Many companies that offer antivirus protection for consumers also sell endpoint protection to businesses. Sophos Home Premium gets its protective technology from the company’s business-level tools, including the remote management that’s common for businesses. This inexpensive antivirus scores high in our malware protection tests and the new mobile management app makes it more convenient than ever. If you have the technical skills, you can install its protection for your friends or family and manage it remotely.
How Much Does Sophos Home Premium Cost?
Sophos offers a free edition, which omits the most advanced features and lets you protect three computers, but even the premium edition isn’t expensive. For $60 per year, you can install the product on up to 10 PCs or Macs. That’s just $6 per year per device. With Bitdefender, ESET NOD32 Antivirus, Kaspersky, and others, you pay $39.99 per year for just one license, and $59.99 per year for three. McAfee also goes for $59.99 per year, but that price gets you unlimited installations on every Windows, macOS, Android, and iOS device in your household.
Online Dashboard
As with the free edition, Sophos just installs a small, local client on your PC. All configuration and logging activities take place in the online dashboard. That makes a lot of sense, given this product’s business origins. IT departments take care of antivirus management from a central console; they don’t rely on untrained employees to keep things running. If you’re the go-to tech support person for your family or circle of friends, consider installing Sophos for the whole gang and managing it remotely. It’s easier than driving across town to sort out the mess they’ve made or trying to walk them through diagnosis and repair over the phone.
To install Sophos on a new device, just log into the dashboard and click Add Device. You can click to download and install on the current system or copy a link that you can send to someone else. Either way, it both installs Sophos and connects the installation to your account for remote management.
The main screen of your dashboard displays all the devices you’ve protected, each with a number representing outstanding notifications. Click any device for more details and configuration options. Initially, it opens to the device’s Status page, subdivided into panels for Antivirus Protection, Web Protection, Ransomware Protection, Privacy Protection, and Malicious Traffic Detection. The free edition also displays these five panels, but only the first two are active.
Features Shared With Free Edition
When you pay for the Premium edition, you get everything found in Sophos Home Free and more. Read our review of the free product for a detailed description of the features shared by both.
When reviewing antivirus utilities, we always look to the reports regularly issued by four independent testing labs: AV-Test, AV-Comparatives, SE Labs, and MRG-Effitas. Sophos earned the top certification (AAA level) from SE Labs when last reviewed, but it dropped to the AA level in the latest report. That’s it for current lab scores.
A high score is good, but so is testing by many labs. Kaspersky, Avira Antivirus Pro, and Norton are among the nine products that show up in the latest reports from all four labs. Kaspersky’s aggregate score is a perfect 10 points, narrowly beating 9.9 points by Avast and ESET.
In our own hands-on malware protection tests, Sophos also earned top scores. It earned 9.7 of 10 possible points in our basic detection test, beating all but two other products tested with the same set of samples.
To test how well each antivirus defends against the very newest prevalent malware attacks, we use a list of malware-hosting URLs discovered in the last few days by researchers at MRG-Effitas. Out of 100 malware downloads, Sophos blocked 99%, most by preventing all access to the dangerous URL. Bitdefender and G Data also achieved 99%, while McAfee and Vipre Antivirus Plus blocked a perfect 100%.
Phishing websites don’t rely on malware to compromise your computer. Instead, they go for the weakest link—the user. If you enter your eBay credentials on a site that’s only pretending to be eBay, you’re hosed. When tested with very recent real-world phishing sites, Sophos caught only 84%, a good bit lower than in our last review. By contrast, in their latest tests, McAfee managed 100% detection while Bitdefender and Norton detected 99%.
Parents can configure Sophos to block access to websites matching any of 28 content categories, but you shouldn’t rely on it for parental control. The content filter works in supported browsers, which include Chrome, Edge, Firefox, Internet Explorer, Safari, and Opera. I verified empirically that your teen (who knows more about tech than you do) need only install a less common browser such as Brave to escape all control and monitoring.
In addition, if you choose the option to warn about bad sites rather than actively block them, Sophos lets HTTPS sites pass, meaning that a smart teen could simply visit HTTPS porn sites or foil the whole system by using a secure anonymizing proxy.
Exploit Protection
Some malware coders spend their days analyzing and reverse-engineering operating systems and popular applications, looking for coding errors that leave holes in your security. As soon as they start to exploit those holes, the designers of the victim app or OS get busy patching, but until the patch comes out, your systems are vulnerable. In the Premium edition, Sophos aims to block these exploits directly, with special protection for common victim apps.
