Hello, I am starting this discussion to solicit joint interest in the lack of a "Details" link for events on a macOS machine. Please vote using the ideas link below if you share the same sentiment.
When responding to alerts in Sophos Central, the first thing I do is gather as much information as possible from the alert itself. Whether the endpoint is Windows or macOS, I need to be able to view details such as the file hash, raw detection data, file publisher, etc. in order to properly triage the alert.
After reviewing an alert, I go directly to the events tab of the device in question. On a Windows machine I am able to click a "Details" link for each of the events that were alerted on, as well as the events that may have preceded the detection. On a macOS machine no such link exists, so I am left relatively blind to details that are crucial to continue my investigation.
I was told that because many of the detections I was seeing were PUPs and PUAs, a detail link was not provided since they are not necessarily malicious in nature. However, I also encountered instances where I cannot see details for 'Malware detected: 'Mal/Phish-A' events either. In addition to this, I should be able to view details on PUP and PUA detections (just like is available in Windows) so that my teammates and I can make the determination on whether to block the application across our environment.
Example 1 - No event details for detection on macOS machine (Malware detected: 'Mal/Phish-A')
Example 2 - No event details for detecion on macOS machine (PUP)
Windows OS example, PUP/ PUA showing event details
Hi txmx ,
Please let me confirm this with my team and get back to you in this.
Community Team Lead, Support & Services| Sophos Technical Support Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts If a post solves your question use the 'Verify Answer' button.
Thanks, Yashraj I have submitted a support case (#9128470) that is now closed and I have also brought this up with my TAM, but I wanted to reach a broader audience and post here. Appreciate you following up on this. I'd like to know what the limitations are in implementing this for macOS, if any.
I would agree with this assessment, I mange a couple iMacs or OSX installs and the details are limited.
I manage a couple thousand Mac clients and the limited details is downright embarrassing. What a crap product.
bad robot & Trojan Horse would you mind going to vote on the idea I submitted if you haven't already?
Trojan Horse how do you conduct your security investigations with so little details? We are trying to figure out a flow for this, but haven't dealt much with Mac investigations before.
Unfortunately without all of the proper info, we don't. We just click resolve and move on .. the crazy thing, with Intercept X, it doesn't even tell us that it cleaned something up. I just noticed by looking at an infected computer that it indeed did clean up the thing it found (it told the end-user it cleaned it up but not the console?).
Voted, doubt it will be addressed. Macs are the red-headed step children for Sophos (which to be fair, in real life they are as well).
Thank you for providing me with the case number. I did check this with my team and as of now, this feature is not available for macOS clients. You took a correct step to raise a feature request for this.
The irony here is MacWorld just voted Sophos Home Premium as the best overall AV.