
Home version for Mac sending out data?

I caught Sophos Mac Home having sent out 150MB of data. Is this program intended to send out any type of information? If so, what is being sent out?

I've removed the software for now. 

  • Reinstalled Sophos Home at maybe 10pm, updated, and then started a full scan. Just checked again around 2am to see how much it has sent, and it's saying almost a GB of data sent. It's only a third of the way through the initial scan.

    I've been watching streaming video, and just letting it scan in the background. Again, I have a lot of data, video I've shot and edited, tons of photos and a large iTunes library as well.


  • I did some testing on this today.  I ran a scan while watching a YouTube video playlist.  Data out for the SWI process does seem to increase when watching YouTube.  If I graph the rate it is linear with or without running a scan.

    Graph of results (1 hr recording, truncated to 6 min 19 s)

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS

  • Hi everyone,

    Thanks for bringing up the important topic of data sharing. I can tell you exactly what we send to the web and why.

    The biggest sender of data (and also receiver of data) will be the WebIntelligence daemon. This process is acting as a filter between your browser and the internet. So every byte that would normally pass through your browser's networking code actually goes through us. We are doing two things with the content: (1) evaluate the URL to see if we know anything about it (see below); and (2) run the content through the malware detection engine. These two features correspond to the Web Protection controls in the Preferences. Turn them both off, and we don't filter your web traffic. But if either control is on, you'll see lots of data (including YouTube videos) going through that process.

    The WebIntelligence daemon asks the SXL daemon for information about URLs. This daemon contains a cache of recently looked-up URLs, to avoid hitting our servers too frequently. If the URL your browser is visiting isn't in the cache (or the cache entry has expired) then it will contact our SXL servers. The data sent to the SXL servers is an obfuscated and shortened version of the URL you visit, containing only the hostname, IP address, and path. No query arguments or other URL parameters.

    The malware detection engine might also send requests to the SXL servers. We call this feature Live Protection, and its on/off control is also in Preferences. The data sent to our SXL servers contains hashes (checksums) of content, sometimes the filename of the file being scanned, and other bits of information that the scanner might have collected e.g. type of file being scanned. The file content itself is not sent to the SXL servers.

    For both types of SXL queries, we do store the questions and answers for analytical purposes, but this data is never associated with a user name, computer name, etc.

    (by the way, SXL stands for Sophos eXtensible List - we love three-letter acronyms as much as everyone else)

    One additional piece of information we send from the endpoint to ourselves is feedback about the endpoint environment e.g. what version of our software is installed, what version of the operating system is it installed on, and what features you have turned on. No specific information about your computer, your identity, etc. is included in this feedback. We have no way to say "person A is running OS X 10.9 while person B is running OS X 10.7". We can only tell the total numbers for things like that e.g. "40% of installations are running on 10.8.5".

    I can assure you that we never intentionally send anything considered confidential or personally identifiable back to ourselves.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
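    To make the URL-lookup path described above concrete, here is an added model (not Sophos code) of a reputation cache in front of a remote lookup: the URL is reduced to hostname and path only (query string, fragment, credentials and port dropped) and the server is contacted only on a cache miss or after the entry's TTL expires. The `query_server` callback, the verdict strings and the TTL are assumptions for the example; the thread does not describe the actual obfuscation or wire format.

```python
import time
from urllib.parse import urlsplit


def lookup_key(url: str) -> tuple:
    """Reduce a URL to the two fields the thread says are sent: hostname and path.
    Scheme, userinfo, port, query string and fragment are discarded, so two URLs
    that differ only in query parameters map to the same key."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError(f"no hostname in {url!r}")
    return (parts.hostname.lower(), parts.path or "/")


class ReputationCache:
    """TTL cache modelled on the described SXL daemon behaviour (added example).

    query_server(hostname, path) -> verdict is a hypothetical callback standing
    in for the remote lookup; `clock` is injectable so expiry can be tested."""

    def __init__(self, query_server, ttl_seconds, clock=time.monotonic):
        self._query = query_server
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}        # key -> (verdict, expiry timestamp)
        self.server_queries = 0   # how often the remote server was contacted

    def lookup(self, url: str):
        key = lookup_key(url)
        now = self._clock()
        hit = self._entries.get(key)
        if hit and hit[1] > now:       # fresh cache entry: no network traffic
            return hit[0]
        verdict = self._query(*key)    # miss or expired: ask the server
        self.server_queries += 1
        self._entries[key] = (verdict, now + self._ttl)
        return verdict


if __name__ == "__main__":
    # Constructed sample traffic; the verdict is a placeholder.
    cache = ReputationCache(lambda host, path: "clean", ttl_seconds=60)
    for u in ("https://user:pw@www.example.com:443/news?id=1#top",
              "http://www.example.com/news?id=2",
              "http://www.example.com/other"):
        print(u, "->", lookup_key(u), cache.lookup(u))
    print("server queries:", cache.server_queries)
```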

  • If I understand it right, with WebIntelligence running (i.e. if we want any web protection at all), if I receive any data from the internet it first has to be uploaded to the Sophos servers for checking (including therefore sensitive data by the way) before I can access this data on my computer (be it videos/photos/files/web pages/anything).

    Now, even assuming this is being done cleverly and this upload is (almost) simultaneous to the download (rather than being uploaded after it has first all downloaded) it means, if I use Sophos, my internet connection speed is effectively reduced to the upload speed of my broadband (which is very much slower than the download speed for most people).

    Can't we have an option that checks things locally on our machines? We're uploading to the internet as much as we're downloading (I've checked) and our broadband speed is crippled!

    Please respond to these concerns.

    Thanks.

  • Hi Peter9,

    Your understanding is incorrect. The only data that is sent to Sophos (related to web browsing) is the URL hostname and path. We definitely DO NOT send the content. We do scan the content locally.

    The list of information sent to Sophos from the Mac endpoint product:

    1) for Web Protection reputation checks, the URL hostname and path are sent to Sophos;

    2) for any scanning, if Live Protection is enabled, various file checksums and attributes (but not full content) are sent to Sophos;

    3) various non-personally-identifiable anonymous information about the system configuration (version of Mac OS X, version of the Sophos product, what features are used, etc) is sent to Sophos.

    All 3 items are covered by our license agreement during installation.

    None of the information above is traceable to a user name or machine name or a specific person or organization. Obviously we receive the IP address of your machine; this is how the internet works. Although we do store this data, it's used for data mining purposes that help us understand how people are using the product.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Thanks for your reply, Bob.

    But then how do you explain, for example, if I download a 1.28GB mail archive file from Google the SophosWebIntelligence process receives AND sends 1.28GB according to my Mac's Activity Monitor / Network tab?

    Surely this means exactly what I said earlier: every received byte (so yes, full content of a user's web access) goes back up through the Sophos servers? This is not just checksums and URLs.

    It doesn't happen if I disable the Sophos Web Protection with the ON/OFF sliders.

    Perhaps this is not what is intended, but it's what happens.


  • Peter9 wrote:

    But then how do you explain, for example, if I download a 1.28GB mail archive file from Google the SophosWebIntelligence process receives AND sends 1.28GB according to my Mac's Activity Monitor / Network tab?


    The network flow without our Web Protection feature enabled looks like this: Internet (say google.com) -> browser

    The network flow with Web Protection enabled looks like this: Internet (say google.com) -> WebIntelligence -> browser

    We receive 1.28GB from the Internet then send 1.28GB to your browser. Your browser will receive 1.28GB from us.

    Wireshark is an excellent tool to show you what data is actually going in and out of your machine.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Thanks Bob.

    That makes it clearer now what's happening and what OSX Activity Monitor Networking is actually showing me in the summary & graph at the bottom (which isn't what's going in and out of my computer but just a sum of all the ins and outs for all processes - and that isn't very useful at all, as processes like SophosWebIntelligence are middle men sending to other processes).

    Thanks for your quick responses too. 

  • 

    Thanks for explaining things in this thread. Follow up question however...

    I've had browsers open in the background, but nothing running - just static pages...and I walk away for 8 hours with SophosWebIntelligence at around 50k/50k... Can you explain why then when I come back to my computer several hours later, over a gig of data has not only been shown as processed incoming but OUTGOING as well via the process?

    Again, there's nothing happening on my computer in the web browsers.

    Naturally Wireshark is going up next but just wanted to inquire as to this behavior.


  • damienthorne wrote:

    I've had browsers open in the background, but nothing running - just static pages...and I walk away for 8 hours with SophosWebIntelligence at around 50k/50k... Can you explain why then when I come back to my computer several hours later, over a gig of data has not only been shown as processed incoming but OUTGOING as well via the process?


    I can't explain it, although I can assure you that we aren't sending out any data that didn't originate from a web browser (or something that acts like one - curl, wget, and telnet all end up going through our daemon). Let me know how you get on with Wireshark; I'm curious about the results. Be sure to watch for all TCP traffic that is destined for something not on the loopback address 127.0.0.1.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
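    The two points Bob makes above (a local relay shows a download as both received and sent in a per-process counter, and the useful measurement is traffic whose peer is not a loopback address) are shown below in an added example that is not Sophos code or a real capture. It models the flow Internet -> WebIntelligence -> browser with constructed flow records and compares the naive per-process totals with loopback-excluded totals; the peer addresses are RFC 5737 documentation ranges and the lookup sizes are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    process: str     # local process that owns the socket
    direction: str   # "in" (received) or "out" (sent), from that process's view
    peer: str        # address of the other end of the socket
    nbytes: int


# Constructed sample, not a real capture: a 1.28 GB download relayed through the
# WebIntelligence daemon plus one small reputation lookup. Peer addresses are
# documentation ranges chosen for the example, not real Sophos or Google hosts.
GB = 1_280_000_000
SAMPLE = [
    Flow("WebIntelligence", "in",  "198.51.100.5", GB),      # download from the internet
    Flow("WebIntelligence", "out", "127.0.0.1",    GB),      # relayed to the browser over loopback
    Flow("WebIntelligence", "out", "203.0.113.10", 2_048),   # hostname+path lookup (assumed size)
    Flow("WebIntelligence", "in",  "203.0.113.10", 1_024),   # lookup reply (assumed size)
    Flow("Safari",          "in",  "::1",          GB),      # browser side of the relay (IPv6 loopback)
]


def per_process_counter(flows, process):
    """(received, sent) the way a per-process monitor reports them: every peer
    counts, so the relayed download appears as sent bytes as well."""
    rx = sum(f.nbytes for f in flows if f.process == process and f.direction == "in")
    tx = sum(f.nbytes for f in flows if f.process == process and f.direction == "out")
    return rx, tx


def external_counter(flows, process):
    """(received, sent) restricted to non-loopback peers: what actually crossed
    the network interface. This is the per-process equivalent of a Wireshark
    view that excludes traffic to or from the loopback address."""
    ext = [f for f in flows if f.process == process and not ip_address(f.peer).is_loopback]
    rx = sum(f.nbytes for f in ext if f.direction == "in")
    tx = sum(f.nbytes for f in ext if f.direction == "out")
    return rx, tx


def upload_ratio(flows, process):
    """Fraction of externally received bytes that really left the machine."""
    rx, tx = external_counter(flows, process)
    return tx / rx if rx else 0.0


if __name__ == "__main__":
    for name, fn in (("per-process", per_process_counter), ("external", external_counter)):
        rx, tx = fn(SAMPLE, "WebIntelligence")
        print(f"{name:12s} received={rx:,} sent={tx:,}")
    print(f"real upload ratio: {upload_ratio(SAMPLE, 'WebIntelligence'):.7f}")
```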