Skip to content

Scan from the command line

You can scan the computer using our command-line tool.

The command-line tool is installed automatically when you install Sophos Endpoint.

The tool is installed in Program Files/Sophos/Endpoint Defense and is called sophosinterceptxcli.exe.

The tool lets you do as follows:

  • Run a system scan (a scan of the whole computer).
  • Run a scan of specific files or folders.

This page lists the commands and options you can use.


The commands are as follows.


The scan command starts a scan of the device and shows a scanning progress dialog. Results are shown in the Sophos Endpoint user interface and any threats detected are reported to Sophos Central.

To run a scan, you enter a command in the following format:

scan <options> <targets>

For details of scanning options, see Options.

For details of how to specify targets, see Targets.

Scans don't check files that are excluded by policy or global exclusions set in Sophos Central.

The files that a scan can access depend on the rights that the scan runs with:

  • A system scan runs with the local system process rights. It can't access files like Microsoft EFS-encrypted files because the local system process can't access a user's keys.

  • A scan of specific files or folders runs with your user rights, so it can only scan files you can access.

Scans use Live Protection, which checks suspicious files against the latest threat information from SophosLabs. If Live Protection is off or the device is disconnected from the network, the scan is less effective.


The help command shows a list of available commands.

help <command> shows all the options available for the command.


Here are the options you can use with the scan command. They apply to all the targets (items to scan) that you specify. They apply regardless of where you put them in the command line.

Option Description
Expand archives --expand_archives

The scan expands archives and scans the contents.

No user interface --noui

No user interface is shown. Any detections are written to stdout. The tool doesn’t close until the scan finishes.

Verbose output --verbose

Only valid if --noui is specified. Writes information on each file scanned (the file name and the clean or detected status) to stdout.

System scan --system

Scans all local files on the current device and performs other system scan activities like an MBR (Master Boot Record) scan.

If you use --system don’t specify any targets.

System scans always run with the rights of the local system process. They can't access items like the content of Microsoft EFS-encrypted files because the local system process doesn't have access to the user's keys.


Targets are things you want to scan. Targets may be drives, folders, or files.

To scan a drive, enter a single upper or lowercase letter followed by a colon and a backslash, such as C:\


You must include the backslash. If you don't, the scan only checks files in the current folder on that drive. If you specify C:, that's usually the folder where you're running the command-line tool.

To scan a specific folder or file, enter a full or partial path. The scan treats folder and file paths as relative to the folder where you started the command-line tool.

You can use DOS-style or Unix-style path separators. You can also use UNC paths.


You can use wildcards in folder and path names but not in drive names.

Wildcard Description
* (asterisk) Use to match 0 or more characters
? Use to match a single character

See MS-DOS and Windows Wildcard Characters.

The scan can expand wildcards before it checks for folders and files. This applies only if the wildcard is in the last element of the path. So the scan expands C:/Test/Folder/F*le, but not C:/Test/F*lder/File.

Error codes

The command-line tool can return the following error codes:

Code Description
0 Success
1 Error during command handling
2 Unexpected error during CLI setup


The Intercept X CLI doesn't return additional error codes of the type used by earlier Sophos endpoint products.