Dear Support Team,

I have observed that whenever you open the Sophos Home Premium agent on the Endpoint (client computer), it has a settings tab located on it. I have observed that by clicking this settings tab automatically takes you to the Sophos Home Premium Cloud Management Console, without even asking or prompting for the username or password on the website, which is quite insecure I would say.

That way anyone using the home computer can change the policies and security settings. I want to enforce certain restriction on the Laptops used by the kids. Since the settings tab does not prompt for credentials, they get direct access to modify the policies.

In addition to to prompt for credentials I would request you to even provide MFA for Advanced users., and simply credentials for standard users.

Please take this on priority.

Thanking you.

Regards,

In Sophos Central, you can block all peripherals by default - and then have an allow list

You can't do it the opposite way round, where you allow all devices and just have a block list.

When trying to create a Peripheral Exemption to Block a device, with the default being Allow, it says that "Exemptions cannot be stricter than global settings."

This mean that for a particular customer, we have to Allow around 300 USB devices just to block a singular device which a user brought in with malicious content on.

It would be good to just block a singular device, whilst allowing all devices by default

It seems that the higher up the ladder that the user is, the harder it is to get them to reboot. The disruption that closing their many, many, multi-tasking windows left open as project or task placards, makes it extremely difficult for them to pick up where they left off.

Then a week after I had convinced all of my users to reboot for an update, I had another warning in the console to reboot all of the clients again.

And now two weeks later, I have a new warning to reboot the endpoint users for Hitman.

If we keep requiring the users to reboot, they loose their urgency, and could compromise the security of the network.

Could we find a way to update the client without a reqired reboot, as many competitors have?

We have several site all around the world but Sophos is centraly managed which means that we cannot always physically go to client computers or remotely connect to them (because of time zone, bad internet connectivity, etc...).

So when an alert for files like those is raised in the console:
Manual malware cleanup required: 'Mal/VMProtBad-A' at 'G:\PortableApps\Sid Meier's Civilization V + DLC\CivilizationV_DX11.exe'
Manual malware cleanup required: 'Mal/Sality-D' at 'E:\hasna .scr'
Manual malware cleanup required: 'Mal/VB-OL' at 'E:\Data Dell.exe'

I would like to be able to select "Delete" and not just wait that something happen. Currently the only option is "Marked as resolved" which is useless if cannot directly access the concerned computer.

Such Alerts are lasting for weeks now, so it would be nice to be able to clean the dashboard.

Thanks!

Allow localized exclusions per machine/client to play nice with global policies from the management portal.
Currently it appears that policy based exclusions prevent the ability to add additional exclusions at an agent or client level.
It would be ideal to have the policy enforced when pushed out but still allow subordinate exclusions to be configured for end user networks and devices.

For example:
I have global policies that apply well to all clients but not all and as a result certain several clients have had to be purposefully removed from the policy target group. Having to reconfigure common exclusions for every client instance is a major time-sink that I feel could be avoided.

Our PCI-DSS Level 1 audit has asked us to show logs when any attempt to kill any Sophos process is done. None can be found, despite Sophos Support claiming an event is logged in Event Viewer - no Event Source, Event ID or other information was provided to prove this is the case. An "Access Denied" Error is generated by tamper protection, that's nice. We have no proof that someone or something attempted to circumvent Sophos until it has actually be circumvented - alert in Sophos central that the computer is no longer protected, nor how long this attempt to circumvent has been underway. Like closing the barn doors after the cows have left.

Use Case:
- a malicious attacker (External actor or disgruntled employee) manages to gain access to a workstation or server via a legitimate path - Powershell WRM or Interactive console access - without triggering any other malicious payload alert by Sophos - an otherwise legit login to the targeted machine/environment (credentials obtained via phishing attack). Then the attacker attempts to stop Sophos. At the absolute minimum an audit log in the Windows Security Event Viewer log should be logged of the attempt, like any other access denied log windows generates for system events. This will allow administrators to see any potential attacks under way that have not otherwise triggered a malicious payload alert or even something in the Tamper Protection logs themselves and not just "Tamper Protection has been disabled". The logs can also be analyzed in real time by 3rd party monitoring platforms like SumoLogic that can correlate the data from the Windows Event Logs, that Sophos is simply not designed to do. And with appropriate setup, can be alerted with Real Time Alerts from the 3rd party monitoring platform or even Sophos Central if the attempt to kill any Sophos process is relayed back to Sophos Central alerting.

Example Log:

An attempt was made to access an object.

Subject:
Security ID: ad\UserName (or Local System Account if accessed via System account)
Account Name: UserName
Account Domain: ad
Logon ID: 0xFFFFFFFF

Object:
Object Server: Security
Object Type: File
Object Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
Handle ID: 0x0000
Resource Attributes: S:AI

Process Information:
Process ID: 0x000
Process Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe

Access Request Information:
Accesses: EndTask
Outcome: Access Denied