Sophos released an updated version of their Mac antivirus software. How come you don’t know about it? Because your current version (probably 8.0.16C) will not notify you of it. I have not tested and reviewed the new version yet but installed it on one of my machines just to see what’s new. Here are my observations so far.
When performing a fresh install (no older versions installed) the installation and first update go smoothly. You’ll end up with version 9.0.1 after the 120+ MB update completes. However, when there is an older version present there can be some issues. On several occasions I found the new version installs without a problem but it won’t update, leaving you with protection against 0 threats and version 9.0.0.
After uninstalling Sophos and reinstalling the latest version (preferences are saved) everything works as it should. After the first 120+ MB download it’s a good idea to update Sophos again, this will usually result in another 20+ MB update after which Sophos will tell you your version is now up to date. The update process now appears to run mostly via ocsp.startssl.com but the traffic itself still moves via unencrypted http, port 80.
The biggest change is the addition of Web Protection. You can read about what it does in the screenshot below.
The web protection runs as a background process called SophosWebIntelligence.bundle and monitors all traffic that passes through your browser (Firefox, Chrome, Safari and Opera are supported). When checking my browsers, however, I find no extensions, plugins or add-ons, so I am not yet sure how this process works exactly. Unfortunately, allowing this process complete access through Little Snitch overrides the already set rules to block Big Data collectors like Google, so suddenly I was able to pull up google.com again without a problem. This was reason enough for me to disable both web protection options (they both use the same process). Also, not knowing where Sophos gets their malicious websites info or website reputation checks (I fear it’s Google), I am currently not comfortable using or recommending this feature. Even with web protection disabled in the preferences the process keeps running and cannot be stopped. It still sees all traffic (indicated by CPU usage when loading a website) but it does not act on any of it. While mostly inactive, that’s still almost 1% of CPU resources being used for no good reason.
The web protection can take its toll on system performance, with CPU spikes averaging 4 to 8% when loading a simple website and as high as 29% when loading complex websites. The process idles around 2%. On a multi-processor Mac Pro this is not a big deal; on a MacBook Air or older Mac this is a performance hit you do not want.
Another small change is in the log preferences, where you can now set the number of log files you wish to keep, something that may be useful to administrators and those with low-capacity hard drives.
Whereas version 8.x ran three processes by default (up to six when an active scan was running), version 9.x has seven processes running by default and up to ten when scanning. The scanner is unfortunately still 32-bit, which is surprising since three of the processes, including the new web protection, run in 64-bit. It still only uses a single processor core, meaning scans probably take longer than they would when using more available cores. Because the web protection has its own process (able to use its own processor core), browsing the web appears not to be impacted by an active scan.
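If you want to reproduce the process-count, CPU and 32/64-bit observations above on your own machine, the following shell script is an added example (not from the original post and not Sophos' own tooling). It assumes a macOS `ps -axo` and `file`; the only page-specific value is the process name pattern "Sophos", and the sample `ps` lines used in the comment are constructed.

```shell
#!/bin/sh
# Added example: count processes whose command path matches a pattern, sum
# their CPU usage, and report each binary's architecture (32- vs 64-bit).
# Assumes macOS `ps -axo pid,pcpu,comm` output and the `file` utility.

# Parse "pid pcpu comm" lines on stdin; print "<count> <total_cpu_percent>".
# Constructed sample input:
#   101 2.0 /Library/Sophos/SophosWebIntelligence
#   102 4.5 /Library/Sophos/SophosScanD
# gives "2 6.5".
summarize_procs() {
    awk '{ n++; cpu += $2 } END { printf "%d %.1f\n", n, cpu + 0 }'
}

# Live check: every running process whose command path contains the pattern
# (case-insensitive), excluding the grep that does the matching.
audit_procs() {
    pattern="${1:-Sophos}"
    ps -axo pid,pcpu,comm | grep -i "$pattern" | grep -v grep | summarize_procs
}

# Architecture of each distinct matching binary. On macOS `file` prints
# "Mach-O 64-bit executable x86_64" for 64-bit and "Mach-O executable i386"
# for 32-bit binaries, which is what the 32-bit scanner observation rests on.
audit_arch() {
    pattern="${1:-Sophos}"
    ps -axo comm | grep -i "$pattern" | grep -v grep | sort -u | while read -r bin; do
        [ -x "$bin" ] && file "$bin" | sed 's/^/  /'
    done
}

# Usage: sh audit_procs.sh --run [pattern]
if [ "${1:-}" = "--run" ]; then
    echo "matching processes / total CPU%:"
    audit_procs "${2:-Sophos}"
    echo "binary architectures:"
    audit_arch "${2:-Sophos}"
fi
```

Run it once idle and once during an active scan or while loading a heavy page to see the process count and combined CPU share change; the architecture listing shows at a glance which components are still 32-bit.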
I’ll write more about system performance once I update the Sophos test and review page, but so far I do not see a reason to upgrade to the latest version. For now I uninstalled this and went back to version 8.0.16C. Be careful if you feel like trying out this new version: the old installer is no longer available online, so unless you still have it in your downloads folder somewhere you’ll be stuck with 9.0.1. Once I have properly tested and reviewed this new version I will update this blog.