Script to turn On-Access scanning off/on

Hi folks

Can anyone help me with a script to stop or start the InterCheck process on a Mac?

In short, I'm wanting to script On-Access Scanning to be off at the start of a backup (to improve performance) and restart when the backup finishes.

Thanks in advance

Georgia

:1002115


This thread was automatically locked due to age.
  • Just remember that stopping the InterCheck process is exactly what malware would like to do... it's why you need to authenticate to stop it manually.  Writing a script to do this unattended might not be a good idea.  Also, you probably don't want to disable the InterCheck process, as that controls autoupdates as well as on-access scanning.  Plus, it's self-healing (terminating the process won't help).

    That said, as long as your backup script is sudo'd, it should be possible; you can use the AppleScript suite to script the on-access component.

    :1002127
  • Hi, I also need to temporarily disable on-access scanning while a Mac OS X backup software (SuperDuper) runs to clone the hard drive because when Sophos detects a virus, it locks access to the file, the backup app retries, then aborts the whole backup. So the backups are not completing. This is terrible. I have to choose between virus protection and backups.

    It is more important to us to have a good backup, than to not backup infected files. I am OK with backing up infected files. We can run an AppleScript before & after the backup, so a good workaround seems to be to disable on-access scanning, run the backup, then re-enable on-access scanning.

    What I need some help with is the correct syntax of the AppleScript or shell script.

    I have so far to enable Sophos On-Access Scanning:

    tell application "Sophos Anti-Virus"
        "On-Access Scanning Component(1)"
    end tell

    This will compile, but doesn't seem to do anything.

    From the AppleScript dictionary of Sophos Anti-Virus for Mac (Home version)

    On-Access Scanning Component n [inh. Component] : The On-Access component of the Sophos Anti-Virus product.
    ELEMENTS
    contains exclusions.
    PROPERTIES
    enabled (boolean) : Whether on-access protection is enabled for this computer. Note: setting this property requires authentication.

    I understand the risks of writing a script that includes authentication to temporarily disable the on-access scanning, but the only alternatives are to

        * never back up again, or
        * completely disable Sophos, or
        * only do attended backups, manually.

    None of which are very practical. It seems completely logical to disable on-access scanning while cloning the entire HD, and re-enable on-access scanning when the clone is complete. I can easily manually disable the On-Access scanning before I leave. The Backup script will run just fine, then the backup app can run an applescript to enable Sophos.

    If supported, it would also be acceptable if Sophos could log, but not disable access to an infected file. That would let the backup app continue without frustration. Moving the infected files is not a good idea, especially since all or most are within Apple Mail, and moving those would harm the integrity of the Mail database.

    What is the correct syntax for an AppleScript (or alternate) to enable or disable Sophos On-Access Scanning?

    Thanks,

     Dave Nathanson

     Mac Medix

    :1014065
  • Have you tried

    tell application "Sophos Anti-Virus"
       set "On-Access Scanning Component" to false with administrator privleges
    end tell

    ?

    :1014067
  • Hi Andrew, Thanks for your reply.  I pasted your example into AppleScript Editor, but it will not compile. (See attached photo)

    The error message is "Syntax Error   A administrator:true can’t go after this false."


    Then I also tried:

    tell application "Sophos Anti-Virus"
       "On-Access Scanning Component(0)" with administrator privleges
    end tell

    and received a compile error saying:

    Syntax Error:

    A administrator:true can’t go after this On-Access Scanning Component(0).

    It seems we are close! 

    :1014069
  • Disclaimer: Use at your own risk!

    I know of this...

    do shell script "launchctl unload -w /Library/LaunchDaemons/com.sophos.intercheck.plist" with administrator privileges

     Changing the 'unload' to 'load' reverses the process.

    :1014133
  • I found another way to get my backups done without interference from AV, and without giving up on AV. I used a Macro app: Keyboard Maestro instead of AppleScript to disable Sophos AV during backups.
    See attached screen photo (below) of my Keyboard Maestro script that will disable Sophos AV for Mac On-access Scanning.

    This script is triggered by launching the backup app, or by a keystroke, or by running an AppleScript or shell script to call KM & tell it which script to run. I would use AppleScript calls directly to Sophos except that I don't know how. If you search the Sophos Forums you’ll see a few similar requests left unresolved.


    Anyway, I’ve found a number of uses for Keyboard Maestro, so even though it is not free, it is well worth the minor price they charge for it. And there is a vibrant KM support community. Fun & powerful tool but most importantly, able to resolve the problem.

    I made a second, similar KM script to re-enable On-access Scanning which the backup app can activate when it is finished backing up.

    The only difference is the Start or Stop button, which I needed to identify by graphic appearance. Because of the non-standard way it was programmed, it is not identifiable by button label.

    Because this is automated, you’ll need to save an admin username & pw in the script in cleartext. That needs to be your call, balancing your need for security against being able to run both Anti Virus and run a backup that doesn’t lose access to the disk due to AV locking files. Anyway, this is going to work for me, and I wanted to let you all know one way how to disable Sophos Anti Virus for Mac via script. And how to re-enable it again. I'm sure there are other ways too. I wanted to report back to the group so that this problem will not be left unresolved.

     I hope you find this helpful.

    I wrote about the problem & resolution in more detail:

    http://www.nathanson.org/davesays/2013/how-to-disable-sophos-av-on-access-scanning/

     
    Best,
    Dave Nathanson
    Mac Medix

    Keyboard_Maestro_Script_to_disable_Sophos_Mac_On-access_Scanning.jpg  Keyboard_Maestro_Script_to_ENable_Sophos_Mac_On-access_Scanning.jpg

    :1014143
  • Thanks Ruckus ! That is very efficient! And importantly, it works!

    It does however seem to require manual intervention to enter an admin username & password. I'll pursue this some more, as there must be a way to authenticate within the shell script. It's just not my area of expertise.... Yet.  :-)

    :1014145
  • Hi,

    Also "Use At Your Own Risk!"

    An administrator's password can be used in a shell script.  So in your example:

    do shell script  "echo <password> | sudo -S launchctl unload -w /Library/LaunchDaemons/com.sophos.intercheck.plist"

    Hope that's useful.

    :1014149
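
Added example, not written by any poster in this thread and not Sophos code: a wrapper around the launchctl commands quoted above that pauses on-access scanning for exactly one backup command and always reloads it afterwards, including when the backup fails or is interrupted. It assumes the script is started as root (for instance from a root-owned scheduled job), so no administrator password is stored in it; the function names and the LAUNCHCTL override are hypothetical.

```shell
#!/bin/sh
# Added example: keep the scanning gap as short as the backup itself.

# Plist path as quoted in the thread.
PLIST="/Library/LaunchDaemons/com.sophos.intercheck.plist"
# Overridable so the logic can be dry-run with a stub (assumption, for testing).
LAUNCHCTL="${LAUNCHCTL:-launchctl}"

resume_scanning() {
    # load -w also clears a persistent "disabled" flag left by an
    # earlier "unload -w".
    "$LAUNCHCTL" load -w "$PLIST"
}

run_with_scanning_paused() {
    # With the real launchctl, refuse to run unprivileged rather than
    # prompting for, or reading, a stored password.
    if [ "$LAUNCHCTL" = "launchctl" ] && [ "$(id -u)" -ne 0 ]; then
        echo "run_with_scanning_paused: must be started as root" >&2
        return 77
    fi
    (
        # Subshell scopes the traps to this run. The EXIT trap fires on
        # normal exit, on failure, and after the signal trap below.
        trap 'resume_scanning' EXIT
        trap 'exit 130' INT TERM HUP
        # No -w here, unlike the command in the thread: the pause is not
        # recorded persistently, so a reboot mid-backup restores scanning.
        "$LAUNCHCTL" unload "$PLIST" || exit 70
        # Run the backup command; its exit status becomes the result.
        "$@"
    )
}

# Usage (the backup command itself is whatever your backup tool provides):
#   run_with_scanning_paused /path/to/backup-command --its-options
```

The wrapper returns the backup command's own exit status, so a scheduler can still tell a failed backup from a successful one.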