I just had an incident where an employee plugged in a USB drive containing hacking tools, scanners, BIOS updaters, service manipulation tools, and more. I didn't realize it until two hours later because I check the Sophos Central threat analysis center daily.
I just got off the phone with Sophos support, and they explained that you only get notifications if the endpoint can't resolve the issue.
So an attacker can basically try anything on your client until the endpoint fails, and then you get the notification.
Endpoint threat notifications are so fundamental and important, why is this missing?!!!! I'd like to know when malware is found.
Hello Ameisenbär,
We appreciate your reaching out to the Sophos Community Forum.
Please refer to this information if that helps you.
Let me explain how the notification process works in Sophos Endpoint and Sophos Central to help clarify your concern.
Sophos Endpoint is designed to automatically detect, block, and clean most threats without requiring manual intervention. Sophos Central, by design, only sends alert notifications when:
A threat can't be cleaned or remediated automatically by the endpoint, or
Manual action is needed because the threat remains active or unresolved.
When a threat or potentially unwanted program (PUP) is detected and successfully cleaned or blocked immediately, this event is logged in the device's local logs and Sophos Central's event records. However, no alert email is triggered by default for these successful cleanups. This design helps reduce "alert fatigue" so administrators can focus on incidents requiring their attention.
We understand some administrators want to be notified of all detections, including those automatically resolved. Sophos Central does not offer built-in native alert rules to send immediate email notifications for every “malware cleaned up” event, as these are low-severity informational logs rather than critical alerts.
That said, to get comprehensive visibility, including all detection events, many organisations use one or both of these approaches:
You can review the detailed Threat Protection events in Sophos Central, where all detections and cleanups are recorded regularly.
Integrate Sophos Central with external SIEM or monitoring solutions via APIs. These solutions can ingest all endpoint event data and generate custom alerts or dashboards, including for cleaned malware events.
In your case, the endpoint successfully blocked and cleaned the hacking tools from the USB device, so no email alert was generated. Nonetheless, the event was recorded in Threat Protection events in Sophos Central for audit and investigation.
If you require more granular alerting capabilities, such as receiving immediate notifications for every malware detection, including automatically cleaned ones, I recommend submitting a formal feature request. You can do this by contacting your Sophos Account Manager or Partner. Sophos actively evaluates customer feedback and feature requests to guide future product enhancements and prioritisation.

Please refer to these articles for reference:
Sophos Central Admin: Alerts page and settings FAQ
Sophos Central APIs: Send alert and event data to your SIEM
Sophos Central Admin: SIEM frequently asked questions
Let me know if you need any further help.
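As an added example, not Sophos code and not part of the reply above, this is the kind of filter a SIEM-side script would run over a batch of events pulled through the Sophos Central SIEM integration to raise its own alerts for detections that Central resolves silently. The "Event::Endpoint::Threat::" type strings, the field names and the sample batch are assumptions modelled on the SIEM API's naming; check them against events exported from your own tenant before relying on them.

```python
"""Raise custom alerts for endpoint threat events that Sophos Central cleans
up automatically and therefore does not email about by default."""
from collections import defaultdict

# Prefix of endpoint threat events in the SIEM export (assumption: verify
# against a real export from your tenant).
THREAT_PREFIX = "Event::Endpoint::Threat::"

# Constructed sample batch in the shape of one SIEM events response;
# ids, hostnames, timestamps and detection names are made up.
SAMPLE_BATCH = {"items": [
    {"id": "e2", "type": "Event::Endpoint::Threat::PuaCleanedUp",
     "severity": "low", "when": "2024-05-02T09:16:00Z", "location": "WS-017",
     "name": "PUA cleaned: 'Generic PUA' at 'E:/tools/portscan.exe'"},
    {"id": "e1", "type": "Event::Endpoint::Threat::CleanedUp",
     "severity": "medium", "when": "2024-05-02T09:14:00Z", "location": "WS-017",
     "name": "Malware cleaned: 'Mal/Generic-S' at 'E:/tools/svcctl.exe'"},
    {"id": "e3", "type": "Event::Endpoint::UpdateSuccess",
     "severity": "low", "when": "2024-05-02T09:20:00Z", "location": "WS-017",
     "name": "Update succeeded"},
    {"id": "e4", "type": "Event::Endpoint::Threat::CleanupFailed",
     "severity": "high", "when": "2024-05-02T09:30:00Z", "location": "SRV-02",
     "name": "Cleanup failed: 'Troj/Agent-X'"},
]}


def select_threat_events(batch):
    """Keep only endpoint threat events, oldest first (other event types,
    such as update notices, are dropped)."""
    items = [e for e in batch["items"] if e.get("type", "").startswith(THREAT_PREFIX)]
    return sorted(items, key=lambda e: e["when"])


def summarise_by_endpoint(events):
    """Fold a burst of detections into one alert record per endpoint.
    'auto_resolved' is True when none of the events is a cleanup failure,
    i.e. the cases Central handled silently (heuristic on the type name)."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["location"]].append(e)
    return {host: {
        "count": len(evs),
        "types": sorted({e["type"].removeprefix(THREAT_PREFIX) for e in evs}),
        "first_seen": evs[0]["when"],
        "last_seen": evs[-1]["when"],
        "auto_resolved": all("Failed" not in e["type"] for e in evs),
    } for host, evs in per_host.items()}


if __name__ == "__main__":
    for host, rec in summarise_by_endpoint(select_threat_events(SAMPLE_BATCH)).items():
        print(f"ALERT {host}: {rec['count']} threat event(s) {rec['types']} "
              f"between {rec['first_seen']} and {rec['last_seen']}")
```

In practice the batch would come from repeated SIEM API calls using the cursor Sophos returns, and the summary would be forwarded to whatever ticketing or alerting channel your SIEM already uses.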