
Latest pre-release of 10.11.4 breaks Sophos AV Home Edition

The problem that existed prior to the release of 9.4.1 is back with the latest version of El Capitan that has just been pre-released, 10.11.4 Beta (15E27e). The Sophos icon remains dimmed in the menu bar with the error "On-Access Scanning Is Disabled". Could someone in engineering please take a look at this?



  • GaryAlevy said:
    "Should work" is not "it does work." It does not work. On-Access scanning still does not work with SIP disabled.

    In Terminal "csrutil status" returns "disabled?" After a reboot, if On Access scanning is off, trying to turn it on fails? And you're using OS X 10.11.4?

  • FYI we have scheduled the release of 9.4.2 (which resolves the 10.11.4 beta issue in this thread) on February 10th around 9AM Pacific Standard Time. All endpoints should upgrade automatically.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • That's good news indeed! Are there any other improvements and/or tweaks included too?
  • There are a few improvements (these will also be listed in the release notes):
    MACEP-1171 Resolved a rare issue that could interrupt web browsing sessions
    MACEP-1322 Correct an issue that prevented kext loading on Mac OS X 10.11.4 (beta)
    CPISSUE-2539 Resolved an issue scanning XAR archives that could hang scanning

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • I am using the OS X 10.11.4 beta. I found the following: SIP can be completely or partially disabled. When SIP is completely disabled - On-Access scanning does work. When SIP is partially disabled - On-Access scanning does not work. Note that csrutil reports the status of six different configuration variables. In my case I had OS X system configured using csrutil disable --without debug. When configured this way On-Access scanning did not work but another pre-SIP program that relies on code injection, Total Finder, does work while On-Access scanning will not.
    SIP configuration components are:
    Apple Internal, Kext Signing, Filesystem Protection, Debugging Restrictions, DTrace Restrictions, NVRAM Protections.
  • GaryAlevy said:
    I am using the OS X 10.11.4 beta. I found the following: SIP can be completely or partially disabled. When SIP is completely disabled - On-Access scanning does work. When SIP is partially disabled - On-Access scanning does not work...

    So the instructions I offered for disabling SIP do work to enable On-Access scanning but the method to disable SIP just enough to allow TotalFinder to work isn't also enough for On-Access scanning to work. As I understand it, "csrutil status" will only report the six different configuration variables when a custom configuration has been set (e.g., "--without debug") though there was a bug at one point which produced that list even when SIP was completely disabled.

    Fortunately, the issue should be resolved with the release of 9.4.2 :) It doesn't look like TotalFinder's author will pursue a solution though.

  • ...we have scheduled the release of 9.4.2 (which resolves the 10.11.4 beta issue in this thread) on February 10th around 9AM Pacific Standard Time. All endpoints should upgrade automatically.

    Bob, I'm running Sophos Home 1.1.1. Will that be upgraded as well or do I need to uninstall and reinstall 9.4.2?
  • There are (currently) two different Home / Free products: the "classic" Mac Home Edition, and the new Sophos Home for Windows & Mac. Currently they are not updated at the same time, and in this particular case the Sophos Home product will be updated a short time later; current forecast is to release the update before the end of February. We are working to merge the two products together so this type of thing doesn't happen. Stay tuned over the next few months to see how this will unfold.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Is it still possible to download 9.4.1 rather than Home? When this latest issue began I switched to Home, but since it now seems 9.4.1 will be updated for 10.11.4 capability first, I'd like to go back to it. Unfortunately, the ability to download it seems to have vanished.
  • ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development