This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Real-time protection of Sophos for email attachment.

Question from my coworker:

Today I had an issue with Sophos that I thought I should share with you. When I started a Time Machine Backup, I got a message from Sophos saying it had detected a threat.

The full path reported is as follows. 

/Volumes/Time Machine Backups/.............../Attachments/394629/2/shop order 19-11-2020-#23.xlsm

So, it looks like Sophos saw a malicious attachment to a mail in a spam folder. The curious thing is, it only saw it when it was written to the Time Machine backup; not when it was written to the local filesystem. Even more curious: when I navigated to the file in Finder (on the local system, not the backup volume) and selected the file in Finder, then Sophos saw it, issued a message, and deleted the file.

What I find "suboptimal" is that Sophos obviously didn't detect the file being written by Mail.app when it first downloaded the attachment. This kinda seems to defeat that whole real-time scanning, right? I'm even more upset because this real-time scanning slows things down and taxes the CPU. Updating or installing things like XCode makes the fans spin and I see Sophos using lots and lots of CPU cycles, presumably scanning all the bits and bytes signed by Apple. Well, if now it turns out that that real-time scanning doesn't really work...

----------end of question-----

Could anybody help us to understand it?  Thanks a lot.



This thread was automatically locked due to age.
Parents Reply Children
  • Hi,

    Thanks for your reply.

    We are using the Sophos Endpoint (Mac OS version) + Sophos Central. 

    Regards,

  • Hello there,

    Thank you, for the follow-up!

    I have moved this thread to the correct group, so it has better visibility.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi There,

    When was this email being received? was the said mail already existed when sophos is not yet been installed on the system or was the email was just recently received and sophos did not detect it? This is a crucial information for us to identify as to why it's not getting detected in the first place. Also i can confirm to you the reason as to why the endpoint only detected it when you perform a transfer/perform a back-up since real-time scanning is running on your system. This is also same scenario when you manually went to the file path.
    Another thing your policy configuration. was deep learning enabled on your policy?

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi there,

    Thanks for your reply.

    It should be " the email was just recently received and sophos did not detect it".

    IMO, every "Real-time" software has a necessary condition to trigger the scan, for Sophos, maybe it only can scan the email attachment when we attempt to open it, or when system attempt to read it. But Sophos can still keep the danger out of our laptop.


    For getting  the accurate information, I left this topic here.

    I will make case query in sophos central if necessary.

    Thanks again, I think your reply is helpful.

    BTW, we didn't enable the deep learning ( it's the EDR feature if I remembered correctly).

    Regards,