
Sophos 9.5 Endpoint Antivirus Review


23 March 2011

[Screenshot: Sophos 9.5 main screen]

Sophos has recently released its new 9.5 endpoint protection, which includes cloud integration and a firewall. As one may know, I have used Sophos antivirus programs for 8 years, and I have been generally happy with the performance. I currently have one installation protecting a Windows server and appreciate the maintenance-free operation compared to competitors. I also appreciate that the company tends to be at the forefront of combating the latest viruses and exploits (essentially pushing the boundaries in the industry). Also new in this version are tamper and web protection, Sophos Live real-time updating, and more.

The installation of Sophos 9.5 was easy. There are two versions of the endpoint protection: the 70 megabyte standard edition and the 75 megabyte edition with a firewall. What's nice is that both setup files support 32 and 64 bit systems all the way back to Windows 2000, in one compact executable. The installer prompted to install the optional firewall component and also has an option to remove third-party security software that may conflict with the program. After the installation completed, a restart was required to install the firewall driver. After the reboot, it took Windows an additional 20 seconds to finish booting to the desktop.

[Screenshot: new scan in progress, 35 percent]

The Sophos 9.5 scanning options remain the same, with "Scan my computer" and "Set up a new scan". However, within the customize scan option there are new settings to configure. In the advanced area one can specifically set which types of archives to decompress and which file types to skip. This appears to be one of the most advanced exclusion lists of any free antivirus tested. Sophos 9.5 scans at approximately 6 to 7 megabytes per second, putting it slightly above the benchmark antivirus. The program immediately detected a virus on the test system, which ironically is Blue Atom Antivirus (Antivirus.exe, flagged as Sus/Com-Pack-C). Now this is clearly a false positive, which I believe is attributable to an overly sensitive HIPS engine. I have also received a false positive from WebEx PCNow by Cisco via a Reg-Mon alert. NirCmd.exe was also found on the test system and is actually malicious. The scan takes quite a while to finish (speed hasn't changed significantly from previous versions, and after 20 minutes it was still at 2%, presumably because of the rootkit scan, which is separate and slow). If one wants the scan to be faster, disable the rootkit option.

[Screenshot: advanced scanning settings]

In addition to an antivirus engine, Sophos 9.5 includes a firewall. The problem is that this firewall prompts for every network access by every application. For example, simply opening a common browser such as Internet Explorer or Firefox, one is prompted to allow or disallow. The tradeoff is that for a small business or organization a large firewall rule set could be beneficial in blocking unwanted inbound and outbound connections; however, for an individual, classifying every single firewall rule could be extremely tedious (not to mention the radio buttons are in a different order from alert to alert). I think the firewall should at least include some auto-learning rules for common applications. However, some good things about the firewall are its advanced handling of ICMP traffic (a frequently abused protocol), a LAN exclusion list for local networked computers, location-based rule sets for roaming and wireless users, and an improved logging system which shows active connections and hidden processes.

[Screenshot: firewall prompts for Internet Explorer and Firefox]

Some additional intriguing features are the tamper protection, in which a user must enter a defined password to uninstall or modify the program, and a secondary update server if the first one fails.

Resource usage is about the same with Sophos 9.5. The program uses about 160 megabytes across 9 processes while idle. When scanning, the memory usage remains about the same and it uses about 10 percent CPU, which is more than the average free antivirus.

[Screenshot: tamper protection and secondary update server]

Some things that I would like to see improved are a more user-friendly interface (probably won't matter in a business setting), more efficient resource usage, possibly a memory scan, and better details about scans (a separate progress bar for each scanner).