Please add a link to view event details for macOS machines. This feature exists for Windows machines, but not macOS.

When responding to alerts in Sophos Central, the first thing I do is gather as much information as possible from the alert itself. Whether the endpoint is Windows or macOS, I need to be able to view details such as the file hash, raw detection data, file publisher, etc. in order to properly triage the alert.

After reviewing an alert, I go directly to the events tab of the device in question. On a Windows machine I am able to click a "Details" link for each of the events that were alerted on, as well as the events that may have preceded the detection. On a macOS machine no such link exists, so I am left relatively blind to details that are crucial to continue my investigation.

I was told that because many of the detections I was seeing were PUPs and PUAs, a detail link was not provided since they are not necessarily malicious in nature. However, I also encountered instances where I cannot see details for 'Malware detected: 'Mal/Phish-A' events either. In addition to this, I should be able to view details on PUP and PUA detections (just like is available in Windows) so that my teammates and I can make the determination on whether to block the application across our environment.

Brief: Currently there are only 7/9 Exclusion Types (compared to the 9 Exclusion Types in Global Settings/ Global Exclusions) available when adding an exclusion to a threat protection policy. We need the ability to create "Exploit Mitigation" exclusions at a threat policy level, not just as a global exclusion.

Discussion: In an enterprise environment with many users filling a variety of job requirements, the inability to create granular Exploit Mitigation exclusions makes for a cumbersome exclusion process. Yes, this option is available in Global Exclusions, however we may only want to exclude a certain Exploit Mitigation (i.e. Lockdown exploit) from being detected in a given application (i.e. Excel, Adobe, etc.) for only a handful of tens of thousands of computers. In this case, we would want to create a specific policy for a subset of users to which we could apply this exlcusion for.

Because of the unique nature of a detection ID/ thumbprint that is assigned to an exploit mitigation event, creating a custom policy and adding a "Detected Exploits" exclusion is not effective. One example is a user who had a custom script that is run on everchanging Excel reports. The script that gets run on the report is a PowerShell script, and had a handful of commands that could be run. Different commands generated different detection IDs, thus requiring a custom policy to be created with 7 Detected Exploit exclusions.

Hi All,

Are we able to tidy up the licence renewals process for customers?

Customers are unhappy with the way licence renewals are processed and are finding the notifications around this to be quite confusing, please see the following feedback from a customer below:

"Thanks for keeping on at Sophos about this, it's just a bit alarmist and
doesn't really paint Sophos in the best light. It suggests that at a
minimal they don't know what licenses you have and at a worst it feels like
scare tactics to dupe the unwary into paying for their licenses over again!
Especially as the license number for the “Intercept X Advanced” is the SAME
as for the “Intercept X” that expired. Maybe they should go on License #
instead of License Name (or better yet, stop renaming their products half
way through the lifecycle!)"

Hi, please consider this simple suggestion.

Ability to include quarantined messages by reason "Attachment file type" in the quarantine summary but without the "release" option to keep them safe from themselves.

Some messages that are not flagged as spam/bulk with attachments get flagged and sent to quarantine due to potential threats, but no one other than admins can see them. Unless you have a dedicated resource monitoring this quarantined list, users will never know about these messages.

Not asking to open potential security holes here, but if the users could see they got messages that were deemed dangerous because the attached files, at least they could tell their known senders they are sending bad stuff.

Another option would be to send a quarantine summary only to admins with all these messages, or event better, the option to only report to admins messages flagged by reason "attachment file type".

Thanks for your hard work on this tool.

Under the allow and block you are only allowing for IP, Domain and email.
I suggest also adding the ability to block phrases or keywords determined by quotations

For example: "you have won 1 bitcoin", "Click here to see my hot photos" etc

This will then assist in blocking multiple emails that contain vulgar content in the subject/content lime instead of the user receiving them in the quarantine section.

This would be a great way for IT staff to filter spam emails that have the same subject line or the same content. We constantly find that we receive the same emails but the origin is always different, the IP Changes, the domain changes... this makes it difficult to keep on top of these types of emails.