Navigating Sophos Cloud antivirus for Mac

This tutorial applies to the following operating system(s):

Apple macOS


Sophos Cloud endpoint antivirus provides protection to your device against malware and other online threats. The client provides an interface to view recent events and manage settings.


Open the Client

To open the Sophos Cloud client, click the Sophos icon in the status bar and click "Open Sophos Endpoint...".

Screenshot of Sophos client status


Home Screen

After opening the client the home screen defaults to the Status tab. The Status tab displays an overview of security health of the device.
You can also click Scan to initiate a scan of the device.



The Events tab contains a log of security events and detections on the device. You can filter the events by priority by clicking on the "All Events" drop down menu. The "All Sources" drop down menu allows you to filter by threat type like Malware, Web Threats, etc.



You can temporarily change settings on the client by clicking "Admin Login" in the upper right of the client window. Enter a username for an administrator account on your Mac and corresponding password, then click "OK".

screenshot of mac admin login prompt

Once authenticated you can now access the previously inaccessible "Settings" tab. Click it to view and change client settings.

Click the "Override Sophos Central Policy for up to 4 hours to troubleshoot" checkbox towards the top of the window to enable settings modifications. Once checked you can turn different components on or off such as real time scanning, website blocking, and malicious traffic detection.

Note that the changes are not permanent, only lasting for 4 hours. Changes made do persist between reboots during that 4 hour window.



The "Detections" tab allows you to initiate a scan of the device and view the most recent scan's results. It also gives you a detections count for each category of threat detected.
Click "Scan Now" to initiate a scan.

Screenshot of the Scan Info tab

Each Category in "Detection History" represents a different threat category:

Malware and PUAs - Malware and Potentially Unwanted Applications present on the device.

Web Threats - Blocked attempts to visit websites categorized as malicious.

Controlled Items - Removable drives, system utilities, and other potentially interesting security events are recorded here.

Malicious Traffic - Communication between the local computer and other devices that has been categorized as hostile or malicious.

Ransomeware - Possible attempts to install or initiate a ransomware attack on the device.

Clicking any of the categories will take you to the Events tab and automatically filter the events by the chosen category


Advanced Options

Click "About" in the lower right hand corner at any time to view advanced information and options.

The About screen indicates the presence of Sophos components on the device. The value for "Device Encryption" will appear as "Not Installed" even if your device is encrypted with Sophos Safeguard and can be ignored. Clicking "Update Now" updates the detection database and synchronizes policy with Sophos Central management console.

You can view the health of Sophos services running on the client by clicking "Run Diagnostic Tool". This opens a new window with more options.




The Diagnostics window shows the current health status of various Sophos components. Clicking an entry on the left hand column displays relevant information in the right hand pane.

System - Displays the computer name, currently logged in user, operating system version, Sophos version, and Sophos products currently installed.

System Info in Sophos Self-Help


Management Communication - Displays the last communication time with Sophos Central management console and the specific cloud server the client is connected to.

Management Communication in Sophos Self-Help


Services - Lists the status of Sophos related services

Sophos Self-Help System


Update - Displays the last update time and update method.

Sophos Self-Help Update


Policy - Lists the policies present and the last time the policy was received.

Sophos Self-Help Policy


The "Launch SDU..." button on the lower left provides a convenient shortcut to launch the Sophos Diagnostic Utility.


Sophos Diagnostic Utility

The Sophos Diagnostic Utility (SDU) is a Sophos program that collects information about Sophos products installed on the system or those that have attempted recent installation. The collected information can be used to debug any issues with Sophos related products.

The SDU is a standalone program and can be found in your device's list of software. Alternately, you can start the SDU by opening Sophos Cloud and navigating to About -> Run Diagnostic Tool -> Launch SDU.

The SDU prompts for agreement to the terms and conditions. Click Accept to continue.

Click Run to begin the log collection process.

The SDU then collects both Sophos and system logs. This process may take a few minutes to complete.

The SDU creates an archive file with the collected logs and places it on the current user's desktop.



Article ID: 816
Tue 5/22/18 3:50 PM
Wed 2/15/23 10:25 AM

Related Services / Offerings (1)

What software can be loaded to protect the data on my desktop and laptop computers?