Sophos and Time Machine - does Sophos 'touch' files?

I'm running Sophos 8.0.10C on ML 10.8.2.  My Time Machine backups suddenly became massive recently; not every time, but on at least 3 occasions in the last week, it backed up over 20GB of data.  I ran TimeTracker to discover what it was up to, and found that it was backing up what appeared to be every executable file on the system - all the apps, all the stuff in /sbin and so forth.  While it's possible a few have changed through updates, there's no way the whole **bleep** lot need to be backed up.
My immediate thought was that some process was 'touching' those files so that, as far as the file system is concerned, they've been modified and require backup.  It is worth noting that I think this has happened when either I've had to force the system to reboot or when the Sophos real-time scanner has gone away.  The two first occasions roughly correlate to situations where the system progressively locked up for reasons I have not yet fathomed.  The most recent huge backup, this morning, was not associated with the same type of event - instead, the Sophos UI server was killed (9) by launchd late yesterday, then the on-access kext was unloaded.  I wasn't sure how to reactivate it, but it came back this morning when I woke the system - then Time Machine did its monster backup.

My thought process is:  since AV scanners tend to concentrate on executables, I was wondering if some part of the Sophos suite might be the culprit.  If the Sophos suite gets munged in some way while it's doing its normal business, does that leave it in an 'indeterminate' state?  Is its first action to run around checking that nothing has been messed with in its absence?  And do those checks result in file system states changing, triggering an apparent need for Time Machine?

This is all speculation, but if I don't ask the question, I can't eliminate Sophos as at least a contributor to the issue (questions about why I needed to force-boot and why the UI server got killed notwithstanding).

  • I did search, using a variety of search terms (e.g. "Time Machine", backup, large, touch, applications) in Advanced Search, and found only one relevant thread, which did not have any resolution. Presumably I am not picking the precise combination of keywords needed to pull up the correct threads. So while you are 'sure' I will find the information, I'm absolutely convinced I will not - well, not without reading every one of the thousand or so threads on this forum to see if something relevant is hidden somewhere in it.

    Since you assure me that there are lengthy discussions on the topic, presumably you know where they are - perhaps you could direct me to them?

  • OK, today it did another 21GB backup, and this time all I did was a normal reboot, so the issue isn't related to forced boots.

    Could someone give me an answer to the question?  I've crawled all over this forum and I can't see the answer anywhere, or anything related.  There's loads of discussion about Time Machine, but it's all about Sophos trying to clean viruses in TM backups.  That isn't my problem, so the many posts about it are not relevant.

  • I have the same problem and also cannot find any related information on the forums.

  • rbarkman wrote:

    Could someone give me an answer to the question?  I've crawled all over this forum and I can't see the answer anywhere, or anything related.  There's loads of discussion about Time Machine, but it's all about Sophos trying to clean viruses in TM backups.  That isn't my problem, so the many posts about it are not relevant.


    We read files when another program tries to access them. We also read files for the on-demand scan feature. We don't modify files (unless a cleanup action is performed) and we don't rewrite any of the metadata that Time Machine uses. It basically has the same system impact as Spotlight indexing does. A number of us use Time Machine and don't have the issues you are seeing. TimeTracker shows 153 MB for my most recent backup, and a long string of similarly-sized backups.

    The Apple support forums have many articles discussing this issue, and some of that information looks useful (the advice given seems to depend on your exact situation).

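
One way to test the question this thread asks, whether a process changes files rather than only reading them: record size, mtime and ctime for a tree before and after the activity, then diff the two records. This is an added example, not code from Sophos, Apple or any poster in the thread; the choice of those three attributes, the names `snapshot`, `diff` and `demo`, and the sample tree are all constructed for illustration.

```python
import os
import tempfile
import time

def snapshot(root):
    """Map each file under root to (size, mtime_ns, ctime_ns) without opening it."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable between listing and stat
            snap[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, st.st_ctime_ns)
    return snap

def diff(before, after):
    """Classify every path that differs between two snapshots."""
    out = {"added": [], "removed": [], "modified": [], "metadata_only": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            out["added"].append(path)
        elif path not in after:
            out["removed"].append(path)
        elif before[path][:2] != after[path][:2]:
            out["modified"].append(path)       # size or mtime moved
        elif before[path][2] != after[path][2]:
            out["metadata_only"].append(path)  # ctime only: chmod, chown, xattr
    return out

def demo():
    """Constructed sample tree: one file each is read, touched, rewritten, chmod-ed."""
    with tempfile.TemporaryDirectory() as root:
        paths = {n: os.path.join(root, n) for n in ("read", "touched", "rewritten", "chmod")}
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(b"x" * 64)
        before = snapshot(root)
        time.sleep(0.1)  # let the clock move past timestamp granularity
        with open(paths["read"], "rb") as f:   # what a read-only scan does
            f.read()
        st = os.stat(paths["touched"])
        os.utime(paths["touched"], ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        with open(paths["rewritten"], "wb") as f:
            f.write(b"y" * 128)
        os.chmod(paths["chmod"], 0o600)
        return diff(before, snapshot(root))
```

The file that was only read appears in no category, which is the behaviour the reply above describes for a scanner that reads but does not modify.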
  • It appears this is not a Sophos problem as such.  The issue appears to be a conflict between installd (an Apple process used to install new or updated apps) and backupd (which carries out Time Machine backups).  If the two of them happen to coincide at the wrong moment, installd causes backupd to think that it should not back up any of the folders (such as Applications, Library & System) that installd may be changing.  So they get deleted from the current backup - then the next backup realises they are missing, so backs up the whole lot.

    There is a mechanism that is supposed to stop this, but it doesn't work.  I've reported it to Apple, and am working with an engineer on the problem.

    The reason that Sophos gets implicated is that it updates its virus signatures as frequently as every hour (it will skip if there is no update). That means that installd is running much more frequently with Sophos than it would on a non-Sophos system.   Most of us only run the installer a few times a week. Doing it hourly significantly increases the chance of a conflict with backupd.  Sophos doesn't appear to be doing anything wrong; it's using a piece of Apple software that appears to have a bug.

  • Hi rbarkman,

    Thanks for the detailed explanation, that makes a lot of sense. Note that in version 9 we are moving away from Apple's installer subsystem (installd) for the home edition product, so this conflicting issue being triggered more often might decrease over time for everyone.
