Scan from the command line
You can scan the computer using our command-line tool.
The command-line tool is installed automatically when you install Sophos Endpoint.
The tool is installed in Program Files/Sophos/Endpoint Defense and is called sophosinterceptxcli.exe.
The tool lets you do as follows:
- Run a system scan (a scan of the whole computer).
- Run a scan of specific files or folders.
This page lists the commands and options you can use.
Commands
The commands are as follows.
scan
The scan command starts a scan of the device and shows a scanning progress dialog. Results are shown in the Sophos Endpoint user interface and any threats detected are reported to Sophos Central.
To run a scan, you enter a command in the following format:
scan <options> <targets>
For details of scanning options, see Options.
For details of how to specify targets, see Targets.
Scans don't check files that are excluded by policy or global exclusions set in Sophos Central.
The files that a scan can access depend on the rights that the scan runs with:
-
A system scan runs with the local system process rights. It can't access files like Microsoft EFS-encrypted files because the local system process can't access a user's keys.
-
A scan of specific files or folders runs with your user rights, so it can only scan files you can access.
Scans use Live Protection, which checks suspicious files against the latest threat information from SophosLabs. If Live Protection is off or the device is disconnected from the network, the scan is less effective.
help
The help command shows a list of available commands.
help <command> shows all the options available for the command.
Options
Here are the options you can use with the scan command. They apply to all the targets (items to scan) that you specify. They apply regardless of where you put them in the command line.
| Option | Description |
|---|---|
| Expand archives | --expand_archivesThe scan expands archives and scans the contents. |
| No user interface | --noui No user interface is shown. Any detections are written to |
| Verbose output | --verbose Only valid if |
| System scan | --systemScans all local files on the current device and performs other system scan activities like an MBR (Master Boot Record) scan. If you use System scans always run with the rights of the local system process. They can't access items like the content of Microsoft EFS-encrypted files because the local system process doesn't have access to the user's keys. |
Targets
Targets are things you want to scan. Targets may be drives, folders, or files.
To scan a drive, enter a single upper or lowercase letter followed by a colon and a backslash, such as C:\
Note
You must include the backslash. If you don't, the scan only checks files in the current folder on that drive. If you specify C:, that's usually the folder where you're running the command-line tool.
To scan a specific folder or file, enter a full or partial path. The scan treats folder and file paths as relative to the folder where you started the command-line tool.
You can use DOS-style or Unix-style path separators. You can also use UNC paths.
Wildcards
You can use wildcards in folder and path names but not in drive names.
| Wildcard | Description |
|---|---|
| * (asterisk) | Use to match 0 or more characters |
| ? | Use to match a single character |
See MS-DOS and Windows Wildcard Characters.
The scan can expand wildcards before it checks for folders and files. This applies only if the wildcard is in the last element of the path. So the scan expands C:/Test/Folder/F*le, but not C:/Test/F*lder/File.
Error codes
The command-line tool can return the following error codes:
| Code | Description |
|---|---|
0 | Success |
1 | Error during command handling |
2 | Unexpected error during CLI setup |
Note
The Intercept X CLI doesn't return additional error codes of the type used by earlier Sophos endpoint products.