11-12-2012 12:50 PM
Periodically my outbound firewall LittleSnitch tells me that Sophos AV for Mac is trying to contact the IP at 10.0.0.98. This would be the address of the DNS nameserver that my company operates over a VPN.
Why would Sophos be trying to contact this server?
11-12-2012 11:59 PM
For AutoUpdate the download server has to be resolved - this should happen at 1-hour intervals. In addition, if Live Protection is enabled, when a lookup-enabled detection is triggered.
11-13-2012 03:36 PM
Just to clarify: Live Protection uses custom DNS requests to contact Sophos regarding suspicious files. The DNS lookup request is actually transferring the data to be examined to the Live Protection server; the response to this request contains the "good/bad" verdict. This data does not contain any actual content from your computer, but contains a hash of the flagged file, to be compared to known hashes in the Live Protection system. For it to work, Little Snitch has to let these queries go through.
If you have auto-update and live protection disabled, Little Snitch should not be triggering any Sophos-related connection attempts.
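A sketch of the hash-over-DNS lookup described in the reply above, added here as an illustration; it is not part of the original post and not Sophos's actual protocol. The zone name `reputation.example`, the label layout and the verdict addresses are all assumptions.

```python
import hashlib

# Hypothetical values for illustration only; the real service's zone,
# name layout and answer encoding are not given in the thread.
LOOKUP_ZONE = "reputation.example"
CHUNK = 32            # hex chars per label (a DNS label may hold at most 63)
MAX_NAME = 253        # maximum length of a full DNS name
VERDICTS = {"127.0.0.1": "clean", "127.0.0.2": "malicious"}
HEX = set("0123456789abcdef")


def build_lookup_name(file_bytes, zone=LOOKUP_ZONE):
    """Client side: encode only the file's SHA-256 digest into a query name."""
    digest = hashlib.sha256(file_bytes).hexdigest()      # 64 hex characters
    labels = [digest[i:i + CHUNK] for i in range(0, len(digest), CHUNK)]
    name = ".".join(labels + [zone])
    if len(name) > MAX_NAME:
        raise ValueError("query name exceeds DNS length limit")
    return name


def parse_verdict(answer_ip):
    """Client side: map the A record in the response to a verdict."""
    return VERDICTS.get(answer_ip, "unknown")


def looks_like_hash_lookup(qname, zone=LOOKUP_ZONE):
    """Reviewer side: True if a logged query name carries exactly one
    SHA-256-sized hex payload under the expected zone and nothing else."""
    qname = qname.rstrip(".").lower()
    suffix = "." + zone
    if not qname.endswith(suffix):
        return False
    payload = qname[:-len(suffix)].replace(".", "")
    return len(payload) == 64 and set(payload) <= HEX


if __name__ == "__main__":
    sample = b"constructed sample file contents"   # constructed input
    qname = build_lookup_name(sample)
    print("query name :", qname)
    print("hash only  :", looks_like_hash_lookup(qname))
    print("verdict    :", parse_verdict("127.0.0.2"))
```

The query goes to whatever resolver the system is configured to use, which is why an outbound firewall shows the connection as going to the local or VPN DNS server rather than to the vendor.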
11-13-2012 04:55 PM
Yes, I do have Live Protection enabled. What I gather from your response is that Sophos AV needs to make a DNS call in order to contact the Sophos server. This seems perfectly normal. It just so happens that we use our own DNS server on our VPN. So that explains it.
My original question arose because it seemed like "it kept doing this". This may be an artifact of my use of Sophos, in that I probably cleared some rules, so the rules had to be set up again. Plus I probably only created temporary rules, and thus the notifications from LittleSnitch recurred. Finally, there have been some threat reports recently of malware in emails filtered by my spam filter. So this again all makes sense.
Thanks for your response.