Happy Monday!
Per the following article …
… on physical hardware running macOS 11.0.1 (20B50) and Sophos Endpoint 10.0.2, I'm able to download, unzip and open "eicar.com" without any notifications from Sophos.
Hi Dan,
Thanks for the feedback, and sorry to hear that detection doesn't appear to be working.
Have you rebooted? If not, give that a try and let us know.
If you have, could you run the commands at the bottom of the article you mentioned? We've updated it with more steps to provide a more detailed look at the configuration of the system extensions.
I'm experiencing the same results after a reboot.
Here's the output from a test MacBook Air:
    % sw_vers
    ProductName: macOS
    ProductVersion: 11.0.1
    BuildVersion: 20B50
    % sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "select client,auth_value from access" | grep -i sophos | sort
    Password:
    com.sophos.endpoint.scanextension|2
    com.sophos.scan|0
    % systemextensionsctl list | grep -i sophos
    * * 2H5GFH3774 com.sophos.endpoint.networkextension (1.0/2) networkextension [activated enabled]
    * * 2H5GFH3774 com.sophos.endpoint.scanextension (1.0/1.0) com.sophos.endpoint.scanextension [activated enabled]
    % gzcat /Library/Logs/SophosDiagnostics.* | grep -e 'ESServer.*Cache Stat'
    gzcat: /Library/Logs/SophosDiagnostics.1.gz: unexpected end of file
    gzcat: /Library/Logs/SophosDiagnostics.1.gz: uncompress failed
    gzcat: /Library/Logs/SophosDiagnostics.5.gz: unexpected end of file
    gzcat: /Library/Logs/SophosDiagnostics.5.gz: uncompress failed
    2020-11-30 13:06:49.759 [SophosServiceManager 77:1814 TID:1782 ESServer PID:292] Create ScanD Cache Stat timer. (process: SophosScanD, pid: 494, xpc: com.sophos.esclient.xpc.SophosScanD.494.719DF)
    2020-11-30 13:11:49.721 [SophosServiceManager 77:1814 TID:12943 ESServer PID:292] [Cache Stat: Total 3331 item(s), hit ratio: 42.87095%, miss ratio: 57.12905%]
    2020-11-30 13:16:49.707 [SophosServiceManager 77:1814 TID:14867 ESServer PID:292] [Cache Stat: Total 3555 item(s), hit ratio: 42.646698%, miss ratio: 57.353306%]
    2020-11-30 13:21:49.723 [SophosServiceManager 77:1814 TID:16705 ESServer PID:292] [Cache Stat: Total 3956 item(s), hit ratio: 42.542194%, miss ratio: 57.457806%]
    2020-11-30 13:26:49.709 [SophosServiceManager 77:1814 TID:18143 ESServer PID:292] [Cache Stat: Total 4021 item(s), hit ratio: 42.49736%, miss ratio: 57.50264%]
    2020-11-30 13:31:49.696 [SophosServiceManager 77:1814 TID:19417 ESServer PID:292] [Cache Stat: Total 4390 item(s), hit ratio: 42.431564%, miss ratio: 57.56843%]
    2020-11-30 13:36:49.738 [SophosServiceManager 77:1814 TID:21216 ESServer PID:292] [Cache Stat: Total 4541 item(s), hit ratio: 42.712646%, miss ratio: 57.287354%]
    2020-11-30 13:41:49.722 [SophosServiceManager 77:1814 TID:23002 ESServer PID:292] [Cache Stat: Total 4558 item(s), hit ratio: 42.952408%, miss ratio: 57.047592%]
    2020-11-30 13:46:49.712 [SophosServiceManager 77:1814 TID:24282 ESServer PID:292] [Cache Stat: Total 4558 item(s), hit ratio: 43.005974%, miss ratio: 56.994026%]
    2020-11-30 13:51:49.698 [SophosServiceManager 77:1814 TID:26686 ESServer PID:292] [Cache Stat: Total 6437 item(s), hit ratio: 41.309708%, miss ratio: 58.690292%]
    2020-11-30 13:56:49.729 [SophosServiceManager 77:1814 TID:34697 ESServer PID:292] [Cache Stat: Total 8974 item(s), hit ratio: 61.980217%, miss ratio: 38.019783%]
    2020-11-30 14:01:49.711 [SophosServiceManager 77:1814 TID:36920 ESServer PID:292] [Cache Stat: Total 9039 item(s), hit ratio: 61.590492%, miss ratio: 38.409504%]
    2020-11-30 14:02:47.533 [SophosServiceManager 77:1814 TID:37314 ESServer PID:292] Invalidate ScanD Cache Stat timer. (process: SophosScanD, pid: 494, xpc: com.sophos.esclient.xpc.SophosScanD.494.719DF)
    gzcat: /Library/Logs/SophosDiagnostics.gz: unexpected end of file
    gzcat: /Library/Logs/SophosDiagnostics.gz: uncompress failed
    2020-11-30 14:03:07.423 [SophosServiceManager 77:1814 TID:37585 ESServer PID:292] Create ScanD Cache Stat timer. (process: SophosScanD, pid: 3335, xpc: com.sophos.esclient.xpc.SophosScanD.3335.EBB37)
P.S. The last line of Step No. 7.a.A. most likely should be the first line of Step No. 7.b.
That is odd as the output all looks as expected.
Could you trigger an SDU and PM me the filename - we'll get someone to look a bit deeper.
https://support.sophos.com/support/s/article/KB-000038603?language=en_US
Happy Tuesday, David Lancaster!
Using mscottblake's instructions for …
… protect is working as expected.
Thanks.
Happy Tuesday! I'm happy to hear things are working as expected.
The team would still like to examine an SDU to understand why it was missed in the first instance. If you were able to find the time to trigger an SDU we'd be grateful.