
Sophos Intercept X/Central scans and events

Hello dear community,

I would like to draw your attention to the following facts regarding Sophos Intercept X and Sophos Central.
Unfortunately, the details of a scan cannot be included in the assessment of the status of a computer.
Unfortunately, the information is not clear and can lead to incorrect assumptions.
We noticed that a scan that is not completed has the same entry in the events as a scan that "really" ran. It is therefore not possible to assess whether a scan has run correctly based on the events.
As an example:
I started a 'User initiated scan' and aborted after about 10 seconds. The scan is specified in the events in Sophos Central as "Scan 'User Initiated Scan' completed" and the Sophos Intercept X also shows the time of the canceled scan as the time of the last scan.
Our Scheduled Scan ran on the same day. This is also listed in the Sophos Central events with "Scan 'Sophos Central Scheduled Scan' completed".
This means that the correct execution of a scan cannot be judged from the entries. So for every scan, the worst-case scenario has to be assumed: that it was not carried out correctly.

We have already addressed this issue at Sophos and received the following response:


"This is as designed - We don't say "completed successfully". We say "scan has completed", which it has. Complete means it's stopped whether it's because it's scanned everything or the user has stopped it, doesn't make a difference."


From my point of view, this makes a big difference when evaluating the security of a computer!


