I have Sophos Endpoint Installed on my computer - What can my employer see about my activity?

It depends on the policy really but for a record of generated events, you could have a look in:

C:\ProgramData\Sophos\Health\Event Store\Trail\

Regards,

Jak

Hi Jak,

Thanks for your reply.

I am using MacOS, so the file path seems different.

The way Sophos Web Usage Monitor is used, is it via "this record of generated events", in the file as you mentioned? So unless it is sent out from my system, no other activity is seen? Only activity that was in that log file that has been sent out? Because from my understanding of how Sophos works is that ever browser activity is routed through Sophos networks. That would mean that my system doesn't need to send out anything.  The administrator would only need to check what has been router going through Sophos Central for a specific user to find out web activity.

I would appreaciate any clarification and help on me understanding this.

Kind regards,

Mike

If it is the web protection/control feature you're interested in there are 2 ways of setting it up:

1. Use Cloud Web Gateway.  I.e. your browser traffic is routed through the cloud and classified there.  https://community.sophos.com/kb/en-us/122461 

2. There is no remote 'proxy' for filtering web traffic but a local one.

In the second case event information is sent from the client to Sophos Central as events.  E.g. Site x is blocked.  If you open up the Sophos Endpoint client you can see there is an Events tab under which are all the events. Everything reported to Central would also be in that list.  That data is stored in a SQLite DB - /Library/Sophos Anti-Virus/Events.db.  You could download the SQLite DB Browser and open up the file but I think all the same event information would be displayed in the Events view in the Sophos UI anyway.

Data is stored in Central for 90 days but of course there are APIs and the ability to export data.

Regards,
Jak

Hi all,

Apologies for reviving my old thread but still want to be absolutely sure about this.

This is my screenshot regarding the events tab that was mentioned.

Looking at these screenshots, I can see what web activity data might be sent from my Mac to any remote server for analysis. Can you see any point of concern here?

It seems to me the real point of concern is what is mentioned by number 1. the "Use Cloud Web Gateway". How can I find out if this has been put in place and my web activity is passing through there or not?

I would deeply appreciate further clarification on this matter.

Kind regards,

Mike

Sophos Cloud Web Gateway is a less common product and doesn't, to the best of my knowledge feature in the Endpoint Self Help tool.

One way to check if you do have it would be to look under Applications as shown here:

The structure highlighted in red shows it to be installed.  I'm pretty sure you won't have it.

Regards

Jak

Hi,

Thanks for answering my queries.

I checked the Applications for the Sophos folder as shown in your screenshot but I couldn't find the same. What I did find was the following though.

Also recently I noticed something changed in the program. The updates has credentials attached to it now. Please see screenshots. I am particulary worried about the running services. Sophos Web Intelligence sound like a web activity monitoring tool to me. Device control also sounds potentially like a process that can monitor internet activity. Also there are many others like Sophos SXL, Sophos MCS Agent and Sophos File Monitor. It would be good to know if I should be concerned about all of the services running as seen on the screenshot in terms of privacy.

/Library/Application Support/Sophos/

mcs/config/configuration.plist

saas/receiptConfiguration.plist

saas/Sophos Installer Components/av.bundle

saas/Sophos Installer Components/savi.bundle

saas/Sophos Installer Components/shared.bundle

I also found the following in /Library/Caches/

These are folders, each one of these has many files inside it. One particularly big folder is the /warehouse folder which contains .dat and .xml files.

com.sophos.mcs

com.sophos.rms

com.sophos.sau

com.sophos.sav

com.sophos.sxld

I would appreciate any feedback on this to see if my computer and internet use has been monitored.

Kind regards,

Mike

Really concerned about the Web Control policy mentioned in the screenshot. Everything I've read about this online indicates in monitors web activity.

Hello,

Yes, Web Control in the product monitors web traffic from the machine. It applies policy per website based on what is configured. In general, it does a lookup to our servers for the category of the url being requested and if the returned category is on the blocked list or malicious - it will block the action (you will see either a block page in the browser or a connection error) and report that to the Central dashboard. You can see those in the main product ui in the dashboard and detection panel. 

Also, they are recorded in the logs and can be retrieved via dashboard at any time. The content includes the url visited and why it was blocked.

This is all dependent on policy - your company policy might not have web control enabled or it might just be set to warn instead of block. 

Hi Richard,

Thanks for your reply.

I have been reading up on Sophos, but I am more concerned about finding out what my company policy has set, by checking the settings on the laptop. I have put all the information I have found on the screenshots. In previous replies it was mentioned to me that all the information that is sent to the employer(enterprise/central/console) etc, is seen in the Events tab on Sophos Endpoint which I have access to. So on the Sophos Endpoint Events page, I selected "All sources" and checked what information is sent. Not seeing any web activity related data being sent was a relief. So I took a screenshot of this events tab and sent it back in my reply to see if anybody is going to tell me if there is a cause for concern. The conclusion was if you don't see it in the events tab your internet/web activity, then there is no need for privacy concerns.

However, I am still not convinced, for if the event tab displays everything that is sent to an employer, why can't I find a single video/image/documentation/example online showing this event tab displaying tons of web internet activity(which is sent to the sophos central/employer), for systems that do have the web control enabled and installed?

Initially it seemed to me that no web activity could possibly be sent but now, there is the point I mentioned above and now I've also come across this Web control policy that is visible on the Policy tab. What is not clear however, is that web control is not mentioned on any of the other tabs such as Running Services or Installed. So what does that mean? Does that mean it is not fully enabled if it is not mentioned on Services, if it is not mentioned on Installed. Intercept X is shown as not installed. Can web control work without it?

While using the internet I have never come across a blocked website nor a warning. Does the employer(Sophos central) have the ability to log web activity of sites that are not blocked or warned? Basically can it log internet activity in a stealthy way without raising suspicion by the employee that they are being monitored of the websites they are visiting? Obviously, if the website is blocked or if there is a warning, the employee will know they are being monitored. But what about if there is no warning and no website is blocked? Can they know which websites were visited?

Hi Mike,

The events that you see on your endpoint are the same events your employed will see.  There is no "stealth-mode" for the Sophos product.  Sophos is security software, not spyware.

The data that your employer sees is based on events that are detected on your device.  After a detection is logged locally, the event data is then sent to Sophos Central.  If there is nothing logged on your computer, then there is no event data to send to Sophos Central.

If you are not seeing any web-sites being blocked or warned in the events log on your computer, then the Web Control policy defined by your employer is not configured to block or warn on those event types.

Joe

Hi Mike,

The events that you see on your endpoint are the same events your employed will see.  There is no "stealth-mode" for the Sophos product.  Sophos is security software, not spyware.

The data that your employer sees is based on events that are detected on your device.  After a detection is logged locally, the event data is then sent to Sophos Central.  If there is nothing logged on your computer, then there is no event data to send to Sophos Central.

If you are not seeing any web-sites being blocked or warned in the events log on your computer, then the Web Control policy defined by your employer is not configured to block or warn on those event types.

Joe