Pros & Cons
Pros
- Excellent scores in our hands-on tests
- Effective ransomware protection
- Remotely manages up to 10 PCs or Macs
- Inexpensive
Cons
- Limited results from testing labs
- Ineffective parental control
- Advanced features require uncommon tech expertise
Sophos Home Premium Specs
| Behavior-Based Detection | |
| Hardened Browser | |
| Malicious URL Blocking | |
| On-Access Malware Scan | |
| On-Demand Malware Scan | |
| Phishing Protection | |
| Protection Type | Antivirus |
| Ransomware Behavior Detection | |
You probably picture antivirus protection as something that resides on your computer and protects it against security threats. With Sophos Home Premium, that idea is only half right. Yes, a local app handles the malware fights, but its management lives in the cloud. You can manage up to 10 devices remotely when logged into the Sophos online dashboard. It’s a godsend if you’re tech support for your family or friends, and it costs less than many competitors. If your needs don’t match its profile, though, you’re better off choosing one of our Editors’ Choice winners, Bitdefender Antivirus Plus or Norton AntiVirus Plus, both of which receive high scores from testing labs and offer more bonus features than Sophos.
How Much Does Sophos Home Premium Cost?
Many antivirus companies let you purchase subscriptions for one, three, or five devices; some of them go up to 10 or more. Sophos skips the small change and jumps straight to an inexpensive 10-pack. For $59.99 per year, you can install Sophos Home Premium on up to 10 devices running Windows or macOS. Not sure if this antivirus is for you? A free trial is available, and you don’t have to put up your credit card to get it.
The $59.99 price for 10 devices is quite a deal. Norton AntiVirus Plus costs $59.99 to protect just one device. With Emsisoft Anti-Malware or Malwarebytes Premium, paying that amount protects three devices. And paying $59.99 per year for ESET NOD32 Antivirus gets you licenses for five devices. Sophos has the lowest 10-license price among popular brands.
Online Dashboard Puts You in (Remote) Control
Sophos just installs a small, local client on your PC. All configuration and logging activities take place in the online dashboard. That makes a lot of sense, given this app's business origins. IT departments manage antivirus from a central console; they don't rely on untrained employees to keep things running smoothly.
If you're the go-to tech support person for your family or circle of friends, consider installing Sophos for the whole gang and managing it remotely. It's easier than driving across town to sort out the mess they've made or trying to walk them through diagnosis and repair over the phone. There is a limit of 10 installations per subscription, which seems reasonable. Would you really want to manage more?
The main screen of your dashboard displays all the devices you've protected, each with a number indicating the number of outstanding notifications. Click any device for more details and configuration options, or click Add Device to extend protection to another PC or Mac. You can click to download and install on the current system, or copy a link to send to someone else. Either way, it installs Sophos and connects the installation to your account for remote management.
When you select a device, you get a page with four tabs: Status, History, Protection, and Web Filtering. At the time of my previous review, there was a fifth tab titled Privacy that contained only the webcam protection feature. By observation, webcam protection, along with the Privacy tab, is no longer present.
The Status page features four large panels representing four protective components: Antivirus Protection, Web Protection, Ransomware Protection, and Malicious Traffic Detection. A fifth panel, Privacy Protection, is no longer present. On the History page, you see a list of everything Sophos has done to protect you, with an option to filter by event type. Web Filtering lets you configure the parental control system, which I’ll discuss below.
That leaves the Protection tab, the place where everything happens. This tab has four sub-tabs: General, Exploits, Ransomware, and Web. Note that clicking most of the feature panels on the Status tab takes you to the corresponding area on the Protection tab.
Most users shouldn’t touch the controls on the General tab, as doing so would turn off various protective features. The one exception is turning on the scheduler. If you like, you can set Sophos to run a full antivirus scan on any day of the week. The Web tab (also reached by clicking Web Protection on the Status tab) similarly contains settings that you shouldn’t turn off.
Since all configuration happens in this online dashboard, your friends and family members can’t mess up their antivirus installation. They don’t have access to the controls unless you give them the login credentials. You can even launch a scan of the remote computer if necessary. It’s quite a different setup from most antivirus utilities.
A Simple Local App Handles Security
The local client features a simple left-rail menu with four items: Status, Dashboard, Add Device, and Help. Dashboard and Add Device take you to the remote management dashboard. On the Help page, you can click to get help online, check for updates, or launch a troubleshooting system. A blue Scan button at the bottom-left launches a malware scan.
