Sometimes emails get deleted by Email Gateway. Many times it is correct but there are times when it is not. Currently we have no way to recover a message that has been deleted. Rather than automatically dumping them, it would be helpful to allow messages to move to an admin only area to be reviewed and possibly downloaded directly from the portal, or released if it is determined that there is a need. A good example, we had an wayward block rule deleting all email from gmail.com. After finding the issue it would have been super helpful to go back and redeliver the deleted emails to users so they did not have to request the messages be resent.

Hi, please consider this simple suggestion.

Ability to include quarantined messages by reason "Attachment file type" in the quarantine summary but without the "release" option to keep them safe from themselves.

Some messages that are not flagged as spam/bulk with attachments get flagged and sent to quarantine due to potential threats, but no one other than admins can see them. Unless you have a dedicated resource monitoring this quarantined list, users will never know about these messages.

Not asking to open potential security holes here, but if the users could see they got messages that were deemed dangerous because the attached files, at least they could tell their known senders they are sending bad stuff.

Another option would be to send a quarantine summary only to admins with all these messages, or event better, the option to only report to admins messages flagged by reason "attachment file type".

Thanks for your hard work on this tool.

Suggesting some improvements to this existing feature:

Endpoint Protection - Controlled Updates
Go to:
Endpoint Protection > Settings > Controlled Updates

You can control how your computers get product updates below. All computers still get security updates immediately to protect them against the latest threats. When product versions expire, any computers on that version will be updated to the next version automatically.

When a new version becomes available, you can add computers to a list called "Test computers".

When you are satisfied with your testing, you can click a button that says: "Update to match test computers"

Suggestions:

1) Provide a confirmation button that says something similar to the following: "This will upgrade all computers to the newest version available. Are you sure you want to do this?"
2) Provide a way to use Groups in the "Test computers" section so that individual computers do not have to be added manually.
3) Provide a separate sub-screen for "Update to match test computers" that allows you to select Groups to update.
4) Provide a way to select a date/time range for updating the computers.

Sync email addresses from Office 365 rather than AD. Sync from AD causes an issue if you have lots of shared Mailboxes, they need to be added/removed manually from the console. Also if you use SharePoint or Teams where users have the ability to create Office 365 groups and associated email addresses these are not added into the Sophos portal so all inbound email is bounced. Also since Sync deletes any manual entries we have to turn it off but that causes issues when we have new starters especially grad programs where 40-50 start at a time, they all needed to be added manually into the portal and even worse every year a new year group for school starts and we need to manually create hundreds of users and 10-40 year group emails. This is a nightmare. Again if you have people leave, some customers want them converted to a shared mailbox so when they are converted and their AD user is disabled they get removed from Sophos.

1. Add a status column for Tamper Protection Enabled/Disabled in the Devices list.

2. Add a Enable/Disable Tamper Protection option to the Devices page. You would check as many boxes as necessary and then enable/disable tamper protection for them. This is necessary for mass reinstalls where Sophos is missing services or other.

3. Add a timed option for when Tamper Protection will automatically come back on. This could be a pop-up that shows after clicking disable which would then ask how many hours/days it should be disabled, or if it should be disable indefinitely. This will add administrative security as it's easy to forget re-enabling.

USE CASE: We need to reinstall Sophos to a large amount of computers currently missing services or having other issues. While we've found a way to push out a mass reinstall, we still have the task of going to each computer in Sophos Central, disabling the Tamper Protection, and then revisiting those computers later to re-enable Tamper Protection. I've noticed that there is a way to remove Tamper Protection for all computers in Global Settings, but that isn't ideal and presents an unnecessary security risk for every other unaffected computer.

I recently ran into an issue where all emails from gmail.com were being deleted. I could not figure out what was going on. I called support and they helped me solve the issue which turned out to be a wayward rule. My issue is the logging is so obtuse in Email Gateway that you can't really tell why something was deleted. There should be a simple note on the message as to why it was deleted. Was it an advanced threat, triggered by a block rule, malware, etc. There should also be verbose logging that lets you see the message the entire way through the Sophos system. This would save countless hours and support calls. Even the support Engineer did not have access to better logs. He just made a few guesses and we eventually found it. In the meantime, he was getting the case ready to send up to development which seems ridiculous. Please provide better logging and clear explanations in Sophos Central as a whole as to why something is happening.