On the Exploits tab, you find three panels: Exploit Mitigation, Protected Applications, and Risk Reduction. In previous editions, a Preferences panel allowed you to configure visual cues such as a glowing border around protected windows. Sophos tech support confirmed that the cues are no longer present, stating, “Given usability, user feedback, and other technical considerations, we have decided to remove the visual indicators of application protection from the Sophos Home product.”
Exploit Mitigation and Risk Reduction are turned on by default, with the option to dig in for advanced settings. Those advanced settings involve things like which apps Sophos should protect, and what kind of sneaky maneuvers it should block. Just leave those settings alone; they come configured for maximum protection. Well, almost. I’d suggest opening Risk Reduction and enabling the option to stop malicious thumb drives. Doing so prevents a weird sort of attack where a specially prepared thumb drive identifies itself as a keyboard and sends commands that let it take control of your PC.
As noted, Exploit Mitigation aims to block attacks on security holes in protected applications. However, it doesn’t peek at incoming network traffic to detect exploits as they arrive, the way Norton AntiVirus Plus does. That difference became clear when I ran my standard exploit test.
This test uses 30-odd exploits generated by the CORE Impact penetration testing tool and aimed at Windows itself and popular apps. Sophos didn’t detect exploits at the network level, but the real-time protection component blocked a third of the malicious payloads, reporting Malicious Content Detected. In a few cases, it flagged the attack using its official name. The test system is fully patched, so even the two-thirds of exploits missed couldn’t do any harm. Note that Norton’s antivirus catches exploits at the network level, routinely scoring 90% or better. Kaspersky Internet Security managed 81% in its latest evaluation. (Kaspersky, like most security companies, reserves exploit protection for suite products.)
The tools managed on the Exploits page are among the most complex in this product. Fortunately, you don’t have to understand them to benefit. Just leave them alone to do their work.
Premium Ransomware Protection
Another feature that Sophos doesn’t offer for free is ransomware protection. In theory, the regular malware scan and real-time antivirus protection should prevent ransomware attacks, just as they prevent other malware infestations. However, the consequences of missing a brand-new ransomware sample are more significant and permanent than for other types of malware. Even if your antivirus gets an update that wipes out the zero-day ransomware an hour after the attack, your files are still encrypted and useless.
The full scan eliminated all my ransomware samples, as expected. To simulate attacks by zero-day ransomware that evades usual protection, I turned off the real-time component and put my folder of ransomware samples back in place. After double-checking the status of ransomware protection, I started releasing real-world ransomware attacks on the virtual machine test system.
Sophos detected and eliminated all but one of my encrypting ransomware samples, including one that attempts to encrypt the whole drive rather than just certain files. It did miss a screen-locker ransomware sample, which makes sense given that it aims to detect encryption activity. In general, screen lockers are less of a concern.
As for the missed encrypting sample, it simply didn’t do anything. Without any activity, behavior-based detection has nothing to detect.
One sample managed to cause some trouble before its demise, though Sophos eventually caught and killed it. It managed to encrypt over a thousand files and leave almost 900 copies of its ransom note. The encrypted files had extensions like .LOG, .DAT, .JSON, and .TMP—not important documents but rather bits and pieces of system information. And they weren’t in the Documents folder or any similar important location, but rather in folders devoted to things like browser settings. My impression is that Sophos stopped the attack at the point when it would’ve affected important files. But I still worry about the thousand little files lost.
It’s worth noting that Webroot SecureAnywhere AntiVirus would have avoided that problem in an unusual way. It journals all activity by programs it can’t identify as good or bad, and shares behavior information with its cloud-based analysis system. If the cloud says thumbs down, Webroot kills the program and reverses all its actions, including file encryption actions. Webroot does warn that a massive encryption attack could overrun the capacity of the journaling system.
I’ve occasionally encountered ransomware protection systems that suffer a window of vulnerability during the boot process. For example, in testing F-Secure Anti-Virus, I found that ransomware launched at boot time managed to do its dirty deeds before the ransomware protection system kicked in. I tested Sophos by configuring some real-world ransomware samples to launch at startup. It had no trouble preventing the attacks.
The RanSim ransomware simulator from KnowBe4 simulates 10 different ransomware attack techniques, along with two legitimate encryption activities. Ransomware protection tools should block the 10 attacks but leave the two legitimate modules alone. Some behavior-based ransomware protection tools ignore the simulations, because they are not truly ransomware, so I don’t penalize a product for a poor score in this test. Yet I can applaud a good score, like that achieved by Sophos. It prevented nine of the 10 simulated attacks, though it did also disable one of the legitimate code modules.
