Latest pre-release of 10.11.4 breaks Sophos AV Home Edition

I am also having the exact same problem. After updating from OS X 10.11.4 Beta 3 to beta 4 on-access protection is off and can not be enabled.

Note that if you turn System Integrity Protection off, you can enable On-Access Protection and it should stay enabled, at least until the next Beta is released.

Unfortunately that is not working for me. Did send Feedback to Apple earlier. Hopefully others here did so as well.

JohnGillett said:

Unfortunately that is not working for me

Assuming you mean getting On-Access Scanning working, did you turn off System Integrity Protection using csrutil in Terminal while in Recovery?

No, I am unaware of that method. Turned it off in Sys Prefs. What is the command line, please?

JohnGillett said:

No, I am unaware of that method. Turned it off in Sys Prefs. What is the command line, please?

Reboot into Recovery (Cmd+R at the chime). In Utilities>Terminal enter "csrutil disable" and reboot. That will disable SIP and On-Access Scanning should work. Note that this is not a "solution" since Apple added SIP to El Capitan for security purposes and really should be enabled. Moreover, it's likely that any future beta will turn it back on by default. Also, csrutil has three arguments: disable, enable, and status. The first two will only work in Recovery. Status will also work in Terminal after booting normally.

JohnGillett said:

No, I am unaware of that method. Turned it off in Sys Prefs. What is the command line, please?

Reboot into Recovery (Cmd+R at the chime). In Utilities>Terminal enter "csrutil disable" and reboot. That will disable SIP and On-Access Scanning should work. Note that this is not a "solution" since Apple added SIP to El Capitan for security purposes and really should be enabled. Moreover, it's likely that any future beta will turn it back on by default. Also, csrutil has three arguments: disable, enable, and status. The first two will only work in Recovery. Status will also work in Terminal after booting normally.

SIP is not new in OS X 10.11.4 Beta 4, it has been there, and enabled, since OS X 10.11 (El Capitan) came out and Sophos on-access protection has been working fine with SIP enabled.

I also reported the issue to Apple.

Thanks very much for the command (and your patience). Now have my Automatic Virus Protection on again.

Did turning off SIP fix the on-access protection for you?

Yes, as mentioned (AVP).

ZRL1, good detective work! This did, in fact, solve the problem, or as you note, allow SAV Home to run until Sophos can figure out how to fix this correctly without having to compromise my Mac's security.

How did you figure out that it was SIP that was causing the problem? It's a little puzzling that it's the problem since, as noted by VincentCina, SIP has been running in El Capitan since it was released.

VincentCina said:

SIP is not new in OS X 10.11.4 Beta 4, it has been there, and enabled, since OS X 10.11 (El Capitan) came out and Sophos on-access protection has been working fine with SIP enabled...

I'm aware of that and was using that trick to keep Sophos running back when El Capitan was first introduced until Sophos was made compatible. As Bob Cook pointed out, Apple has done something different in the most recent beta so turning off SIP is once again a temporary fix if the user needs to be running the latest El Cap version but also needs the protection Sophos provides.

bocaboy said:

...How did you figure out that it was SIP that was causing the problem? It's a little puzzling that it's the problem since, as noted by VincentCina, SIP has been running in El Capitan since it was released.

When El Cap was first introduced, SIP was the new security feature and it got enough coverage that some discussions included the Terminal commands to control it. After my original upgrade to El Cap, Sophos stopped working so turning off SIP seemed worth a try and it worked. As Sophos improved, I'd turn SIP on again as a test and left it on when the problem was solved. But when the problem recurred, turning SIP off was worth a try again, especially since it's simple enough to do. But since SIP is a good idea for security, the csrutil fix should be temporary at best if the betas are on a production machine. 

Thanks for the explanation. I had the same problem as I described here when I installed SAV under Yosemite on my iMac. (Inexplicably, my MacBook Pro was fine under the same OS. Go figure) Anyway, the problem with SAV resolved itself when 9.4.1 was released. It's also been working fine all the way to this beta of 10.11.4. In other words, SIP was never an issue prior to this beta.

Anyway, I did disable SIP, and that solved the problem of the dimmed icon. I have no idea if the problem is with Apple or Sophos, but I've reported it as a bug on the Developer forum at Apple as well as via Feedback Assistant. We'll see if that changes anything.

For the record, I'm surprised that Sophos QA doesn't uncover these problems. They have access to the same builds we do, and based on how many people experience issues, how is it that they're not uncovered prior to release? I'll give them a buy on 10.11.4 as it was just released last week, but this problem has existed on previous builds as well. Anyway, not trying to be difficult, just questioning the QA process at Sophos and that maybe it should be re-examined.

Rather than disable SIP I decided to install 10.11.3 last night. Sophos AV Home, and on-access scanning is working once again. I have lost the use of Photos until it is updated, but I can live with that as I have another production machine. I can live without this beta, as there are not any earth shattering feature enhancements.

That's a good solution in that you have both security systems working as well as whatever improvements 10.11.3 offers, especially when it's applied to a production machine.