Problems with Sophos Mac Antivirus Home Edition

I have been evaluating Sophos with the intention of buying a 5 license version of the small business edition.  However, somehow I ended up downloading the free version of the home edition rather than the small business edition.

I've had various problems - firstly, running it on my 2011 MacBook Pro, which has a 7200 rpm hard drive and only 260 of 670 GB used, the disk scan seems to take forever (in the realm of 24 hrs to get halfway).  This was with the Mac set to never sleep.

When I did on a repeat attempt tell the Mac to sleep the file count didn't reduce after waking.

I also had an issue where it found a trojan in an email attachment (from an email I had sent for analysis) - it couldn't remove the file and told me to remove it manually, which I did (using Time Machine to select delete all backups of that file).  However, after that the scan file count didn't go down at all.  I also found that after quitting Sophos Antivirus and relaunching it, it still told me there was a trojan - I checked, it was gone, trash was empty, I cleared the item from the quarantine list, quit and relaunched, and it was back again.

Looking in the logs, the most recent items it was scanning were items I started to download but then cancelled - and it reported them as being corrupt (and perhaps this was causing it to get stuck or run very slowly???).  There certainly shouldn't have been anything suspicious about those files as they were 1) Lion installer from the Mac app store and 2) the Windows trial version of Sophos that I had accidentally started downloading on my Mac instead of within VMWare fusion.

Now - given that I was trying to evaluate this software to buy, I'm not very impressed at all with its lack of stability.  The last time I ran antivirus was when Apple included VirusBarrier X5 with .Mac subscriptions. That used to crash my Mac, so I removed it and haven't used antivirus software on my Mac since (I have successfully used McAfee Total Protection in Windows).

I contacted support at Sophos - and despite repeatedly asking if (apart from the licensing terms) there was a difference between the Mac SBE and Mac Home Edition - none of the replies would confirm or deny this.  If the Mac SBE is effectively the same, then I can assume that these problems would be faced with the paid version too.  They also said I would have to come to these forums to get support (even though I made it clear I was trying to evaluate the software in preparation for purchasing it for 5 machines).

This testing was on my MacBook Pro - which has a relatively clean recent installation of everything, and has nothing too critical on it.  My first experiences of Sophos means there is no way I'd even want to test it on my Mac Pro.

Unfortunately, we need antivirus software for PCI compliance, and McAfee Total Protection isn't up to standard because it only keeps 30 days of scanning logs.

Basically writing this here because at least it seems that Sophos do monitor these forums - so even though my initial experiences have been quite bad (I didn't even mention the fact that while installing Sophos in VMWare Fusion/Windows XP while running the Disk Scan in Mac OS it caused my Mac Pro to completely freeze) - maybe these are issues that with the right support and bug fixes could be fixed?

Thank you for being so thorough in outlining your issues on these forums.  You likely were having problems with Support because they are set up to handle support of our SBE product only.

The "forever scan" issue has cropped up for a number of users; this seems to be linked to scanning of specific kinds of large archives/Boot Camp partitions.  If you turn off archive scanning, the problem will go away (but you also won't have scanned inside archives).

It sounds like most of your issues are archive-related -- when the scanner hits a large archive, the file count won't go down until after it has fully extracted and scanned all archive contents and is ready to move on to the next item.  For large archives, this can take a very long time, as the scanner is configured to let you get on with your usual work while it scans in the background.  I will flag up the sleep/wake aspect just in case there is some further issue there.  In my own testing, I have not had problems interrupting a scan with a sleep/wake cycle.

The email attachment issue is due to file caching -- even though the original files were fully removed, the OS caches the files from many applications, including Mail -- resulting in the attachment still existing in the Caches folder (it should indicate that it is at that location, however).  The Quarantine list is real-time, so the files should vanish from the list when the cache is purged, even without quitting and relaunching.

The installers you mention would definitely cause a slowdown if you have archive scanning enabled, as the Lion installer is a package archive with multiple levels of archives and disk images inside -- this will take a while to unpack and scan at the best of times, and if it's a partial file, the scanner will attempt to do its best with the parts it can find.  However, the scanner will drop that file and flag an error (which it sounds like it did) as soon as it hits an issue it can't resolve.

From your comments, I take it you're currently running the software on Snow Leopard?

One of the best suggestions I can make re: stability and speed is to disable scanning in archives and compressed files for on-access scans.  This does reduce security slightly, but also prevents actions happening which can cause the majority of performance and stability edge cases.  Unfortunately, these issues will always exist when handling archives; fixing them would result in decreased accuracy/security surrounding scanning of archives (which means, fixing the issue would likely result in archives not getting thoroughly scanned in the first place, removing much of the benefit of enabling such scans).

There are differences between the Home Edition and SBE, but most of those have to do with the interface/reporting/control side -- features are missing from the Home Edition -- the underlying AV engine is the same.  How this affects the issues you have been experiencing is unknown, until we isolate what part of the product is causing your issues.

I'm glad you turned to these forums instead of giving up after your initial negative experiences -- hopefully we can resolve your issues both with the Home Edition and with the SBE offering.  I'd recommend uninstalling the Home Edition and getting the SBE demo -- this will let you see how many of the problems are at the product level and how many are issues with how the underlying engine is functioning.  Plus, support will be able to handle your calls appropriately.

One rule of thumb with AV software: never run two scanners at the same time -- they will almost always conflict.  Sophos does have a product specifically for deploying to VMs which would work in the situation you've outlined; running an end-point scan on the same physical data that you're taking control of with another on-access scanner is a recipe for lock-ups, kernel panics and blue screens.  Pausing your scan while running your VM would likely have prevented the issue.

One last bit of advice: if you do end up trying the SBE offering, these forums are still a great resource for searching for similar problems and solutions to the issues you are facing, as a portion of the product (including detection engine and data) is nearly identical.  I'd also recommend a read through the other issues and solutions presented in these forums as part of your product review -- that way, you will be more equipped should issues arise with the SBE offering.
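The reply explains two scanner behaviours that puzzled the original poster: the remaining-item count only drops once every nested member of an archive has been examined, and a partial download is flagged as corrupt and dropped rather than retried. The following Python is an added illustration written for this page; it is not Sophos code and makes no claim about how the Sophos engine is implemented. It models a recursive archive walk with the trade-off the reply describes: a nesting-depth limit and a per-item decompressed-byte budget (both assumed values) bound the work spent on one archive at the cost of not looking inside what lies beyond the limit. The nested and truncated zip files are constructed in memory so the script runs offline.

```python
"""Bounded recursive archive walk (constructed example, not Sophos code)."""
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class ScanReport:
    files_examined: int = 0                  # every blob looked at, nested ones included
    errors: list = field(default_factory=list)
    remaining_items: int = 0                 # top-level items still to be retired


@dataclass
class _ItemBudget:
    """Limits that apply to one top-level item and everything nested in it (assumed values)."""
    max_depth: int
    max_bytes: int
    bytes_used: int = 0
    exhausted: bool = False


def is_zip(data: bytes) -> bool:
    """Cheap signature check: a zip with members starts with a local file header."""
    return data[:4] == b"PK\x03\x04"


def scan_blob(name: str, data: bytes, depth: int, budget: _ItemBudget, report: ScanReport) -> None:
    """Examine one blob; descend into it when it is an archive and the budget allows."""
    if budget.exhausted:
        return
    report.files_examined += 1
    budget.bytes_used += len(data)
    if budget.bytes_used > budget.max_bytes:
        # Give up on the whole top-level item rather than unpack without bound.
        budget.exhausted = True
        report.errors.append(f"{name}: byte budget exceeded, item dropped")
        return
    if not is_zip(data):
        return                               # a real engine would match signatures here
    if depth >= budget.max_depth:
        report.errors.append(f"{name}: nesting limit reached, not unpacked")
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                scan_blob(f"{name}/{info.filename}", zf.read(info), depth + 1, budget, report)
    except zipfile.BadZipFile as exc:
        # Truncated or partial file: flag an error and move on, as the reply describes.
        report.errors.append(f"{name}: corrupt archive ({exc})")


def scan_items(items: dict, max_depth: int = 3, max_bytes: int = 1_000_000) -> ScanReport:
    """Scan a mapping of top-level path -> bytes. The remaining count is only
    decremented after an item's entire nested tree has been handled."""
    report = ScanReport(remaining_items=len(items))
    for name, data in items.items():
        scan_blob(name, data, 0, _ItemBudget(max_depth, max_bytes), report)
        report.remaining_items -= 1
    return report


def make_zip(members: dict) -> bytes:
    """Build a small zip in memory from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed inputs: a plain file, a three-level nested archive standing in for
    an installer package, and the first 60 bytes of that archive as a cancelled download."""
    inner = make_zip({"readme.txt": b"hello"})
    middle = make_zip({"inner.zip": inner, "notes.txt": b"n"})
    outer = make_zip({"middle.zip": middle})
    return {
        "plain.txt": b"plain data",
        "installer.pkg.zip": outer,
        "partial-download.zip": outer[:60],   # header intact, no end-of-archive record
    }


if __name__ == "__main__":
    for label, kwargs in [("default limits", {}), ("depth 2", {"max_depth": 2}), ("100-byte budget", {"max_bytes": 100})]:
        rep = scan_items(build_samples(), **kwargs)
        print(f"{label}: examined={rep.files_examined} remaining={rep.remaining_items} errors={rep.errors}")
```

With the default limits the nested installer is fully unpacked (outer, middle, inner, and two leaf files count as five examined blobs) while the truncated copy is reported as corrupt; lowering the depth limit to 2 stops short of the innermost archive, and a 100-byte budget drops the installer outright. This is the knob the reply calls disabling archive scanning, seen from the scanner's side.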