Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.

Real-time protection of Sophos for email attachment.

Question from my coworker:

Today I had an issue with Sophos that I thought I should share with you. When I started a Time Machine Backup, I got a message from Sophos saying it had detected a threat.

The full path reported is as follows. 

/Volumes/Time Machine Backups/.............../Attachments/394629/2/shop order 19-11-2020-#23.xlsm

So, it looks like Sophos saw a malicious attachment to a mail in a spam folder. The curious thing is, it only saw it when it was written to the Time Machine backup; not when it was written to the local filesystem. Even more curious: when I navigated to the file in Finder (on the local system, not the backup volume) and selected the file in Finder, then Sophos saw it, issued a message, and deleted the file.

What I find "suboptimal" is that Sophos obviously didn't detect the file being written by Mail.app when it first downloaded the attachment. This kinda seems to defeat that whole real-time scanning, right? I'm even more upset because this real-time scanning slows things down and taxes the CPU. Updating or installing things like XCode makes the fans spin and I see Sophos using lots and lots of CPU cycles, presumably scanning all the bits and bytes signed by Apple. Well, if now it turns out that that real-time scanning doesn't really work...

----------end of question-----

Could anybody help us to understand it?  Thanks a lot.