How to test Sophos Protection for Linux detection features
You can test Sophos Protection for Linux detection features to confirm that your device is protected and communicating with Sophos Central.
On-demand and on-access scanning
Requirement
On-access scanning requires you to turn on Enable scan for Server Protection for Linux Agent in your server threat protection policy. This setting is turned off by default. See Real-time Scanning - Local Files and Network Shares.
You can test scanning with EICAR. EICAR is an industry-standard detection test file, not a virus.
- Go to www.eicar.org.
- Click Download anti malware test file.
- Download the EICAR test file. It's detected and cleaned when it's written to the disk.
You'll see the detection in av.log. Run the following command:
cat /opt/sophos-spl/plugins/av/log/av.log
Example
180191342 [2023-01-18T16:03:43.969] INFO [9358345792] av <> Threat cleaned up at path: /.../eicar.com
You'll also see the alert in Sophos Central on the Server Summary page.
Runtime detections
Restrictions
To test Sophos Protection for Linux runtime detections, your Sophos Central account must have one of the following product licenses:
- Intercept X Advanced for Server with XDR
- Intercept X Advanced for Server with MDR Complete
You can use the runtimedetections command to create a test alert. To create a test alert, do as follows:
- Go to /opt/sophos-spl/plugins/runtimedetections/bin.
- Run the following command:
./runtimedetections --test-alert
You'll see that the alert is created and sent to Sophos Central in /opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log. Run the following command:
cat /opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log
Example
14 [2023-01-16T17:26:37.631Z] INFO [0000000000] runtimedetections <> Alert testing command executed, exiting
12363670 [2023-01-16T17:26:37.641Z] INFO [0000000000] runtimedetections <> Sent alert to event journal Alert Tester as 1673889997640013873 (31b7076e-5723-46e3-b5ec-90dc9267d6a2)
You'll also see the alert in Sophos Central on Threat Analysis Center > Detections.
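The following POSIX sh script is an added example, not Sophos tooling, that drives both tests described above (the EICAR on-access test and the runtimedetections test alert) and confirms that the expected entries land in the plugin logs instead of relying on reading cat output by eye. The log paths and the --test-alert command are the ones named on this page; the EICAR download URL, the 60-second polling timeout, the test directory under /tmp and the sample log lines used by the offline self-test are assumptions or constructed values for this example. The EICAR part only succeeds when on-access scanning is enabled in the threat protection policy, as stated in the Requirement above.

```shell
#!/bin/sh
# Added example (not Sophos tooling): drive the two detection tests from this page
# and check the plugin logs for the expected entries.
# Log paths and the --test-alert command come from the page; EICAR_URL, TIMEOUT and
# the default test directory are assumptions of this example.

AV_LOG="${AV_LOG:-/opt/sophos-spl/plugins/av/log/av.log}"
RTD_DIR="${RTD_DIR:-/opt/sophos-spl/plugins/runtimedetections/bin}"
RTD_LOG="${RTD_LOG:-/opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log}"
EICAR_URL="${EICAR_URL:-https://secure.eicar.org/eicar.com}"   # assumption: download location of the EICAR file
TIMEOUT="${TIMEOUT:-60}"                                         # assumption: seconds to wait for a log entry

# Succeed when av.log ($1) contains a "Threat cleaned up" entry for a path ending in /$2.
av_log_has_cleanup() {
    log="$1"; name="$2"
    [ -r "$log" ] || return 1
    grep 'Threat cleaned up at path:' "$log" | grep -qF "/$name"
}

# Print the event-journal id of the last test alert recorded in runtimedetections.log ($1),
# i.e. the number after "Alert Tester as"; fail when no such entry exists.
rtd_test_alert_id() {
    log="$1"
    [ -r "$log" ] || return 1
    id=$(sed -n 's/.*Sent alert to event journal Alert Tester as \([0-9][0-9]*\).*/\1/p' "$log" | tail -n 1)
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Re-run a check command ($@) once per second until it succeeds or TIMEOUT seconds elapse.
wait_for() {
    n=0
    until "$@"; do
        n=$((n + 1))
        [ "$n" -lt "$TIMEOUT" ] || return 1
        sleep 1
    done
}

# Live test 1: write the EICAR file into $1 and wait for on-access scanning to clean it up.
run_eicar_test() {
    dir="${1:-/tmp/eicar-test}"
    mkdir -p "$dir"
    # The agent may remove the file as soon as it is written, so a curl error here is expected.
    curl -fsS -o "$dir/eicar.com" "$EICAR_URL" || true
    wait_for av_log_has_cleanup "$AV_LOG" eicar.com
}

# Live test 2: create the runtime detection test alert and wait until it is journaled.
run_rtd_test() {
    (cd "$RTD_DIR" && ./runtimedetections --test-alert) || return 1
    wait_for rtd_test_alert_id "$RTD_LOG"
}

# Offline self-test on constructed log lines modelled on the examples on this page.
selftest() {
    av=$(mktemp); rtd=$(mktemp)
    printf '%s\n' \
      '180191342 [2023-01-18T16:03:43.969] INFO [9358345792] av <> Threat cleaned up at path: /tmp/eicar-test/eicar.com' > "$av"
    printf '%s\n' \
      '14 [2023-01-16T17:26:37.631Z] INFO [0000000000] runtimedetections <> Alert testing command executed, exiting' \
      '12363670 [2023-01-16T17:26:37.641Z] INFO [0000000000] runtimedetections <> Sent alert to event journal Alert Tester as 1673889997640013873 (31b7076e-5723-46e3-b5ec-90dc9267d6a2)' > "$rtd"
    av_log_has_cleanup "$av" eicar.com || return 1
    ! av_log_has_cleanup "$av" other.txt || return 1
    [ "$(rtd_test_alert_id "$rtd")" = 1673889997640013873 ] || return 1
    ! rtd_test_alert_id "$av" >/dev/null || return 1
    rm -f "$av" "$rtd"
}

# Usage: ./spl-detection-test.sh selftest | eicar [DIR] | rtd
case "${1:-}" in
    selftest) selftest && echo "selftest passed" ;;
    eicar)    run_eicar_test "$2" && echo "EICAR detection logged in $AV_LOG" ;;
    rtd)      run_rtd_test && echo "test alert journaled in $RTD_LOG" ;;
esac
```

Run `./spl-detection-test.sh selftest` anywhere to check the log parsing against the constructed sample lines; `eicar` and `rtd` touch the real agent and only make sense on a server with Sophos Protection for Linux installed. After either live test passes, the matching alert should also be visible in Sophos Central (Server Summary for the EICAR detection, Threat Analysis Center > Detections for the test alert), which confirms the device is communicating with Central and not just detecting locally.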