Showing results for 
Search instead for 
Do you mean 
Posts: 268
Registered: ‎09-20-2010

How to check that your download is genuine – using a checksum

[ Edited ]


If you have downloaded Sophos Anti-Virus for Mac Home Edition version 9 from a location other than Sophos you should confirm that it is genuine by matching the checksum of the file you have with the checksum we publish.  You may also want to checksum the file you have downloaded from to ensure 100% of the file has been transferred to you computer and saved correctly. 


The instructions below guide you through how to generate a checksum for your Sophos download using the correct type of checksum.


What is a checksum?


Each version of a file has a unique checksum. This can be used to determine the authenticity of the file and ensure no part of a large file has been lost during the download process.  There are different checksum methods (common ones are MD5 and SHA).  We publish the check for the Mac Home Edition as a SHA 256 checksum.


Where is the offical Sophos checksum?


Click the link below to see the SHA 256 checksum for Sophos Anti-Virus for Mac v9.



How do I generate a SHA 256 checksum?


You need to use Terminal and generate the checksum with the correct command then match the long code the command generated with the one mentioned in the text file linked above.


  1. From Spotlight open Terminal by typing 'Terminal' and pressing enter.  Example:

  2. Change Directory to the folder containing the file you downloaded.  Commonly this is the 'Downloads' folder.  If so type cd Downloads and press enter.
    Tip:  To show the folder you are currently in type pwd and type cd.. to go up a level and back out of the current folder.  You can type pwd again at any point to see where you are.

  3. Type ls to listed the contents of the current folder.  You will see all the files and folder in the current folder.  The official SAV for Mac v9 download is called '' but if you downloaded from somewhere else the file may have been renamed.  Don't worry, changing the filename doesn't affect the checksum - if the file is genuine!

  4. Once you have found the file you want to generate a checksum for type: shasum -a 256

    Note: change the '' bit to match the file name that you downloaded if different.

    The command will generate a really long code (64 numbers and letters).  Example:
    Important:  The code you see will probably be different from the screenshot above - don't worry.  If your code looks a little short: make sure you have included the -a 256 bit as you need to output a SHA 256 checksum and the 'shasum' program outputs a 'SHA1' if you miss this off.

  5. Compare the 64 character code you see in Terminal's window with the one published in the text file linked above.  They should be identical.



Communities Moderator, Sophos
Knowledgebase  |  @SophosSupport  |  Video tutorials
If a post solves your question use the Accept as Solution button and award kudos.