Sophos Mac Catalina




Applies to the following Sophos products and versions: Central Mac Endpoint, Sophos Anti-Virus for Mac OS X.
Operating systems: macOS 10.15 Catalina.
Background information: With the release of macOS 10.15 Catalina, Apple has added additional security lockdowns to the operating system, including per-application disk access lockdowns. After installing Sophos Anti-Virus, go to System Preferences on the affected Mac. Click Security & Privacy. In the General tab, click Allow for the blocked Sophos kernel extensions (kexts). Once authorized, all future Sophos kernel extensions will be allowed, even after an uninstall.
Sophos Anti-Virus for macOS: these are the release notes for Sophos Anti-Virus for macOS (Sophos Central edition). Improved support for macOS 10.15 Catalina when using MDM profiles. The preferences panel is locked immediately after an upgrade; to unlock it, log out, then log in to your Mac again.

22 Oct 2019

So macOS Catalina is here. I and others have been working on getting our systems ready for Catalina for the last few months… and we’re just about there thank goodness!

There are lots of new features in Catalina… with Data Protection being a big deal when it comes to our anti-virus tool, Sophos. From Apple’s webpage:

Data protections:


macOS Catalina checks with you before allowing an app to access your data in your Documents, Desktop and Downloads folders, iCloud Drive, the folders of third-party cloud storage providers, removable media and external volumes.

Which is a problem for an anti-virus application that expects to have access to the whole disk - to make sure no nasties end up on your computer…

MDM to the rescue?

Apple’s mobile device management (MDM) framework does allow an admin to grant specific applications Full Disk Access so they can continue doing what they need to do.


Sophos support originally produced some frankly horrible instructions… but recently we finally got some documentation that was a little more helpful.

However - it wasn’t perfect… we don’t use Jamf and we don’t use Profile Manager.

Our MDM of choice, SimpleMDM, does allow for adding Privacy Preferences - but the UI didn’t seem to lend itself to adding all of the components required in that Sophos doc.

Open source tools to the rescue?


Enter Erik Berglund’s ProfileCreator - a GUI application for creating Apple configuration profiles. This made quick work of creating a suitable profile that I could upload into SimpleMDM as a “Custom” profile.

It was added at the device level… and appears to be installed correctly by SimpleMDM.

But how do we test that it’s working?

I was expecting to see Sophos or some Sophos components “pre-approved” in the Security & Privacy –> Privacy –> Full Disk Access part of system preferences. But, nope - nothing.

So is it working or not?


There’s an anti-malware testfile available from eicar which isn’t actually a virus - but is detected as such by anti-virus applications!

So - if the eicar test file is downloaded to a user home directory and gets detected as malware - that proves the profile is actually doing something…

So that’s what I tried, running

curl https://secure.eicar.org/eicar.com >> test_file.com

to download the test file to a user home directory on a device enrolled in MDM with the Sophos “Full disk access” profile installed.

Bingo! Detected as Malware. Then I repeated the experiment after manually unenrolling, and rebooting for good measure…

…and it looks like Sophos can still see malware and viruses, but what it can’t do is remove or quarantine them.
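To make the two steps above concrete, here is an added shell example (not from the original post, and not Sophos’s own profile): it writes a PPPC (Privacy Preferences Policy Control) profile of the kind ProfileCreator produces, granting one bundle identifier Full Disk Access, and wraps the EICAR check in a function. The bundle identifier, code requirement and UUIDs are placeholders to be replaced with the vendor’s real values.

```shell
#!/bin/sh
# Added example, not from the original post or from Sophos. Writes a PPPC
# ("Privacy Preferences Policy Control") profile granting one app Full Disk
# Access, then checks the result the way the post does, with the EICAR file.
# Bundle id, code requirement and UUIDs are placeholders: take the real
# values from the vendor documentation or `codesign -dr - /path/to/app`.
make_fda_profile() {
  out=$1; bundle_id=$2; code_req=$3   # $3 = designated code requirement
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>$bundle_id.fda</string>
  <key>PayloadUUID</key><string>PLACEHOLDER-UUID-1</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
    <key>PayloadIdentifier</key><string>$bundle_id.fda.tcc</string>
    <key>PayloadUUID</key><string>PLACEHOLDER-UUID-2</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>Services</key><dict>
      <key>SystemPolicyAllFiles</key><array><dict>
        <key>Identifier</key><string>$bundle_id</string>
        <key>IdentifierType</key><string>bundleID</string>
        <key>CodeRequirement</key><string>$code_req</string>
        <key>Allowed</key><true/>
      </dict></array>
    </dict>
  </dict></array>
</dict></plist>
EOF
}

# Number of Full Disk Access grants in a profile; confirms the uploaded
# "Custom" profile still carries the SystemPolicyAllFiles payload.
count_fda_grants() {
  grep -c '<key>IdentifierType</key>' "$1"
}

# The post's check: fetch the EICAR test file into the user's home and see
# whether the scanner removes it (with FDA it disappears; without, it is
# detected but stays). Needs network and a running scanner; not run here.
eicar_check() {
  f="$HOME/eicar_test_file.com"
  curl -s https://secure.eicar.org/eicar.com -o "$f"
  sleep 30
  [ -e "$f" ] && echo "still present: detected but not cleaned" || echo "removed"
}
```

Upload the resulting .mobileconfig to the MDM as a custom profile at the device level, then run eicar_check on an enrolled Mac to confirm the grant took effect.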


This is a concern - as we’ve configured Sophos to raise a ticket automatically if it finds malware it can’t remove. In a Sophos install without “Full Disk Access” approval, that’s basically every. Single. Detection… :(

MDM to the rescue!

It’s great for now that we can use the profiles framework and SimpleMDM to ensure Sophos can continue to work as expected.

If you’re a Sophos user - and are interested in what the profile looks like - you’ll find a copy here.


Published on 22 Oct 2019. Find me on Twitter and Mastodon.




