I would like the ability to have the actual malware samples that were detected on an Endpoint accessible for post breach incident response and mitigation. Ideally once a file is detetced it will be moved or uploaded to Sophos Central and an Administrator can download the file in a ZIP. If this is not possible instead of deleting the file I would like it encrypted and moved to ProgramData so it can be collected after by Incident responders.

HTML in emails is considered as a bad idea at least by the German CERT.
So it would be good if the Sophos Support would get away from this
marketing bullsh** and send his responses in plain text.

Furthermore it would be good, if the processes with email based sample submission
would be aware of S/MIME signed emails and evaluate the cryptographic signatures
instead of marking them "non-detect worthy" (big lol)

The as-is-state does not look professional.

The on prem server console should report back via email and state whether the threat found was sucesfully cleaned, quarentined or deleted.
At present it just indicates that something was found. But no second email with the outcome.

As a system admin i dont want to be always logging in from home at night or on weekends to over look the outcome if i am notified a threat was found

fire your entire (non-)support staff! Destroy any manuals or operating procedures they have made

In order to handle incidents properly it would be much easier if SEC would provide some more relevant information about detected files.
Essential information missing:
- File size
- File meta data: Application Name
- File meta data: Company Name
Additional nice to have information:
- True file type detection
- Original file timestamps (Created/Modified/Accessed)
- Information about whether the file is signed

Under Enterprise Console, you had the ability to create a standalone install package with all IDE files, etc. This was really handy on slower internet connections, as you don't have to tie up all available bandwidth.

Would really like this function again, as I am fighting through installing at another site with only a 5MB connection (fibre broken during renos)

It would be infinitely more useful if threat containment/quarantine provided the modified time of the binary before it quarantined the file. For forensics and timeline correlation of events, other artifacts can be found using a time window around the malinary's modification date/time. *malinary - a malicious binary

On the Sophos Cloud Dashboard, allow to disable the popup alert detections so that the detection information is displayed only on the Dashboard console.
This same feature is already available on the SEC (On-Premise endpoint console) but not on the Cloud dashboard.

Please add the ability of the SAV endpoint
to send email alerts when it encounters a web protection issue.

For example when a user browses a web site
that contains a contaminated image, an email should be sent, as with on-access
scanning

Please add the ability of the SAV endpoint
to log/debug the sending of email alerts and also log the response from
the SMTP server upon sending of an email alert