Let me put it this way... At an old job, they had standardized on Sophos probably because it was one of the only AV programs that has a Mac and PC version. Pretty much everyone in the IT department thought it was a turd to put it rather diplomatically, and apparently on some conference call with Sophos and someone I worked with, even Sophos reps admitted it was a poor product.
And on a Mac, you really don't need an AV program... Yet. There are some ominous clouds on the horizon, but they don't seem to be moving terribly quickly.
One of the latest trends in the world of ne'er do wells is to try and exploit cross platform runtimes like Java and Flash. Ever since Adobe took over Macromedia and inherited Flash, security seems to be job 524. Flash and Acrobat seem poised to give Internet Explorer 6 a run for its money as the most exploited programs around.
But in your case, I'm going to go with the most likely scenario being Sophos is giving false-positives. Or it's reporting things like tracking cookies. I'd say get rid of the worthless POS, and don't bother replacing it with anything else. Every one is either trying to upsell you on the paid version or convince you to keep your subscription up to date, so they tend to be a bit misleading when it comes to just how serious something is.
Keep an eye on the situation, because some day it's bound to change and you'll actually need an AV program on Mac OS X, but for now don't waste your time or money on them, least of all Sophos.
CNET just advertised Sophos free antivirus edition. I actually installed this program and ran it. True, it is slow (about 1.5 hours to scan 500,000 files but it did not stall as one user reported. What it found (the other programs did not) was three Torjans and two spyware/malware "things". I can't call them programs because they are listed as documents. The interesting thing is that they all resided in a Java 6.0 cache folder. This update was recently installed through software update on an Intel MacBook Pro running 10.6.4. True, they are all listed as Windows Trojans/malware. But still, does Java really install malware or is it just something that Sophos engine took for such?
Anybody sharing this experience? Would be most grateful for informed comments.