The current design of isolation UI for Windows is to pop up an alert on the notification area, which I assume Sophos utilizes Windows feature, then disappears after a short while. End users who missed this popup will be isolated from the network not knowing why it is happening. Isolation can be initiated by sysadmin in the EDR feature, but can happen unexpectedly if auto-isolation is enabled and an endpoint fails in red status. This unwanted event is occasionally observed mainly due to one of Sophos service failure - Central Device Encryption is the most observed. If the isolation message persists on the screen, for example displaying on the web browser like other vendors do, that would be very much beneficial to both end users and admins.

We had a strange behavior of Sophos Endpoint Protection which should be solved by changing the behavior of the "Scan with Sophos AV" option in the context menu of windows.

What happened:
A user had an infected word file stored on his desktop. When using the context menu function "scan file with Sophos AV" it doesn't find anything wrong or suspicious.
This was weird because according to Virus Total this file contained Malware which was also detected by Sophos endpoint protection.
When checking the exclusion list on Sophos Central we found an exclusion for C:\users*. This seems to prevent the "scan file with Sophos AV" function from doing its job!
As soon as we removed this exclusion Sophos detected the malware and cleaned it up immediately!
In our opinion, it's OK that sophos didn't remove the file because of the exclusion.
But as soon as the user checks the file with this context menu function it has to ignore all exclusions - at least file path exclusions!
Otherwise, the user has no clue of a potential danger and executes the malware!

When a customer has a termed license which is due to expire, a license expiry notification is sent to the end user, stating that their licenses have expired. This notification is fine if their licenses have not been renewed and have expired.

However if their licenses have been renewed and there is a new termed contract in place.
Please do not email customers that their licenses have expired. As a result we end up with complaints from the end user that we have not renewed their licenses. Then have to explain it is Sophos fault for an automated service sending incorrect information to the end user. This looks very unprofessional and would like if these notifications are stopped when a user has a new termed license contracts in place.

Here is a use case. One of our computers is used for demo purposes, and the demo includes uploading a file that knowingly contains a malware and demonstrating that the malware is detected.

We use a specific type of malware: OF97/EicarDrp-A, and we attempted to create a dedicated policy just for this computer that excludes this type of malware. However, this turned out to be impossible. Using a "Potentially Unwanted Application" exclusion type and setting it to "OF97/EicarDrp-A" didn't work. The support engineer advised to use "File or folder" exclusion type (case number 03580697), which is quite insecure (the user can store ANY malware under the whitelisted name, not just the approved OF97/EicarDrp-A).

Please add a possibility to exclude a specific threat from an endpoint policy.

I had to recently create a new drop rule with internal Zone any to wan zone to IP list, this was after repeated ATP alerts from a Linux host attempting Botnet detected host ip connections, I know ATP will block anyway but to be sure I decided to create this top-level Drop rule with the IP list for which I will add Detected IP addresses into so it applies to all internal traffic attempting communication to the same detected ip addresses. It then made me think it would be handy if it were possible to include firewall rules in the current notification lists available i.e. hits on certain FW rules would generate additional notifications as well as the existing ATP alerts. I realise this may be redundant as ATP does notify already but this would be a fall-back line of defence of which notifications would be so handy to have Aswell.