
Real-time protection of Sophos for email attachments

Question from my coworker:

Today I had an issue with Sophos that I thought I should share with you. When I started a Time Machine backup, I got a message from Sophos saying it had detected a threat.

The full path reported is as follows.

/Volumes/Time Machine Backups/.............../Attachments/394629/2/shop order 19-11-2020-#23.xlsm

So, it looks like Sophos saw a malicious attachment to a mail in a spam folder. The curious thing is, it only saw it when it was written to the Time Machine backup; not when it was written to the local filesystem. Even more curious: when I navigated to the file in Finder (on the local system, not the backup volume) and selected the file in Finder, then Sophos saw it, issued a message, and deleted the file.

What I find "suboptimal" is that Sophos obviously didn't detect the file being written by Mail.app when it first downloaded the attachment. This kinda seems to defeat that whole real-time scanning, right? I'm even more upset because this real-time scanning slows things down and taxes the CPU. Updating or installing things like Xcode makes the fans spin and I see Sophos using lots and lots of CPU cycles, presumably scanning all the bits and bytes signed by Apple. Well, if now it turns out that that real-time scanning doesn't really work...

----------end of question-----

Could anybody help us to understand it? Thanks a lot.

Hi there,

Thanks for your reply.

It should be "the email was just recently received and Sophos did not detect it".

IMO, every "real-time" software has a necessary condition to trigger the scan; for Sophos, maybe it can only scan the email attachment when we attempt to open it, or when the system attempts to read it. But Sophos can still keep the danger out of our laptop.

To get accurate information, I have left this topic here.

I will raise a case query in Sophos Central if necessary.

Thanks again, I think your reply is helpful.

BTW, we didn't enable Deep Learning (it's the EDR feature, if I remember correctly).

Regards,
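Added example, not from this thread and not Sophos code: a small Python probe a defender can run to see which file operation an on-access scanner actually reacts to. It replays the three operations described above (an attachment written to disk by a mail client, the file read when it is selected or previewed, the file copied by a backup job) on the EICAR test file, which is the harmless industry-standard file that every mainstream scanner detects, and records whether the file is still present after each step. The probe file name, the "backup" directory and the two-second settle window are assumptions; which step the scanner reacts to is exactly what the run tells you.

```python
"""Probe at which file operation an on-access scanner reacts.

Added example for the discussion above; not part of the thread and not
Sophos's own tooling. Assumes a scanner that deletes or quarantines a
detected file; the file name, directory layout and settle window are
assumed values.
"""
import os
import shutil
import tempfile
import time

# EICAR standard anti-virus test file: harmless by design, 68 bytes,
# detected by mainstream scanners. Raw string so the backslash survives.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def file_state(path, expected_size):
    """Describe the probe file using stat only, never by reading it,
    so that the check itself cannot trigger an on-read scan."""
    if not os.path.exists(path):
        return "missing"          # deleted or quarantined
    if os.path.getsize(path) != expected_size:
        return "altered"          # truncated or replaced by the scanner
    return "present"


def probe_on_access(directory, content=EICAR, settle=2.0):
    """Write, read and copy a probe file, recording its state after each
    step. Returns a dict of step name -> state, in execution order.
    Later steps are skipped once the scanner has already acted."""
    size = len(content.encode("ascii"))
    src = os.path.join(directory, "probe.com")          # assumed name
    backup_dir = os.path.join(directory, "backup")      # assumed layout
    os.makedirs(backup_dir, exist_ok=True)
    dst = os.path.join(backup_dir, "probe.com")
    results = {}

    # Step 1: a plain write, like a mail client saving an attachment.
    with open(src, "w", encoding="ascii") as fh:
        fh.write(content)
    time.sleep(settle)
    results["after_write"] = file_state(src, size)

    # Step 2: an explicit read, like selecting or previewing the file.
    if results["after_write"] == "present":
        with open(src, "rb") as fh:
            fh.read()
        time.sleep(settle)
        results["after_read"] = file_state(src, size)

    # Step 3: a copy into another directory, like a backup job.
    if results.get("after_read") == "present":
        shutil.copy2(src, dst)
        time.sleep(settle)
        results["after_copy_source"] = file_state(src, size)
        results["after_copy_backup"] = file_state(dst, size)
    return results


def probe_in_tempdir(settle=2.0):
    """Run the probe in a throwaway directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as workdir:
        return probe_on_access(workdir, settle=settle)


if __name__ == "__main__":
    for step, state in probe_in_tempdir().items():
        print(f"{step:20s} {state}")
```

The first step at which the state changes to "missing" or "altered" is the operation the scanner hooks. On a machine with no on-access scanner every step reports "present"; a scanner that only acts on read would show "present" after the write and "missing" after the read, which is the pattern the original question describes. The state check deliberately uses only `os.stat`-style calls, because reading the file to inspect it would itself be a read and would blur the attribution between steps.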