The Status page is the only one that relates directly to antivirus protection. It should look familiar, as it displays the same panels as the Status tab in the online dashboard. Clicking any of those panels sends you off to the dashboard to view and possibly change the app's configuration.
Run a Scan on Command or on Schedule
Many antivirus tools offer three scan choices: a quick scan of memory and likely malware hiding places, a full scan of the entire computer, or a custom scan where you choose the target and settings. With Sophos, clicking the Scan button runs a quick scan. You can also pull down a one-item menu to launch a full scan.
Be sure to run a full scan right after installation to root out any existing malware infestations. In theory, real-time protection should handle any attacks after the initial cleanup, but Sophos lets you schedule a repeating full scan for any day of the week.
In a way, it doesn’t matter how long a full antivirus scan takes, because you can just let it scan in the background and go on using your computer. However, I do measure the time for a full scan, as a point of comparison.
In past reviews, Sophos has shown a wide range of times, from 15 minutes to 75 minutes and beyond. This time, a full scan took nearly 2.5 hours. Many competitors use that first in-depth scan to optimize for subsequent scans, so I timed a repeat scan. It was a little faster, taking about 90% as long as the first scan, but others show much more optimization. Bitdefender’s repeat scan took about 7% as long as the initial scan, and ESET shaved its second scan time to about 8%.
Lab Scores: High, But Sparse
Researchers at independent antivirus testing labs around the world put antivirus apps through grueling tests and regularly report on their effectiveness. I closely track reports from five labs: AV-Test Institute, AV-Comparatives, AVLab Cybersecurity Foundation, MRG-Effitas, and SE Labs. These labs are major operations, and their reputations depend on accurate testing, so I take their results seriously.
Sophos appears in the latest reports from just one of these labs. The experts at SE Labs challenge antivirus utilities using a capture-and-replay system that runs each antivirus through the same real-world malware attack. Contenders can earn certification at five levels: AAA, AA, A, B, and C. Sophos, along with the other tested antiviruses, achieved the highest rating, AAA.
I use an algorithm that maps each lab's results onto a 10-point scale and generates an aggregate result. With just one score, a perfect score, Sophos has an aggregate score of 10. That’s good, but I’m even more impressed with a high aggregate based on multiple lab results. Norton’s 10-point score is most impressive because it’s based on perfect scores from all five labs. Avast One Essential, also tested by five labs, reached 9.6 points. Tested by four of the five, ESET, Bitdefender, and Microsoft Defender Antivirus came in at 9.8, 9.6, and 9.3, respectively.
Malware Protection
When lab results are few or absent, my own hands-on malware protection testing becomes more important. To start, I simply open a folder containing malware samples that I collected and analyzed myself. Sophos detected just a handful at this point. Copying the samples to a new folder fully engaged its real-time protection. Over a period of five minutes or so, it detected and eliminated 98% of the samples, displaying transient pop-ups when it detected a threat and when it finished cleaning up a problem.
Clicking the Manage button in any pop-up just opened the online console. I expected it to select the History tab automatically, but I had to do that myself. I found the list awkward and unwieldy. Each entry on the long-scrolling web page was tall enough that no more than three were visible at a time. Of course, the average user probably sees no more than one malware attack at a time and probably doesn’t dig into the detection history, so the awkward display may not matter.
Continuing the test, I launched each sample that hadn’t been removed during the initial sweep. Sophos detected almost all of them either at launch or during installation, resulting in a final detection rate of 99%. It didn’t allow any malware to place executable files on the test system, so it received the full 9.9 of 10 possible points.
Sophos has the best score of any antivirus app tested with this same malware collection. Malwarebytes came close, with 9.8 points. Avast, AVG, and Norton all scored the same, 9.7 points. That’s not surprising, as all three use the same antivirus engine.
Gathering and analyzing a new collection of malware samples takes a long time, so I only do it once a year. To evaluate how each antivirus handles the latest malware, I start with a feed of malware-hosting URLs from the London-based testing lab MRG-Effitas. These URLs are typically no more than a couple of days old. Launching each in turn, I record whether the antivirus prevents the browser from even opening the dangerous page, eliminates the malware payload on download, or does nothing. Once I have enough data points, I tally the results.
