What happens when a threat is detected

If the Security VM detects a threat on one of the guest VMs, it does as follows:

  • Blocks the threat.
  • Attempts to clean up the threat automatically.
  • Sends an alert to Sophos Central if you need to take any action.
Note The Security VM does not automatically clean up threats detected during a full scan of all guest VMs.

What you see in Sophos Central

Sophos Central:

  • Shows that the threat has been blocked. See the Events tab of the details page for the Security VM.
  • Displays an alert in the Alerts page. This shows what the threat is, which VM it is on, and whether it is cleanable.
  • Removes the alert if automatic cleanup is successful.

If automatic cleanup is not available or is not successful, an alert in the Alerts page prompts you to clean up manually.

For more information on cleanup, see Clean up a threat.

What the user sees on the guest VM

If the Security VM detects a threat when a user tries to access a file, it blocks access to that file from the Guest VM. If the application used to access the file can do so, it notifies the user that the file is no longer accessible.