Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 6 subscribers
  • Views 782 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Controlling of Intercheck

St0n3

Is there anyway to see on which file Intercheck is working right now?

Cause sometimes Intercheck running at 50-70% over minutes, sometimes it seems to be hours (when I leave the house and the Mac is still running).

There have to be a log or a terminal command to get this information, or not? Maybe I was to blind to find this command or log, then I hope you can help me :-)

:1009774


This thread was automatically locked due to age.
Parents
  • 0

    The command to use to see what files a process has open is "lsof"

    You'll want to use Activity Monitor or the "ps" command to get the PID (process ID) of InterCheck (might as well get the PIDs for other Sophos processes as well -- in Activity Monitor, you can search for Sophos to list the rest).

    Once you have the PIDs for the processes you want to monitor, use the following command:

    "lsof -r -p nnn,nnn,nnn" where -r keeps it looping looking for open files, -p tells it to only list the following PIDs, and "nnn,nnn,nnn" is a list of comma-delimited PIDs you want to monitor.

    You can also take off the -r and put "> openfiles.txt" at the end to write a single check for open files to a text file called "openfiiles.txt" in the current working directory.

    I generally find that scanning goes by so fast that lsof doesn't show any open files.

    Another tool you could use is a tool called FSEventer, which will generate a real-time graph of filesystem events as they happen, and helpfully shows which files were accessed but are no longer being accessed.  It is graphical, and has a lot of filter possibilities.

    It also doesn't necessarily catch files that are opened and closed before the program gets its turn looking at the event queue, so it may not find files opened by Intercheck either.  It will list any that are open for any length of time, however -- which appears to be what you're looking for.

    :1009782
Reply
  • 0

    The command to use to see what files a process has open is "lsof"

    You'll want to use Activity Monitor or the "ps" command to get the PID (process ID) of InterCheck (might as well get the PIDs for other Sophos processes as well -- in Activity Monitor, you can search for Sophos to list the rest).

    Once you have the PIDs for the processes you want to monitor, use the following command:

    "lsof -r -p nnn,nnn,nnn" where -r keeps it looping looking for open files, -p tells it to only list the following PIDs, and "nnn,nnn,nnn" is a list of comma-delimited PIDs you want to monitor.

    You can also take off the -r and put "> openfiles.txt" at the end to write a single check for open files to a text file called "openfiiles.txt" in the current working directory.

    I generally find that scanning goes by so fast that lsof doesn't show any open files.

    Another tool you could use is a tool called FSEventer, which will generate a real-time graph of filesystem events as they happen, and helpfully shows which files were accessed but are no longer being accessed.  It is graphical, and has a lot of filter possibilities.

    It also doesn't necessarily catch files that are opened and closed before the program gets its turn looking at the event queue, so it may not find files opened by Intercheck either.  It will list any that are open for any length of time, however -- which appears to be what you're looking for.

    :1009782
Children
No Data