Test real-time scanning

Real-time scanning is your main method of protection against threats. When you open, write, move, or rename a file the Security VM scans the file and grants access to it only if it does not pose a threat. When you run a program the Security VM scans the executable file and any other files it loads.

Important Ensure that Sophos Endpoint for Windows is not installed on any guest VMs that are protected with a Security VM.

To check that a security VM is scanning files on access:

  1. Go to http://2016.eicar.org/86-0-Intended-use.html and use the EICAR test string. Copy the EICAR test string to a new file. Give the file a name with a .com extension and save it to one of the guest VMs.
  2. Try to access the file from the guest VM.
  3. In Sophos Enterprise Console, in the computer list in the lower right part of the window, click Status.
  4. In the list of computers, look for the Security VM.
    • If you have automatic cleanup on, double-click the Security VM to open the Computer Details. In the "History" section, you should see that EICAR has been detected and cleaned up.
    • If you don't have automatic cleanup on, you should see an alert in the Alerts and errors column. Right-click the Security VM. In Resolve alerts and errors, you should see that EICAR has been detected but not cleaned up.

If EICAR has not been detected, see Troubleshoot on-access scanning. If EICAR is not cleaned up, simply delete it.