This article provides instructions on how you can locate a file's unique SHA-256 hash. This can be useful when working with Sophos Support to investigate an infection or potential false positive. It is also an easy way to confirm a file hasn't changed/corrupted after sharing it over email/ftp etc as any changes to the file would result in the hash being different.
Applies to the following Sophos product(s) and version(s) Sophos Central Admin
For Sophos Central customers getting a file's hash can be done via a few methods, which one you will be able to use depends on if the file is being detected and removed by Sophos or not. For files that aren't being detected but you want to know what their hash is then you can use the Endpoint Self Help (ESH) tool, which is installed on every Sophos Central Endpoint. Launching the ESH tool and selecting the File Info tab will provide you with a simple file drag and drop option. This will provide you with the SHA-256 hash of any file dropped onto it. Please see this article for more information: Sophos Endpoint Self Help - File Info.
When the file in question is being detected and either blocked or has already been removed then you will need to use the Event details information in Sophos Central. To do this follow these steps:
After selecting the Details option you will then be presented with the Event details screen. This gives you information about the detection, the file and it's location. You will also be given the SHA-256 hash.
Note: Not all detections will have the Event details available. If the details are not available for the detection you are interested in, we suggest checking to see if a Threat case was created for the detection. By using the threat case you are able to get the SHA-256 hash of any processes included.
If you aren't able to get a files hash, or have any questions about doing this please contact Sophos Support.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.