Intercept X Trial - No Alerts on Central Dashboard?

Didn't know whether to put this under Central or Intercept X, so here I am...

I'm trialing Intercept X client to see how it performs over my standard Endpoint Protection clients by throwing test virus and ransomware at both of them. When I do, I expect to see Alerts on my Central dashboard for both, but only the standard Endpoints roll up to the Alerts page for me.

I have to navigate to Threat Analysis Center to see alerts from my IX clients, and this seems to update much more slowly than the Alerts tab for the Endpoint clients. Is this functioning as designed to have my alerts in two separate locations rather than consolidated under Alerts? It feels like this is a major oversight and Alerts should be visible under the Alerts tab, no?

Alerts Tab doesn't show my IX details:

 

versus TAC:

Please tell me that I'm just doing something wrong and this isn't another Sophos-click fest to get information...

Thanks,
Michael

  • Hi Michael,

    The Alerts tab only shows information that requires administrative interaction, such as a reboot required on a machine or a manual cleanup. For things seen in TAC such as Eicar, they don't show up in Alerts as Sophos Endpoint Protection has already stopped and cleaned up the threats, thus no administrative interaction is required. TAC provides more information on where a detection originated from if one wants to perform a Root Cause Analysis. With that information one can determine if a malicious file was downloaded and opened via web/email or coming from another computer in the network. TAC can be used to do a lot more and this is just one of those possibilities.

  • In reply to MEric:

    This seems counterintuitive in a system that I use solely as an anti-malware tool (I'd prefer to have ALL my malware incidents up front and in my face), and expanding the effort to "All Alerts" is misleading. Perhaps you should change the name of this to Administrative Tasks, and All Alerts should be called More Administrative Tasks... and use the Alerts page for things that seem more like Alerts than my need to reboot a workstation...

    Thanks for answering my question.

    Thank you,
    Michael

  • In reply to MEric:

    I find myself in the same boat as Michael here. I can use TAC to search for test threats; running "powershell -exec -bypass" via cmd.exe as a standard user, for example, and it will list results for me.

    The problem here is that I already know about them. As far as I can see, there's no way to create an Alert based on the kinds of things we're seeing in TAC, even if that event is a simple email advising me that someone ran the command.