Sophos Antivirus and macOS Catalina...

22 Oct 2019

So macOS Catalina is here. I and others have been working on getting our systems ready for Catalina for the last few months… and we’re just about there thank goodness!

There are lots of new features in Catalina… with Data Protection being a big deal when it comes to our anti-virus tool, Sophos. From Apple’s webpage:

Data protections:

macOS Catalina checks with you before allowing an app to access your data in your Documents, Desktop and Downloads folders, iCloud Drive, the folders of third-party cloud storage providers, removable media and external volumes.

Which is a problem for an anti-virus application that expects to have access to the whole disk - to make sure no nasties end up on your computer…

MDM to the rescue?

Apple’s mobile device management (MDM) framework does allow an admin to grant specific applications Full Disk Access to they can continue doing what they need to do.

Sophos support originally produced some frankly horrible instructions… but recently we finally got some documentation that was a little more helpful.

However - it wasn’t perfect… we don’t use Jamf and we don’t use Profile Manager.

Our MDM of choice SimpleMDM does allow for adding Privacy Preferences - but the UI didn’t seem to lend itself to adding all of the components required in that Sophos doc.

Open source tools to the rescue?

Enter Erik Berglund’s ProfileCreator - a GUI application for creating Apple configuration profiles. This made quick work of creating a suitable profile that I could upload into SimpleMDM as a “Custom” profile.

profile creator is magic

It was added at the device level… and appears to be installed correctly by SimpleMDM.

But how do we test that it’s working?

I was expecting to see Sophos or some Sophos components “pre-approved” in the Security & Privacy –> Privacy –> Full Disk Access part of system preferences. But, nope - nothing.

full disk access

So is it working or not?

LightBulb

There’s an anti-malware testfile available from eicar which isn’t actually a virus - but is detected as such by anti-virus applications!

So - if the eicar test file is downloaded to a user home directory and gets detected as malware - that proves the profile is actually doing something…

so that’s what I tried, running

curl https://secure.eicar.org/eicar.com >> test_file.com to download the test file to a user home directory on a device enrolled in MDM with the Sophos “Full disk access” profile installed.

Bingo! Detected as Malware. Then I repeated the experiment after manually unenrolling, and rebooting for good measure…

…and it looks like Sophos can still see malware and viruses, but what it can’t do is remove or quarantine them.

This is a concern - as we’ve configured Sophos to raise a ticket automatically if it finds malware it can’t remove. In a Sophos install without “Full Disk Access” approval, that’s basically every. Single. Detection… :(

MDM to the rescue!

It’s great for now that we can use the profiles framework and SimpleMDM to ensure Sophos can continue to work as expected.

If you’re a Sophos user - and are interested in what the profile looks like - you’ll find a copy here.

Published on 22 Oct 2019 Find me on Twitter!