Home version for Mac sending out data?

Sounds like a valid question.  I'd be interested to know what you find out.

I've been trying to download Sophos to my iMac with no success.  I am currently running Avast virus protection software, but it isn't cleaning everything--or if it is, it keeps reporting about viruses.  I wonder if Avast is eating Sophos?

The installation will be checking for updates with our servers.  There is also SXL data being sent - online lookup for web protections and live protection.

Try turning off both web protection and live protection (all three options) and see if the data out drops.  Is it a problem?

---

Barak88 wrote:

I wonder if Avast is eating Sophos?

---

 Don't run two antivirus at the same time.  Two on-access scanners (real-time scanning) can be very problematic.

What is the SXL data? Why and what would it be sending that would be that large? Downloading new patches and virus definitions I can completely understand. The bandwidth isn't a problem, it's that uploading that much data makes no sense.

To fully protect your computer Sophos for Mac (and our Windows products) compliment the signature based detection.  These days it's sometimes not enough to have just the local signatures to spot constant malware releases - you could get a malicious file on your computer before the local installation checks in for a scheduled update.  Hence to meet (even exceed) what's required these days the local Sophos AV can immediately ping back to the global servers located around the world to check for the very latest information.

• Install SAV = AV engine knows about everything from the point the installer was built and published backwards.
• Install SAV + update = your Mac has all of the signatures SophosLabs have published to date.
• Install SAV + update + live protection/web protection = your are fully protected, even from something we only just added (maybe a minute ago).

As fast as SophosLabs publishes new signature (.ide) files) it still takes a bit of time.  Then consider that your Mac is on an update schedule -- probably an hour, that's the default -- and may have just checked in, say 10 minutes ago.  Hence it won't check again for another 50 minutes.

Web protection does URL filtering (for known malicious links and pages) and browser download scanning and is constantly pinging our servers to check there isn't potential malware heading to your computer.  The amount of data uploaded will change depending on local activity on the computer, but it's just data about whether 'something' (web page, file, download, etc.) is malicious.

It's the performance/security slider - on one end is performance, on the other is security.  The defaults try to please most with maybe a slight nudge to security.  The options are there to configured as required based on personal preferences.

I hope that helps.

---

ruckus wrote:

...Web protection does URL filtering (for known malicious links and pages) and browser download scanning and is constantly pinging our servers to check there isn't potential malware heading to your computer.  The amount of data uploaded will change depending on local activity on the computer, but it's just data about whether 'something' (web page, file, download, etc.) is malicious...

---

v8media's question caught my attention too. Constant comparison of currently accessed links and pages for newly discovered malicious content by pinging your servers is understandable in the "live protection/web protection" context but not 150 MB's worth. Am I correct in thinking that the "data" sent is the result of scanning and detecting something matching newly flagged malware and/or the malware itself for analysis at your end?  Or is Sophos uploading a freshly obtained "file, download, etc" for real-time checking at your end just in case, which could cover a lot of territory.

If someone can provide exact steps to recreate 150MB+ of data being sent out I'll see if I can find out more information.

Currently I'm unable to tell how this has been observed/monitored, over what time period nor the impact.

This was on Sophos Home on a Mac running 10.9. The Activity Monitor tool has been improved in 10.9 to allow more information about energy and network usage. At a glance in the Network tab, you can see sent and received bytes summed up per program (you were only able to see "sent and received messages" previously, which didn't mean much to most people). Everything had been scanned at that point, and I had rebooted in the last few days before seeing this. I was actually just playing around with what new information you could see in Activity Monitor and wouldn't have noticed this amount of data going out otherwise, so no impact, just unexpected behavior. I had probably imported photos to Aperture from three different sources in the couple days while this amount of data was being sent and done some normal heavy web surfing.

I can understand having an option like this, and since I have and move around tons of files and photos and am a fairly heavy web user, 150MB is probably not too big of a deal. It would be great if something about this could be mentioned in the section of the preferences about this, or at least in some info file or help menu in the program. Additionally, at the same time, I noticed 8 or so separate Sophos processes running. It would be great to have some reference for what all those processes are doing. I really like knowing at least generally what the programs I install are doing on my machines.

I can't re-create this ATM.  Soz.

Below is an Activity Monitor screenshot after I deleted the entire update cache and forced a full download.  SophosAutoUpdate process is --as expected-- receiving the most data, but in terms of sent (outbound) bytes - nada.

Keep and eye on it and see if it crops up again.  Note the process, column heading and value.  Screenshot if you can.