Home version for Mac sending out data?

I caught Sophos Mac Home having sent out 150MB of data. Is this program intended to send out any type of information? If so, what is being sent out?

I've removed the software for now. 

:1014057


  • Hi everyone,

    Thanks for bringing up the important topic of data sharing. I can tell you exactly what we send to the web and why.

    The biggest sender of data (and also receiver of data) will be the WebIntelligence daemon. This process is acting as a filter between your browser and the internet. So every byte that would normally pass through your browser's networking code actually goes through us. We are doing two things with the content: (1) evaluate the URL to see if we know anything about it (see below); and (2) run the content through the malware detection engine. These two features correspond to the Web Protection controls in the Preferences. Turn them both off, and we don't filter your web traffic. But if either control is on, you'll see lots of data (including YouTube videos) going through that process.

    The WebIntelligence daemon asks the SXL daemon for information about URLs. This daemon contains a cache of recently looked-up URLs, to avoid hitting our servers too frequently. If the URL your browser is visiting isn't in the cache (or the cache entry has expired) then it will contact our SXL servers. The data sent to the SXL servers is an obfuscated and shortened version of the URL you visit, containing only the hostname, IP address, and path. No query arguments or other URL parameters.

    The malware detection engine might also send requests to the SXL servers. We call this feature Live Protection, and its on/off control is also in Preferences. The data sent to our SXL servers contains hashes (checksums) of content, sometimes the filename of the file being scanned, and other bits of information that the scanner might have collected e.g. type of file being scanned. The file content itself is not sent to the SXL servers.

    For both types of SXL queries, we do store the questions and answers for analytical purposes, but this data is never associated with a user name, computer name, etc.

    (By the way, SXL stands for Sophos eXtensible List - we love three-letter acronyms as much as everyone else.)

    One additional piece of information we send from the endpoint to ourselves is feedback about the endpoint environment e.g. what version of our software is installed, what version of the operating system is it installed on, and what features you have turned on. No specific information about your computer, your identity, etc. is included in this feedback. We have no way to say "person A is running OS X 10.9 while person B is running OS X 10.7". We can only tell the total numbers for things like that e.g. "40% of installations are running on 10.8.5".

    I can assure you that we never intentionally send anything considered confidential or personally identifiable back to ourselves.

    :1014481

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
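
The URL lookup flow described in the reply above (reduce the URL to hostname, IP address and path, then consult a local cache before contacting the server), as an added sketch that is not Sophos code and not part of the reply. The names `lookup_key` and `ReputationCache`, the 300-second expiry and the sample URLs are assumptions; the obfuscation step is not described in the post and is left out.

```python
import time
from urllib.parse import urlsplit

def lookup_key(url, resolved_ip):
    """Reduce a URL to the fields the post says are sent: hostname, IP, path."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # .hostname drops userinfo and port
    path = parts.path or "/"               # query string and fragment are dropped
    return (host, resolved_ip, path)

class ReputationCache:
    """Local cache in front of a remote lookup; entries expire after ttl seconds."""
    def __init__(self, remote_lookup, ttl=300.0, clock=time.monotonic):
        self._remote = remote_lookup
        self._ttl = ttl                    # assumed value, not from the post
        self._clock = clock
        self._entries = {}                 # key -> (verdict, expiry time)
        self.sent = []                     # every key that actually left the machine

    def classify(self, url, resolved_ip):
        key = lookup_key(url, resolved_ip)
        now = self._clock()
        hit = self._entries.get(key)
        if hit and hit[1] > now:
            return hit[0]                  # fresh cache entry: nothing is sent
        self.sent.append(key)              # miss or expired: the server is asked
        verdict = self._remote(key)
        self._entries[key] = (verdict, now + self._ttl)
        return verdict

def demo():
    """Run constructed sample URLs through the cache; return what was sent."""
    fake_now = [0.0]
    cache = ReputationCache(lambda key: "unknown", clock=lambda: fake_now[0])
    urls = [  # constructed samples, not taken from the page
        "https://user:secret@Shop.example.com:8443/cart/view?session=abc123#top",
        "https://shop.example.com/cart/view?session=zzz999",
        "https://shop.example.com/reset/token-42",
    ]
    for u in urls:
        cache.classify(u, "203.0.113.10")
    fake_now[0] = 301.0                    # past the expiry of the first entry
    cache.classify(urls[1], "203.0.113.10")
    return cache.sent

if __name__ == "__main__":
    for key in demo():
        print(key)
```

Credentials, port, query string and fragment never appear in the sent keys, and the second URL is answered from the cache until its entry expires. Path segments are kept, so an identifier embedded in the path (the constructed `/reset/token-42`) is still part of the lookup in this model.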
