Please add a link to view event details for macOS machines. This feature exists for Windows machines, but not macOS.

When responding to alerts in Sophos Central, the first thing I do is gather as much information as possible from the alert itself. Whether the endpoint is Windows or macOS, I need to be able to view details such as the file hash, raw detection data, file publisher, etc. in order to properly triage the alert.

After reviewing an alert, I go directly to the events tab of the device in question. On a Windows machine I am able to click a "Details" link for each of the events that were alerted on, as well as the events that may have preceded the detection. On a macOS machine no such link exists, so I am left relatively blind to details that are crucial to continue my investigation.

I was told that because many of the detections I was seeing were PUPs and PUAs, a detail link was not provided since they are not necessarily malicious in nature. However, I also encountered instances where I cannot see details for 'Malware detected: 'Mal/Phish-A' events either. In addition to this, I should be able to view details on PUP and PUA detections (just like is available in Windows) so that my teammates and I can make the determination on whether to block the application across our environment.

Brief: Currently there are only 7/9 Exclusion Types (compared to the 9 Exclusion Types in Global Settings/ Global Exclusions) available when adding an exclusion to a threat protection policy. We need the ability to create "Exploit Mitigation" exclusions at a threat policy level, not just as a global exclusion.

Discussion: In an enterprise environment with many users filling a variety of job requirements, the inability to create granular Exploit Mitigation exclusions makes for a cumbersome exclusion process. Yes, this option is available in Global Exclusions, however we may only want to exclude a certain Exploit Mitigation (i.e. Lockdown exploit) from being detected in a given application (i.e. Excel, Adobe, etc.) for only a handful of tens of thousands of computers. In this case, we would want to create a specific policy for a subset of users to which we could apply this exlcusion for.

Because of the unique nature of a detection ID/ thumbprint that is assigned to an exploit mitigation event, creating a custom policy and adding a "Detected Exploits" exclusion is not effective. One example is a user who had a custom script that is run on everchanging Excel reports. The script that gets run on the report is a PowerShell script, and had a handful of commands that could be run. Different commands generated different detection IDs, thus requiring a custom policy to be created with 7 Detected Exploit exclusions.

Hi All,

Are we able to tidy up the licence renewals process for customers?

Customers are unhappy with the way licence renewals are processed and are finding the notifications around this to be quite confusing, please see the following feedback from a customer below:

"Thanks for keeping on at Sophos about this, it's just a bit alarmist and
doesn't really paint Sophos in the best light. It suggests that at a
minimal they don't know what licenses you have and at a worst it feels like
scare tactics to dupe the unwary into paying for their licenses over again!
Especially as the license number for the “Intercept X Advanced” is the SAME
as for the “Intercept X” that expired. Maybe they should go on License #
instead of License Name (or better yet, stop renaming their products half
way through the lifecycle!)"

Hello,
I am able to see if a device has its local windows firewall disabled by running a report, but I am unable to have be a event that I am emailed on. I have spent hours on the phone with multiple support individuals trying to understand why this is not happening and have not gotten much help. I would love to be alerted when a local firewall is disabled. This is a huge security risk to have the local windows firewall disabled, and I feel to hove Sophos send me an email when this event happens would be extremely helpful.
Thanks,
Dustin Barott