Sophos Endpoint and Apple macOS 11 Big Sur

Our Endpoint Protection does not yet support macOS 11 (Big Sur). Please do not upgrade until we announce that we support it. We plan to have an Early Access Program (EAP) available soon so that you can test it on your own machines.
Apple will release macOS 11 on the 12th of November. We plan to create an EAP in Central to test this release soon, but we do not support it yet.

Central Device Encryption (CDE) for Mac version 1.5.3 does support macOS 11. This was rolled out recently, but bear in mind that if you use both Endpoint and CDE you will still need to wait before upgrading to macOS 11.

On-premise customers will also get a version of endpoint protection that is supported on macOS 11 but will not have access to an EAP or Preview ahead of full support.

ARM-based CPUs are not currently supported. They require macOS 11 as well as additional testing and requirements. Sophos will support ARM-based CPUs; however, the details of that support will be provided at a later date.


Please check this KBA for up to date information: https://support.sophos.com/support/s/article/KB-000039501?language=en_US

Link to the Big Sur EAP on the Sophos Community

included info for Big Sur EAP
[edited by: FloSupport at 9:50 PM (GMT -8) on 2 Dec 2020]
  • I've read the KB and of course I'm not testing on production machines, so there is no real urgency for me.

    However, I'm stating I could NOT get the current EAP of Endpoint working on a brand new M1 MacBook Air. That is with Rosetta 2 activated (it will trigger its install the minute it is faced with Intel code). So my question is, do you guys have an M1 Mac available to you and have you tested this to work? In other words, is the statement that the EAP version should work on M1 devices based on experience or theory?

    I'm not trying to be pedantic or a pain. Nor am I expecting real support at this stage. Just want to see if this can be made to work.

  • Harlock, we have tried it ourselves on an M1 device and got it to work OK

  • Thanks Darren, do you know if FileVault and the Mac's firewall were active? And was the Mac user login with Active Directory instead of a local account? This is how we set up our Macs and it might matter. Not sure if the chosen setup language matters (we use Dutch).

  • We are working on an EAP for MSP Flex customers that should be available next week if all goes well

  • I don't, I'm afraid. I suspect that it would have been a local login; I will ask about FileVault and the firewall later.

  • With the current EAP on Big Sur I have a similar problem with an Intel Mac: EICAR files are not detected in real time, only with manual scans. Similarly, I've seen real-time scanning reported as off on the M1 Mac, while on the Intel Mac it is reported as on (but fails EICAR tests). That Intel Mac is set up in the same manner (FileVault, firewall and AD login).

    Just thinking out loud here. But it could be important enough for the development team to look at. However, I'm sure you guys have your bases covered when it comes to testing this, at least before it goes GA.

  • Hi, com.sophos.endpoint.scanextension is not removable in Big Sur. Even after uninstalling Sophos via the uninstaller it is still there, running at 10% CPU, and the process can't be killed. I can't remove it even as root. I need some steps please to remove this. It's more malware behaviour than AV.

  • I can confirm this issue.

    Strangely, I had no issues removing Sophos Endpoint (including the file you mention) from a new install on a newly installed M1 Mac. However, I have the exact same issue with an Intel Mac (this one isn't a new install; it has an OS that has been through several installments of macOS).

    After using the uninstall program (and entering the Tamper Protection code and all) it seems Sophos Endpoint is removed from the system. For good measure I did a reboot. However, there remained a process running called com.sophos.endpoint.scanextension.

    Related, there is a file of similar name remaining on the drive (in Macintosh HD > Library > SystemExtensions > Directory-called-by-random-capitals-and-numbers > com.sophos.endpoint.networkextension.systemextension). This file and its directory can't be deleted. There is also a db.plist file and an empty directory called EndPointSecurity in that SystemExtensions directory that can't be deleted either.

    The quick and dirty solution for me was to disable System Integrity Protection (SIP) in the Mac's recovery mode, log in and delete those SystemExtensions, log out and go into recovery mode again, re-enable SIP and reboot.

    A quick check of system activity, searching for processes with "sophos" in their name, showed nothing.

  • I can confirm Harlock. I have Sophos Home Premium installed on several Macintosh computers. I tried uninstalling Sophos Home with its removal tool. Everything was successfully removed EXCEPT com.sophos.endpoint.networkextension.systemextension, the db.plist file, and an empty directory called EndPointSecurity. And Activity Monitor shows that the com.sophos.endpoint.networkextension process was still running.

    Following Harlock's "quick and dirty solution", I then disabled System Integrity Protection (SIP), rebooted, changed the permissions on those files/folders, and deleted them. I rebooted again, enabled SIP, and rebooted one last time. And Activity Monitor confirmed that the com.sophos.endpoint.networkextension process was not running.

  • Unfortunately, as things stand, extensions aren’t removable by Sophos; it’s a known issue (but having them persist is harmless).

    Apple is aware of this issue but has not yet provided any APIs that allow us to remove them programmatically. The reason we cannot remove the extensions is that Apple copies the extensions when they are first run and then runs them from a location we cannot modify.
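Added here as a check that is not from this thread or from Sophos: given the output of `systemextensionsctl list` and `ps -axo pid,comm`, it reports which Sophos extensions are still registered or still running, so the leftover state the last reply describes can be confirmed after an uninstall and reboot rather than guessed at. The tab-separated row layout of `systemextensionsctl list` is an assumption, and the samples are constructed with a placeholder team ID, version and directory name.

```python
import re
from dataclasses import dataclass

# Row layout of `systemextensionsctl list` (tab separated), assumed here:
# enabled  active  teamID  "bundleID (version)"  name  [state]
_ROW = re.compile(r"^(\*?)\t(\*?)\t(\S+)\t(\S+) \(([^)]*)\)\t(\S+)\t\[(.*)\]$")

@dataclass
class SysExt:
    bundle_id: str
    enabled: bool
    active: bool
    state: str
    def verdict(self) -> str:
        """What a leftover entry means when verifying an uninstall."""
        if self.active:
            return "still running"
        if "uninstall on reboot" in self.state:
            return "removal pending reboot"
        return "stale entry only"

def parse_sysext_list(text: str) -> list:
    rows = (_ROW.match(line) for line in text.splitlines())
    return [SysExt(m[4], m[1] == "*", m[2] == "*", m[7]) for m in rows if m]

def lingering(exts: list, prefix: str = "com.sophos.") -> dict:
    """Vendor bundle IDs still registered, each with a verdict."""
    return {e.bundle_id: e.verdict() for e in exts if e.bundle_id.startswith(prefix)}

def vendor_processes(ps_output: str, needle: str = "sophos") -> list:
    """The manual Activity Monitor check over `ps -axo pid,comm` output."""
    return [line.split(None, 1)[1] for line in ps_output.splitlines()[1:]
            if needle in line.lower()]

# Constructed samples; team ID, version and directory name are placeholders
SAMPLE_LIST = (
    "2 extension(s)\n"
    "--- com.apple.system_extension.endpoint_security\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tTEAMID0000\tcom.sophos.endpoint.scanextension (0.0.0/0)\t"
    "com.sophos.endpoint.scanextension\t[activated enabled]\n"
    "--- com.apple.system_extension.network_extension\n"
    "\t\tTEAMID0000\tcom.sophos.endpoint.networkextension (0.0.0/0)\t"
    "com.sophos.endpoint.networkextension\t[terminated waiting to uninstall on reboot]\n"
)
SAMPLE_PS = (
    "  PID COMM\n"
    "  123 /Library/SystemExtensions/RANDOMDIR/com.sophos.endpoint.scanextension\n"
    "  456 /usr/sbin/cfprefsd\n"
)
```

An extension reported as "still running" after a reboot is the case the thread describes; "removal pending reboot" means the system will drop it on its own and nothing further is needed.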