Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945

Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!

Sophos Central, High Sierra, Files "Held" before appearing

On High Sierra, latest version, when I drag a file from an email, or do any sort of File / Save operation in any program, the file is "held" for a period of time before appearing on the desktop or wherever I save the file. After 5 to 30 seconds, the file appears. Larger files take longer amounts of time to appear.

My guess is that Sophos is "holding" these files and scanning them before they're showing up in their folder. The faster and more modern the Mac, the faster the files appear in their destination. It's a huge problem because you save a file, check the destination, it's not there, so you save it again, still not there, wonder what you're doing wrong, save it again, and then all of a sudden 5 of the files appear all at once.

It's not to a network drive, it's to anywhere on my local computer. I can duplicate this over multiple laptops.

How do I fix this?

  • I'm also experiencing this issue and first noticed it with doing screen caps.  Since updating to the latest OS, screencaps take anywhere between 5-18 seconds to appear on the desktop. This issue also coincides with the latest update to the Endpoint app, because when we were testing High Sierra, we never experienced any of these issues with the previous version of Sophos Anti-virus. We've tried temporarily disabling real-time scanning, but that didn't seem to help much.

  • Only work-around I found, is to turn off the Sophos Endpoint UIServer extension in the system preferences.  The annoying thing is, it turns back on after a restart.  Not sure why this extension is causing the holdup.

  • In reply to TroyGDG:

    Where is this extension and how did you disable it? Any other ill effects on the system after you disable it?

    If it keeps opening every startup I'll just remove permissions to the actual file to prevent Sophos from opening it. Pretty ridiculous, saving a PDF or copying a file to the desktop on my 2014 MBP literally takes 30+ seconds.

  • In reply to plochner:

    You can find the extension within the main OS System Preferences ->Extensions.  Apparently, it just adds the option to scan files on-demand from the right-click menu, that's it.


    You can also try to disable it by trashing the Sophos Endpoint UIServer.plist file in the LaunchAgents folder (Macintosh HD/Library/LaunchAgents), but it keeps regenerating.  The only workaround is to avoid saving files to the desktop entirely (ie. save to your documents folder).  Sophos informed me that they hope to fix this with the next version (9.7.6) but that will be some time in Q3 of this year.

  • In reply to TroyGDG:


    I just edited the .plist file in a Text Editor and changed the file location in the /array variable to a file location that doesn't exist. I'll see if that "sticks". I have many computers effected by this bug and it's been driving the users insane for months.

    Shame they won't be fixing it until Q3. My contract is up in Q2, and I won't be renewing for multiple reasons, with this bug just being the icing on the horrible tasting Sophos cake that we've been choking down the past 2 years.

  • In reply to plochner:

    Ah, it was a sly one and after a reboot, it figured out how to edit itself and turn itself back on even after editing the .plist file. The end result was to edit the .plist file (I just added "-donotuse" to the executable listed in the /array field). Then, Lock the file to prevent Sophos from changing it, by using:

    sudo chflags uchg com.sophos.endpoint.uiserver.plist

    After a reboot, the Extension remained disabled and I was able to save to my Desktop without a 20 second delay.

  • In reply to plochner:

    Dang, it has unlocked itself, changed the /array field on the .plist file, and thwarted my plans. Time to hit it with a huge hammer.

    Oh, how I hate you Sophos. Can't wait to give your salespeople a piece of my mind when you try in vain to sell me on another year.

  • In reply to plochner:

    LOL!  To re-iterate a previous reply I made to Sophos support, "...your product is more VIRUS than anti-virus."  We too have sent a complaint with our sales vendor about our negative experiences with Sophos so far.

  • In reply to TroyGDG:

    Looking down my list of endpoints in the Sophos Central console I don't see a single report of any actual virus or malware. Just hundreds of false positives that I have no ability to mass Acknowledge. The Dashboard looks nice but it's actual functionality is a joke.

    One of my favorite non-features is that I can't setup distribution lists for various alerts. Every time a computer goes out of date, it emails every single Sophos administrator, from the lowliest helpdesk employee to the top IT manager. There's no way to tell it to only email certain people for certain alerts, so in the end everyone just spam filters them, except for the IT managers who of course worry that their systems suddenly got infected because Sophos sent yet another false positive.

    I flat out despise this product.

  • In reply to plochner:

    Yes, email alerts are annoying and most of them are false positives.  I couldn't believe I don't have the ability to turn any of those off.  I had to VOTE to turn that "feature" to turn it off.  So odd.

    In lighter news, just got an update from Sophos support.  Here's what they wrote:

    "9.7.6 is starting release late next week through the end of the month. It includes the change to keep the Finder Extension off if the user has turned it off. Note that this is a per user setting, so each user would need to un-select it. I'll let you know when it finishes release."

  • In reply to TroyGDG:

    I love it how their solution is to add a feature to disable the Finder extension, NOT to fix the root cause of the problem. It's a joke. 

    We're bailing on Sophos Central. Actually in a sales demo call for a competitor right now, and even though we're paid up for Sophos for another year, we'll be eating that cost and switching as soon as we decide on an alternative. That's how disappointed and frustrated we are in the product.

  • In reply to plochner:

    Hello plochner and TroyGDG,

    I am very sorry to hear you are not satisfied with the product and its features. I would like to further assist you where possible, and gather your feedback to provide it to our team.

    If you could please send me a DM with your Sophos information, I will work on escalating your concerns.

    Thank you,

  • In reply to Barb@Sophos:

    Sorry Barb, it's a bit too little too late. I've been down this road with Sophos before and the product is a lost cause for me.

    You can check my post history to see only a handful of complaints I have about the product and Sophos' tech support, but rest assured I have many other issues with it that I haven't complained publicly about. After demoing other much more fully featured and configurable next-gen AVs like Crowdstrike and Carbon Black, I think in the future Sophos is going to have their work cut out for them. It's like night and day what those products offer compared to what I've been struggling with when using Sophos Central.

  • In reply to plochner:

    Hi plochner,

    I appreciate your update. If you would like to further discuss any issues, do not hesitate to send me a direct message.  

    Once again, apologies for any inconveniences you may have experienced with our products.