Scan from the command line
You can scan the computer using our command-line tool.
The command-line tool is installed automatically when you install Sophos Endpoint.
The tool is installed in Program Files/Sophos/Endpoint Defense and is called sophosinterceptxcli.exe.
The tool lets you do the following:
- Run a system scan. This is a scan of the whole computer.
- Run a user scan. This is a scan of files or folders specified by the user.
This page lists the commands and options you can use.
Commands
The commands are as follows.
scan
The scan command starts a scan of the device and shows a scanning progress dialog. Results are shown in the Sophos Endpoint user interface and any threats detected are reported to Sophos Central.
To run a scan, you enter a command in the following format:
scan <options> <targets>
For details of scanning options, see Options.
For details of how to specify targets, see Targets.
The files that a scan can access depend on the rights that the scan runs with:
- A system scan runs with the local system process rights. It can't access files like Microsoft EFS-encrypted files because the local system process can't access a user's keys.
- A user scan (a scan of specific files or folders) runs with your user rights, so it can only scan files you can access.
A user scan doesn't check files that are excluded by policy or global exclusions set in Sophos Central.
Scans use Live Protection, which checks suspicious files against the latest threat information from SophosLabs. If Live Protection is off or the device is disconnected from the network, the scan is less effective.
help
The help command shows a list of available commands.
help <command> shows all the options available for the command.
Options
Here are the options you can use with the scan command. They apply to all the targets (items to scan) that you specify. They apply regardless of where you put them in the command line.
Option | Description |
---|---|
Expand archives | The scan expands archives and scans the contents. |
No user interface | No user interface is shown. Any detections are written to |
Verbose output | Only valid if |
System scan | By default (or if If If you use System scans always run with the rights of the local system process. They can't access items like the content of Microsoft EFS-encrypted files because the local system process doesn't have access to the user's keys. |
Targets
Targets are things you want to scan. Targets may be drives, folders, or files.
To scan a drive, enter a single upper or lowercase letter followed by a colon and a backslash, such as C:\
Note
You must include the backslash. If you don't, the scan only checks files in the current folder on that drive. If you specify C:, that's usually the folder where you're running the command-line tool.
To scan a specific folder or file, enter a full or partial path. The scan treats folder and file paths as relative to the folder where you started the command-line tool.
You can use DOS-style or Unix-style path separators. You can also use UNC paths.
Wildcards
You can use wildcards in folder and path names but not in drive names.
Wildcard | Description |
---|---|
* (asterisk) | Use to match 0 or more characters |
? | Use to match a single character |
See MS-DOS and Windows Wildcard Characters.
The scan can expand wildcards before it checks for folders and files. This applies only if the wildcard is in the last element of the path. So the scan expands C:/Test/Folder/F*le, but not C:/Test/F*lder/File.
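The target rules above can leave part of a scan silently uncovered, so a script can check targets before it passes them to the tool. The following is an added example, not Sophos code; the function name `lint_target` and the issue labels are assumptions made for illustration.

```python
import re

WILDCARD = re.compile(r"[*?]")

def lint_target(target):
    """Return issue labels for one scan target; an empty list means no issue."""
    issues = []
    drive = re.match(r"^([^\\/:]):", target)   # one character followed by a colon
    rest = target[2:] if drive else target
    if drive and WILDCARD.search(drive.group(1)):
        issues.append("wildcard-in-drive")     # wildcards are not allowed in drive names
    if drive and rest == "":
        issues.append("bare-drive")            # "C:" covers only the current folder on C:
    is_unc = target.startswith(("\\\\", "//"))
    rooted = bool(drive) and rest[:1] in ("\\", "/")
    if not is_unc and not rooted and "bare-drive" not in issues:
        issues.append("relative-path")         # depends on where the tool was started
    elements = [e for e in re.split(r"[\\/]", rest) if e]
    if any(WILDCARD.search(e) for e in elements[:-1]):
        issues.append("wildcard-not-last")     # only the last path element is expanded
    return issues

if __name__ == "__main__":
    # Constructed sample targets, including the two wildcard paths from the page.
    for t in ["C:\\", "C:", "C:/Test/Folder/F*le", "C:/Test/F*lder/File",
              "?:\\Temp", "reports\\*.zip"]:
        print(f"{t!r:28} {lint_target(t) or 'ok'}")
```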
Error codes
The command-line tool can return the following error codes:
Code | Description |
---|---|
0 | Successfully scanned all files and found no malware |
1 | Error during command handling |
2 | Unexpected error during command-line tool setup |
3 | A threat was detected in one or more files |
4 | One or more files encountered an error during the scan |
5 | One or more files were encrypted |
6 | One or more files have an unsupported format |
7 | One or more files were inaccessible |
If multiple errors occur, we'll return the most severe error code. Codes are shown in order of severity above, with the highest number indicating the highest severity.
The Intercept X CLI tool doesn't return additional error codes of the type used by earlier Sophos endpoint products.
For a scan started by a user (not a system scan), we write additional output to the console. For each category, we show the number of files affected, and list them.
Results in JSON format
Use the --json option to output results in JSON format at the end of the scan.
Unless a fatal error occurs (error code 1 or 2), only a JSON object is written to stdout to support scripting.
JSON output format
When --json is specified, a JSON object is written providing the same level of detail as the human-readable output provided by default with --noui.
For a user scan, the following keys are always provided, even if no files are listed under them, to support discoverability:
```json
{
  "type": "user",
  "targets": ["C:\\test", "C:\\foo", "C:\\bar"],
  "summary": {
    "detections": 1,
    "cleanFiles": 3,
    "filesWithScanningErrors": 1,
    "filesWithUnsupportedFormats": 1,
    "inaccessibleFiles": 1,
    "encryptedFiles": 1,
    "corruptedFiles": 1
  },
  "detections": [{"path": "C:\\test\\eicar.com", "name": "EICAR-AV-Test", "type": "Malware"}],
  "filesWithScanningErrors": [{"path": "C:\\test\\bad.exe", "reason": "Stream read failure (source: SAVI, code: -1610350039)"}],
  "filesWithUnsupportedFormats": [{"path": "C:\\bar\\bar.exe"}],
  "inaccessibleFiles": [{"path": "C:\\foo\\bar.exe", "reason": "Access is denied (5) (source: ScanCoordinator)"}],
  "encryptedFiles": [{"path": "C:\\bar\\baz.exe"}],
  "corruptedFiles": [{"path": "C:\\bar\\corrupted.zip"}]
}
```
For a system scan, only the top-level type and summary keys are provided, where the type is "fullSystem" or "quickSystem".
For a user scan, if --verbose is also specified, an additional scannedFiles key is included, listing all files that have been scanned, except those that were inaccessible.
`"scannedFiles": [{"path": "C:\\test\\eicar.com"}]`
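Because only the most severe exit code is returned, a run that both detects a threat and hits an inaccessible file exits with 7 rather than 3, so a script should read `summary.detections` instead of testing for exit code 3. The following is an added example, not Sophos code; the function name `triage`, the status labels, and the decision to count the five non-clean categories as coverage gaps are assumptions.

```python
import json

FATAL_CODES = {1, 2}   # per the page: stdout may not be a JSON object for these
# Summary counters for files that were seen but not reported clean (assumed gaps).
GAP_KEYS = ("filesWithScanningErrors", "filesWithUnsupportedFormats",
            "inaccessibleFiles", "encryptedFiles", "corruptedFiles")

def triage(exit_code, stdout):
    """Classify one `scan --noui --json` run from its exit code and stdout."""
    verdict = {"status": "failed", "detections": [], "gaps": 0, "notes": []}
    if exit_code in FATAL_CODES:
        verdict["notes"].append(f"fatal exit code {exit_code}; stdout not parsed")
        return verdict
    try:
        result = json.loads(stdout)
        summary = dict(result["summary"])
    except (ValueError, KeyError, TypeError):
        verdict["notes"].append("stdout was not the expected JSON object")
        return verdict
    # System scans ("fullSystem"/"quickSystem") carry only type and summary.
    verdict["detections"] = result.get("detections", [])
    verdict["gaps"] = sum(summary.get(key, 0) for key in GAP_KEYS)
    if summary.get("detections", 0) > 0:
        verdict["status"] = "infected"
        if exit_code != 3:
            verdict["notes"].append(f"exit code {exit_code} outranks 3 and hid the detection")
    elif verdict["gaps"] > 0:
        verdict["status"] = "incomplete"
    else:
        verdict["status"] = "clean"
    return verdict

# Constructed sample: a trimmed copy of the page's user-scan object. Exit code 7
# is assumed from the severity rule (inaccessible files outrank a detection).
SAMPLE = json.dumps({
    "type": "user", "targets": ["C:\\test", "C:\\foo"],
    "summary": {"detections": 1, "cleanFiles": 3, "filesWithScanningErrors": 0,
                "filesWithUnsupportedFormats": 0, "inaccessibleFiles": 1,
                "encryptedFiles": 0, "corruptedFiles": 0},
    "detections": [{"path": "C:\\test\\eicar.com", "name": "EICAR-AV-Test",
                    "type": "Malware"}],
    "inaccessibleFiles": [{"path": "C:\\foo\\bar.exe",
                           "reason": "Access is denied (5) (source: ScanCoordinator)"}],
})

if __name__ == "__main__":
    print(triage(7, SAMPLE))
```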