How to test Sophos Protection for Linux detection features

You can test Sophos Protection for Linux detection features to confirm that your device is protected and communicating with Sophos Central.

On-demand and on-access scanning

Requirement

On-access scanning requires you to turn on the "Enable scan" option for Server Protection for Linux Agent in your server threat protection policy. This setting is turned off by default. See Real-time Scanning - Local Files and Network Shares.

You can test scanning with EICAR. EICAR is an industry-standard detection test file, not a virus.

  1. Go to www.eicar.org.
  2. Click Download anti malware test file.
  3. Download the EICAR test file. It's detected and cleaned when it's written to the disk.

You'll see the detection in av.log. Run the following command:

cat /opt/sophos-spl/plugins/av/log/av.log
Example
180191342 [2023-01-18T16:03:43.969]    INFO [9358345792] av <> Threat cleaned up at path: /.../eicar.com

You'll also see the alert in Sophos Central on the Server Summary page.

Here's an example:

[Screenshot: EICAR detection.]

Runtime detections

Restrictions

To test Sophos Protection for Linux runtime detections, your Sophos Central account must have one of the following product licenses:

  • Intercept X Advanced for Server with XDR
  • Intercept X Advanced for Server with MDR Complete

You can use the runtimedetections command to create a test alert. To create a test alert, do as follows:

  1. Go to /opt/sophos-spl/plugins/runtimedetections/bin.
  2. Run the following command:
./runtimedetections --test-alert

The log file /opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log records that the alert was created and sent to Sophos Central. Run the following command:

cat /opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log
Example
14      [2023-01-16T17:26:37.631Z]    INFO [0000000000] runtimedetections <> Alert testing command executed, exiting
12363670 [2023-01-16T17:26:37.641Z]    INFO [0000000000] runtimedetections <> Sent alert to event journal Alert Tester as 1673889997640013873 (31b7076e-5723-46e3-b5ec-90dc9267d6a2)

You'll also see the alert in Sophos Central on Threat Analysis Center > Detections.

Here's an example:

[Screenshot: Test alert.]
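The two log checks described above (the "Threat cleaned up" line in av.log and the "Sent alert to event journal" line in runtimedetections.log) can be scripted so that a protected host is verified the same way every time. The following script is an added example, not part of the Sophos documentation or the Sophos Protection for Linux product: it parses both logs with the formats shown on this page, reports pass or fail for each feature, and includes constructed sample log files (the EICAR path /home/demo/eicar.com is invented for the demo) so it can be tried without a Sophos installation.

```shell
#!/bin/sh
# Added example: verify Sophos Protection for Linux test detections from the logs.
# Log locations default to the documented paths; pass other paths as arguments.
AV_LOG="/opt/sophos-spl/plugins/av/log/av.log"
RTD_LOG="/opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log"

# eicar_detected LOGFILE
# Succeeds if av.log records an EICAR file being cleaned up on write (on-access
# scanning is active); prints the path that was cleaned.
eicar_detected() {
    grep 'Threat cleaned up at path:' "$1" 2>/dev/null \
        | grep -i 'eicar' \
        | sed 's/.*Threat cleaned up at path: //' \
        | head -n 1 \
        | grep .
}

# test_alert_sent LOGFILE
# Succeeds if runtimedetections.log shows the --test-alert being handed to the
# event journal (the step before it appears in Sophos Central); prints the
# numeric alert identifier from the "... as <id> (<uuid>)" part of the line.
test_alert_sent() {
    grep 'Sent alert to event journal' "$1" 2>/dev/null \
        | sed -n 's/.* as \([0-9][0-9]*\) (.*/\1/p' \
        | head -n 1 \
        | grep .
}

# check_host AV_LOG RTD_LOG
# Runs both checks and prints a one-line verdict per feature.
# Returns 0 only when both detections are present.
check_host() {
    rc=0
    if path=$(eicar_detected "$1"); then
        echo "OK   on-access scanning: EICAR cleaned at $path"
    else
        echo "FAIL on-access scanning: no EICAR clean-up found in $1"
        rc=1
    fi
    if id=$(test_alert_sent "$2"); then
        echo "OK   runtime detections: test alert $id sent to event journal"
    else
        echo "FAIL runtime detections: no test alert found in $2"
        rc=1
    fi
    return $rc
}

# Constructed sample logs, modelled on the example lines in the documentation,
# so the checks can be exercised offline. The EICAR path is invented.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/av.log" <<'EOF'
180191342 [2023-01-18T16:03:43.969]    INFO [9358345792] av <> Threat cleaned up at path: /home/demo/eicar.com
EOF
cat > "$SAMPLE_DIR/runtimedetections.log" <<'EOF'
14      [2023-01-16T17:26:37.631Z]    INFO [0000000000] runtimedetections <> Alert testing command executed, exiting
12363670 [2023-01-16T17:26:37.641Z]    INFO [0000000000] runtimedetections <> Sent alert to event journal Alert Tester as 1673889997640013873 (31b7076e-5723-46e3-b5ec-90dc9267d6a2)
EOF
: > "$SAMPLE_DIR/empty.log"

echo "Demo against constructed sample logs in $SAMPLE_DIR:"
check_host "$SAMPLE_DIR/av.log" "$SAMPLE_DIR/runtimedetections.log"

echo "Checking this host (override paths with arguments 1 and 2):"
check_host "${1:-$AV_LOG}" "${2:-$RTD_LOG}"
```

Run it as root after downloading the EICAR file and running ./runtimedetections --test-alert; the second block of output reports whether both features produced the expected log entries on the host. A FAIL for on-access scanning with the EICAR file still present on disk usually points back to the "Enable scan" policy setting described under Requirement.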