This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Computer is at Risk? Red icon showing on Mac OS version of Sophos Home. Web console shows it is secured.

I have Sophos Home installed on my MacBook Pro 2018. MacOS version is 10.14. 

The Sophos Home icon always turns to red and shows "Computer is at Risk" after several days. On Sophos' web console, I can see my Sophos Home works fine, and my laptop is secured.

To turn this off, I have to uninstall and reinstall the software.

What is the cause of the issue? Do I have to reinstall the software?

Here are some symptoms.

Once this happens, on Sophos Home's about window, Version becomes Unknown, and Last Updated shows N/A. The log file in /Library/Logs shows it was updated hours before.

Click the red icon, all Real-time Protection, Web Protection, Potentially Unwanted App Protection are disabled:

Click one of the Enables, I am redirected to Sophos Home's web console. However those options are showing enabled:

 

Removing the device and reinstalling solves the issue, but I just don't want to do this every couple days.

Thanks



This thread was automatically locked due to age.
Parents
  • Hi ygary,

    Due to a new security mechanism that Apple has released with MacOS 10.13, called Secure Kernel Extension Loading (SKEL), all non-Apple kernel extension (what we use to intercept files, etc) vendors must be manually added to a trusted list (Any user can add this). This allows the kernel extensions to load and is required for Sophos Anti-Virus to function properly. All 3rd party vendors are impacted by this change, and it is not possible to work around this requirement.

    Can you make sure if the Kext by Sophos is allowed manually? 

    Steps required after installation - High Sierra

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Thank you . Unfortunately I couldn't see any item listed on the page of Mojava's Security & Privacy after reinstallation or resart:

     

     

    However I manually enabled the two kexts:

    sudo kextutil -l /Library/Extensions/SophosFileProtection.kext

    sudo kextutil -l /Library/Extensions/SophosWebProtection.kext

     

    Did I miss anything? 

     

    Do I need to run spctl kext-consent? What is your  Team Identifier?

     

    Hope this will work. I'll observe the software in next several days.

     

    Thanks for your help

     

    Gary

  • Hi ygary,

    Can you follow the below steps and share the output of the following command?

    • Boot into Recovery mode (Apple Article ht201314
    • Open the Terminal.
    • Run the command: /usr/sbin/spctl kext-consent add 2H5GFH3774 
    • Reboot
    • To check if the Kext is loaded, please use this command and share the output here-  sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy "SELECT * from kext_policy”

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Thank you, Gowtham. Looks good now!

  • hi, Gpowtham

    Just want to report that I've done what you suggested, but the issue happened again today. I restart my Mac today and the icon became red after the restart.

     

    here is the KextPolicy sqlite3 query result:

     

    sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
    Password:
    SQLite version 3.24.0 2018-06-04 14:10:15
    Enter ".help" for usage hints.
    sqlite> select * from kext_policy where developer_name='Sophos';
    2H5GFH3774|com.sophos.nke.swi|1|Sophos|5
    2H5GFH3774|com.sophos.kext.oas|1|Sophos|5
    2H5GFH3774|com.sophos.kext.sfm|1|Sophos|1

     

  • I removed the rows of Sophos in recovery mode and restarted the computer. This time the computer gave me a warning about the kexts and I was able to give Sophos consent in the security dialog. Here are the new records in kext_policy table:

    sqlite> select * from kext_policy where developer_name='Sophos';
    2H5GFH3774|com.sophos.nke.swi|1|Sophos|1
    2H5GFH3774|com.sophos.kext.oas|1|Sophos|1

     

    Compare to the previous result, there are two differences:

    a. a record is gone: 2H5GFH3774|com.sophos.kext.sfm|1|Sophos|1 

    b. the flags of the remaining records are 1 instead of 5.

    I believe the flag value 5 was the cause of the issue.

     

    Hope this time it will work. I'll report back if the issue happens again

     

    Thanks.

Reply
  • I removed the rows of Sophos in recovery mode and restarted the computer. This time the computer gave me a warning about the kexts and I was able to give Sophos consent in the security dialog. Here are the new records in kext_policy table:

    sqlite> select * from kext_policy where developer_name='Sophos';
    2H5GFH3774|com.sophos.nke.swi|1|Sophos|1
    2H5GFH3774|com.sophos.kext.oas|1|Sophos|1

     

    Compare to the previous result, there are two differences:

    a. a record is gone: 2H5GFH3774|com.sophos.kext.sfm|1|Sophos|1 

    b. the flags of the remaining records are 1 instead of 5.

    I believe the flag value 5 was the cause of the issue.

     

    Hope this time it will work. I'll report back if the issue happens again

     

    Thanks.

Children
No Data