Scan from the command line
You can scan the computer using our command-line tool.
The command-line tool is installed automatically when you install Sophos Endpoint.
The tool is installed in
Program Files/Sophos/Endpoint Defense and is called
The tool lets you do as follows:
- Run a system scan (a scan of the whole computer).
- Run a scan of specific files or folders.
This page lists the commands and options you can use.
The commands are as follows.
The scan command starts a scan of the device and shows a scanning progress dialog. Results are shown in the Sophos Endpoint user interface and any threats detected are reported to Sophos Central.
To run a scan, you enter a command in the following format:
scan <options> <targets>
For details of scanning options, see Options.
For details of how to specify targets, see Targets.
Scans don't check files that are excluded by policy or global exclusions set in Sophos Central.
The files that a scan can access depend on the rights that the scan runs with:
A system scan runs with the local system process rights. It can't access files like Microsoft EFS-encrypted files because the local system process can't access a user's keys.
A scan of specific files or folders runs with your user rights, so it can only scan files you can access.
Scans use Live Protection, which checks suspicious files against the latest threat information from SophosLabs. If Live Protection is off or the device is disconnected from the network, the scan is less effective.
The help command shows a list of available commands.
help <command> shows all the options available for the command.
Here are the options you can use with the scan command. They apply to all the targets (items to scan) that you specify. They apply regardless of where you put them in the command line.
|Expand archives|| |
The scan expands archives and scans the contents.
|No user interface|| |
No user interface is shown. Any detections are written to
|Verbose output|| |
Only valid if
|System scan|| |
Scans all local files on the current device and performs other system scan activities like an MBR (Master Boot Record) scan.
If you use
System scans always run with the rights of the local system process. They can't access items like the content of Microsoft EFS-encrypted files because the local system process doesn't have access to the user's keys.
Targets are things you want to scan. Targets may be drives, folders, or files.
To scan a drive, enter a single upper or lowercase letter followed by a colon and a backslash, such as
You must include the backslash. If you don't, the scan only checks files in the current folder on that drive. If you specify
C:, that's usually the folder where you're running the command-line tool.
To scan a specific folder or file, enter a full or partial path. The scan treats folder and file paths as relative to the folder where you started the command-line tool.
You can use DOS-style or Unix-style path separators. You can also use UNC paths.
You can use wildcards in folder and path names but not in drive names.
|* (asterisk)||Use to match 0 or more characters|
|?||Use to match a single character|
The scan can expand wildcards before it checks for folders and files. This applies only if the wildcard is in the last element of the path. So the scan expands
C:/Test/Folder/F*le, but not
The command-line tool can return the following error codes:
| ||Error during command handling|
| ||Unexpected error during CLI setup|
The Intercept X CLI doesn't return additional error codes of the type used by earlier Sophos endpoint products.