Sophos and Time Machine - does Sophos 'touch' files?

I'm running Sophos 8.0.10C on ML 10.8.2.  My Time Machine backups suddenly became massive recently; not every time, but on at least 3 occasions in the last week, it backed up over 20GB of data.  I ran TimeTracker to discover what it was up to, and found that it was backing up what appeared to be every executable file on the system - all the apps, all the stuff in /sbin and so forth.  While it's possible a few have changed through updates, there's no way the whole **bleep** lot need to be backed up.
My immediate thought was that some process was 'touching' those files so that, as far as the file system is concerned, they've been modified and require backup.  It is worth noting that I think this has happened when either I've had to force the system to reboot or when the Sophos real-time scanner has gone away.  The two first occasions roughly correlate to situations where the system progressively locked up for reasons I have not yet fathomed.  The most recent huge backup, this morning, was not associated with the same type of event - instead, the Sophos UI server was killed (9) by launchd late yesterday, then the on-access kext was unloaded.  I wasn't sure how to reactivate it, but it came back this morning when I woke the system - then Time Machine did its monster backup.

My thought process is:  since AV scanners tend to concentrate on executables, I was wondering if some part of the Sophos suite might be the culprit.  If the Sophos suite gets munged in some way while it's doing its normal business, does that leave it in an 'indeterminate' state?  Is its first action to run around checking that nothing has been messed with in its absence?  And do those checks result in file system states changing, triggering an apparent need for Time Machine?

This is all speculation, but if I don't ask the question, I can't eliminate Sophos as at least a contributor to the issue (questions about why I needed to force-boot and why the UI server got killed notwithstanding).


This thread was automatically locked due to age.
  • OK, today it did another 21GB backup, and this time all I did was a normal reboot, so the issue isn't related to forced boots.

    Could someone give me an answer to the question?  I've crawled all over this forum and I can't see the answer anywhere, or anything related.  There's loads of discussion about Time Machine, but it's all about Sophos trying to clean viruses in TM backups.  That isn't my problem, so the many posts about it are not relevant.
