-of-service (DoS) attack on a website.

For information about generating an NDR detection through Appliance Manager, see Generate detections (NDR).