Hi all,

We're wondering why there is no FIM (File Integrity Monitoring) functionality for endpoints but servers, only.

There are also files or paths on endpoints where it would higher the security level a lot if you could assure the integrity of these files and paths.
We have a specific scenario that I cannot cover with Sophos Endpoint Security because we cannot assure the integrity of certain files.
To allow us central management of credentials of local administrator accounts on our windows client we use a well-known tool from MS called LAPS.
LAPS uses a little application on the clients to create the random administrator passwords as soon as the passwords expire after the given amount of days.

To do this, it uses the admpwd.dll which creates the passwords and writes it back to the assigned attribute field of the AD computer account.
This works great but the big deal is that the source of this dll is published at GitHub network.
So if there is an attacker who knows how to code he just has to extend the code of this dll e.g. to write the created passwords additionally in a text file.
We had to deal with this case in our network!

Currently, we don't see any way to close this security issue without changing the local admin password management tool.
If the endpoint would also use the FIM feature we could protect or check the integrity of this dll file and make it way harder for attackers.

So let's roll up the sleeves and bring this amazing feature to endpoints as well :)

Regards
Matthias Schmidt

Alerts can be received via email. Sophos only sets these events as alerts, which are not automatically resolved by Sophos.

But some events may be crucial, such as:
- Someone tries again and again to open the same blocked websites
- A Virus/Ransom Ware was blocked by Sophos

For now you have to look into the Events Report in the Admin Center of every single customer to get these information,
which is quite time-consuming, especially if you have a lot of customers.

A Feature that allows you to choose by yourself, which events you want to receive via email, would save a lot of time.

Estate Licensing for Mixed Windows/Linux only makes "Cents" for Sophos, Does NOT make "Sense" for customers. Effectively Sophos and MSP's have to charge more for a product that gets no or limited additional features from the Standard protection. When selling to clients whom have both Linux and windows servers it is kind of hard tell them. Get advanced its great on your windows boxes. Oh, and you get to pay more for your Linux servers and get no extra benefit.

Linux products really should have there own SKU. And be priced separately. I see some posts for Linux workstations to have there own SKU as well. Maybe with this change both Servers and workstations could have different pricing and have a price to match that actual features they are getting. Lets have the licensing make "Sense" and not "Cents"

Bug Fix/Feature Request for Sophos Central Admin:

Feature: Computer Search

When performing a search on computer devices to check health status, you get a list of desired computers displaying either of the following 3 statuses: All Health Status, Computers with a medium or bad status, Computers with a bad status. When user selects a specific computer, more device detail information is displayed. However, when you go back to the previous screen, the previous list is no longer displayed; page is back to default.

NEW IDEA PALMDALE SCHOOL DISTRICT IS REQUESTING:
REASON: FOR EASIER END-USER MANAGEMENT (SAVE ALOT OF TIME & ENERGY)

Instead of the Computer search page going back to its default display when you go back to the previous screen after user selects a specific computer and goes into the device detail screen when you can see SUMMARY, EVENTS, STATUS, POLICIES, have it retain the same computer search list you performed the search on.

Easy fix!

Thank you!

Please add a link to view event details for macOS machines. This feature exists for Windows machines, but not macOS.

When responding to alerts in Sophos Central, the first thing I do is gather as much information as possible from the alert itself. Whether the endpoint is Windows or macOS, I need to be able to view details such as the file hash, raw detection data, file publisher, etc. in order to properly triage the alert.

After reviewing an alert, I go directly to the events tab of the device in question. On a Windows machine I am able to click a "Details" link for each of the events that were alerted on, as well as the events that may have preceded the detection. On a macOS machine no such link exists, so I am left relatively blind to details that are crucial to continue my investigation.

I was told that because many of the detections I was seeing were PUPs and PUAs, a detail link was not provided since they are not necessarily malicious in nature. However, I also encountered instances where I cannot see details for 'Malware detected: 'Mal/Phish-A' events either. In addition to this, I should be able to view details on PUP and PUA detections (just like is available in Windows) so that my teammates and I can make the determination on whether to block the application across our environment.