Home version for Mac sending out data?

I caught Sophos Mac Home having sent out 150MB of data. Is this program intended to send out any type of information? If so, what is being sent out?

I've removed the software for now. 

  • Thanks for your reply, Bob.

    But then how do you explain, for example, if I download a 1.28GB mail archive file from Google the SophosWebIntelligence process receives AND sends 1.28GB according to my Mac's Activity Monitor / Network tab?

    Surely this means exactly what I said earlier: every received byte (so yes, full content of a user's web access) goes back up through the Sophos servers? This is not just checksums and URLs.

    It doesn't happen if I disable the Sophos Web Protection with the ON/OFF sliders.

    Perhaps this is not what is intended, but it's what happens.


  • Peter9 wrote:

    But then how do you explain, for example, if I download a 1.28GB mail archive file from Google the SophosWebIntelligence process receives AND sends 1.28GB according to my Mac's Activity Monitor / Network tab?


    The network flow without our Web Protection feature enabled looks like this:   Internet (say google.com) -> browser

    The network flow with Web Protection enabled looks like this:   Internet (say google.com) -> WebIntelligence -> browser

    We receive 1.28GB from the Internet then send 1.28GB to your browser. Your browser will receive 1.28GB from us.

    Wireshark is an excellent tool to show you what data is actually going in and out of your machine.

  • Thanks Bob.

    That makes it clearer now what's happening and what OSX Activity Monitor Networking is actually showing me in the summary & graph at the bottom (which isn't what's going in and out of my computer but just a sum of all the ins and outs for all processes - and that isn't very useful at all, as processes like SophosWebIntelligence are middle men sending to other processes).

    Thanks for your quick responses too. 

  • [Attached image: sophos1.jpg]

    Thanks for explaining things in this thread. Follow up question however...

    I've had browsers open in the background, but nothing running - just static pages...and I walk away for 8 hours with SophosWebIntelligence at around 50k/50k... Can you explain why then when I come back to my computer several hours later, over a gig of data has not only been shown as processed incoming but OUTGOING as well via the process?

    Again, there's nothing happening on my computer in the web browsers.

    Naturally WireShark is going up next but just wanted to inquire as to this behavior.


  • damienthorne wrote:

    I've had browsers open in the background, but nothing running - just static pages...and I walk away for 8 hours with SophosWebIntelligence at around 50k/50k... Can you explain why then when I come back to my computer several hours later, over a gig of data has not only been shown as processed incoming but OUTGOING as well via the process?


    I can't explain it, although I can assure you that we aren't sending out any data that didn't originate from a web browser (or something that acts like one - curl, wget, and telnet all end up going through our daemon). Let me know how you get on with WireShark, I'm curious about the results. Be sure to watch for all TCP traffic that is destined for something not on the loopback address 127.0.0.1.

  • Can I show you how Sophos Web Intelligence is hammering my iMac (Retina 5K, 27-inch, 2017) (High Sierra 10.13.4)?

    My Mac has been on for 28 hours now and Sophos Web Intelligence has sent 1.2Gbs and received 1.2Gbs through the network. What kind of information sharing is this? 10-20Mbs is fine, but 1Gb and climbing is extreme!

    Also related to traffic hits - can we stop Virus updates happening at peak times please?

  • In reply to Mark Mogridge:

    Hi Mark,

    The SophosWebIntelligence (SWI) is acting as a proxy for all your requests, so the data sent to and received by the SWI will be counted as well. The diagnostics will also count internal communication between applications.

     

    e.g. 

    Website 1

    Say the website is 600KB. The browser would send, say, 10KB of data for the request; this request goes through the SWI and on to the web server. The 600KB received by your PC is processed through SWI, i.e. received data is 600KB, and is then forwarded from SWI to your browser, which counts as sent data, i.e. 600KB. So SWI sent and received will be almost the same as the browser communication.

    Your actual internet usage would still remain 600KB not 1200KB.
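
The accounting described in this thread, as an added example that is not part of the original posts and not Sophos code: it splits per-flow byte counts into traffic that stays on the host (the proxy-to-browser hop) and traffic that actually crosses the network, which is the separation the Wireshark advice above asks for. The `src dst bytes` record format, the LAN address 192.168.1.20 and the server address 203.0.113.10 are assumptions made for the illustration; the 600KB and 10KB figures come from the last reply.

```python
import ipaddress

# Constructed sample, one "src dst bytes" record per line:
# browser -> proxy, proxy -> server, server -> proxy, proxy -> browser.
SAMPLE = """\
127.0.0.1     127.0.0.1     10000
192.168.1.20  203.0.113.10  10000
203.0.113.10  192.168.1.20  600000
127.0.0.1     127.0.0.1     600000
"""

def parse(text):
    """Yield (src, dst, nbytes) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]),
                   ipaddress.ip_address(parts[1]),
                   int(parts[2]))
        except ValueError:
            continue

def summarize(text, local_addrs):
    """Split byte counts into on-host, leaving-the-host and entering-the-host."""
    local = {ipaddress.ip_address(a) for a in local_addrs}

    def on_host(addr):
        return addr.is_loopback or addr in local

    totals = {"local": 0, "outbound": 0, "inbound": 0, "other": 0}
    for src, dst, n in parse(text):
        if on_host(src) and on_host(dst):
            totals["local"] += n      # proxy <-> browser hop, never on the wire
        elif on_host(src):
            totals["outbound"] += n   # the figure that answers "what was sent out?"
        elif on_host(dst):
            totals["inbound"] += n
        else:
            totals["other"] += n      # flows not involving this host at all
    return totals

if __name__ == "__main__":
    print(summarize(SAMPLE, ["192.168.1.20"]))
```

With the sample, a per-process counter for the proxy would show 610000 bytes received and 610000 sent, while only 10000 bytes leave the machine.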