This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web control lists specific endpoint as top malware downloader but no events can be found on the endpoint itself


we can see an endpoint and user as "huge" malware downloader in "Top Malware Downladers" report: 

But I can't find a single event or alert or anything linked to specific user or endpoint. I'm using new beta Sophos Central GUI but it is the same if I switch back to old view. 

Is this report data accurate or am I missing something?

Thanks for any info where to look for the details so that I we can check if there is something strange going on and/or inform the user to stop visiting dangerous sites.

This thread was automatically locked due to age.
  • I encountered the same issue a few month ago. Maybe try to find the visited websites at Web control --> Blocked Sites. It will take some time, but you can figure out the exact date aswell by working with a custom time period at the Top Malware Downloaders section.

    You can take a look at the sophos log of the client or maybe here: C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs --> SophosNetFilter.log

    That was the answer from sophos support: "Also regarding your question, one cannot directly get information that which URL was responsible for 'Top Malware Downloaders' report under 'Web Threats Blocked' on Sophos Central. We understand that it would be great to see the URL that is responsible for the entry in this overview itself on the Sophos Central but it is not possible currently hence, it can be considered as a feature request."

    Can someone from the sophos team submit this as a feature request?

  • Thanks!

    the sum of blocked accesses per specific site indeed corresponds to the summary number shown for user / endpoint.