I'm trying to find more information on a connection that just started popping up in my firewall with the update to the new Sophos Home addition. It constantly wants to connect to macfeedback.sophos.com Anyone have any idea what InstallationAlert does?

Firewall connection alert.

  • Hello Bill Leeper,

    Sophos Home is managed in the cloud and the backend servers for communication are different from the download servers, thus an as yet unknown connection is expected.
    InstallationAlert - guess it informs the backend of the status of the installation. Note that the device needs to register properly in order for Home to work (how else could the license be validated and enforced?).

    Christian

  • In reply to QC:

    Thanks for the reply. This is a new connection from the newly updated install of Sophos Home free. It came with a 30 day trial of the premium and i'm wondering if it had something to do with that. But, as an old oldtimer in computers I just don't like new connections in an updated old program. And when they have "feedback" in the connection name it always makes me wonder.

     

    Anyway, I will keep digging as time permits. I have used a temp deny on the connection with no discernible effect. Anyway, I will find out after the trial for premium expires if it is related to that.

  • In reply to Bill Leeper:

    Hello Bill Leeper,

    dunno if macfeedback is crucial to the install, apparently not.

    an old oldtimer
    booted from diskette? Nothing beats punched cards (if you use sequence numbers and have a sorter at hand) Wink. It's cloud everywhere nowadays.

    "feedback"
    definitely doesn't hide a potential "malicious" intent. Naw, IIRC it wasn't there from the start. It might serve several purposes, telemetry comes to mind. As it apparently is used by the installer it might be a supplement to detect failures when the communication system proper failed to install, or other "early" failures. So that you can see in the web console that install on a device has been attempted even when the device could not establish a management connection. Just guessing though.
    Not necessarily related to Premium.

    Christian

  • In reply to QC:

    Let's just say I learned computers on vacuum tubes.   :-)   Worked on IBM 360/75 mainframes later on for a few years while in the military. We used to mess the Denver power company by adding punches to the punch cards that came with our electric bills.   :-)   Did everything from the, at that time (ALU) not CPU, to tape drives, printers, keyboards, and anything else attached to the system. We even had 64k iron core memory modules that were cubes about 6" on a side. Not to mention two banks of 9 drives each removable 10 platter disks. And I have heard a hard drive crash which most people have no idea why it was called a crash these days.  :-)

     

    I wasn't worried about anything malicious just with what was going back home in the way of information. I have a habit of making rules to deny connections calling home when it is not needed. I just don't like needless outgoing stuff. Anyway, thanks again for your time. If I find anything out I will post it here but not many people will probably be interested in the info.

  • In reply to QC:

    I think I got it figured out. It looks to be tied to SophosWebIntelligence.bundle 

    "Sophos anti-virus has a built-in feature called Web Protection. If Web Protection is enabled, Sophos reroutes all network traffic through Sophos in order to analyze the content. Thus Sophos creates all network request instead of the original application."

    That would explain all the traffic from InstallationDeployer. Denying it just lets the traffic connect normally. Seems to me though that this would defeat the whole purpose of anonymous surfing. Anyway, thanks for your interest.