
Scan from the command line

You can scan the computer using our command-line tool.

The command-line tool is installed automatically when you install Sophos Endpoint.

The tool is installed in Program Files/Sophos/Endpoint Defense and is called sophosinterceptxcli.exe.

The tool lets you do the following:

  • Run a system scan. This is a scan of the whole computer.
  • Run a user scan. This is a scan of files or folders specified by the user.

This page lists the commands and options you can use.

Commands

The commands are as follows.

scan

The scan command starts a scan of the device and shows a scanning progress dialog. Results are shown in the Sophos Endpoint user interface and any threats detected are reported to Sophos Central.

To run a scan, you enter a command in the following format:

scan <options> <targets>

For details of scanning options, see Options.

For details of how to specify targets, see Targets.

The files that a scan can access depend on the rights that the scan runs with:

  • A system scan runs with the local system process rights. It can't access files like Microsoft EFS-encrypted files because the local system process can't access a user's keys.

  • A user scan (a scan of specific files or folders) runs with your user rights, so it can only scan files you can access.

A user scan doesn't check files that are excluded by policy or global exclusions set in Sophos Central.

Scans use Live Protection, which checks suspicious files against the latest threat information from SophosLabs. If Live Protection is off or the device is disconnected from the network, the scan is less effective.

help

The help command shows a list of available commands.

help <command> shows all the options available for the command.

Options

Here are the options you can use with the scan command. They apply to all the targets (items to scan) that you specify. They apply regardless of where you put them in the command line.

Expand archives (--expand_archives)

The scan expands archives and scans the contents.

No user interface (--noui)

No user interface is shown. Any detections are written to stdout. The tool doesn’t close until the scan finishes.

Verbose output (--verbose)

Only valid if --noui is specified. Writes information on each file scanned (the file name and the clean or detected status) to stdout.

System scan (--system)

By default (or if --full is also specified), scans all local files on the current device and performs other system scan activities like MBR (Master Boot Record) and memory scans.

If --quick is specified together with --system, the system scan will only scan commonly used files, including the image files for running and recently-running processes, and programs configured to run automatically at startup. It also scans MBR and memory.

If you use --system don’t specify any targets.

System scans always run with the rights of the local system process. They can't access items like the content of Microsoft EFS-encrypted files because the local system process doesn't have access to the user's keys.

Targets

Targets are things you want to scan. Targets may be drives, folders, or files.

To scan a drive, enter a single upper or lowercase letter followed by a colon and a backslash, such as C:\

Note

You must include the backslash. If you don't, the scan only checks files in the current folder on that drive. If you specify C:, that's usually the folder where you're running the command-line tool.

To scan a specific folder or file, enter a full or partial path. The scan treats folder and file paths as relative to the folder where you started the command-line tool.

You can use DOS-style or Unix-style path separators. You can also use UNC paths.

Wildcards

You can use wildcards in folder and path names but not in drive names.

Wildcard Description
* (asterisk) Use to match 0 or more characters
? Use to match a single character

See MS-DOS and Windows Wildcard Characters.

The scan can expand wildcards before it checks for folders and files. This applies only if the wildcard is in the last element of the path. So the scan expands C:/Test/Folder/F*le, but not C:/Test/F*lder/File.
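
Several of the rules above fail quietly: a target of C: scans one folder instead of the drive, and a wildcard outside the last path element is not expanded. The PowerShell below is an added example (not Sophos code) that checks a planned scan argument list against the option and target rules on this page; the function name Test-SophosScanArgs and its messages are hypothetical, and the sample argument lists are constructed.

```powershell
# Added example, not Sophos code: lint a planned "scan" argument list against the
# rules stated on this page before it goes into a script or scheduled task.
function Test-SophosScanArgs {
    param([Parameter(Mandatory)][string[]]$ScanArgs)

    $options = @($ScanArgs | Where-Object { $_ -like '--*' })
    $targets = @($ScanArgs | Where-Object { $_ -notlike '--*' })
    $issues  = [System.Collections.Generic.List[string]]::new()

    if ($options -contains '--verbose' -and $options -notcontains '--noui') {
        $issues.Add('--verbose is only valid if --noui is also specified')
    }
    if ($options -contains '--system' -and $targets.Count -gt 0) {
        $issues.Add('--system scans the whole device: do not specify targets')
    }
    foreach ($t in $targets) {
        # DOS-style and Unix-style separators are both accepted, so split on either.
        $parts   = @($t -split '[\\/]' | Where-Object { $_ -ne '' })
        # Every path element except the last one ($null for a single-element path).
        $parents = if ($parts.Count -gt 1) { $parts[0..($parts.Count - 2)] }

        if ($t -match '^[A-Za-z]:$') {
            $issues.Add(('{0} lacks the trailing backslash: only the current folder on that drive is scanned' -f $t))
        } elseif ($t -match '^[*?]:') {
            $issues.Add(('{0} uses a wildcard in the drive name, which is not supported' -f $t))
        } elseif ($parents -match '[*?]') {
            $issues.Add(('{0} has a wildcard outside the last path element, so it is not expanded' -f $t))
        } elseif ($t -notmatch '^([A-Za-z]:[\\/]|[\\/]{2})') {
            $issues.Add(('{0} is relative: it resolves against the folder the tool is started from' -f $t))
        }
    }
    $issues   # one string per problem; no output means no rule on this page was broken
}

# Constructed argument lists, using the paths shown on this page.
Test-SophosScanArgs -ScanArgs 'C:', '--verbose'
Test-SophosScanArgs -ScanArgs '--system', '--quick', 'C:\'
Test-SophosScanArgs -ScanArgs '--noui', 'C:/Test/F*lder/File', 'C:/Test/Folder/F*le'
```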

Error codes

The command-line tool can return the following error codes:

Code Description
0 Successfully scanned all files and found no malware
1 Error during command handling
2 Unexpected error during command-line tool setup
3 A threat was detected in one or more files
4 One or more files encountered an error during the scan
5 One or more files were encrypted
6 One or more files have an unsupported format
7 One or more files were inaccessible

If multiple errors occur, we'll return the most severe error code. Codes are shown in order of severity above, with the highest number indicating the highest severity.

The Intercept X CLI tool doesn't return additional error codes of the type used by earlier Sophos endpoint products.

For a scan started by a user (not a system scan), we write additional output to the console. For each category, we show the number of files affected, and list them.

Results in JSON format

Use the --json option to output results in JSON format at the end of the scan.

Unless a fatal error occurs (error code 1 or 2), only a JSON object is written to stdout to support scripting.

JSON output format

When --json is specified, a JSON object is written providing the same level of detail as the human-readable output provided by default with --noui.

For a user scan, the following keys are always provided, even if no files are listed under them, to support discoverability:

{
  "type": "user",
  "targets": ["C:\\test", "C:\\foo", "C:\\bar"],
  "summary": {
    "detections": 1,
    "cleanFiles": 3,
    "filesWithScanningErrors": 1,
    "filesWithUnsupportedFormats": 1,
    "inaccessibleFiles": 1,
    "encryptedFiles": 1,
    "corruptedFiles": 1
  },
  "detections": [{"path": "C:\\test\\eicar.com", "name": "EICAR-AV-Test", "type": "Malware"}],
  "filesWithScanningErrors": [{"path": "C:\\test\\bad.exe", "reason": "Stream read failure (source: SAVI, code: -1610350039)"}],
  "filesWithUnsupportedFormats": [{"path": "C:\\bar\\bar.exe"}],
  "inaccessibleFiles": [{"path": "C:\\foo\\bar.exe", "reason": "Access is denied (5) (source: ScanCoordinator)"}],
  "encryptedFiles": [{"path": "C:\\bar\\baz.exe"}],
  "corruptedFiles": [{"path": "C:\\bar\\corrupted.zip"}]
}

For a system scan, only the top-level type and summary keys are provided, where the type is "fullSystem" or "quickSystem".

For a user scan, if --verbose is also specified, an additional scannedFiles key is included, listing all files that have been scanned, except those that were inaccessible.

`"scannedFiles": [{"path": "C:\\test\\eicar.com"}]`
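
A script that acts on scan results should read summary.detections from the --json output rather than test for exit code 3, because only the most severe code is returned and codes 4 to 7 outrank 3. The PowerShell below is an added example (not Sophos code) that applies this to the error codes and JSON format described above. Assumptions: the function name and verdict labels are hypothetical, the sample JSON is constructed from the one on this page, and combining --noui with --json in the commented live call is not confirmed by the page.

```powershell
# Added example, not Sophos code: turn one scan's exit code and --json output
# into a single verdict for a script or a SIEM forwarder.
function Get-SophosScanVerdict {
    param([Parameter(Mandatory)][int]$ExitCode, [string]$Json)

    # Codes 1 and 2 are fatal; the page only promises JSON-only stdout for other codes.
    if ($ExitCode -in 1, 2) {
        return [pscustomobject]@{ Verdict = 'ScanFailed'; ExitCode = $ExitCode; NotScanned = 0; Detections = @() }
    }
    $r = $Json | ConvertFrom-Json
    $s = $r.summary

    # Files the scan could not inspect. Zero detections among these proves nothing.
    $notScanned = 0
    foreach ($k in 'filesWithScanningErrors', 'filesWithUnsupportedFormats',
                   'inaccessibleFiles', 'encryptedFiles', 'corruptedFiles') {
        $notScanned += [int]$s.$k
    }
    # Decide from summary.detections, not from "exit code equals 3".
    $verdict = 'Clean'
    if ($notScanned -gt 0)        { $verdict = 'Incomplete' }
    if ([int]$s.detections -gt 0) { $verdict = 'ThreatDetected' }

    [pscustomobject]@{
        Verdict    = $verdict
        ExitCode   = $ExitCode
        NotScanned = $notScanned
        # A system scan has no top-level detections key, so this is then empty.
        Detections = @(foreach ($d in $r.detections) { '{0} [{1}, {2}]' -f $d.path, $d.name, $d.type })
    }
}

# Constructed sample, reduced from the JSON on this page. By the page's severity
# rule this scan exits with 7 (inaccessible file), not 3 (threat detected).
$sample = @'
{"type": "user", "targets": ["C:\\test", "C:\\foo"],
 "summary": {"detections": 1, "cleanFiles": 3, "filesWithScanningErrors": 0,
             "filesWithUnsupportedFormats": 0, "inaccessibleFiles": 1,
             "encryptedFiles": 0, "corruptedFiles": 0},
 "detections": [{"path": "C:\\test\\eicar.com", "name": "EICAR-AV-Test", "type": "Malware"}],
 "filesWithScanningErrors": [], "filesWithUnsupportedFormats": [],
 "inaccessibleFiles": [{"path": "C:\\foo\\bar.exe", "reason": "Access is denied (5) (source: ScanCoordinator)"}],
 "encryptedFiles": [], "corruptedFiles": []}
'@
Get-SophosScanVerdict -ExitCode 7 -Json $sample

# Live use on an endpoint (install folder as described on this page; uncomment to run):
# $cli = Join-Path $env:ProgramFiles 'Sophos\Endpoint Defense\sophosinterceptxcli.exe'
# $out = & $cli scan --noui --json 'C:\Users\Public' | Out-String
# Get-SophosScanVerdict -ExitCode $LASTEXITCODE -Json $out
```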