Author Topic: Review: Sophos Home for Windows

joe53
Review: Sophos Home for Windows
« on: November 13, 2016, 01:46:40 PM »
Sophos Home (SH) is a free anti-virus that has been available to home users for about one year. Sophos is a 30-year-old security company from England, which established itself with endpoint security solutions aimed at business networks. These products have consistently scored well in independent testing at AV-Test and AV-Comparatives, as did Sophos Home for Mac. SH for Windows has yet to be tested at these sites. The reviews I've read so far have been mostly positive, so I gave it a test drive.

SH is promoted as offering free (and simple) commercial-grade security to home users. It can be installed on up to 10 home PCs. Like most free AVs, it is restricted to private, non-business use. It provides real-time malware and malicious website protection, phishing protection and potentially unwanted app (PUA) detection, as well as offering control/filtering of website access via a central dashboard that lives in the cloud.

System Requirements:
- Windows OS: 7, 8/8.1, and 10 (32- and 64-Bit)
- RAM: Minimum 1 GB
- Hard Drive: Minimum 1 GB of free disk space
- Browsers supported: Microsoft Edge, IE 10 or 11, Firefox, Safari, Chrome

Before downloading SH, you must first register and create an account with Sophos. You begin the process here:
https://www.sophos.com/en-us/lp/sophos-home.aspx

My test platform was a Dell Latitude E5410 notebook running Windows 7 Professional/SP1 64-bit, and IE 11 (without add-ons). It came with an Intel Core i5 @ 2.40 GHz, 4 GB RAM, and a 160 GB SATA HDD. Real-time protection was Avast Free AV, and the Windows software firewall. On-demand scans by Avast, MBAM Free, Malwarebytes AdwCleaner, and HitmanPro Free detected nothing, and Avast was uninstalled prior to testing. All Microsoft and 3rd-party programs/patches were up-to-date.

My Results

Registration, Download and Installation

Registration to create an account at Sophos requires a first and last name, an email address, and a password prior to downloading the installer/extractor. As I expected, my Pale Moon browser was not supported for any of this, so I switched my default to IE. A confirmation email reply was needed. The download was swift, but the extraction and installation process from my desktop took about 15 minutes, the last several minutes involving downloading updates. During this time, no user input is involved - no "custom installation" option, no bundled software to accept/refuse, no desktop icon, etc. The entire process from registration to completed installation took about 30 minutes (via Wi-Fi/fast cable connection). Installing on other computers in your household takes about 15 minutes.

An icon was placed in my notification tray, 8 services were installed, and 3 Sophos programs were added to my installed programs list (Sophos Anti-Virus, Sophos AutoUpdate, and Sophos Management Communications System). Windows Defender (anti-malware for Windows 7) was turned off automatically during the installation.

Display and Controls

A right-click on the tray icon offers only the option to open the program, and to download the latest update. Updates are otherwise performed automatically several times per day.

The GUI opened to fill about one-third of my 14 inch screen, and was simple and easy to read. Unfortunately, it could not be minimized to the Taskbar, which hindered using my desktop while the program is open, or during a scan. With the display, what you see is what you get - there are no tabs to adjust settings locally, to view scan logs or quarantined items, or to configure settings. The GUI will display 3 green checkmarks to indicate that real-time virus, web and PUA protection modules are ON. There is a Help link that takes you to a useful site with FAQs. But the only functional buttons are [Scan Now] and [Home Dashboard]. There is also a link to "Exceptions ..." where any files, folders or websites you have whitelisted in your Dashboard from scanning or blocking are listed.

What little configuration of settings is possible must be done using the Dashboard button, which takes you to a Sophos site. There you must log on with your email address and password before you can access the controls. The only settings that can be configured are toggling the 3 real-time protection modules off/on, and activating the web filters that block sites according to content category (adult content, gaming sites, etc.).

To test the web filters, I configured SH to block 1) download sites, and 2) forum/blog sites. The results were interesting (and a bit schizophrenic):
- Access to the SpywareHammer, bleepingcomputer, and Malwarebytes forums was blocked, but I had no problem accessing the Dell Community Forums or Wilders Security forums.
- I was able to download Avast Free and MBAM Free, but SH blocked downloading for Panda Free, MSE, and WinPatrol Free.

Scanning

The only scan option in the GUI is a full scan. (You can scan individual drives, files or folders by right-clicking on them, where SH is integrated into the context menu). There is no option to schedule regular scans, for those who prefer to do this. Unlike with Panda AV, I was not offered a scan of a USB flash drive when I plugged it in, although one can navigate manually to do this.

A first hard drive scan took about 18 minutes (finding nothing). Prior to uninstalling Avast, its Quick Scan took about 6 minutes on the same system. Subsequent SH scans took about 17 minutes, so presumably little caching is involved.

To see how SH handles detections, I installed 2 harmless test files that mimic malware: the EICAR and trojansimulator files. The EICAR file was detected and removed immediately upon installation. I was not offered any option to ignore it, or quarantine it. It just vanished into the ether. As far as I can tell, there is no quarantine/chest/vault from which you can restore removed files.

The trojansimulator file provoked no response from SH. (This comes as a zipped file that MBAM Premium's real-time protection won't even let me download on my regular computers, much less unzip or run). SH was perfectly happy to let it download, be extracted, and install a startup file that runs automatically. (WinPatrol PLUS, which was not installed on this system, would have detected and allowed me to block this change at this stage). On-demand scans by SH detected nothing, both before and after a restart. By comparison, on-demand scans by both MBAM Free and HitmanPro Free (owned by Sophos) detected trojansimulator files as malware on this system, and MBAM was able to remove them.

There is no access to scan log files from the GUI, but they are created as SAV.txt, which can be found by navigating to C:\ProgramData\Sophos\Sophos Anti-Virus\logs\. Or just search for SAV.txt with Windows Explorer.

There is no module to scan emails (a redundant feature, in my opinion).

System Performance Impact

My experience was that SH did not appreciably slow down opening programs, or browsing speed. I was able to measure the times taken by a few tasks as surrogates, for the system with no AV, with Avast, and with SH installed: cold boot times (~60 sec), on-demand scans by HitmanPro (~3 min) and by MBAM (~10 min), and times to open Belarc Advisor (1-2 min) were similar under all 3 conditions.

SH played well with all my security programs. It allowed me to download, install and/or run CCleaner, WinPatrol, Secunia PSI, Emsisoft Anti-Malware, MBAM Free, Sandboxie, MVPS Hosts File, HostsMan, and SpywareBlaster without any conflicts.

Support

Sophos Home for Windows User Community:
https://community.sophos.com/products/sophos-home/f/sophos-home-for-windows

Help Menu and FAQs:
https://home.sophos.com/help

Uninstalling

I was able to easily and cleanly uninstall SH, using these instructions from Sophos:
1. On your computer, click Start > Control Panel > Program Features > Uninstall a Program.
2. Double-click Sophos Anti-Virus to uninstall.
3. Confirm you want to make changes to your computer.
4. Repeat this process for the Sophos AutoUpdate and Sophos Management Communications System components.
5. If prompted, click Yes to restart your computer.

Note that you will have to uninstall all 3 programs that were installed with SH. Sophos does not offer an uninstall tool.

Ref: https://community.sophos.com/kb/en-us/122709


Comments:

This product was all I expected - and less. It is certainly the simplest AV I've ever used, with minimal user input needed (or even possible). Depending on one's level of expertise and expectations, this can be perceived as a feature or as a shortcoming. Those who prefer to tinker with and tweak their AV will be disappointed, as will those who like to regularly run a "quick" scan (or schedule full scans in off hours). But for those who like their AV to run silently with a minimum of alerts or end-user input, or bells and whistles, SH fits the bill. The parental web filtering will appeal to those with young children, leaving aside the odd results of my limited tests. And it comes with no obnoxious nags to upgrade to a paid program. From my point of view the biggest hassle in daily use was having to log into the web dashboard to change anything, and having to search for the scan logs. I suspect the average user will not care much about this, but Sophos really ought to give a little local control back.

However, I do have 2 major concerns.

The first involves the automatic deletion of anything detected, with no option to ignore or quarantine, much less restore. This seems like a prescription for disaster, in the event of a false positive detection of a system-critical file. All AVs are subject to FPs, and SH is no exception. For example, in September of 2016, a SH false positive detection flagged winlogon.exe, an important component of the Windows Login subsystem, as a Trojan program called Troj/FarFli-CT. This blocked logging on to Windows 7 for some users. It is uncertain if this was detected by real-time protection, or only by those running a scan. Sophos fixed the FP with the next update within hours. For more details, see:
https://community.sophos.com/kb/en-us/125000

The second concerns potential incompatibility of SH with the real-time web protection provided by Malwarebytes Anti-Malware Premium. They both use the same technology for intercepting web traffic, and folks using both are reporting problems connecting to the internet. The solution is to mutually exclude SH and MBAM Premium, or alternatively perhaps to disable at least Malicious Website Protection in Malwarebytes or disable Web Protection in Sophos. I have a lifetime licence for MBAM Premium, which I was able to activate after I ran all the above tests. I did not notice any conflicts or web connection problems, but as a precaution followed the advice from Malwarebytes in June 2016, outlined here:
https://support.malwarebytes.com/customer/en/portal/articles/2477531-configuring-exclusions-with-sophos-antivirus-and-malwarebytes-anti-malware?b_id=6438

Conclusion

SH for Windows is a simple and user-friendly free AV for those who don't want to be bothered by their AV, and trust that Sophos can handle all threats. As always, I cannot comment on its efficacy at blocking/removing malware, but eagerly await testing by the independent experts. I was not tempted to install it on my regularly used systems, but will retain it in the meantime on my test unit.
« Last Edit: November 13, 2016, 01:52:40 PM by joe53 »
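The checks described in the post above (which Sophos services and components are present, whether on-access scanning actually removes an EICAR file, and where the SAV.txt scan log lives) can be scripted so they are repeatable on every machine in the household. The following PowerShell is an added example, not code from the original post or from Sophos. Its assumptions are labelled: it matches services and installed programs by the name prefix "Sophos" (the three components joe53 lists all start that way), it uses the SAV.txt path given in the review, and it treats an EICAR file that disappears within 30 seconds as "real-time protection active". Run it from an elevated prompt; it uses only built-in cmdlets that exist on Windows 7 SP1 (PowerShell 2.0) and later.

```powershell
# Added example, not part of the original review or of Sophos Home.
# Assumptions: Sophos services/programs are identified by the "Sophos*" name prefix;
# the scan log is %ProgramData%\Sophos\Sophos Anti-Virus\logs\SAV.txt (path from the review);
# on-access scanning should remove an EICAR test file within $TimeoutSeconds.

function Get-SophosServices {
    # Real-time protection depends on these services actually running.
    Get-Service |
        Where-Object { $_.Name -like 'Sophos*' -or $_.DisplayName -like 'Sophos*' } |
        Select-Object Name, DisplayName, Status
}

function Get-SophosInstalledPrograms {
    # Read the Uninstall registry keys (native and WOW6432Node views) rather than
    # Win32_Product, which is slow and triggers MSI self-repair on every query.
    # This mirrors the "Programs and Features" list used in the uninstall steps.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sophos*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Test-RealTimeDetection {
    # Drop the EICAR test file and watch whether on-access scanning removes it.
    # Returns 'blocked-on-write', 'removed' or 'not-detected'.
    # The test string is assembled from two halves at run time so that this script
    # itself is not flagged while it sits on disk.
    param(
        [string]$Path = (Join-Path $env:TEMP 'eicar_test.com'),
        [int]$TimeoutSeconds = 30
    )
    $part1 = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$'
    $part2 = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    try {
        [System.IO.File]::WriteAllText($Path, $part1 + $part2, [System.Text.Encoding]::ASCII)
    } catch {
        # Some scanners deny the write outright; that still counts as a detection.
        return 'blocked-on-write'
    }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path -LiteralPath $Path)) { return 'removed' }
        Start-Sleep -Seconds 1
    }
    # Nothing acted on it: clean up ourselves so the test file is not left behind.
    Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    return 'not-detected'
}

function Get-SophosScanLog {
    # Tail the scan log the GUI gives no access to.
    param([int]$Tail = 20)
    $log = Join-Path $env:ProgramData 'Sophos\Sophos Anti-Virus\logs\SAV.txt'
    if (Test-Path -LiteralPath $log) {
        Get-Content -LiteralPath $log | Select-Object -Last $Tail
    } else {
        "Scan log not found at $log"
    }
}

Write-Output '== Sophos services =='
Get-SophosServices | Format-Table -AutoSize
Write-Output '== Sophos installed programs =='
Get-SophosInstalledPrograms | Format-Table -AutoSize
Write-Output '== EICAR on-access test =='
Write-Output ("Result: " + (Test-RealTimeDetection))
Write-Output '== Last 20 lines of SAV.txt =='
Get-SophosScanLog
```

A caveat that the review itself illustrates: EICAR only proves that on-access scanning is switched on and will act on a known signature. It says nothing about detection coverage, which is exactly why the trojansimulator file sailed past SH while EICAR vanished. Use the EICAR result as a "is protection enabled" check after installation or an update, not as evidence of efficacy. Because SH deletes detections with no quarantine, keep the test file in a throwaway directory such as %TEMP% and never point this at anything you cannot afford to lose.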

