
Web control lists specific endpoint as top malware downloader but no events can be found on the endpoint itself

Hi,

We can see an endpoint and user as a "huge" malware downloader in the "Top Malware Downloaders" report:
https://central.sophos.com/manage/endpoint/reports/web-control/malware/create 

But I can't find a single event or alert or anything linked to the specific user or endpoint. I'm using the new beta Sophos Central GUI, but it is the same if I switch back to the old view.

Is this report data accurate or am I missing something?

Thanks for any info on where to look for the details so that we can check if there is something strange going on and/or inform the user to stop visiting dangerous sites.



  • I encountered the same issue a few months ago. Maybe try to find the visited websites at Web control --> Blocked Sites. It will take some time, but you can figure out the exact date as well by working with a custom time period at the Top Malware Downloaders section.

    You can take a look at the Sophos log of the client or maybe here: C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs --> SophosNetFilter.log

    That was the answer from Sophos support: "Also regarding your question, one cannot directly get information that which URL was responsible for 'Top Malware Downloaders' report under 'Web Threats Blocked' on Sophos Central. We understand that it would be great to see the URL that is responsible for the entry in this overview itself on the Sophos Central but it is not possible currently hence, it can be considered as a feature request."

    Can someone from the Sophos team submit this as a feature request?

  • Thanks!

    The sum of blocked accesses per specific site indeed corresponds to the summary number shown for user / endpoint.