Full disk access required message displays on Catalina when using an MDM solution with the correct access

In Sophos Mac Endpoint 9.9.5, we introduced a notification for “Full disk access required” when the OS is MacOS 10.15 Catalina, and we detect that the full disk access rights detailed in knowledge base article 134552 are not in place.

We have found an issue where customers using an MDM solution (e.g. JAMF or Profile Manager) to provide this access will still receive this notice, even with the correct rights in place.

This will be corrected in the 9.9.6 release to Central and On Premise customers near the end of November/beginning of December 2019. It does not prevent the software from working, and is only a visual notice.

Applies to the following Sophos product(s) and version(s)

Central Mac Endpoint 9.9.5

Sophos Anti-Virus for Mac OS X 9.9.5

Customers using an MDM solution to provide disk access rights to Sophos in MacOS 10.15 Catalina will receive a notice on the endpoints titled “Full disk access required” in error.

It does not prevent our software from working, and is a notice only. If rights are added via the dialog, or manually via Security & Privacy on the Endpoint, the message will not appear.

Development have identified the issue and created a fix. This is currently in testing and confirmed for release in 9.9.6 in late November/early December 2019.

It is safe to dismiss the message. It will reappear approximately every 4 hours.

To avoid the message completely, add Full Disk Access rights using the method described in the dialog.

Add Full Disk Access rights using the method described in the dialog or ignore the dialog.

This article will be updated when information becomes available.


Sophos Anti-Virus for Linux and UNIX: Changes to supported platforms


Announced 30 June 2017 – As part of Sophos’ ongoing product lifecycle review process, we plan to update the platforms that are supported by the Sophos Anti-Virus for Linux and UNIX offerings. The changes are designed to enable Sophos to provide the strongest protection for the most popular platforms, and will affect the following:


Applies to the following Sophos products and versions

Central Managed Threat Response [MTR] for Linux


The number of customers requiring Anti-Virus capabilities for legacy UNIX platforms continues to decline. Sophos plans to support the most popular platforms going forward, and plans to retire support for HP-UX.


The latest versions of many popular Linux distributions are now only available for 64-bit platforms. After June 30, 2018, with the exception of Red Hat Enterprise Linux 6, Sophos Anti-Virus for Linux will support 64-bit versions of Linux distributions only.

Update July 1, 2018: In line with previous communications, Sophos Anti-Virus for Linux now supports 64-bit platforms only, with the exception of Red Hat Enterprise 6.


The Sophos Anti-Virus for Linux agent currently includes a large number of pre-compiled Talpa Binary Packs for on-access scanning, many of which are for very old and deprecated kernel versions. Most customers use newer kernels in order to benefit from kernel enhancements and improved security, therefore Sophos plans to reduce the number of pre-compiled Talpa Binary Packs that are provided with the product.

  • When a new kernel version is introduced for a specific Linux distribution, Sophos typically aims to provide a Talpa Binary Pack for the new kernel version within approximately two to four weeks.
  • After June 2018, Talpa Binary Packs for kernel versions that are older than 18 months for that Linux distribution will be removed from the agent download. Update: This change is now scheduled for release October 22, 2018.
  • Talpa Binary Packs for kernel versions that are older than 18 months for that Linux distribution will be removed from the agent download.
  • Sophos will continue to provide Talpa Binary Packs for all kernel versions for supported Red Hat Enterprise Linux 6/7 distributions.

  • A definitive list of kernel versions for which Talpa Binary Packs are provided will continue to be published and updated on a regular basis. See TalpaBinaryPacks.txt for the current list. Note: this list is updated automatically when Talpa Binary Packs are added and removed.
  • Existing Sophos Anti-Virus for Linux installations will not be affected by this change. Talpa on-access scanning will continue to function without interruption and Sophos will continue to support customers using the product.
  • If on-access scanning is required and Sophos does not provide a pre-compiled Talpa Binary Pack for your kernel, the following options are available:


Sophos Endpoint for macOS – Intermittent hang of web browsing

Sophos Support has had reports of Apple Mac OS systems where web browsing stops while Sophos is installed. It appears that the SophosWebIntelligence service is getting stuck while connecting to the logging interface, which causes the service to hang.

This will be corrected in version 9.9.6.

Applies to the following Sophos product(s) and version(s)

Central Mac Endpoint 9.9.4

Central Mac Endpoint 9.9.3

Sophos Anti-Virus for Mac OS X 9.9.5

Central Mac Endpoint 9.9.5

When this issue occurs, no web browsing is possible. The trigger for the issue is intermittent. Some calls to an Apple interface do not respond according to spec, resulting in the service hanging.

Development is investigating with high priority as ticket MACEP-4493.

Update: October 9, 2019 – Development has a build which is undergoing testing for positive confirmation that it resolves the issue. Any customer experiencing this issue that wishes to test this build should contact Support and open a ticket. Note: The build can only be applied to all Macs on an account, not individually.

Update: October 28, 2019 – Development has tested a fix, both internally and with customers. During this time, the issue no longer occurred. As such, we are confident that the changes included in this fix are successful at correcting the issue. These changes will be incorporated into the release version 9.9.6, which we will be rolling out to Central customers around the end of November / beginning of December.

As a workaround, we have made a modified version of 9.9.4 available until 9.9.6 is released. Any customers who want this will need to contact Support, and it will be applied to all Macs for the customer. Please note that if you move to this special build, you will not get the 9.9.5 release (mid-November), and you will be placed in the first group for the 9.9.6 release. The 9.9.5 release contains two major changes: Sophos’ new Managed Threat Response (MTR) protection for Mac (https://www.sophos.com/en-us/products/managed-threat-response.aspx), and a pop-up notification for any permissions issues on Mac OS 10.15 Catalina. 9.9.6 will include everything in 9.9.5 when it releases.

To determine if you have the special build:

  1. Open the Sophos Endpoint GUI
  2. Option+Click on About (lower right)
  3. The version displayed will be 9.9.4 (217546) if you are on the special build.

To confirm you are impacted by this issue, run a Sophos Diagnostic (found in the About menu) and then SDU. This will place a file on the desktop. In this file, under SophosDiagnostics, open SophosDiagnostics.1.gz, then the file SophosDiagnostics.1 within it.

If you find many lines saying “[SophosWebIntelligence” in this log during the time of the issue, then it is NOT this problem. This issue is indicated by the lack of SophosWebIntelligence log lines when attempting to browse.
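The check described above can be scripted. The following is an added example, not Sophos code: it counts the "[SophosWebIntelligence" lines that fall inside the time window of the browsing hang. The timestamp layout and the sample log lines are assumptions constructed for illustration; adjust `TS_RE` and `TS_FMT` to the real layout of SophosDiagnostics.1.

```python
import gzip
import re
from datetime import datetime

MARKER = "[SophosWebIntelligence"  # substring the article says to look for
# Assumption: every log entry starts with "YYYY-MM-DD HH:MM:SS".
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample lines, not real Sophos output.
SAMPLE_LINES = [
    "2019-10-09 10:00:01 [SophosWebIntelligence] constructed: lookup completed",
    "2019-10-09 10:00:20 [SophosWebIntelligence] constructed: lookup completed",
    "2019-10-09 10:00:30 [SophosScanAgent] constructed: scan finished",
    "2019-10-09 10:05:10 [SophosScanAgent] constructed: scan finished",
    "    constructed continuation line without a timestamp",
    "2019-10-09 10:06:00 [SophosCleanD] constructed: idle",
]

def write_sample(path):
    """Write the constructed sample as a gzip file, like SophosDiagnostics.1.gz."""
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.write("\n".join(SAMPLE_LINES) + "\n")

def _parse_ts(line):
    """Return the leading timestamp of a line, or None if it has none."""
    m = TS_RE.match(line)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), TS_FMT)
    except ValueError:
        return None

def count_in_window(path, start, end):
    """Return (marker_lines, all_lines) logged between start and end inclusive."""
    lo = datetime.strptime(start, TS_FMT)
    hi = datetime.strptime(end, TS_FMT)
    opener = gzip.open if str(path).endswith(".gz") else open
    marker = total = 0
    in_window = False
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            ts = _parse_ts(line)
            if ts is not None:
                in_window = lo <= ts <= hi
            # Lines without a timestamp belong to the preceding entry.
            if in_window:
                total += 1
                if MARKER in line:
                    marker += 1
    return marker, total

def assess(path, start, end):
    """Return (verdict, marker_lines) for the window in which browsing failed."""
    marker, total = count_in_window(path, start, end)
    if total == 0:
        # The log does not cover the window, so nothing can be concluded.
        return "no-data", marker
    if marker == 0:
        # Other services logged but SophosWebIntelligence did not.
        return "consistent-with-hang", marker
    # Lines are present; the count lets the reader judge whether it is "many".
    return "web-intelligence-logging", marker

if __name__ == "__main__":
    import os
    import tempfile
    sample = os.path.join(tempfile.mkdtemp(), "SophosDiagnostics.1.gz")
    write_sample(sample)
    print(assess(sample, "2019-10-09 10:05:00", "2019-10-09 10:10:00"))
```

The "no-data" verdict matters: an empty window because the log rotated is not the same as a window in which other services logged and SophosWebIntelligence stayed silent.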

Please contact Sophos Support so we can track impacted customers and alert them to any updates.

Please contact Sophos support if you wish to get moved to the 9.9.4 special release with the fix, until 9.9.6 is released.

This article will be updated when information becomes available.


Sophos Anti-Virus for Linux: System requirements

This knowledge base article lists the system requirements of the Sophos Anti-Virus for Linux for Sophos Central, Sophos Enterprise Console and the standalone versions.


Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux 10

Sophos Anti-Virus for Linux 10 offers additional capabilities which include Malicious Traffic Detection and Sophos Security Heartbeat™ (applies to Central Server Protection license).

Here is the list of its minimum system requirements:

Sophos Anti-Virus for Linux 9

Sophos Anti-Virus for Linux 9 is the only version available for the standalone and Enterprise Console-managed versions.

Here is the list of its minimum system requirements:

  • Supported Distributions (latest minor point or LTS version):
    • Amazon Linux, Amazon Linux 2
    • CentOS 6/7
    • Debian 9, 10
    • Oracle Linux 6/7
    • Red Hat Enterprise 6/7/8
      • Red Hat Enterprise Linux 6 32-bit version supported until Nov 30th 2020
    • SUSE 12/15
    • Ubuntu 16/18 LTS
  • System type: x86_64
  • Free disk space: 1 GB
  • Free Memory: 1 GB
  • Stack sizes: Non-default stack sizes are not supported.
  • Language version: English and Japanese (EUC and UTF-8). Shift JIS and JIS are not supported.


SAV for UNIX: AIX fails to update over UNC after upgrading to 9.14.0

In some rare cases, SAV for UNIX 9.14 (AIX) can fail to update over UNC after installing/upgrading to 9.14.0. This only impacts UNC updating. HTTP updating is not impacted.

This is due to a defect in the Samba code we use for this connection, which fails if an IPv6 address is added on a network adapter with IPv4 configured. We have also informed the Samba community of this bug to ensure it can be fixed at the appropriate level.

Note: This bug was fixed in the version 9.14.1, available as of December 7th, 2017.


Applies to the following Sophos products and versions

Sophos Anti-Virus for Unix 9.14.0

If the system is already impacted by this issue (failing to update), there are three solutions. #1 and #3 will work without the updated SAV version (9.14.1+), but it is recommended to upgrade to this. Solution #2 is the recommended solution.

Solution 1: HTTP Updating:

Switch to HTTP WebCID updating. This will allow the client to update.


Solution 2: Reinstall:

Switch to a Subscription that contains 9.14.1+ (Preview, Recommended, and Previous all have this version as of December 7th, 2017).

Since this is an updating issue, if Solution 1 is not an option, the way to correct it is to uninstall and reinstall each impacted client, using the updated client.

Solution 3: Disable IPv6:

Turn off IPv6 on all network adapters on the AIX system. This will allow the client to update.
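To find the systems that meet the trigger condition described above (an IPv6 address on an adapter that also has IPv4 configured), the output of `ifconfig -a` can be parsed. The following is an added example, not Sophos code, and the sample output uses constructed documentation addresses. Skipping loopback interfaces by default is an assumption; the article does not say whether loopback counts.

```python
import re

# An interface block starts with "<name>: flags=..." in ifconfig output.
IFACE_RE = re.compile(r"^([A-Za-z0-9_.]+):\s+flags=")

# Constructed sample of `ifconfig -a` output (documentation address ranges).
SAMPLE_IFCONFIG = """\
en0: flags=1e084863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 2001:db8::10/64
         tcp_sendspace 262144 tcp_recvspace 262144 rfc1323 1
en1: flags=1e084863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
        inet 198.51.100.7 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=e08084b,c0<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT>
        inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
        inet6 ::1%1/0
"""

def dual_stack_interfaces(ifconfig_text, skip_loopback=True):
    """Return {interface: {"inet": [...], "inet6": [...]}} for every
    interface that carries both an IPv4 and an IPv6 address."""
    families = {}
    current = None
    for line in ifconfig_text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            current = header.group(1)
            families[current] = {"inet": [], "inet6": []}
            continue
        parts = line.split()
        # Address lines look like "inet <addr> ..." or "inet6 <addr>/<len>".
        if current and len(parts) >= 2 and parts[0] in ("inet", "inet6"):
            families[current][parts[0]].append(parts[1])
    result = {}
    for name, fam in families.items():
        if skip_loopback and name.startswith("lo"):
            continue  # assumption: loopback is not a "network adapter"
        if fam["inet"] and fam["inet6"]:
            result[name] = fam
    return result

if __name__ == "__main__":
    for name, fam in dual_stack_interfaces(SAMPLE_IFCONFIG).items():
        print(f"{name}: IPv4 {fam['inet']} and IPv6 {fam['inet6']}")
```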

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.


Advisory: Sophos Central – Some users are intermittently experiencing issues with the Central Dashboard

We are investigating reports of some Sophos Central users intermittently experiencing issues with the Central Dashboard.

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

Some Sophos Central users are experiencing issues logging into the Central Dashboard and/or intermittent performance and slowness issues navigating the Dashboard.

[11/1/2019 – 8.30pm EST] – RESOLVED

  • The Sophos Central Admin login issue has been resolved. All Services have been restored to normal.
  • Completed. Sophos is actively monitoring.

[11/1/2019 – 7.30pm EST]

  • The Sophos Central Admin login issue has been resolved, however some users may experience intermittent performance and slowness issues while accessing the Central Dashboard. Sophos is actively monitoring to ensure this is resolved.

[11/1/2019 – 6pm EST]

  • Some Sophos Central Customers are unable to log into Central and unable to load Devices List. All Sophos product functionality is otherwise unaffected. We are actively working to address this issue and will update as soon as possible.


Sophos Anti Virus for Linux – Malicious Traffic Detection when enabled, can cause High CPU usage

This article confirms the expected behaviour of Malicious Traffic Detection when it is enabled as part of Sophos Anti Virus for Linux

Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Linux

Central Sophos Anti-Virus for Linux Version 10.4.1

Malicious Traffic Detection

Malicious Traffic Detection (MTD) on a Linux server can be a very effective tool and is a valuable feature in many environments. In certain situations, though, it can consume a notable amount of CPU time, which means it is not always an appropriate feature to enable.

Although MTD only actually queries packets like TCP, HTTP and HTTPS, and exclusions can be set to ignore data to specific addresses, every single packet needs to be touched to confirm what type of data packet it is or where it is going. This means that although configuration changes to reduce the scan look-ups may in some circumstances help a little, nothing can be done to reduce the workload of making that initial scan.

For this reason, systems with a high network presence, like web servers or file servers, may experience periods of very high CPU usage as all the network data is touched. Sophos recommends testing the MTD feature on your Linux servers before rolling it out fully. Note: The CPU peak usage may lag behind the network peaks.

Related information / See also

Sophos Malicious Traffic Detection: Frequently asked questions (FAQ)

Introduction to Central managed Sophos with Malicious Traffic Detection functionality


Sophos Antivirus for Linux: Limited Support for RHEL 6 during Extended Life Phase (Japan only)

Sophos plans to provide Limited Support for Sophos Antivirus for RHEL 6 during Red Hat’s Extended Life Phase (ELP), until June 30, 2024, on the following basis:

  • Limited Support for Sophos Antivirus for RHEL 6 is provided on the assumption that the customer subscribes to Red Hat’s Extended Life-cycle Support (ELS) Add-On to receive critical security fixes for the operating system through the Extended Life Phase (ELP)
  • Limited Support is subject to a valid subscription to a current Sophos Server Protection license and receipt by Sophos of a support extension fee.
  • Limited Support means that Sophos will continue to test and release new versions of the Virus Engine or Virus Data Library as part of the release calendar. Only critical product issues will be addressed, which may include hot fixes, vulnerabilities or improvements to protection, at Sophos’ discretion.
  • Limited Support will be provided for 64-bit platforms and the last minor point release of RHEL 6. Sophos will endeavor to provide support for other minor releases on a ‘commercially reasonable efforts’ basis, as follows:
    • Support for product configuration and usage questions will be provided by Sophos Technical Support.
    • Technical product issues will be investigated using Sophos’ existing maintenance process, on the basis that the issue can be replicated on the last minor release
    • If a reported product issue cannot be replicated on the last minor release, Sophos advises that such issues would fall outside the scope of support.
  • Limited Support for Sophos Antivirus on RHEL 6 does not include CentOS and Oracle Linux derivatives. See Retirement calendar for supported platforms and operating systems.
  • Sophos currently plans to provide Limited Support for Sophos Antivirus on RHEL 6 through Red Hat’s published Extended Life Phase (June 30, 2024). Sophos reserves the right to suspend, reduce or terminate Limited Support before this date for reasons including but not limited to changes in demand, security, and technology. For example, if Sophos discovers an issue that requires the third-party operating system provider to provide a fix and the third party does not provide such fix, or if Sophos determines that a product code change would be required to address an issue for the RHEL 6 operating system.

Limited Support Terms

RHEL 6 Limited Support. AVAILABLE IN JAPAN ONLY. Subject to receipt by Sophos of a support extension Fee (either directly or via an authorized reseller as applicable), Sophos agrees that it will continue to provide Limited Support on a technically and commercially reasonable endeavours basis for a version of Sophos Anti-Virus for Red Hat Enterprise Linux (RHEL) version 6 on 64 bit platforms, beyond the published end of support date until the earlier of (i) the expiry of the support extension period stated in the relevant Schedule, or (ii) 30 June 2024. RHEL 6 Limited Support comprises regular updates to security data and periodic updates to the product engine only. Sophos reserves the right to suspend, reduce or terminate RHEL 6 Limited Support prior to such date for reasons including but not limited to changes in demand, security and technology, and if and to the extent that Sophos determines that a code change would be required to the Sophos Anti-Virus Product to address an issue for the RHEL 6 operating system.


Mac OS 10.15 Catalina Support and Known Issues

This article provides information about support for MacOS 10.15 Catalina, as well as known issues. It is highly advisable to read the known issues as there are several unavoidable issues in this OS release.

Apple enforces new per-application permissions in this version. Some permissions (such as user folders) will present a pop-up notice to the user to allow access; for system-level access, however, no notification is presented by the OS. Several Sophos services require this system level of access in order to detect and clean threats. This means that Apple will not notify users if these issues are being experienced.

All of our applications and installers are 64-bit, and will not be limited by Apple’s 32-bit restriction.


Applies to the following Sophos products and versions

Central Mac Endpoint

Sophos Anti-Virus for Mac OS X

Operating systems

MacOS 10.15 Catalina

MacOS 10.15 Catalina overview

With the release of macOS 10.15 Catalina, Apple has added additional security lockdowns to the operating system, including per-application disk access lockdowns. This results in several high-impact issues that must be corrected for full protection. Please see the Known Issues section below for full details. Upgrading to 10.15 is not recommended until your organization has a transition plan in place.

Required version: Sophos Endpoint 9.9.4 or above

In order to support macOS 10.15 Catalina, Sophos Endpoint 9.9.4 or above is required. Earlier versions will run if present during an upgrade, but are subject to the same known issues below, and not all permissions can be added (SophosServiceManager and SophosScanAgent cannot be added with 9.9.3). 9.9.3 and below will not install on a 10.15 system, and Central clients 9.9.2 or below will fail to communicate with Central until they update.

Sophos released 9.9.4 to Central in September 2019. 9.9.4 is also in the Preview subscription for Enterprise Console customers as of mid-September 2019.

For both Central and Enterprise Console, 9.9.5 releases in mid-October 2019 (to Recommended and Preview for Enterprise Console), and includes a permissions popup to make installations a bit easier.

Apple has locked down the following User Folders in OS 10.15.

  • Desktop
  • Documents
  • Downloads
  • Mail
  • Safari cache

The agents will need to be added to the Full Disk Access area of security and privacy, unless otherwise noted.

All Versions

The following issues will be experienced after upgrading to macOS 10.15 and before applying the corrective steps.

  • SophosCleanD – Unable to clean up threats in the above folders
  • SophosScanAgent – On Demand scans / Scheduled scans will not detect threats in the above folders
  • Sophos Finder Scan (Through SophosScanAgent) – Will not detect threats in the above folders
  • SophosServiceManager – Parent process for SophosScanAgent
  • Sophos Diagnostic Utility (Standalone only) – User prompted to allow access to the above folders. This is “Files and Folders” access.
  • sweep – Command line scanning tool. Only used manually and only needs to be added if command line scans are being run.
  • SDU4OSX / Sophos Diagnostic Utility – Unable to access all logs

Sophos Central 9.9.4 and above

  • SophosEndpointUIServer – User is not notified of threat detection (no popup)
  • SophosCleanD – Unable to restore files (Cryptoguard) in the above folders
  • Sophos MCS Server Change – MCS has been changed to use SHA2+TLS1.2 for its connection. This uses different servers than before, and should only be an issue if specific firewall allow rules are required for the communication. (Note: 9.9.3 has this change in place already.)

Sophos Endpoint (Enterprise Console Managed) 9.9.4 and above

  • For initial install, all install files must be copied from the CID share locally first before running the install.
  • SophosAutoUpdate – Cannot update from SMB shares. Only HTTP/HTTPS will work until approved

Older Endpoint versions

  • Subject to the same limitations as above
  • May have other issues not covered
  • Will upgrade to 9.9.4 (other than if impacted by SophosAutoUpdate issue) even with errors
  • 9.9.2 and below will fail to communicate with MCS (Central)

The following can be performed on OS 10.14, before upgrading to 10.15, or after 10.15 has been installed. The only exception to this is SophosServiceManager, which can only be added on 10.15.

  1. Open System Preferences.
  2. Open Security & Privacy.
  3. Go to the Privacy tab.
  4. Click the lock in the lower left and authenticate to make changes
  5. Select “Full Disk Access” on the left side
  6. Leave this window open.
  7. Open a Finder window
  8. From the Go menu, choose Go to Folder.
  9. Enter: /Library/Sophos Anti-virus and click go.

  10. Drag and drop the following items from the Finder window to the Security & Privacy Full Disk Access window
    • SophosAutoUpdate (Enterprise Console managed only)
    • SophosCleanD
    • SophosScanAgent
    • SophosServiceManager
    • Sophos Endpoint UIServer (Central Managed only)
    • Sophos Diagnostic Utility (from /Library/Sophos Anti-virus/tools/)

  11. You may receive a notice that some applications will not have full access until they are quit. This is fine; Later or Quit Now are both valid.

Note: The tool “sweep”, which is in /usr/local/bin/, cannot be added via this method as it is not a .app. It will prompt the user the first time the tool is run in order to be allowed. It will only be called if you are using it via command line.

Alternate Method of correction:

Using an MDM solution like Apple Profile Manager, or JAMF, you can add permissions in TCC to allow these processes. Visit the following kba articles for further instructions:

KNOWN ISSUE: “Full disk access required” message displays on Catalina when using an MDM solution with the correct access (with Sophos 9.9.5). Please see this KB134833


Advisory: [RESOLVED] Sophos Phish Threat New Campaign wizard hangs if content customized

Advisory: Sophos Phish Threat New Campaign wizard hangs if content customized

Making changes to a campaign at the customize stage (e.g. from name/email, subject, etc.) and clicking ‘Next’ results in the wizard hanging with the spinning progress circle.

Applies to the following Sophos product(s) and version(s)

Phish Threat

Will not be able to customize a Campaign before sending to users.

[RESOLVED] As of Saturday 16th November this issue should now be resolved.

Sophos Phish Threat Version 2

Issue should now be resolved. Anyone still experiencing these symptoms after the above resolution date should contact Sophos Support

No further update expected
