Test real-time scanning

Real-time scanning is your main method of protection against threats. When you open, write, move, or rename a file the Security VM scans the file and grants access to it only if it does not pose a threat. When you run a program the Security VM scans the executable file and any other files it loads.

Important Ensure that Sophos Endpoint for Windows is not installed on any guest VMs that are protected with a Security VM.

To check that a security VM is scanning files on access:

  1. Go to eicar.org/86-0-Intended-use.html. Copy the EICAR test string to a new file. Give the file a name with a .com extension and save it to one of the guest VMs.
  2. Try to access the file from the guest VM.
  3. Log in to Sophos Central.
    • If you have automatic cleanup on, go to the Servers page and click the Security VM to open its details page. On its Events tab, you should see that EICAR has been detected and cleaned up.
    • If you don't have automatic cleanup on, look at the Alerts page. You should see an alert on the Security VM. EICAR has been detected but not cleaned up.
If EICAR has not been detected, see Troubleshoot on-access scanning. If EICAR is not cleaned up, simply delete it.