Navigating Sophos Cloud antivirus for Mac

This tutorial applies to the following operating system(s):

Apple macOS

Overview:

Sophos Cloud endpoint antivirus protects your device against malware and other online threats. The client provides an interface for viewing recent events and managing settings.

 

Open the Client

To open the Sophos Cloud client, click the Sophos icon in the menu bar at the top of the screen and choose "Open Sophos Endpoint...".

Screenshot of Sophos client status

 

Home Screen

After opening the client, the home screen defaults to the Status tab, which shows an overview of security events on the device. Each box represents a different threat category:

Malware and PUAs - Malware and Potentially Unwanted Applications present on the device.

Web Threats - Blocked attempts to visit websites categorized as malicious.

Malicious Behavior - Events and actions on the device that Sophos has flagged as malicious.

Controlled Items - Events involving controlled items such as removable drives and system utilities, and other security events of interest, are recorded here.

Malicious Traffic - Communication between the local computer and other devices that has been categorized as hostile or malicious.

Exploits - Possible attempts to exploit a vulnerability in software on the device.

Clicking any of the categories takes you to the Events tab with the events automatically filtered by that category. You can also click Scan to start a scan of the device.

 

Events

The Events tab contains a log of security events and detections on the device. Use the All Events drop-down menu to filter events by priority, and the All Sources drop-down menu to filter by threat type (Malware, Web Threats, and so on).

 

Settings

You can temporarily change settings on the client by clicking Admin Login in the upper right of the client window. Enter the username and password of an administrator account on your Mac, then click "OK".

Screenshot of the macOS admin login prompt

Once authenticated, you can access the Settings tab, which is locked until you log in. Click it to view and change client settings.

Select the "Override Sophos Central Policy for up to 4 hours to troubleshoot" checkbox near the top of the window to enable settings changes. Once it is checked you can turn individual components on or off, such as real-time scanning, website blocking, and malicious traffic detection.

Note that the changes are not permanent: they expire after 4 hours, at which point the settings from Sophos Central policy apply again. Changes do persist across reboots within that 4-hour window, so any protection you turned off stays off until the window ends; re-enable it yourself as soon as the troubleshooting is done.

 

Scan Info

The "Scan Info" tab lets you start a scan of the device and view the results of the most recent scan. Click "Scan Now" to start a scan.

Screenshot of the Scan Info tab

 

Advanced Options

Click "About" in the lower right-hand corner at any time to view advanced information and options.

The About screen indicates which Sophos components are present on the device. The value for "Device Encryption" appears as "Not Installed" even if your device is encrypted with Sophos SafeGuard, and can be ignored. Clicking "Update Now" updates the detection database and synchronizes policy with the Sophos Central management console.

You can view the health of the Sophos services running on the client by clicking "Run Diagnostic Tool". This opens a new window with more options.

 

Diagnostics

The Diagnostics window shows the current health status of the various Sophos components. Clicking an entry in the left-hand column displays the relevant information in the right-hand pane.

System - Displays the computer name, the currently logged-in user, and the last 10 operating system updates.

System Info in Sophos Self-Help

Installed Components - Displays the Sophos Cloud components installed on the device and the version numbers.

Services - Lists the status of Sophos-related services.

Sophos Self-Help System

Management Communication - Displays the time of the last communication with the Sophos Central management console and the specific cloud server the client is connected to.

Management Communication in Sophos Self-Help

Update - Displays the last update time and update method.

Sophos Self-Help Update

Policy - Lists the policies present on the device and the time each policy was last received.

Sophos Self-Help Policy

File Info - Lets you scan an individual file and shows the file's SHA-256 hash.

The "Launch SDU..." option in the lower left is a shortcut to the Sophos Diagnostic Utility.

 

Sophos Diagnostic Utility

The Sophos Diagnostic Utility (SDU) is a Sophos program that collects information about Sophos products installed on the system, or whose installation was recently attempted. The collected information can be used to debug issues with Sophos products.

The SDU is a standalone program and can be found in your device's list of installed applications. Alternatively, you can start the SDU from the Sophos Cloud client by navigating to About -> Run Diagnostic Tool -> Launch SDU...

The SDU prompts for agreement to the terms and conditions. Click Accept to continue.

Click Run to begin the log collection process.

The SDU then collects both Sophos and system logs. This process may take a few minutes to complete.

The SDU creates an archive file containing the collected logs and places it on the current user's desktop. Because the archive includes system logs as well as Sophos logs, treat it as sensitive and share it only with the support staff who asked for it.