Sophos UTM is very versatile when it comes to the deployment options available to you. You can purchase a physical hardware appliance, or deploy a virtual appliance on your own hardware, usually via VMware or Hyper-V. This guide takes you through all the steps necessary to deploy Sophos UTM on Hyper-V.

Before you begin

The components you will need include:
- A physical machine with at least two physical network adapters or a similar multi-port adapter.
- An Internet connection such as a DSL router or similar service from your ISP.
- Windows Server 2012 R2.
- An internal network using the 10.x.x.x range.

Step 1 – Download Sophos UTM ISO

Start by downloading the Sophos UTM ISO image, as this may take some time to complete, and you can perform Step 2 below while you wait. Browse to the Sophos UTM download page.
Follow the download process and Sophos will email you a license key and grant you access to the downloads. You will need this key, in the form of a license file, to complete the setup.
Step 2 – Hyper-V configuration

This guide uses a Windows Server 2012 R2 host. The Hyper-V host is configured with two NICs. One will be patched directly into a DSL router. The other is patched into the internal corporate network.

Step 2.1 Configuring host networking

Two virtual switches need to be created. The Internet-facing virtual switch is named External – Internet. The connection type is External and the relevant NIC is selected. This virtual switch is not checked to “Allow management operating system to share this network adapter”, so the Hyper-V host itself has no presence on the Internet side of the firewall.

The internal network facing virtual switch is named Internal – Corporate. The connection type is External and the relevant NIC is selected. This virtual switch is checked to “Allow management operating system to share this network adapter”.

Step 2.2 Creating the virtual machine

The Sophos UTM appliance has very moderate minimum requirements from a CPU and RAM perspective. Because I have more resources available, I am going to create the virtual machine with the following specifications. I have found the UTM to perform smoothly with most options enabled with this specification:
- Generation 1 virtual machine.
- 4 x CPU.
- 4 GB RAM, static.
- HDD 127 GB, dynamic.
- The Sophos UTM ISO downloaded in Step 1 above attached as a DVD drive.
- Two network adapters: one connected to the Internal – Corporate switch, one connected to the External – Internet switch.

If all the steps have been completed successfully, there should be no errors during start-up. In case you missed it, the web admin URL is listed at the bottom of the screen.
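As an added example, not part of the original guide, the same Step 2.1 and 2.2 configuration expressed with the Hyper-V PowerShell module on the Windows Server 2012 R2 host. The physical adapter names, storage path and ISO path are assumptions; replace them with your own.

```powershell
# Added example, not from the original guide: builds the two virtual switches (Step 2.1)
# and the UTM virtual machine (Step 2.2) with the Hyper-V PowerShell module.
# Run from an elevated PowerShell prompt on the Hyper-V host.
#
# ASSUMPTIONS (replace with your own values): physical adapter names, VM storage path, ISO path.
$ExternalNic = 'Ethernet 1'               # NIC patched directly into the DSL router
$InternalNic = 'Ethernet 2'               # NIC patched into the internal corporate network
$VmName      = 'Sophos-UTM'
$VmPath      = 'D:\Hyper-V'
$IsoPath     = 'D:\ISO\sophos-utm.iso'    # the ISO downloaded in Step 1

# --- Step 2.1: virtual switches ---------------------------------------------------------
# The guide writes the switch names with an en dash; a plain hyphen is used here.
# Internet-facing switch. The management OS is NOT allowed to share this adapter, so the
# Hyper-V host itself never has an address on the untrusted side of the firewall.
New-VMSwitch -Name 'External - Internet' -NetAdapterName $ExternalNic -AllowManagementOS $false

# Corporate-facing switch. The connection type is still "External" from Hyper-V's point of
# view (it is bound to a physical NIC); the host shares it so it stays reachable on the LAN.
New-VMSwitch -Name 'Internal - Corporate' -NetAdapterName $InternalNic -AllowManagementOS $true

# --- Step 2.2: the virtual machine ------------------------------------------------------
# Generation 1, 4 GB RAM, 127 GB dynamically expanding VHDX, first adapter on the corporate
# switch (New-VM creates a single adapter named "Network Adapter").
New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 4GB -Path $VmPath `
       -NewVHDPath (Join-Path $VmPath "$VmName\$VmName.vhdx") -NewVHDSizeBytes 127GB `
       -SwitchName 'Internal - Corporate'
Set-VMProcessor -VMName $VmName -Count 4
Set-VMMemory    -VMName $VmName -DynamicMemoryEnabled $false   # static 4 GB, as in the guide

# Attach the UTM ISO. Generation 1 VMs normally come with a DVD drive; add one if absent.
if (-not (Get-VMDvdDrive -VMName $VmName)) { Add-VMDvdDrive -VMName $VmName }
Set-VMDvdDrive -VMName $VmName -Path $IsoPath

# Second adapter on the Internet-facing switch. Naming both adapters makes it obvious
# later, in the UTM console, which one must become the external (WAN) interface.
Rename-VMNetworkAdapter -VMName $VmName -Name 'Network Adapter' -NewName 'Internal'
Add-VMNetworkAdapter    -VMName $VmName -SwitchName 'External - Internet' -Name 'External'

# --- Verify before first boot -----------------------------------------------------------
# Expect: the External switch with AllowManagementOS False, the Internal switch with True,
# and two adapters on the VM, each bound to the intended switch.
Get-VMSwitch | Select-Object Name, SwitchType, AllowManagementOS
Get-VMNetworkAdapter -VMName $VmName | Select-Object Name, SwitchName, MacAddress

Start-VM -Name $VmName   # boots the UTM installer from the ISO; continue at the VM console
```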
From now on you will stop using the console to work directly on the virtual machine. According to my source at Sophos, one of the UTM design goals is to never require an administrator to use anything other than the web interface.

Step 5 – Sophos UTM's initial configuration wizard

Open your favourite browser and connect to the specified management URL, then work through the wizard:
- Specify the hostname of the UTM.
- Specify the company name.
- City.
- Country.
- Admin password.
- Admin email account.

The summary will indicate the choices you have made. Click Finish to complete this section.

Step 6 – Additional post-deployment steps

By this stage you should have a proxy that works fine for everything on its own internal subnet. If you have a small network deployment that only has one subnet you can skip this step.
Step 6.1 Create a static route

To allow clients from other subnets to also connect to and use the proxy, you need to add a static route so that all traffic for the internal network is sent correctly through the internal interface.

Routing basics: a machine can only have one default route. If the machine does not know where else to route traffic, it will use that route. Since the UTM has two interfaces, one will be the default. This is always the external interface, because it routes everything to the Internet. You therefore need to manually configure the UTM to send any traffic destined for the internal network via the internal interface. Here's how to do it:
- Select Interfaces & Routing.
- Select Static Routing.
- Click + New Static Route.
- Route Type will be Gateway Route.
- Click + next to Network to create a new network definition with the following settings: Name: Internal Corporate; Type: Network; IPv4 Address: 10.0.0.0; Netmask: /8 (255.0.0.0).
- Click Save.

You can use the support tools to check ping and trace route (traceroute).

Step 6.2 – Configure proxy

The next thing that needs to happen is that the proxy functionality needs to be configured.
- Select Web Protection > Web Filtering. By default the allowed networks only include the subnet that the UTM is on.
- Click the folder next to Allowed Networks.
- Select and drag the Internal Corporate network object we created earlier into the Allowed Networks box.
- Next, change the proxy mode from Transparent to Standard Mode.
- Click Apply.

You should be able to surf the Internet from anywhere within your corporate network. URL filtering should also prevent you from accessing sites blocked according to the specified categories. With your Sophos UTM now configured, it is another great time to take a snapshot of your VM.

Don't Forget Reporting!

With the Web Filtering feature enabled, you now also have a great way of reporting on outbound web access across your organization using Sophos Reporter. Just install Sophos Reporter on a new server or VM, add the new server as a syslog server in Logging & Reporting > Log Settings, and select the Web Filtering logs. You'll start seeing your real-time web traffic in a range of dashboards, be able to run detailed Overview and Activity Reports, and configure custom alerts. Check out the guide for more information.
Summary

If you have followed through the guide above, you should now have a fully functional Sophos UTM up and running, and you can start playing with all the other great features such as Application Control, IPS, Remote Access, Web Application Firewall and more. I hope you have found this guide useful for getting your Sophos UTM basic configuration up and running. If you ran into any issues, please let me know in the comments!

Hi Etienne, I think you may have made an error with the Hyper-V network setup above. Should it not be: the internal switch is facing internal, therefore the connection type is Internal (not External)?
Thanks for the great post.

Step 2.1 Configuring Host networking: Two virtual switches need to be created. The internal network facing virtual switch is named Internal – Corporate. The connection type is External and the relevant NIC is selected. This virtual switch is checked to “Allow management operating system to share this network adapter”.

Hi Warren, thanks for raising that question. The terminology for the switch type is from Hyper-V. There are three kinds of switch types:
External: these refer to connections that connect to an actual physical network adapter on the host. This would give access to networks external to the host.

Internal: this refers to a switch that can be shared by virtual machines inside the host. One VM could network to another without physically breaking out of the host.

Private: similar to Internal, but isolated.

But yes, even when writing this article, it felt very wrong to call a connection that terminates on your internal network an “external connection”, especially in the context of a firewall. If you consider that it is from the Hyper-V host's perspective it makes a bit more sense. The article is correct – even though it sounds a little odd 🙂.
Hi Ren, I am not sure what you are trying to accomplish here. Because there are both a physical and a virtual switch in play here, you need to specify where you are attempting to do what. I am going to take a guess here, but hopefully it covers what you are after. When a Hyper-V host's physical NIC is attached to a virtual switch it changes the mode from access to trunk. Access mode only allows for a single VLAN to be used, as such it does not have to be tagged. Trunk mode allows for multiple VLANs and therefore requires the traffic to be tagged, or it will default down to a single VLAN. If you can explain what your requirement is and what your network constraints are, I can hopefully give you a better answer.

Regards, Etienne.

Hi Martin, I am assuming your connection is lost from your “outside network”, as in the physical network outside of Hyper-V. This could be due to a network driver issue in the Hyper-V stack itself. I had a similar issue with a Dell blade server on a converged FCoE adapter. The final solution to this was to disable SR-IOV on the adapter. You can do this with PowerShell. You can test if this is the cause by spinning up another VM and connecting it to a private network just between your test machine and the UTM. One last thing to try is to switch to using legacy network adapters on the UTM.
Let us know how you get on.

Hi, after creating a new switch and enabling SR-IOV, it seems to work better on my “outside network”. But it is not working how it should work. I configured two vSwitches (internal and external, I don't need private, the server is hosted somewhere else). The internal vSwitch works fine, the external vSwitch loses the connection for some seconds. It is not possible to connect via VPN on the Sophos:

responding to Main Mode from unknown peer x.x.x.x:10952
NAT-Traversal: Result using RFC 3947: peer is NATed
max number of retransmissions (2) reached STATE_MAIN_R2

There is no Sophos problem, the network is not working properly 🙁.
I assume you're trying to get Sophos Cloud installed from what I gather? Here's what we do.

1. Create a folder called sophos inside of /private/var/tmp (e.g. /private/var/tmp/sophos).
2. Download your Sophos installer from cloud.sophos.com.
3. Take the contents of the download and copy it to /private/var/tmp/sophos (copy Sophos Installer.app and the Sophos Installer Components folder).
4. Drag and drop the sophos folder into Composer. Make sure permissions are correct from the parent folder.
5. Open the package source on the left to show the Scripts folder, right click on Scripts and choose Add Shell Script > postinstall.
6. Use my postinstall script as a guide:

#!/bin/sh
## postinstall
#
# Created using this Sophos KB article:
#
# The installer path contains spaces, so it must be quoted.
if sudo "/private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/Sophos Installer" -install; then
    # Remove installer
    /bin/rm -rf /private/var/tmp/sophos
    exit 0    ## Success
else
    exit 1    ## Failure
fi

Hope this helps.
It works as a normal pkg for Casper or ARD.

Thanks for this! Really helpful when updating my Sophos workflows!

I'm a small bit closer to figuring this out. Seems that this error where Sophos installs but then doesn't get the AutoUpdate configuration settings only applies to computers where Sophos was previously installed. I've tried this on computers where I have used the Sophos Uninstaller to remove the software and then run the script to install it again, and I get this problem. If I run the GUI installer on a computer where Sophos was previously installed, it installs correctly and gets the AutoUpdate settings. I have no idea why the GUI installer would work but the silent install would not give me the expected and desired results. Fortunately, for me, it's a relatively small number of computers that are exhibiting this problem in my environment, so I can pull them in and manually install Sophos using the GUI installer. Any new computers that I image and then deploy have never had Sophos installed on them, so the silent install via script will install Sophos and then enroll them in Sophos Cloud, and updates will continue.

If you're reinstalling you'll want to uninstall first. In my experience with Sophos you won't have any luck running an installer over the top of a Mac with Sophos already installed. Have you heard from Sophos? I just created a support ticket.
I can confirm repeated failing of Sophos Installer version 1.1.0 (downloaded today) on 2015 MacBook Airs running macOS Sierra 10.12.6. Fails by GUI, or script initiation as root:

2018-02-21 09:41:25.135 Sophos Installer[186] Starting Sophos Bootstrap Installer.
2018-02-21 09:41:25.707 Sophos Installer[186] Installation failed. See install.log for detailed information.

Note, nothing is logged at install.log.

Update, Wed Feb 21 11:21:07 PST 2018: Now my previously functional 9.6.2 Sophos Installer fails.
This is via GUI. The installer appears to finish its needed downloading, says 'Verifying.' This is on multiple 2017 Touch MacBook Pros running macOS High Sierra 10.13.3. These are fresh Macs done with our DEP flow and with FileVault encryption completed.

I received an answer from Sophos Support:

Mid-last year there was an attack demonstrated at DEFCON (a hacker conference) that specifically attacked software which runs as root (and was demonstrated against our installer), during install time, by using non-standard privileges on several folders (including / and /Library). This prompted us to release a KB to check the validity of our installer. Article ID: 127252. Title: Sophos Anti-Virus for Mac: Risk of privilege escalation when using the Sophos endpoint installer. URL: [omitted]. This was always intended as a stopgap measure until we could implement checking of the locations to install to. This exploit requires non-standard rights on / and /Library, both of which Apple protects with SIP. When we updated our installer in late January 2018, we implemented these security checks to make sure that we could not get exploited by this, by ensuring the default rights of 755 root:wheel were applied. We first had reports of customers running into this security check about 1.5 weeks ago, and thus created the KB you were sent, to validate the rights and how to correct them. I have opened a discussion with development to improve the messaging around this detection, including updating the GUI of the installer to properly notify when the installer runs into it, and directing to the appropriate article to correct the permissions. At this time, we are not intending on changing the security check and stop, since it is in response to a legitimate, known way of hacking our software, and it just requires Apple's default permissions on their security locked-down directories.
But we can convey this information better, and I am working with development on that.

- Log into the cloud.sophos.com console.
- Protect Devices in the left-side navigator.
- Send Link to Users.
- Picked myself, and took the Mac download link out of the email it sent me.

I've heard you can use the Sophos API to generate a user-less download link, but I've never found any supporting info on that. It does have the downside of attaching all machines that get it via that link to my Sophos user, but we don't use that for any purpose so we ignored that bit. I had problems installing it on machines that had a conflicting AV or Sophos Home, but those were few and far between so I didn't account for them in the installer. It also seems to fail on Macs that were imaged via a clone, but those are also few and far between.
We had the issue where the manual install would fail straight away. After sending logs off to Sophos they found that a file didn't have the correct permissions (see below):

com.sophos.bootstrap.helper using com.sophos.macendpoint.Installer.HelperTool. Error Domain=com.sophos.installer Code=1 'Error: supplied secure destination is not secure. Path: /Library/Application Support/Sophos/temp2052'

Sophos' solution was to disable SIP and run a command. Not happening. So found that the command

sudo chmod 0755 "/Library/Application Support/"

can be run without disabling SIP and corrects the permission(s). This was added to a .pkg file (post script) with the path to the file which runs the manual install + sorts the permissions. In Terminal, if this permissions command is run and then the silent installer provided by Sophos is used, it works:

sudo "/private/var/tmp/sophos/Sophos Installer.app/Contents/MacOS/Sophos Installer" -install

My problem is now if these are combined into Composer the Sophos install/quit screen opens, so it is not silent - this is where Sophos did a runner.

I haven't had much experience with postinstall scripts, but can confirm this works great as a separate script to run after caching the installer files.
sudo chmod a+x "/pathtoinstaller/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer"
sudo chmod a+x "/pathtoinstaller/SophosInstall/Sophos Installer.app/Contents/MacOS/tools/com.sophos.bootstrap.helper"
sudo "/pathtoinstaller/SophosInstall/Sophos Installer.app/Contents/MacOS/Sophos Installer" -install
sudo rm -rf /pathtoinstaller/SophosInstall/

https://community.sophos.com/kb/en-us/120570

Whitelisting a Team ID blesses everything that uses that same ID. So Sophos installs something like 4 kernel extensions, but you can get away with just doing the Team ID they all share. That single entry in my screenshot is the only Sophos thing we have to whitelist for Endpoint to work. There's a good script in this other thread about finding these extensions and all the IDs associated with them. We run a simplified version of that on all our Macs 1x as a policy, then we just have to skim policy logs on a machine if someone needs one added to our global whitelist. We have 22 total Team IDs in there right now, but only Sophos and HP complained about needing it approved; the rest were pre-emptive.
I am new to Sophos Endpoint Protection and have to say it is proving a bit more challenging than I ever expected. Using @calvins script, I was able to automate the installation.
I was also able to make a configuration profile whitelist and thought I was home free. I have one last issue which I was curious how others were handling. After successfully installing Sophos on my test bed Macs (which are local accounts not bound to AD) and another user's computer which is bound to AD, I logged into Sophos Central and noticed all of the devices were showing up under my user account under the People tab. Not a good thing, as this would not allow me to assign policies to groups. Are you guys using the AD Sync tool with Sophos? And if you are, will the installer match up the user automatically?

That's what I saw too.
As far as I know, it's because your user generated the link. We don't manage Sophos on a user-basis, so we didn't bother messing with it. But yeah, there are totally like 2,000+ Macs with the same user that generated the link in ours. I looked at automatically generating download links based on who was logged in when it ran with Sophos' API and didn't get very far. I think we also asked Sophos for a generic non-user based download link that never expired and I don't think we got anywhere with that. That was a while ago though, might be worth asking your rep.
For what it's worth, here is our current Sophos situation. I downloaded the Mac installer from the Sophos Central console. (This is in reality a downloader for the real installer; lots of people including myself have complained to Sophos about not being able to download a full installer, since this means each and every computer downloads the entire full installer over the Internet.) I then used Richard Trouton's script as the basis for creating an Apple Installer package; as payload it contains the Installer (née Downloader) and the Sophos Installer Components folder, inside of which is one or more plists. These plists let you configure settings to apply to each client.

As mentioned previously in this thread, DeployStudio 1.7.8 - the current version - causes a folder to have incorrect permissions, which in turn causes Sophos 9.7 and later to fail to install. This can be fixed without having to mess with SIP by creating another DeployStudio workflow that runs a script that does the required chmod to fix the permissions. Because this runs in single user mode it works even with SIP on. This workflow then triggers a deliberate reboot as the second and final step rather than letting it simply reach the end of the workflow; not sure if this is necessary or not, it might prevent DeployStudio messing the permissions again, and at a minimum it makes this a very quick workflow. Note: this DeployStudio issue is supposedly fixed in the beta 1.7.9.

We do this before enforcing FileVault encryption, but it would still be possible with an encrypted drive; in that case you would need to run Disk Utility in the DeployStudio runtime to mount the encrypted volume and enter a valid password to authorise this. We do push via JSS a profile containing a list of Team IDs to whitelist various kernel extensions; I have quite a list now. Arguably rather stupidly, even some of the kernel extensions included as standard with macOS have to be approved, e.g. Atto, Promise, HighPoint etc. I also approve VirtualBox, Parallels, VMware, Tunnelblick, Sophos and so on.
I install Sophos using the aforementioned pkg via Munki. In Munki I have a conditional check script to see if the folder permissions are correct, otherwise Munki will not try to install it. If Munki were to try to install it with the wrong permissions then the install would fail but a receipt would be left behind, which would mean Munki would think it had succeeded when it hadn't. I do not find that all Macs show up under a single user; we are using local-only accounts and it seems to show up under whatever user logs in when the Sophos agent 'phones home'.

However, we do not use the user name information much anyway; it helps tracking which user to speak to if there is a problem, but we can do that via the machine name anyway. I have not found that my pkg with the original downloaded Sophos Installer expires; it has been working for several months. I am finding that far too often when a Mac updates Sophos this results in Sophos Central flagging 'one or more services is not installed or running'. Clearly this is because during the update the old version of a service is removed and the new one installed and started, and there is an inevitable gap. Sophos need to fix this.
One Monday I came in and 10% of our Macs had such reports. These typically clear themselves by/during the next time the client phones home or updates. However, as these are red-flag rather than amber-flag errors, this is causing a lot of extra work to double check all machines are indeed properly protected. I have a ticket open with Sophos over this.

I'm using the script that has been posted here a few different ways.
Do you all have an issue with the installer script hanging? Outside of the script, running the -install command I get a hang here:

DATE TIME Sophos Installer[1027:12677] Starting Sophos Bootstrap Installer.

I have a config profile that allows the Team ID, so it's not hanging there. The app actually installs and is running fine, but the script never exits properly. Anyone else have this issue, and more importantly, is there a workaround?

I have not had that problem. I see the lines below in the details after the script runs. I replaced the path/link to the installer with /hereiswhereyourinsallernamegoes// since it is specific to my install.

Script result: We are getting Sophos Endpoint from:
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 -:-:- -:-:- -:-:- 0
0 0 0 0 0 0 0 0 -:-:- -:-:- -:-:- 0
100 2677k 0 2677k 0 0 2577k 0 -:-:- 0:00:01 -:-:- 2574k
100 2760k 0 2760k 0 0 2645k 0 -:-:- 0:00:01 -:-:- 2644k
2018-07-09 14:48:38.146 Sophos Installer[266] Starting Sophos Bootstrap Installer.
2018-07-09 14:50:00.161 Sophos Installer[266] Installation successful.

We're experiencing the same, where Sophos installs successfully as always, but within the last week or two the installer isn't closing to allow other policies to run. Same script we've used for over a year with no changes. Haven't determined what's changed or the cause.
EDIT: I have to imagine this is coincidental, but looking at when we started noticing the issue, it coincides with when JAMF separated Sophos Antivirus and Sophos Endpoint in Patch Reporting (https://www.jamf.com/jamf-nation/discussions/28681/sophos-antivirus-and-sophos-endpoint-software-title-split).

I added a few lines to my installation script so it will watch for Sophos to start up and then kill the installer. It's kind of a hacky workaround, but in my limited testing so far it seems to work. If a user is logged in it looks for SophosAgent to be running, and if the computer is at the login window it just waits for Sophos Endpoint.app to show up in /Applications. My script is based on one that was posted near the beginning of this thread, so if you need to do the permissions checking and such you'll obviously need to adapt it. Also, I'm still relatively new to bash scripting, so if anyone sees something I could have done better I would welcome some feedback. :)

#!/bin/bash
# Sophos Installation Script
#
# Isaac Nelson 19 March 2018
# Updated 27 July 2018 with workaround for bug that causes the installer process to hang
# even though installation has completed successfully.

I'm having the same issues.
Had success with 's script mixed in another ( ) due to install failures with just Isaac's alone. Regarding the if-then-else loop at the bottom, maybe I'm being dense but the $currentUser variable is going to return the console user, i.e. the logged-in user, not root. The script would hang at that point every time in my case because root was never logged in despite the jamf binary running scripts, etc. I changed it so that it says "$currentUser" "$currentUser" and it killed the installer process like clockwork every time I tested the policy. Hacky for sure, but it worked.

$currentUser will return the logged-in user unless nobody is logged in (meaning the computer is at the login screen), in which case it will return root. [[ ! "$currentUser" == "root" ]] checks to see if the console user is anybody other than root (that's what the '!' in there does). If someone is logged in, the installer process won't be killed until SophosAgent is up and running. Otherwise, if the console user is root, the installer process will be killed after Sophos Endpoint.app shows up in /Applications. I put that in because if nobody is logged in SophosAgent will never start up, so the installer process would never get killed. Does that make sense? Basically what's happening is this: if somebody is logged in, wait for the SophosAgent process to exist, then proceed to the end of the script where the installer process will be killed. Else, if nobody is logged in, wait for /Applications/Sophos Endpoint.app to exist, then proceed to the end of the script where the installer process will be killed. Let us know if you're able to get a response from Sophos. I'd much rather have them fix their installer than rely on a hacky workaround!
Hey, your hack worked a treat. Specifically I just used these parts in my own script:

# $currentUser is set earlier in the full script (not shown in the post); the usual
# definition is the owner of the console device, which is "root" at the login window.
currentUser=$(/usr/bin/stat -f%Su /dev/console)

# Kill the installer once Sophos is up and running (workaround for bug that causes the
# installer process to hang even though installation has completed successfully)
# Wait until SophosAgent is running before finishing up (checking every 5 seconds)
# User logged in
if [[ ! "$currentUser" == "root" ]]; then
    until /usr/bin/pgrep SophosAgent; do /bin/sleep 5; done
# Login window
elif [[ "$currentUser" == "root" ]]; then
    until [ -e "/Applications/Sophos Endpoint.app" ]; do /bin/sleep 5; done
    sleep 10
fi
/usr/bin/killall "Sophos Installer"

Looks like all my Sophos contacts have left Sophos, but I'm asking our licensing person if they have any others. If I get a hold of anyone and get any success I'll post here.

I've been using this spreadsheet for the most part to get Team IDs. We also have a policy that runs a script 1x/computer to find Team IDs of the popular places kernel extensions get dropped, so we can have it handy in policy logs. Right now we do Sophos, VMware, Apogee Digital, MOTU Audio, PreSonus Audio, Parallels, VirtualBox, Zoom, HP, Cisco, SoftRAID, Jabra, Epson, ATTO, Wacom, Paragon Software, Accusys, Digidesign, Highpoint-Tech, CalDigit, Areca, and Promise. About half of those were because people were getting approval prompts; the rest we did preemptively.
I have also come across this issue this week, but only sometime after 09/21/18, as we prepped 10 new iMacs on this date and they all installed fine. If I run the installer manually it installs fine. But if I use my script or manually run "/Users/Shared/Sophos Installer.app/Contents/MacOS/Sophos Installer" -install it hangs forever at "Starting Sophos Bootstrap Installer". Have checked /Library and /Library/Application Support permissions and all look fine. I've only noticed this week as we're configuring the Adobe update server and the new test machine is getting no software due to this. Think my next step is Sophos support; anyone have any luck? My script is:

cd /Users/Shared/
rm -R Sophos*                      # clear out any previous download
curl -O "$SOPHOS_URL"              # download URL was not included in the post
unzip SophosInstall.zip > /dev/null
chmod -R +x "/Users/Shared/Sophos Installer.app/"
"/Users/Shared/Sophos Installer.app/Contents/MacOS/Sophos Installer" -install
rm -R Sophos*
exit

We started to see this behavior back in August.

Ditto on all of this, Steve. We also started seeing this behavior in August. Also, intermittently, with no clear reason why Sophos would install on some machines but not others, or why the installer would hang. Quite frankly, I've become quite unhappy with Sophos over the last few years. There are better products out there, with software teams that can build a proper .pkg installer.
I'm replacing my entire fleet in June 2019 and if Sophos can't straighten out their installer mechanism - so that I don't have to script ridiculous workarounds to make it work as expected - then our Sophos contract will be terminated and replaced with a vendor that is paying attention to the Mac platform. I'm looking at Cylance, Malwarebytes Breach Remediation, and perhaps Avast (recommendations welcomed).

So as of right now, the solution is to make Sophos a policy and have it run based on a smart group? We used to have it set to recurring check-in. The policy would run in Terminal after doing a sudo jamf policy. All of our policies would run the same way. I decided to automate this and have all policies run during enrollment. I have one policy running during enrollment and it fetches other policies. Sophos was the problem in this matter. Sophos would hang and other policies wouldn't execute because of that. Once I took out Sophos everything else ran. As of right now I changed Sophos to run during recurring check-in.
It's not necessary to have Sophos install as a policy scoped to a Smart Group; the solution is to have the install run as a background process by adding the ampersand (&) to the end of the install command:

"./Sophos Installer.app/Contents/MacOS/Sophos Installer" -install &

By running the install command as a background process the jamf binary does not get 'stuck' waiting for Sophos to finish installing. Instead the policy will complete even though Sophos is still installing on the machine. The reason I took Sophos out of our provisioning and instead made it a policy scoped to a group of machines was so that I could keep Sophos installed on the machines, and not have to worry about it making my provisioning stick. Not sure if this is related to the recent problems with installing Sophos anyone is having, but figured I'd share anyway.

At my job we started noticing issues installing and updating Sophos around 10.9.18. Had a case open with Sophos. Couldn't install using Terminal with the bootstrap hang, and also couldn't install with the manual installer as the download would hang at 23 MB downloaded. My ISO department found that something in the file being downloaded triggered an Adobe Acrobat threat signature that, if true, allowed elevated privilege access. This had to be whitelisted on our firewall.
Once it was, installs were successful all around.