Saturday, May 7, 2016

In Depth: Using Sophos Home Antivirus

Sophos Home: Free commercial-grade security for the home.
Is Windows Defender not cutting it for you? Do you feel like Windows Defender isn't as good as the run-of-the-mill antivirus vendors on the market right now? Well, you wouldn't exactly be alone. Microsoft's own security product has improved drastically over the years, but it still seems a little off the pace when it comes to detecting newer infections.

Recently, I've discovered Sophos Home Antivirus after a recommendation by a user on Techtronix when the lounge (network lobby) was discussing antivirus/antimalware software. I decided to take a look because I was kinda bored of the Windows Defender + Malwarebytes Pro (that was going to expire soon anyways). After using the software for a few weeks, I've finally reached the conclusion that Sophos Home is actually software worth considering, especially if you're in the market for antivirus software.



Preface

Before I begin my in depth coverage of Sophos Home, I'd like to thank those who have already contributed to the current ongoing project, Redshift. Due to funding from readers here on Techman's World, Redshift has been constructed to an operational capacity.

This tutorial was conducted in a virtual machine. The stats are as follows:

With all of that being said (and I can answer more questions in the comments), let's get into the post.

Pre-install: Registering for Sophos Cloud

Sophos Dashboard: Creating an account
Sophos makes use of their well-known Sophos Cloud in their home product, much like in their enterprise-grade solutions. Sophos Cloud is basically an online control center that allows you to manage the antivirus software installations on all connected computers, from any device. Using Sophos Cloud, you can remotely enable or disable certain protections, add exceptions, conduct scans, and so on.

Sophos Cloud is a prerequisite to using Sophos Home; there is no way around this. I'll argue more about the advantages of a cloud-managed product later on in the post, but for now I hope that doesn't put you off right from the start.

Because the Sophos Cloud account can turn protection on and off and add exceptions on every machine enrolled in it, treat it like an administrative credential: anyone who logs in as you can quietly weaken the protection on all of your PCs. Use a long, unique password, and use a modern password manager that can generate one for you rather than picking something memorable.

Installing

Sophos Dashboard: Overview screen
After registering an account on Sophos Cloud, you'll be taken to an overview screen that shows all of your connected devices. You can add up to 10 devices, whether those devices are PCs running Windows or Macs. Above is a (slightly censored) screenshot of my Sophos dashboard before I installed Sophos in my test VM. You'll see the machine in later screenshots.
To add a device to the dashboard, click the "Add Device" link in the left sidebar. The executable you download (it was "SophosInstall.exe" for me) is tied to your account: any machine it is installed on is automatically linked to your Sophos Cloud account. That cuts both ways, so treat the installer as a secret. Be careful about sharing it with others or backing it up online, since anyone who gets hold of it can enroll machines into your dashboard.
Sophos Extractor

Welcome to the Sophos Home Installer
When you run the .exe, a self-extractor will open (because the contents are compressed to save space) and eventually a normal-looking setup screen will appear. There is only one thing that requires user input: clicking "Install".
Installing Sophos Home
The time it takes to install Sophos Home depends entirely on the machine in question. Sophos is a decently sized piece of software, and installation time varies with the type of drive (HDD vs SSD), processor speed, network download speed, and so on. The installer says 10 minutes, but it didn't take nearly that long for me; it took around 3 minutes. While installing, Sophos also downloads updates to itself, and network speed is the only thing that dictates how fast that part of the setup goes.
Installation is Complete
When finished, just click "Finish". Yep, no reboot required.

User Interface (Client side)

Sophos Home Client UI
Upon opening the Sophos Home interface, you'll immediately notice how simplistic (or if you're like me, how feature-lacking) it is. There are upsides and downsides to this kind of approach, but a big benefit is that more novice computer users (like my mother and father) won't feel overwhelmed.

There's not a whole lot that can be done on the client side of Sophos Home. The main controls are done via Sophos Cloud. Here's what the client UI can do, though:
  1. Run full scans
  2. View exceptions (antivirus, websites, applications)
  3. View help documentation
  4. View software version & time of last update
  5. Open a web browser window with the Sophos Dashboard
Sophos Cloud is what I would consider to be "the other side" of the controls for this product. Because it is so significant, I've given it its own section below. One thing is pretty clear, though: this product relies heavily on the Sophos Cloud. Downtime of that service would affect your ability to manage the product (changing settings, adding exceptions, kicking off scans), although the client keeps its own local signature database, so signatures already on the machine keep working without the dashboard.
Scan with Sophos Home
When you install Sophos Home, an option is added to the right-click context menu for certain items. That option, of course, is to conduct an on-demand scan of the selected content. I'm not sure whether this is the fault of Sophos or of the Windows teams over at Microsoft, but the "Scan with Windows Defender..." option is still present in the context menu even when Sophos is enabled. When another antivirus product is installed and registered as active on Windows, Windows Defender's real-time protection is automatically turned off. If you choose to scan using Windows Defender, it errors out because Defender is turned off, but I found this a little interesting.
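If you want to confirm which product Windows actually considers the active antivirus (rather than trusting a leftover menu entry), the following PowerShell snippet, which is an added example and not from the original post or from Sophos, lists every product registered with Windows Security Center and asks Defender for its own status. It assumes a Windows 10 client with the Defender PowerShell module available; the `root/SecurityCenter2` namespace it queries is not present on Windows Server. The decoding of the `productState` bit field is the commonly documented community interpretation, not an official Microsoft one, and is marked as an assumption in the comments.

```powershell
# Added example (not from the original post): list the antivirus products that
# Windows Security Center knows about, and whether Defender has stepped aside.
# Assumption: Windows 10 client; root/SecurityCenter2 does not exist on Server SKUs.

$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'

foreach ($p in $products) {
    # productState is a bit field. Community-documented decoding (assumption,
    # not an official Microsoft spec):
    #   bits 8-15 = 0x10  -> product enabled / real-time protection on
    #   bits 0-7  = 0x10  -> definitions out of date
    $enabled  = (($p.productState -band 0x1000) -ne 0)
    $outdated = (($p.productState -band 0x0010) -ne 0)
    '{0,-35} productState=0x{1:X6} enabled={2} definitionsOutdated={3}' -f `
        $p.displayName, $p.productState, $enabled, $outdated
}

# Defender's own view of itself. With a third-party product registered and
# active, RealTimeProtectionEnabled is expected to be False, which is why the
# leftover "Scan with Windows Defender..." context-menu entry fails.
$mp = Get-MpComputerStatus
'Windows Defender: AntivirusEnabled={0} RealTimeProtectionEnabled={1}' -f `
    $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled
```

Run it from an elevated PowerShell prompt after installing Sophos Home; you should see both Windows Defender and Sophos Home listed, with only Sophos showing as enabled and Defender reporting real-time protection off.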

User Interface (Server side)

REDSHIFT-WINTES Overview on the Sophos Dashboard
The server-side interface (Sophos Cloud) is where all settings for Sophos Home are changed. Items such as exceptions must be set via the Sophos Cloud rather than at the client. There are obvious upsides and downsides to this, but I think the reasoning of the Sophos developers goes like this: you can remotely administer the protection of a PC without a user on that PC being able to disable the software. For example, you can install Sophos on a child's machine and decide to block a website without fear of the child disabling the software, provided other good security practices (such as the child not having a local administrator account) are followed.

When you click on a machine in the Sophos Dashboard, you'll be taken to its own overview page, as pictured above. Those are the 3 main settings toggles for the machine in question. You can control real-time protection, PUP (potentially unwanted programs), and web protection. Ticking the On/Off button will have an almost instant effect in Sophos Home itself. The longest delay that I've ever seen was just a few seconds.


Exceptions

Exceptions / Exclusions

Antivirus and other exceptions are controlled via the Sophos Dashboard. They are shown in the Sophos client UI, but you can't change them without visiting the dashboard.

Exceptions are set per machine. There isn't a global sync of exceptions for all machines that are added to your account, although this could be an interesting feature to have. For all machines that I have tied to my account, I have to individually add exceptions for all common pieces of software.

As far as I can tell, exceptions are applied almost as soon as they are set (the same few-second delay as the protection toggles). I haven't seen Sophos attempt to scan directories that are on the exceptions list, nor does Sophos scan those directories if you run a right-click context menu scan on them. Keep that in mind when adding exceptions: an excluded directory is a blind spot for both on-access and on-demand scanning, so exclude the narrowest path that solves your problem rather than a whole drive or profile.
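A simple way to verify that an exception really does what you think, and to see for yourself the auto-removal behaviour described in the wrap-up, is to drop the standard EICAR antivirus test file into an excluded directory and into a normal one and compare what happens. The PowerShell below is an added example, not code from the original post or from Sophos; it assumes you have already added the `$Excluded` directory as an exception in the Sophos Home dashboard and that `$Control` is an ordinary directory on the same machine (both paths are placeholders you can change).

```powershell
# Added example (not from the original post): check that a Sophos Home exception
# suppresses detection by writing the EICAR test file inside and outside it.
# Assumptions: $Excluded is already an exception in the dashboard; $Control is not.
param(
    [string]$Excluded = 'C:\Temp\sophos-excluded',
    [string]$Control  = 'C:\Temp\sophos-control'
)

# The EICAR test string, assembled from two halves so that this script file is
# not itself flagged on disk. The file it produces is harmless, but every
# mainstream scanner is expected to detect it.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'

foreach ($dir in @($Excluded, $Control)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $path = Join-Path $dir 'eicar.com'
    # Plain ASCII, no BOM, no trailing newline: the test file must be exactly 68 bytes.
    [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
}

# Give real-time protection a moment to react, then report what is still there.
Start-Sleep -Seconds 10
foreach ($dir in @($Excluded, $Control)) {
    $path = Join-Path $dir 'eicar.com'
    $state = if (Test-Path $path) { 'still present' } else { 'removed by the scanner' }
    '{0,-40} {1}' -f $path, $state
}
```

The expected outcome, given what the post describes, is that the copy in the control directory is detected (and, if Sophos rates it severe enough, removed automatically) while the copy in the excluded directory is left alone. If both files survive, check the dashboard's event log before concluding anything: a detection that was logged but not cleaned looks identical on disk to no detection at all. Right-click each directory and run a "Scan with Sophos" afterwards to confirm that on-demand scans honour the exception too.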


Web Controls

Web Category Access
The Sophos Dashboard has one component left that I'd like to touch on: its web controls. Using the web category feature, you can choose to block certain categories of websites on a specific machine. An ideal use case for this feature would be PCs that children use. Maybe you don't want them browsing pornography, or getting involved with online chat rooms. Maybe you don't want them on Amazon running up a huge bill on your credit card (but that's another set of issues entirely). Whatever the reason, Sophos has these nice categories that you can choose to either allow, show a warning for, or block.
Website Blocked: amazon.com. To keep you secure online, access is blocked to websites categorized as Shopping. This setting can be changed in the Sophos Home Dashboard.
The Sophos Dashboard doesn't tell you what sites fall into each category, but I decided to test out its blocking feature anyways. I went ahead and blocked "Shopping", and proceeded to head on over to amazon.com in Microsoft Edge. 
Sophos Home - Web Content Blocked. Access to some content on this website was blocked.
But wait, what if you visit amazon.com via HTTPS? Sophos will still block the website, but it won't show that nice block page within Edge. Because the content of an HTTPS connection is encrypted, Sophos can't substitute its own block page into the response; it simply closes the connection and shows an alert in the Windows notification area instead. So if a site appears to fail with a connection error rather than a Sophos block page, check the notification area before blaming the network.

If you set a category to warn instead of block, you'll get this kind of message:
Questionable Website: www.amazon.com. This website may contain questionable content categorized as Shopping and you are warned that you may not want to proceed. You can either proceed at your own discretion or return to the page you were previously viewing. If you proceed, this will be logged in your Sophos Home Dashboard.
Indeed, if you do proceed to visit a website that Sophos threw a warning for, it will be logged in the dashboard. I guess this could be a less restrictive way for parents to monitor their children, or employers to tip off their employees (in Sophos' enterprise product) that they don't want them to visit certain websites.

Sophos' web blocking isn't fool-proof, though. Category filtering is only as good as the categorization database behind it, and a site that hasn't been categorized simply passes through. I already found a website that wasn't in their Shopping category: Jet.com. At the time of this post, that site still wasn't present in their filter. I've actually used Jet before to buy 4 desktop fans for use in Redshift.

Antivirus Testing

I'm not too educated on testing viruses in virtual machines (specifically, how to secure the network), so I didn't cover this section, for now. However, I'm going to embed 2 videos from YouTube channels that I personally trust when it comes to antivirus testing and reviews. That would be The PC Security Channel and Remove-Malware.com / mrizos, respectively.


Wrap-up

Overall, I think that Sophos Home is probably the newest free antivirus product that is actually worth its salt. It comes from a very reputable company whose main audience is the enterprise space, and it offers the basic features that I think every antivirus product should have. Compared to the likes of Bitdefender Free, Sophos Home has the ability to add exceptions, something I consider absolutely essential in any antivirus I would personally use. Sophos Home automatically removes severe threats that it finds, but it leaves less-severe detections for the user to decide on.

Sophos Home is what I've been using on Redshift for the past few weeks, and I have a very high opinion of it. If you're in the market to try a different antivirus, give this one a try.