
How to test Sophos Protection for Linux detection features

You can test Sophos Protection for Linux detection features to confirm that your device is protected and communicating with Sophos Central.

Test alert

You can use the runtimedetections command to create a test alert. You'll typically need root privileges, because the Sophos directories are not readable by ordinary users. To create a test alert, do as follows:

  1. Change to /opt/sophos-spl/plugins/runtimedetections/bin.
  2. Run the following command (the ./ prefix is needed because this directory is not on your PATH):
./runtimedetections --test-alert

The plugin records the alert being created and sent to Sophos Central in /opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log. To view the log, run the following command:

cat /opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log

Example

14      [2023-01-16T17:26:37.631Z]    INFO [0000000000] runtimedetections <> Alert testing command executed, exiting
12363670 [2023-01-16T17:26:37.641Z]    INFO [0000000000] runtimedetections <> Sent alert to event journal Alert Tester as 1673889997640013873 (31b7076e-5723-46e3-b5ec-90dc9267d6a2)

You'll also see the alert in Sophos Central in the Threat Analysis Center.

Here's an example:

[Screenshot: the test alert shown in the Threat Analysis Center]

On-demand and on-access scanning

EICAR is an industry-standard detection test file, not a virus: it's a short, harmless text string that every anti-malware product is expected to recognise, so you can test scanning without handling real malware.

  1. Go to www.eicar.org.
  2. Click Download anti malware test file.
  3. Download the EICAR test file. On-access scanning detects and cleans it as soon as it's written to disk, so you don't need to run an on-demand scan.

If nothing appears in av.log, first confirm that the file actually reached the disk: a web gateway or browser protection may have blocked the download before the endpoint scanner saw it.

The detection is recorded in av.log. To view the log, run the following command:

cat /opt/sophos-spl/plugins/av/log/av.log

Example

180191342 [2023-01-18T16:03:43.969]    INFO [9358345792] av <> Threat cleaned up at path: /.../eicar.com

You'll also see the alert in Sophos Central on the Server Summary page.

Here's an example:

[Screenshot: the EICAR detection shown on the Server Summary page]
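Both checks on this page (the test alert and the EICAR drop) combined into one script. This is an added example, not Sophos's own tooling: it relies only on the paths and log wording shown above, while the /tmp/eicar.com drop location, the sleep intervals and the sample log lines are assumptions or constructed for illustration. It creates the EICAR file locally from the published 68-byte string, which also sidesteps a web gateway that strips the download, and it parses the log lines so that the event journal ID, alert UUID and cleaned path come back as values you can check rather than text you have to eyeball. Run it as root on a protected host; on a machine without Sophos installed it only exercises the log parsers on the constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Sophos documentation. Paths and log wording
# come from the page; the drop location, sleeps and sample lines are assumed.
set -eu

RTD_BIN=/opt/sophos-spl/plugins/runtimedetections/bin/runtimedetections
RTD_LOG=/opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log
AV_LOG=/opt/sophos-spl/plugins/av/log/av.log

# Constructed sample log lines in the same format as the excerpts on the page,
# so the parsers below can be exercised on a host without Sophos installed.
SAMPLE_RTD_LOG='14      [2023-01-16T17:26:37.631Z]    INFO [0000000000] runtimedetections <> Alert testing command executed, exiting
12363670 [2023-01-16T17:26:37.641Z]    INFO [0000000000] runtimedetections <> Sent alert to event journal Alert Tester as 1673889997640013873 (31b7076e-5723-46e3-b5ec-90dc9267d6a2)'
SAMPLE_AV_LOG='180191342 [2023-01-18T16:03:43.969]    INFO [9358345792] av <> Threat cleaned up at path: /tmp/eicar.com'

# The standard 68-byte EICAR test string. Single quotes matter: $E and $H
# would otherwise be expanded by the shell and the file would not be detected.
eicar_string() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Prints "<journal-id> <uuid>" for each "Sent alert to event journal" line on stdin.
test_alert_ids() {
    sed -n 's/.*Sent alert to event journal .* as \([0-9][0-9]*\) (\([0-9a-f-]*\)).*/\1 \2/p'
}

# Prints the path from each "Threat cleaned up at path:" line on stdin.
cleaned_paths() {
    sed -n 's/.*Threat cleaned up at path: //p'
}

# Succeeds only if the av.log text on stdin records a clean-up of exactly $1.
log_shows_cleanup() {
    cleaned_paths | grep -Fxq -- "$1"
}

# Live check 1: trigger the test alert and list what the plugin journaled.
if [ -x "$RTD_BIN" ] && [ -r "$RTD_LOG" ]; then
    "$RTD_BIN" --test-alert
    sleep 2                                   # assumed: give the plugin time to log
    echo "test alerts recorded in $RTD_LOG (journal-id uuid):"
    test_alert_ids < "$RTD_LOG"
fi

# Live check 2: write EICAR to disk and confirm on-access scanning cleaned it.
if [ -r "$AV_LOG" ]; then
    target=/tmp/eicar.com                     # assumed drop location
    eicar_string > "$target"                  # on-access scan should fire here
    sleep 5                                   # assumed: wait for the clean-up to be logged
    if log_shows_cleanup "$target" < "$AV_LOG"; then
        echo "on-access detection confirmed for $target"
    else
        echo "no clean-up of $target found in $AV_LOG yet" >&2
    fi
else
    # No Sophos install found: show the parsers working on the constructed samples.
    printf '%s\n' "$SAMPLE_RTD_LOG" | test_alert_ids
    printf '%s\n' "$SAMPLE_AV_LOG" | cleaned_paths
fi
```

Save it under any name (check_sophos.sh is an assumption) and run it with sudo sh check_sophos.sh on the host you want to verify. The parsers are deliberately anchored on the exact phrases from the page's log excerpts, so if a future plugin version changes its wording they return nothing rather than a false positive; treat an empty result as "check the log by hand", not as "the product is broken".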