Most major antivirus companies cater to both the consumer and business markets. Sophos is no exception. This company’s main focus is on the business side, but consumers can get much of the same business-grade antivirus protection in the form of Sophos Home Free. It earns a great score in our antiphishing test, but doesn’t do so well in our hands-on malware protection test, and its independent lab results, while good, aren’t current. Still, it’s worth consideration, especially if you need to manage free antivirus protection for others.
In a business setting, employees don’t manage their own security tools. Rather, the IT department handles that task remotely. It’s not surprising, then, that configuration for Sophos Home is an online affair. With a free subscription you can install the product on three systems, Windows or macOS, and manage them online. So, for example, you could install the product on an aging relative’s computer, and remotely view and manage security events. A paid subscription to Sophos Home Premium lets you manage up to 10 installations.
Installation was simple, if not quick in my testing. The installer warned that the process would take about five minutes, and it did. The very simple main window reports security status and offers two big buttons, one to scan for malware and one to manage settings. Clicking the latter takes you to the online management console. I verified that changes online took effect quickly. For example, when I turned off real-time protection the status panel changed to a warning in less than 10 seconds.
Lab Results Hiatus
For an evidence-based check on each antivirus utility’s protective abilities, I turn to four independent testing labs: AV-Test Institute, AV-Comparatives, SE Labs, and MRG-Effitas. Researchers at these labs put products through grueling tests and report their effectiveness. These are big operations, with more resources than I can bring to bear on a product, so I pay great attention to their findings.
In the past, Sophos has exhibited good ratings. Last year it earned AAA certification from SE Labs, the best of five certification levels. When last tested by AV-Test, it took 17.5 of 18 possible points. However, Sophos doesn’t appear in the latest reports from any of the labs that I follow.
My Sophos contact noted that AV-Test Institute recently tested the business-facing product, Sophos Endpoint Protection. With six points possible in each of three categories, it earned 5.5 for protection against malware, 5.0 for low performance impact, and 6.0 for few false positive reports. My contact noted that “we plan to participate in tests starting in 2018.” I look forward to having more lab reports including Sophos.
Bitdefender and Kaspersky both earn top marks in almost every test from all four labs. I created an algorithm to map all the tests onto a scale from 0 to 10 and derive an aggregate score. That algorithm gives Kaspersky a perfect 10, but there’s an asterisk. Kaspersky Free doesn’t include all features of the paid product, so it might not have done as well in testing. In my own hands-on testing, the free edition didn’t do quite as well.
Until recently, Bitdefender has cruised along with a 9.9 aggregate score, but a recent lower score brought that down to a still-good 9.0, the same as Avast. Here, too, it’s possible that Bitdefender Antivirus Free Edition might not have earned the same score.
I mentioned that you can install Sophos on both Windows boxes and Macs. Sophos Home (for Mac) recently earned certification from AV-Test, with 100 percent protection against Mac malware. It also eliminated more than 99 percent of Windows malware, and more than 95 percent of Mac PUAs (Potentially Unwanted Applications).
Hands-On Malware Protection Testing
Sophos doesn’t bother with multiple scan types. When you click Scan My Computer, it simply runs a full scan. You should definitely run a scan right after installation. Going forward, the real-time protection should handle any new malware attacks. On my standard clean test system, the scan seemed to go quickly at first, but it slowed way down at 92 percent, finishing in 43 minutes. The current average is 52 minutes, so this is a decent time.
Some antivirus utilities use the initial scan to mark known safe files, so they don’t have to scan them again. That can drastically reduce the time for subsequent scans. For example, Norton’s initial scan took an hour and 50 minutes, while a repeat scan finished in just 15 minutes. By observation, Sophos doesn’t attempt this kind of optimization. A repeat scan took just as long.
When I opened a folder containing my current malware collection, Sophos started deleting those it recognized. For each detection, it slid in a transient popup at the top right corner of the screen. These popups didn’t stay visible for long. I noted that some of the detected samples vanished from the folder on detection while others did not. Checking the account online, I found a lengthy list of PUAs whose fate awaited my decision. I clicked to clean them all, then clicked History to view the list of all removed threats. Sophos removed 74 percent of the samples on sight. That’s decent, but Symantec Norton AntiVirus Basic got 96 percent at this point.
I maintain a second set of samples, modified versions of the original collection. For each sample, I change the name, append zeroes to change the file size, and tweak some non-executable bytes. Sophos wiped out some of these as well, but not many. More than half of the tweaked samples whose originals Sophos whacked got past this initial inspection. Of course, the antivirus would have another chance to detect them at launch. And the missed modified samples didn’t include any ransomware.
To finish the test, I launched each sample that survived the initial antivirus purge. Sophos did manage to strip the bundled malware from a couple samples rather than deleting the whole package, which is good. It also missed a few. In one case, it reported that it blocked installation of a PUA over and over, so clearly another malware component was actively running, attempting that installation repeatedly.
When I totaled the results, I found that Sophos detected 89 percent of the samples and earned 8.4 of 10 possible points, the same as Trend Micro and barely above Microsoft Windows Defender Security Center. That’s not great, and I don’t have recent lab reports to fall back on. Still, previous success and good scores from the related business product somewhat offset this score.
Tested with the same set of samples, Norton and Webroot both managed 100 percent protection. The free Comodo Antivirus achieved the same feat against my previous malware collection. Tested with that previous collection, Avast scored 9.7 points and AVG took 9.5.
