Sophos Antivirus for Mac Home Edition version 9

18 August 2013, Security

Sophos released an updated version of their Mac antivirus software. How come you don’t know about it? Because your current version (probably 8.0.16C) will not notify you of it. I have not tested and reviewed the new version yet but installed it on one of my machines just to see what’s new. Here are my observations so far.

When performing a fresh install (no older version installed), the installation and first update go smoothly. You’ll end up with version 9.0.1 after the 120+ MB update completes. However, when an older version is present there can be issues: on several occasions I found that the new version installed without a problem but then would not update, leaving you with version 9.0.0 and protection against 0 threats.

Installed over version 8.0.16C Sophos experiences some issues.

After uninstalling Sophos and reinstalling the latest version (preferences are preserved) everything works as it should. After the first 120+ MB download it’s a good idea to update Sophos again; this usually results in another 20+ MB update, after which Sophos will tell you your version is up to date. The update process now appears to run mostly via ocsp.startssl.com, but the traffic itself still moves over unencrypted HTTP on port 80.

The biggest change is the addition of Web Protection. You can read about what it does in the screenshot below.
[Screenshot: Web Protection preferences]
The web protection runs as a background process called SophosWebIntelligence.bundle and monitors all traffic that passes through your browser (Firefox, Chrome, Safari and Opera are supported). When checking my browsers, however, I find no extensions, plugins or add-ons, so I am not yet sure how this process works exactly. Unfortunately, allowing this process complete access through Little Snitch overrides the rules I had already set to block Big Data collectors like Google, so suddenly I was able to pull up google.com again without a problem. This was reason enough for me to disable both web protection options (they both use the same process). Also, not knowing where Sophos gets its malicious-website info or website reputation checks (I fear it’s Google), I am currently not comfortable using or recommending this feature. Even with web protection disabled in the preferences the process keeps running and cannot be stopped. It still sees all traffic (indicated by CPU usage when loading a website) but does not act on any of it. While mostly inactive, that’s still almost 1% of CPU resources being used for no good reason.

The web protection can take its toll on system performance, with CPU spikes averaging 4 to 8% when loading a simple website and as high as 29% when loading complex websites. The process idles around 2%. On a multi-processor Mac Pro this is not a big deal; on a MacBook Air or an older Mac this is a performance hit you do not want.

Another small change is in the log preferences, where you can now set the number of log files you wish to keep, something that may be useful to administrators and those with low-capacity hard drives.

Whereas version 8.x ran three processes by default (up to six when an active scan was running), version 9.x has seven processes running by default and up to ten when scanning. The scanner is unfortunately still 32-bit, which is surprising since three of the processes, including the new web protection, run in 64-bit. It still only uses a single processor core, meaning scans probably take longer than they would if more of the available cores were used. Because the web protection has its own process (able to use its own processor core), browsing the web appears not to be impacted by an active scan.
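The CPU and memory figures quoted above and in the earlier web-protection paragraph came from watching the processes by hand. The sampler below is an added example (not Sophos code and not part of the original post) that reproduces that kind of measurement for any process whose name matches a pattern; the process name SophosWebIntelligence used in the usage comment is taken from the review and may need adjusting to what `ps` shows on your Mac.

```shell
#!/bin/sh
# Sample CPU% and resident memory of every process whose name matches a
# pattern, then report per-process average CPU, peak CPU and peak RSS.
# Added example for reproducing the review's measurements; not Sophos code.
# Usage: sample_procs PATTERN [SAMPLES] [INTERVAL_SECONDS]
#   e.g. sample_procs SophosWebIntelligence 30 1   (process name from the
#   review; adjust to whatever `ps` shows on your machine)

sample_procs() {
    pattern=$1; samples=${2:-10}; interval=${3:-1}
    tmp=$(mktemp) || return 1
    n=0
    while [ "$n" -lt "$samples" ]; do
        # -A and these column names work on both macOS and Linux ps; rss is KiB.
        # "|| :" keeps a sample with no matching process from aborting under set -e.
        ps -Ao pid=,pcpu=,rss=,comm= | grep -- "$pattern" | grep -v grep >> "$tmp" || :
        n=$((n + 1))
        if [ "$n" -lt "$samples" ]; then sleep "$interval"; fi
    done
    # Aggregate per pid; RSS is converted from KiB to MiB.
    awk '{ if (!($1 in cnt)) { cnt[$1] = 0; sum[$1] = 0; pk[$1] = 0; rs[$1] = 0 }
           cnt[$1]++; sum[$1] += $2
           if ($2 > pk[$1]) pk[$1] = $2
           if ($3 > rs[$1]) rs[$1] = $3
           name[$1] = $4 }
         END { for (p in cnt)
                 printf "%s pid=%s avg_cpu=%.1f%% peak_cpu=%.1f%% peak_rss=%.1fMiB samples=%d\n",
                        name[p], p, sum[p]/cnt[p], pk[p], rs[p]/1024, cnt[p] }' "$tmp"
    rm -f "$tmp"
}
```

Run it while loading a few simple and complex pages to see the idle baseline against the spikes the review describes.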

I’ll write more about system performance once I update the Sophos test and review page, but so far I do not see a reason to upgrade to the latest version. For now I uninstalled this and went back to version 8.0.16C. Be careful if you feel like trying out this new version: the old installer is no longer available online, so unless you still have it in your downloads folder somewhere you’ll be stuck with 9.0.1. Once I have properly tested and reviewed this new version I will update this blog.


11 thoughts on “Sophos Antivirus for Mac Home Edition version 9”

  • 1
    TED on October 7, 2013

    From what I know about Sophos and Astaro/Sophos UTM, Astaro uses McAfee enterprise filter/Site Advisor. I assume they use this data or part of it throughout all their products.

  • 2
    Brian on November 1, 2013

    Did you ever figure out a way to disable those resource intensive background processes used for web protection?

    • 3
      Jay on November 1, 2013

      I did not but further testing showed V9 overall actually runs lighter than V8. Will update this post early next week to reflect those results.

  • 4
    Great Pumpkin on November 3, 2013

    Yes, as you wrote, Google or any other website that was blocked through LS now passes through if you turn on web protection in SAV HE. But if you block the same traffic in LS for SophosWebIntelligence.bundle everything will work as before.

    Btw, I only turned on the second web protection option as the first one communicates with the Sophos cloud server to negotiate URLs and DNS requests with a malware database. The second option just scans the web traffic for malware with the already installed malware DB locally on the Mac. Anyhow, I blocked sophosxl.net for all users and Sophos processes, just for the peace of mind.

    Nice blog.

  • 5
    Great Pumpkin on November 3, 2013

    Just to add: Also the first option of web scanning can be turned on. It just looks up DNS entries of your configured DNS server and if you block sophosxl.net then Sophos doesn’t get your web browser history.
    Also, do not forget to configure Sophos to work smoothly with 1Password 4:
    http://learn.agilebits.com/1Password4/Mac/en/KB/sophos.html

  • 6
    george on December 10, 2013

    So is Avast or Sophos v9 better (as in, in terms of memory usage)?

    • 7
      Jay on December 11, 2013

      I’d say Sophos V9 though they have been slipping when it comes to detection rates.

  • 8
    Lali on February 23, 2014

    Currently I have “Sophos Anti-Virus Immediate Scanner 4.9.19” on my MacBook Air. But this version is not supported by OSX 10.8.5, which I have. So if I want to install “Sophos Antivirus for Mac Home Edition version 9” on my machine, do I need to uninstall the older version? If I have to uninstall, then how will I handle it and where can I get the “Sophos Antivirus for Mac Home Edition version 9”?
    Please let me know,
    Thank you in advance,
    Lali

    • 9
      Jay on February 23, 2014

      I have seen a few issues when upgrading to a new version so I prefer to uninstall the old before I put in the new. Make sure you use the uninstaller that came with the old version though so it can remove all related files (preferences, application support, quarantine files etc). You can get version 9 directly from their website here. You may also want to check out Avira or Avast which have been performing better than Sophos lately when it comes to detection results.

  • 10
    Bob on June 10, 2014

    On our older iMac running 10.6.8, I see Sophos (9.0.11) (the SophosWebIntelligence process) sucking up not only a lot of CPU time, but also a lot of RAM, heading past 7 Gbytes, which sounds like something flawed in Sophos. It pretty much halts much browsing.