Sophos blocked 44% of malware downloads by preventing access to dangerous URLs. By observation, it uses the warning High Risk Website Blocked for URLs already on the blocklist, which accounted for most of its detections. For new discoveries, the message reads "Malicious Content Blocked."
Real-time protection caught the malware payloads for another 55% of samples, giving Sophos a near-perfect 99% protection score. Aura, Emsisoft, Norton, and UltraAV also scored 99% in their own malware downloads test, while Avira reached 100%.
Sophos doesn’t require a browser extension to screen out dangerous websites, which usually would mean its protection is browser-independent. I verified that it works in Brave, Chrome, Edge, Firefox, and Opera. However, it didn’t work with my hand-coded “ultimate off-brand browser.” It also didn’t work with some less common browsers, such as DuckDuckGo, Mullvad Browser, and LibreWolf. If you use an uncommon browser, Sophos may not protect it.
Phishing Protection
Sophos watches network traffic and cuts off access to malware-hosting websites, but those aren't the only sites you need to avoid. Just because phishing sites don't typically contain malware doesn’t mean they can’t cause plenty of trouble. A phishing site masquerades as a secure and sensitive site, anything from banking to email to dating. If your eyes are sharp enough, you'll spot the scam and move on. But if you enter your credentials on the fake page, you've given the fraudsters access to your account. Fortunately, Sophos helps steer you away from phishing sites.
To test phishing protection, I scrape the newest reported fraudulent sites from websites that track such things. I include both verified frauds and sites too new for analysis. I launch each one in four browsers simultaneously. Of course, one browser is protected solely by the antivirus under testing. The other three depend on the built-in phishing protection in Chrome, Edge, and Firefox. If the page doesn’t load correctly in all four browsers, I discard it. If it's not a clear attempt to steal credentials for a sensitive site, I discard it.
Phishing pages do their best to emulate the real site they’re faking. For most, that includes using a secure HTTPS connection. A few years ago, when Sophos encountered a secure but fraudulent page, it would display a browser error page with a pop-up notification to explain the issue. More recent versions handle secure and nonsecure frauds exactly the same, by displaying the High Risk Website warning and identifying the problem as Phishing & Fraud.
Sophos aced this test, with 100% protection, joining nine competitors in the winners’ circle. Other apps that scored 100% include Avira, McAfee AntiVirus Plus, and Webroot Essentials.
Ransomware Protection
In theory, regular malware scans and real-time antivirus protection should prevent ransomware attacks, just as they prevent other malware infestations. However, the consequences of missing a brand-new ransomware sample are more significant and permanent than other types of malware. Even if your antivirus gets an update that wipes out the zero-day ransomware ten minutes after the attack, your files are still encrypted and useless. That’s why Sophos, like many competitors, offers a dedicated ransomware protection component.
In testing, real-time antivirus protection eliminated all my ransomware samples, as expected. To simulate attacks by zero-day ransomware that evades typical protections, I disabled the real-time component and restored my ransomware sample folder. I then started releasing a dozen real-world ransomware attacks, one at a time, on the virtual machine test system.
Sophos detected and terminated all but one of my file-encrypting ransomware samples—the odd man out wasn’t detected because it didn’t take any action during the test. The defensive behavior proved quite different from regular real-time antivirus, taking over the whole screen to announce its findings rather than just using a transient pop-up. It detected some samples immediately on launch, but in other cases, the ransomware ran for several minutes before exhibiting the dangerous behavior that triggered detection. Two of the samples encrypted two files apiece before being nabbed, and a third managed to encrypt more than 40 files. But in every case, these were low-interest ancillary files, just logs and such.
In addition to those file-encrypting samples, I have a couple that act on the whole drive. One encrypts the drive and demands ransom, while the other is a blunt instrument that just wipes the drive completely. The Master Boot Record Protection feature clearly did something, because after each ransomware attack forced a reboot, the malicious code did not run on reboot.
Things weren’t totally rosy, though. The damaged system opened to the Boot Manager screen, giving me a choice. I could reinstall Windows (and lose my files) or repair the PC (which didn’t work). My contacts at Sophos managed to duplicate the problem, which was caused by some adjustments they made to avoid blocking normal activities, such as disk formatting. An update due in June will restore the expected behavior, meaning Sophos will stop the ransomware and leave the disk intact. Had ransomware disabled a production PC in this way, I could still have recovered the files by mounting the hard drive in another computer.
