Sophos endpoint protection introduced a feature in version 9.5 called "Web protection". This feature is a real-time URL monitoring and filtering service run from the endpoint itself. Sites are checked against the cloud-based database for safety before the browser is allowed to open the site. As another layer, downloads are scanned. This protection is complementary when the machines are in your corporate network behind your web access protection mechanisms, but it becomes really important when the laptops leave the office.
Malicious sites are one thing, but compromised, legitimate sites are another. Often code is injected into these sites that links the browser to a secondary malicious site that contains the actual malware. The original site that you actually intended to visit is the referring site.
The feature is either on or off. The setting is configured in the Antivirus and HIPS policy from the administrator console. You enable the feature by turning "ON" the block malicious websites setting.
When the browser attempts to open a compromised site, the site will be blocked and a message will be rendered in its place.
When these blocks occur, the events are also logged and synced back to the management console.
It is often very interesting and worrisome to see what the referral sites are.
The feature may seem redundant for corporate desktop machines, but for portable PCs and Macs it is definitely worthwhile turning on, especially since the service runs in the background whether you have the Block sites setting turned on or off...