Generate NDR test detections

You can generate test detections to check that Sophos NDR is correctly set up and working.

The test isn't malicious. It triggers a detection by simulating an event with features typical of an attack. The event is a client downloading a file from a server with suspicious domain and certificate details.

The following example shows how to generate a detection using the Windows Command Prompt.

To generate a test detection, do as follows:

  1. Go to Sophos Test.
  2. Click Network Security > Network Detection and Response.
  3. Click Download File.
  4. Extract the file contents to your preferred location.
  5. Run Command Prompt as administrator.
  6. In Command Prompt, change to the folder where you extracted the files, and run the following command:

     NdrEicarClient.exe -- all

    Note

    You must run the command on a device behind the firewall, so that its traffic passes through the firewall.

    Running the executable simulates communication with a suspicious domain with expired certificate details.

    Wait a few minutes for the detection to complete.

  7. Run the command again.

    The firewall detects the communication and classifies it under a specific threat category. NDR analyzes the flow, assigns a threat score, and flags the IoC. The firewall adds the detected IoC to the threat indicator list.