This discussion has been locked.

Latest pre-release of 10.11.4 breaks Sophos AV Home Edition

The problem that existed prior to the release of 9.4.1 is back with the latest version of El Capitan that has just been pre-released, 10.11.4 Beta (15E27e). The Sophos icon remains dimmed in the menu bar with the error "On-Access Scanning Is Disabled". Could someone in engineering please take a look at this?



  • JohnGillett said:
    Unfortunately that is not working for me

    Assuming you mean getting On-Access Scanning working, did you turn off System Integrity Protection using csrutil in Terminal while in Recovery?

  • No, I am unaware of that method. Turned it off in Sys Prefs. What is the command line, please?
  • JohnGillett said:
    No, I am unaware of that method. Turned it off in Sys Prefs. What is the command line, please?

    Reboot into Recovery (Cmd+R at the chime). In Utilities > Terminal, enter "csrutil disable" and reboot. That will disable SIP and On-Access Scanning should work. Note that this is not a "solution" since Apple added SIP to El Capitan for security purposes and it really should be enabled. Moreover, it's likely that any future beta will turn it back on by default. Also, csrutil has three arguments: disable, enable, and status. The first two will only work in Recovery. Status will also work in Terminal after booting normally.

  • SIP is not new in OS X 10.11.4 Beta 4, it has been there, and enabled, since OS X 10.11 (El Capitan) came out and Sophos on-access protection has been working fine with SIP enabled.

    I also reported the issue to Apple.
  • Thanks very much for the command (and your patience). Now have my Automatic Virus Protection on again.
  • Did turning off SIP fix the on-access protection for you?
  • ZRL1, good detective work! This did, in fact, solve the problem, or as you note, allow SAV Home to run until Sophos can figure out how to fix this correctly without having to compromise my Mac's security.

    How did you figure out that it was SIP that was causing the problem? It's a little puzzling that it's the problem since, as noted by VincentCina, SIP has been running in El Capitan since it was released.
  • VincentCina said:
    SIP is not new in OS X 10.11.4 Beta 4, it has been there, and enabled, since OS X 10.11 (El Capitan) came out and Sophos on-access protection has been working fine with SIP enabled...

    I'm aware of that and was using that trick to keep Sophos running back when El Capitan was first introduced until Sophos was made compatible. As Bob Cook pointed out, Apple has done something different in the most recent beta so turning off SIP is once again a temporary fix if the user needs to be running the latest El Cap version but also needs the protection Sophos provides.

  • bocaboy said:
    ...How did you figure out that it was SIP that was causing the problem? It's a little puzzling that it's the problem since, as noted by VincentCina, SIP has been running in El Capitan since it was released.

    When El Cap was first introduced, SIP was the new security feature and it got enough coverage that some discussions included the Terminal commands to control it. After my original upgrade to El Cap, Sophos stopped working so turning off SIP seemed worth a try and it worked. As Sophos improved, I'd turn SIP on again as a test and left it on when the problem was solved. But when the problem recurred, turning SIP off was worth a try again, especially since it's simple enough to do. But since SIP is a good idea for security, the csrutil fix should be temporary at best if the betas are on a production machine.