I've occasionally encountered ransomware protection systems that suffer a window of vulnerability during the boot process, allowing ransomware launched at boot time to do its dirty deeds before the ransomware protection system kicks in. I tested Sophos by configuring some real-world ransomware samples to launch at startup. It had no trouble preventing the attacks.
My testing aims to simulate a scenario in which the real-time protection system missed a zero-day ransomware attack. Confronted with real-world file-encrypting ransomware samples, without the help of real-time antivirus protection, Sophos caught them all before they could do any harm. That suggests it would also handle those pesky zero-day ransomware attacks.
Parental Content Filter
Like Sophos Home Premium for Mac, this antivirus comes with a very simple parental control content filter. To configure it, you log in to the online console and choose the Web Filtering tab. Filtering is per-device; there's no option to filter for one user account and not others. And you won’t find screen time control or any other parental monitoring features.
The filtering page lists 28 content categories organized into three groups: Adult & Potentially Inappropriate, Social Networking & Computing, and General Interest. For each category, you can configure Sophos to block or allow access.
There’s no preset system based on age, and no categories are blocked by default. If you choose to use this feature, be sure to block the Proxies & Translators category. Otherwise, your clever teen could totally evade the content filter using a secure anonymizing proxy.
In testing, the content filter blocked all the naughty sites we tried, and it didn't fall to a three-word network command that defangs some outmoded parental control systems. As with its blocking of dangerous and fraudulent sites, Sophos now handles secure HTTPS pages the same as non-secure pages. That is, it displays a Website Blocked page along with the category that triggered blocking.
I mentioned earlier that filtering out dangerous pages works in most browsers, but not all of them. That’s no big deal if you use a browser that’s even minimally popular. However, this lack of true browser independence becomes a problem for parental content filtering. All your kid needs is an unsupported browser, and the parental content filter becomes useless.
You might get some benefit from this content filter if all you want is to shield a very young child from encountering the sleazy side of the internet. A child who objects to parental control and monitoring will have no trouble getting around it, though. Yes, this is a bonus feature, not a central antivirus component, but I'd still like to see it either improved or removed.
Protection Against Exploit Attacks
Some malware coders spend their days analyzing and reverse-engineering operating systems and popular applications, looking for programming errors that leave holes in your security. As soon as they start to exploit those holes, the designers of the victim app or OS get busy patching. However, until you install the resulting patch, your systems are vulnerable to attack. Sophos aims to block these exploits directly, with special protection for common victim apps.
On the Exploits tab, you find panels for Exploit Mitigation, Protected Applications, and Risk Reduction, along with a few more arcane settings. Exploit Mitigation and Risk Reduction are enabled by default, with the option to dig into advanced settings. Those advanced settings include which apps Sophos should protect and which sneaky maneuvers it should block. Just leave those settings alone; they come configured for maximum protection.
Exploit protection is more commonly included in a firewall within a security suite. Bitdefender, Norton, and Sophos are among the few antivirus products that offer anti-exploit protection. To test this feature, I rely on 30-odd exploits generated by the CORE Impact penetration testing tool, targeting Windows itself and popular apps.
Sophos didn't detect exploits at the network level, but the real-time protection component blocked 18% of the malicious payloads, reporting Malicious Content Detected. That’s better than McAfee’s 14% but a good bit lower than the 29% reached by ESET and Norton. Do note that the test system is fully patched, so missed exploits couldn't do any harm.
Overall, scores on this test have been declining. The current top scores are 55% for G Data Antivirus and 53% for Bitdefender. But once again, missed exploits can’t harm the fully patched test system.
The tools managed on the Exploits page are among the most complex in this app. Fortunately, you don't have to understand them to benefit from their efforts. Just leave them alone to do their work.
Safe Online Banking: Not What You Think
Web Protection prevents access to malicious and dangerous websites, and Download Reputation scoring helps keep you away from files that, while not definitively malicious, have troublesome traits. You can find settings for both by selecting Protection, then clicking the Web tab.
Bitdefender and a few others offer browser protection to isolate your financial transactions from other processes, thereby preventing data theft. Safe Online Banking, also found on the Web tab, simply checks for browser compromise when you visit sensitive sites. I assume it works; I don't have a way to compromise a browser for testing.








