Question from my coworker:
Today I had an issue with Sophos that I thought I should share with you. When I started a Time Machine Backup, I got a message from Sophos saying it had detected a threat.
The full path reported is as follows.
/Volumes/Time Machine Backups/.............../Attachments/394629/2/shop order 19-11-2020-#23.xlsm
So, it looks like Sophos saw a malicious attachment to a mail in a spam folder. The curious thing is, it only saw it when it was written to the Time Machine backup, not when it was written to the local filesystem. Even more curious: when I navigated to the file in Finder (on the local system, not the backup volume) and selected the file in Finder, then Sophos saw it, issued a message, and deleted the file.
What I find "suboptimal" is that Sophos obviously didn't detect the file being written by Mail.app when it first downloaded the attachment. This kinda seems to defeat that whole real-time scanning, right? I'm even more upset because this real-time scanning slows things down and taxes the CPU. Updating or installing things like Xcode makes the fans spin and I see Sophos using lots and lots of CPU cycles, presumably scanning all the bits and bytes signed by Apple. Well, if now it turns out that that real-time scanning doesn't really work...
----------end of question-----
Could anybody help us to understand it? Thanks a lot.
Thank you for contacting the Sophos Community!
May I know which Sophos product you are referring to?
Thanks for your reply.
We are using the Sophos Endpoint (macOS version) + Sophos Central.
Thank you for the follow-up!
I have moved this thread to the correct group, so it has better visibility.
When was this email received? Did the said mail already exist before Sophos was installed on the system, or was the email received only recently and Sophos did not detect it? This is crucial information for us to identify why it's not getting detected in the first place. Also, I can confirm to you the reason why the endpoint only detected it when you performed a transfer/backup, since real-time scanning is running on your system. This is also the same scenario when you manually went to the file path. Another thing is your policy configuration: was deep learning enabled on your policy?
It should be "the email was received only recently and Sophos did not detect it".
IMO, every "real-time" software has a necessary condition to trigger the scan; for Sophos, maybe it can only scan the email attachment when we attempt to open it, or when the system attempts to read it. But Sophos can still keep the danger out of our laptop. For getting accurate information, I left this topic here.
I will make a case query in Sophos Central if necessary.
Thanks again, I think your reply is helpful.
BTW, we didn't enable deep learning (it's the EDR feature, if I remember correctly).