Like most antivirus utilities, Sophos Home includes a component that keeps your browser from connecting to malware-hosting websites. I test this feature using a feed of recently discovered malware-hosting URLs supplied by MRG-Effitas. Even though these are typically just a day old, some have already vanished, or no longer include malware. I work through the feed, launching URL after URL. For those that are still dangerous, I record whether the antivirus kept the browser from visiting the URL, eliminated the malware during download, or totally whiffed the detection.
I found that Sophos blocked these dangerous downloads in five distinct ways. For URLs already on the blacklist, it displayed High Risk Website Blocked in the browser, along with an identifier for the malware that got the URL blacklisted. It also slid in a transient popup warning. For new discoveries, it reported Malicious Content Blocked, also identifying the detected malware. For the rare HTTPS site, the browser displayed an error message; the only indication that Sophos did anything was the transient popup. In a few cases, the reputation-based Download Protection displayed a big desktop overlay warning, with buttons to go ahead or (recommended) abort the download. I always chose the latter. Finally, if none of those protections kicked in, real-time protection scanned the payload for malware.
Out of 100 test URLs, Sophos blocked 92 percent, 84 percent by steering the browser away from the URL and 8 percent by wiping out the malware payload. That’s better than most. However, Norton managed 98 percent protection, and Trend Micro came close with 97 percent. Avira Antivirus came in third, with 95 percent.
When I repeated this test using Sophos Home Premium, the total protection rate came out the same. However, some of the samples that previously made it to the download phase were now blacklisted. My contact at Sophos confirmed that this makes sense. My previous test could well have been the tipping point to earn the site a spot on the blacklist.
Impressive Phishing Protection
Where a malware attack attempts to subvert your device, a phishing attack aims squarely at you, the user. Phishing fraudsters construct websites that look exactly like PayPal, or your bank, or even a gaming site, and hope you’ll foolishly enter your username and password. If you bite, the fraudster owns your account. These fraudulent sites quickly get blacklisted, but the perpetrators simply put up new ones.
The most dangerous phishing sites are those that are too new to have hit the blacklist. For testing, I scrape phishing-related websites for the newest reported fraudulent URLs. I launch each one in five browsers simultaneously. The product under test protects one browser, naturally, and another uses Norton, which consistently scores high against phishing. The other three rely on the protection built into Chrome, Firefox, and Internet Explorer.
The same Sophos component that detects malware-hosting URLs also protects you from phishing websites. In testing, I found that just about all of the detections used the High Risk Website warning, meaning the URL showed up on a blacklist. Just a handful reported new detections, identifying the threat as Malware/Phish-A. I did run into quite a few HTTPS sites. When Sophos blocked those, the browser displayed an error, and the transient slide-in notification was the only sign of its activity.
I discarded results for any URLs that weren’t true examples of phishing, and for any that couldn’t be reached by one of the browsers. Running the numbers for the rest, I found that Sophos did very well. More than half of recent products couldn’t beat the phishing protection in one or more of the browsers; nearly one in five scored lower than all three. Sophos beat them all, and its detection rate was just 2 percentage points behind Norton’s. Kaspersky’s free antivirus only lagged Norton by 1 percentage point. ZoneAlarm tied Norton, but that was the paid product. Check Point ZoneAlarm Free Antivirus+ doesn’t offer phishing protection.
A few products have done even better in this test. Bitdefender Free and Trend Micro actually beat Norton’s detection rate, by 5 points and 3 points respectively. And the full-scale Bitdefender Antivirus Plus came in a full 12 percentage points better than Norton’s score.
On the other hand, AVG AntiVirus Free took a serious tumble the last time I tested its phishing protection. In previous tests it typically lagged Norton by 20 to 30 percent. I’m not sure what happened, but it came in fully 70 percent behind Norton in the latest test. The developers promised better results next time; I’ll hold them to that promise.
Limited Parental Content Filter
Like the Mac antivirus from Sophos, this product includes a simple content filter. You can apply a measure of parental control to any of your managed devices using this filter. There are 28 content categories, divided into three groups: Adult & Potentially Inappropriate, Social Networking & Computing, and General Interest. You can configure Sophos to block any category or an entire group. There’s also an option to have it warn against accessing a category without actively blocking it.
In testing, the filter blocked all the racy sites I tried to visit, and it wasn’t fazed by the three-word network command that disables a few old-school filters. When I set it to just warn, it clearly stated that visiting the site may be inappropriate, and pointed out that the act of proceeding would be logged.
However, Sophos has significant limitations. Unlike most other content filters, it’s not browser-independent. It supports Chrome, Edge, Firefox, Internet Explorer, and Opera, but did nothing when I tried with Vivaldi. Because it can’t filter HTTPS traffic, a clever teen can totally evade both filtering and monitoring by using a secure anonymizing proxy.
Sophos doesn’t attempt to force Safe Search or cover up naughty pictures. If your teenager just wants to view naked girls (or guys), a simple image search will do the job.
This component won’t prevent a determined youth from ogling nudes or watching violent content. It could work to buffer a younger child against accidentally running into something nasty. Note, though, that you configure it on a per-device basis, not for each user account, so whatever filters you set up affect all users. At least it’s a bonus, not a central feature of this product.
Well Worth a Look
Sophos Home Free earns a very good score in our hands-on malicious URL protection test and an even better score in our antiphishing test. It doesn’t fare well in the malware protection test, but it has managed very good scores with the independent labs in the past. However, Sophos doesn’t appear in the latest reports from the labs that we follow; it should return in 2018.
AVG AntiVirus Free and Avast Free Antivirus appear in test results from all four of the independent labs that we follow, and routinely earn scores from very good to excellent. These two are our Editors’ Choice free antivirus utilities. Since Avast’s acquisition of AVG, both use the same underlying antivirus engine, but they retain other distinguishing qualities.