My review of SAV Mac HE & 4 issues

As a long-time Sophos user (in my former life, working for a Fortune 500 company or two), I was excited to see the free SAV announced for the Mac.

I installed it today, put it through its paces, found an (unexpected) piece of Windows spyware on my system, and came to some conclusions about the product.  I then wrote it up in an article on my blog.

Clean sweep:

 http://aaron.sakovich.org/blog/pivot/entry.php?id=637

My issues boil down to the following:

  1. Progress bar during installation does not start off accurately.
  2. Putting a "Remove" app in the Application folder is annoying.  Everyone else leaves it in the .dmg; hopefully, I'll never need this app!
  3. A quarantined item with a long path name can wind up being obfuscated -- SAV puts an ellipsis in the path; if you must manually remove this file, you've got to pull the info out of the log file or search for the file name manually -- you can't glean the needed info from the quarantine window right in front of you!
  4. After removing the Windows spyware from my email, I later got an alert from SAV that it had found it again -- this time in my Time Machine backup.  My TM disk resides on a network server; what happens to the sparsebundle when TM tries to prune that infected email out of my backup, and SAV flags it as quarantined?  Will my sparsebundle get corrupted?

That's it, though.  I love the product, and applaud Sophos for releasing this!!!  THANKS!

Aaron



This thread was automatically locked due to age.
  • I have basically the same question: is it safe to clean up viruses/malware found on a Time Machine backup? To my understanding, files on Time Machine shouldn't be messed with...?

  • Based on this guy's experience, I would be very afraid of letting Sophos anywhere near your backups: 

    http://recoveringphysicist.com/17/did-sophos-free-a-v-for-mac-kill-my-time-machine-backups

  • After reading this article I checked my Time Machine backups, which went back to Dec 2009; now it is showing April 2010. Thanks, Sophos, for destroying 3 months of backups. Removing now and will take my chances, as I have been for 20 years of running Macs in a corporate environment. Proof that nothing is free!

  • Yeah, as I suspected, letting any program other than Time Machine into a Time Machine backup is a Very Bad Idea.  Given that the sparsebundle is a complex combination of data and metadata, dorking around inside it is redonculously problematic.

    If any AV package ever says it found something bad in a Time Machine backup, just say thankyouverymuch, but DON'T dork with it.  It can't hurt you from therein, as it would have to be restored to your system to be infectious -- and we all know the realtime component of SAV will prevent it from being restored.

    Thanks for the link!


  • karmaworld wrote:

    After reading this article I checked my Time Machine backups, which went back to Dec 2009; now it is showing April 2010. Thanks, Sophos, for destroying 3 months of backups. Removing now and will take my chances, as I have been for 20 years of running Macs in a corporate environment. Proof that nothing is free!


    Are you sure that wasn't just normal database pruning going on?  Selectively deleting old backups from TM is not the expected failure mode of how such a program would corrupt your backup.  You would much more likely see what the good doctor saw in his blog post -- a complete loss of ALL your TM.

    Time Machine will prune your backup.  SAV doesn't have the intelligence to do such.


  • Alphaman wrote:
    … My TM disk resides on a network server …

    … Time Machine backup … sparsebundle is a complex combination of data and metadata …

    … Selectively deleting old backups from TM is not the expected failure mode of how such a program would corrupt your backup.  You would much more likely see what the good doctor saw in his blog post -- a complete loss of ALL your TM.

    Time Machine will prune your backup.  SAV doesn't have the intelligence to do such.


    All true to the best of my knowledge, but I can think of at least three different Time Machine destination/target environments — one of which does not involve a .sparsebundle — and an obscure bug (not yet reported in the Home Edition area) that causes a volume unrelated to TM to be unexpectedly ejected — so I think it'll be prudent to separate the SAV versus TM puzzles into a separate topic. 

    Any objections? / Watch this space …

  • I have just installed SAV on my Mac - also a long-term Sophos user at work - ran the scan and a couple of PC-specific malware files were found and cleaned - but ALL of my Time Machine backups on the Drobo have gone!

    I am not sure installing SAV was such a brilliant idea - I just wish there had been a Read Me file warning of the issues.