My testing aims to simulate a situation where the real-time protection system has missed a zero-day ransomware attack. Confronted with prevalent real-world ransomware samples, and with real-time protection active, Sophos caught them all, though one accomplished some serious mischief before its demise. Based on my testing, it’s also likely to handle those pesky zero-days.
Keystroke Encryption and Safe Banking
The Free and Premium editions both offer Web Protection, to keep browsers and other programs away from dangerous URLs, and Download Reputation analysis, to fend off downloads that aren’t known malware but have a bad reputation. The Premium edition adds Safe Online Banking, which consists of Safe Browsing and Keylogger Protection.
Kaspersky, Bitdefender, and several others offer browser protection designed to isolate your financial transactions from other processes, thereby preventing data theft. With Sophos, Safe Browsing simply warns if your browser has been compromised. I assume it works; I don’t have a way to compromise a browser for testing.
Keylogger Protection, on the other hand, is easy to test. I turned off other protection components, to keep Sophos from wiping out a free keylogger that I installed. I verified that the keylogger captured my keystrokes in Notepad, which isn’t protected by Safe Browsing. When I typed in a browser instead, the keylogger caught only gibberish. When I tested the similar feature in G Data Antivirus, the keylogger received nothing at all from the browser. Note that G Data includes a separate component called BankGuard, which isolates the browser against other kinds of data-stealing attacks.
Do note that modern keyloggers generally do a lot more than log keystrokes typed by the victim. The one I chose recorded URLs visited, captured everything that was copied to the clipboard, and snapped periodic screenshots. Sophos didn’t protect against those actions, but real-time protection would have wiped out the keylogger before it could even load.
Webcam Spyware Protection
Many kinds of spyware aim to capture your credit cards or other kinds of personal data that malefactors can monetize. Perhaps the creepiest spyware, though, is the kind that secretly activates your webcam and spies on you when you think you’re alone. Quite a few antivirus utilities now include spyware protection components to prevent this pervy peeping.
Bitdefender, Kaspersky Anti-Virus, and ESET don’t get in the way of legitimate applications that need to use the webcam. However, when an unknown program tries to peek at you, they suspend its access and notify you. If it’s some new video-conferencing tool you just installed, you can mark it as trusted. If you didn’t trigger use of the webcam, just block its access.
Webcam Protection in Sophos is much less sophisticated. When a process accesses the webcam, Sophos simply slides in a transient notification about that access. There’s no blacklist or whitelist, and if you’re not looking at the screen, you could miss the notification. This level of protection is less effective than simply taping the camera or using a sliding shutter. Interestingly, Sophos Home Premium (for Mac) does more to protect against webcam snoops. Like Bitdefender, Kaspersky, and ESET, it warns when an untrusted program tries to use the cam, and lets you allow, stop, or whitelist the program.
In addition, the content of the notification can be confusing. When I launched a Google Meet session, Sophos reported webcam access by Host Process for Windows Services 10. The average user might have no idea what that is.
New Mobile Management
New in this edition, Sophos offers a mobile management app that runs on iOS or Android. A banner across the top of the online dashboard touts the app, with links to install on each platform. For testing purposes, we installed it on a Moto G5 Plus running Android Oreo.
After installation, you must log in to the app—it’s not like the desktop installers that automatically connect to your account. You can choose to use your device’s biometrics for authentication, or just stay logged in. Sophos sends a verification code to your registered email to complete the pairing.
With that setup complete, you have full control over all your Windows and Mac installations from your mobile device, just as you’d get by logging into the online dashboard. The main screen gives an overview of device status, with the option to add new devices. Tap a device to view its recent activity, configure its settings, or launch a scan remotely.
This new app is a very welcome addition, especially for those managing security for friends or family. If you get a support call from Uncle Clem, you can take care of it on your mobile device, wherever you may be. Nice move, Sophos!
A Good Choice for the Right User
If you’re enough of a techie to comprehend its range of features, Sophos Home Premium lets you install and remotely manage Sophos protection on up to 10 PCs or Macs. It earns great scores in our hands-on malware protection tests. In addition, it brings advanced features such as keylogger defense, ransomware protection, and exploit mitigation.
Sophos Home Premium is a good antivirus for the right user, but we’ve identified several Editors’ Choice antivirus products that suit just about any user. Bitdefender Antivirus Plus and Kaspersky Anti-Virus consistently get excellent scores from the independent labs. McAfee AntiVirus Plus doesn’t score as high in lab tests, but it offers unlimited cross-platform licenses—not just for Windows and macOS but for Android and iOS as well. Finally, Webroot SecureAnywhere AntiVirus packs unique and powerful behavior-based detection in a tiny package.