HOW TO: Confirm the Endpoint is Protected


Please create a new post in the Discussions section for any questions or comments.

Now that the endpoint is enrolled in the EAP and has the software, we need to confirm that the protection is working properly.

  1. Go to the target machine
  2. Click on the Sophos Icon in the upper ribbon
  3. Click on Open
  4. Click on the Endpoint Self Help Tool
    1. Confirm all elements are GREEN
  5. Go to and download the file to ..\Desktop\
  6. The file should get a detection immediately 
  7. Verify full disk access
    1. command: sudo sqlite3 /Library/Application\ Support/ "select client,auth_value from access" | grep -i sophos | sort
      1. expected output:
        /Library/Sophos Managed Detection and Response/SophosMDR|2
  8. Verify status of system extensions
    1. command: systemextensionsctl list | grep -i sophos
    2. expected output:
      * * 2H5GFH3774 com.sophos.endpoint.networkextension (1.0/2) networkextension [activated enabled]
      * * 2H5GFH3774 com.sophos.endpoint.scanextension (1.0/1.0) com.sophos.endpoint.scanextension [activated enabled]
  9. Verify endpoint security client functionality
    1. command: gzcat /Library/Logs/SophosDiagnostics.* | grep -e 'ESServer.*Cache Stat'
      1. expected output: (multiple results of the following liens with a non zero total)
        2020-11-27 12:43:41.104 [SophosServiceManager 83268:7386487 TID:7486301 ESServer PID:79882] [Cache Stat: Total 4424 item(s), hit ratio: 35.089123%, miss ratio: 64.91087%]
        2020-11-27 12:48:41.111 [SophosServiceManager 83268:7386487 TID:7488637 ESServer PID:79882] [Cache Stat: Total 4468 item(s), hit ratio: 34.990402%, miss ratio: 65.0096%]
        2020-11-27 12:53:41.130 [SophosServiceManager 83268:7386487 TID:7490203 ESServer PID:79882] [Cache Stat: Total 4503 item(s), hit ratio: 34.955013%, miss ratio: 65.04499%]

If you don't get a detection - please report this immediately in the Discussions forum.

[edited by: Florentino Sanchez at 8:14 PM (GMT -8) on 8 Mar 2021]