New user several questions

First, for the automatic update interval, how is the time calculated? Is it ordinary chronological time, or is it actual computer running time. For example, if I select automatic updating for daily, with the last update having occurred at 9 AM Tuesday, will the next update happen at 9 AM Wednesday, provided the computer is not sleeping at that moment. Or will it need 24 hours of actual computer running time, which might not happen if the computer is sleeping for extended periods perhaps until several days later?

Second, I ran Sophos (9.0.8) yesterday booted from a 10.6.8 partition on an external drive. It calculated something like 1,900,000 files/folders to scan. The 10.6.8 boot volume was only around 701,000. The other volume on that drive, a 10.8.5, is around 607,000, which, if Sophos was scanning both, still comes nowhere near close to the total Sophos calculated. If I add in the internal 10.6.8 volume, the total is a figure around 2,001,000, still not the 1,900,000 I saw, but more plausible. Was it scanning all three volumes? I am very puzzled about the number of files Sophos calculated. Naturally, this scan took far longer than intended.

Finally, although I logged in to my admin user in order to run the scan, I am normally running out of a standard account for security. So, of course, there I could see that my admin user was out of bounds. But from the standard user, I ran a shell script which opened Sophos with root privileges (do shell script "/Applications/'Sophos Anti-Virus.app'/Contents/MacOS/'Sophos Anti-Virus' > /dev/null 2>&1 &" with administrator privileges). When I opened Sophos that way, I was able to see the other user, but I still got the notice that I was running using "current privileges." Not sure why that didn't disappear when opened as root, but what I wonder is, since that notice didn't disappear, if running as root will have the necessary privileges needed to scan all system files, and if anything is found, will I be able to "clean" that infection--should it really need to be cleaned? I would not like to have to log in to my admin account in order to do either of those, completely scan all system files, and clean, when necessary.


  • Surely, someone can answer these questions. Btw, I discovered that running standard or as root, I was able to clean the eicar.com malware test file (http://en.wikipedia.org/wiki/EICAR_test_file) which I had installed in /System/Library, as a test.

    I am particularly interested in knowing if running with admin privileges out of the shell script, given above, will for all intents and purposes, be the equivalent of running logged in to my admin account, at least for my user. And when one hits "Scan this Mac." does that mean Sophos will scan all partitions, and any attached (and mounted) drives?


  • brvx wrote:

    First, for the automatic update interval, how is the time calculated? Is it ordinary chronological time, or is it actual computer running time. For example, if I select automatic updating for daily, with the last update having occurred at 9 AM Tuesday, will the next update happen at 9 AM Wednesday, provided the computer is not sleeping at that moment. Or will it need 24 hours of actual computer running time, which might not happen if the computer is sleeping for extended periods perhaps until several days later?


    It's "clock time" not time running on the computer. Your example of 9AM Tuesday and 9AM Wednesday is correct.


    brvx wrote:

    Second, I ran Sophos (9.0.8) yesterday booted from a 10.6.8 partition on an external drive. It calculated something like 1,900,000 files/folders to scan. The 10.6.8 boot volume was only around 701,000. The other volume on that drive, a 10.8.5, is around 607,000, which, if Sophos was scanning both, still comes nowhere near close to the total Sophos calculated. If I add in the internal 10.6.8 volume, the total is a figure around 2,001,000, still not the 1,900,000 I saw, but more plausible. Was it scanning all three volumes? I am very puzzled about the number of files Sophos calculated. Naturally, this scan took far longer than intended.


    If you are scanning a whole volume, we ask the operating system for the number of files on that volume. If you select a group of folders to scan, we go count them ourselves. The operating system doesn't lie, but there are many more files on your disk than what Finder shows you. For example, the Finder normally hides /usr on your boot volume. On my MacBook Air, using the "find" command line tool, I see there are 2,9315 files in the /usr directory.


    brvx wrote:

    Finally, although I logged in to my admin user in order to run the scan, I am normally running out of a standard account for security. So, of course, there I could see that my admin user was out of bounds. But from the standard user, I ran a shell script which opened Sophos with root privileges (do shell script "/Applications/'Sophos Anti-Virus.app'/Contents/MacOS/'Sophos Anti-Virus' > /dev/null 2>&1 &" with administrator privileges). When I opened Sophos that way, I was able to see the other user, but I still got the notice that I was running using "current privileges." Not sure why that didn't disappear when opened as root, but what I wonder is, since that notice didn't disappear, if running as root will have the necessary privileges needed to scan all system files, and if anything is found, will I be able to "clean" that infection--should it really need to be cleaned? I would not like to have to log in to my admin account in order to do either of those, completely scan all system files, and clean, when necessary.


    We are running the scanning process in the background. We either launch that background process with your current privileges, or we launch it running as root. The advantage of running with elevated privileges is the ability to see every file on disk (root == superuser, effectively) and also perform cleanup on nearly every part of the disk (there are some special cases with unique filesystems that we can't actually touch even running as root). The GUI only tries to cover the case of being logged in as an admin user rather than root (when run as sudo) so the text wouldn't make as much sense. But we don't need to have the GUI running as root in order to run the background scan as root.

    Hope that makes sense.

  • Thanks, but some questions remain:

    If you are scanning a whole volume, we ask the operating system for the number of files on that volume. If you select a group of folders to scan, we go count them ourselves. The operating system doesn't lie, but there are many more files on your disk than what Finder shows you. For example, the Finder normally hides /usr on your boot volume. On my MacBook Air, using the "find" command line tool, I see there are 2,9315 files in the /usr directory.


    I just mounted the external drive containing two partitions/volumes (10.6.8 and 10.8.5.) When I hit Scan this Mac booted from the internal 10.6 drive, and with those two external volumes mounted, Sophos calculated a figure in the neighborhood of  2,xxx.xxx files/folders, which is the figure I got earlier when I added up what Finder is seeing for all three. Next, I unmounted both external volumes, and started another scan. This time I got the 700,000 figure, which agrees with what Finder is seeing for just the 10.6.8 internal volume. It definitely looks like Scan this Mac scans all attached and mounted volumes.

    We are running the scanning process in the background. We either launch that background process with your current privileges, or we launch it running as root. The advantage of running with elevated privileges is the ability to see every file on disk (root == superuser, effectively) and also perform cleanup on nearly every part of the disk (there are some special cases with unique filesystems that we can't actually touch even running as root). The GUI only tries to cover the case of being logged in as an admin user rather than root (when run as sudo) so the text wouldn't make as much sense. But we don't need to have the GUI running as root in order to run the background scan as root.


    So, if I understand that correctly, I will get a deeper scan when running Sophos from the shell script or from sudo than if I run it logged in to my admin user with "normal" privileges?

    And, maybe you covered this, but I still don't understand why when running as root while logged in to my standard user, I'm still seeing the Scan with Current Privileges button. I don't remember seeing that when logged in to my admin. When running as root from the standard user, can I assume if I hit that button, the scan will be with the current privileges, which will be root privileges, even though that button seems to be associated with the limited privileges of the standard account?

    EDIT: FYI, I just opened Sophos from sudo (by su-ing from my standard to my admin account.) Unlike when running with the elevated privileges of the shell script, I did not get the Scan with Current Privileges button.


  • brvx wrote:

    So, if I understand that correctly, I will get a deeper scan when running Sophos from the shell script or from sudo than if I run it logged in to my admin user with "normal" privileges? 


    The scan is the same no matter how you launch the GUI app. You either get "current privileges" or you get elevated privileges, e.g. root. We ask for permission to run as root.

  • With all due respect Bob, with that very brief reply, I don't think you've really addressed the substance of what I wrote in my latest post concerning the different modes of scanning and their related privileges. At least it isn't clear to me. Perhaps you were rushed for time; maybe you can review what I wrote again, and perhaps provide a more expansive answer directed more to the specifics of what I wrote.

    EDIT: I am particularly interested in knowing what "current privileges" means when Sophos is opened with admin privileges by way of the shell script. (Perhaps you can run Sophos from that script as an AppleScript to see exactly what I'm talking about?) Does the appearance of the Use current privileges button there mean that Sophos does not fully recognize the admin privileges in that mode? And earlier you did seem to be saying that Sophos would be able to scan at a deeper level when opened as root, either by the shell script or by sudo. No?

    And do you have any comment about my observation that Sophos appears to be looking at and scanning all attached volumes (Firewire in this case.)

    Or should we do this by email? Thanks

  • To add about the file count calculations the thread linked below may be of interest and particularly the video posted at the very bottom of page one.

    http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/Number-of-files-to-interrogate/m-p/14301/highlight/true#M6689

  • Thanks, I see how that would work. My way of dealing with that, now that I know better, would be to do a custom scan of just / by dragging the Hard Drive icon into the custom scan window.

    By the way, would you happen to have a link to a post, thread or faq that explains the Sophos logging?


  • brvx wrote:

    EDIT: I am particularly interested in knowing what "current privileges" means when Sophos is opened with admin privileges by way of the shell script. (Perhaps you can run Sophos from that script as an AppleScript to see exactly what I'm talking about?) Does the appearance of the Use current privileges button there mean that Sophos does not fully recognize the admin privileges in that mode? And earlier you did seem to be saying that Sophos would be able to scan at a deeper level when opened as root, either by the shell script or by sudo. No?


    The terminology "current privileges" means that the scan runs with the same user identity and privileges as the user who launched the GUI app. If you are running as user "Annabelle" and run the GUI, your scan would only be able to read the same files that the user "Annabelle" would be able to read. Doesn't really matter too much if "Annabelle" is a standard user or an admin user, there will be portions of the disk that "Annabelle" won't be able to read. A good example is the home directory of other users on the same machine. The permissions on a user's home directory exclude other users (even admin users) from reading their files by default.

    Running the GUI from a script via sudo changes this quite a bit. The sudo command effectively raises your user rights to become the "root" user (superuser is another common term for this). In this case, "current privileges" means you can read all files, even those files within all users' home directories. It's the same as what will happen when you choose to elevate your privileges with the "Authenticate and Scan All" option.

    It's important to note that the scanning process isn't actually running in the same context as the GUI user. We run scans in the background, regardless of how they are initiated. We do this in order to support the feature of scheduled scans, where we can't guarantee someone will leave the GUI app running.


    brvx wrote:

    And do you have any comment about my observation that Sophos appears to be looking at and scanning all attached volumes (Firewire in this case.)


    The GUI says "Scan This Mac" and we are serious about it. That option will scan all non-network volumes. Not sure if the terminology is too confusing though.


    brvx wrote:

    Or should we do this by email? Thanks


    And deny everyone else the opportunity to hear your concerns? Let's keep it in the public forum.

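To make the "current privileges" distinction concrete, here is an added shell example (not Sophos code, and not from anyone in this thread). The directory tree, the file names and the use of chmod 000 as a stand-in for another user's mode-700 home are all constructed for the demo. It counts files with find the way /usr was counted above, which includes everything Finder hides, and then reports how many directories the launching identity cannot enter: that is exactly the part of the disk a scan launched as the current user silently skips. Run it plainly and then under sudo to see the skipped count drop to zero.

```shell
#!/bin/sh
# Added example (not Sophos code): model what a scan launched "with current
# privileges" can reach versus what a root scan sees. A directory the
# launching user cannot enter is simply skipped, exactly like another
# user's home directory (mode 700) during a non-root scan.

# Build a constructed tree under a temp dir. One "home" is made unreadable;
# chmod 000 stands in for a 700 directory owned by somebody else.
make_sample_tree() {
  base=$(mktemp -d)
  mkdir -p "$base/Users/me/Documents" "$base/Users/other/Documents" "$base/usr/lib"
  printf 'x' > "$base/Users/me/Documents/a.txt"
  printf 'x' > "$base/Users/other/Documents/b.txt"
  printf 'x' > "$base/Users/other/Documents/c.txt"
  printf 'x' > "$base/usr/lib/libsample.dylib"
  chmod 000 "$base/Users/other"
  echo "$base"
}

# Files the current identity can actually open: the same "find" count used
# for /usr in the thread, which includes everything Finder hides.
readable_count() {
  find "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Directories that exist but cannot be entered by the current identity;
# these are the blind spots of a "current privileges" scan. Root passes
# the -r/-x tests on every directory, so the count is 0 when run as root.
skipped_dir_count() {
  find "$1" -type d 2>/dev/null | while read -r d; do
    [ -r "$d" ] && [ -x "$d" ] || echo "$d"
  done | wc -l | tr -d ' '
}

# Restore permissions before deleting, or rm -rf fails for a normal user.
cleanup_sample_tree() {
  chmod 700 "$1/Users/other"
  rm -rf "$1"
}

# Demo: as a normal user this prints readable=2 skipped_dirs=1;
# under sudo it prints readable=4 skipped_dirs=0.
tree=$(make_sample_tree)
echo "running as $(id -un) (uid $(id -u))"
echo "readable=$(readable_count "$tree") skipped_dirs=$(skipped_dir_count "$tree")"
cleanup_sample_tree "$tree"
```

The two numbers are the whole story of the thread so far: the first is what a scan "as the current user" will inspect, the second is how many places it never looked. The same check against a real volume (substituting / or /Users for the temp tree) shows which directories an unprivileged scheduled scan cannot cover.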
    "The terminology "current privileges" means that the scan runs with the same user identity and privileges as the user who launched the GUI app. If you are running as user "Annabelle" and run the GUI, your scan would only be able to read the same files that the user "Annabelle" would be able to read. Doesn't really matter too much if "Annabelle" is a standard user or an admin user, there will be portions of the disk that "Annabelle" won't be able to read. A good example is the home directory of other users on the same machine. The permissions on a user's home directory exclude other users (even admin users) from reading their files by default."

    Thanks for the much more detailed reply. (Btw, I have a reasonably good understanding of the superuser, OSX permissions and privileges to view accounts. But all that may be helpful to others reading this.) What I am trying to understand and where my confusion remains is what is the difference, if any, between running with the elevated privileges of the shell script out of my standard user and running from sudo? What you seem to be saying is that, running out of any given account, whether standard or admin, regardless of running with the elevated privileges of that shell script, will involve some limitation as to what can be scanned, and, I suppose, cleaned, as well. But note that when I run out of the shell script I am able to view and scan the other user(s), including the admin--they are no longer off limits--and that when, for example, I open Terminal from that same script I am given the same root# prompt that appears in single user mode, which is effectively as if running out of sudo.

    So, again, pardon me for perhaps not getting this, what exactly are the current privileges when running from the shell script? Is that Scan with current privileges button there simply because I'm still logged in to the standard user and the UI in some dumb manner isn't able to recognize that that button is no longer necessary, or are there any real limitations on those privileges from the shell script? I would have thought that shell script would be the equivalent of running from sudo/root. Just a different way of doing that.

    Again, if you haven't done so, perhaps you may want to run that script in AppleScript (not from Terminal) from a standard account to see exactly what I'm talking about. (If you're interested, here's a Technical Note from Apple on that https://developer.apple.com/library/mac/technotes/tn2065/_index.html)

    I don't understand everything in that article, but it may give you some more insight into what Sophos does with with that script. From that article: "Bear in mind that administrator privileges allow you to change any file anywhere in the system." Seems to mean it's equivalent to running as root.

    "It's the same as what will happen when you choose to elevate your privileges with the "Authenticate and Scan All" option."

    What do I do to get that option? Haven't yet seen that.

    "The GUI says "Scan This Mac" and we are serious about it. That option will scan all non-network volumes. Not sure if the terminology is too confusing though."


    Yeah, I think that might be confusing. It might be helpful to add a quick line there about just what it will scan, and how to scan only the boot volume, and no attached volumes, if that's all that is desired. I think most people will take This Mac to mean just the boot volume. I know I did.

    I only suggested carrying this on by email if that was more convenient for you. I'm quite happy to let it remain public.


  • brvx wrote:

    So, again, pardon me for perhaps not getting this, what exactly are the current privileges when running from the shell script? Is that Scan with current privileges button there simply because I'm still logged in to the standard user and the UI in some dumb manner isn't able to recognize that that button is no longer necessary, or are there any real limitations on those privileges from the shell script? I would have thought that shell script would be the equivalent of running from sudo/root. Just a different way of doing that.


    The phrase "current privileges" could be re-written to say "as the current user". When you run a shell script from Terminal, it runs as the user who started Terminal. The "sudo" command definitely changes this. In Terminal type "whoami" to find out who you are. Type "sudo whoami" to see what I mean (it will tell you that you are root).

    The same rules apply to running things from AppleScript. You can test this yourself with a little bit of scripting to run "whoami" both without and with the option "with administrator privileges". As mentioned in the technote, there are certain limitations to invoking commands this way. No idea why you want to run the GUI this way, but it doesn't really change how the software works. You should assume our support for AppleScript is subject to change in future versions of the software, so if you are looking for some specific features it would be useful to hear about it.

    If you are running the GUI as a non-administrative user, we only offer you the chance to scan as that user. If you watch for the SophosAVAgent process in Activity Monitor you'll see what I mean.

    If you are running the GUI as an administrative user, we offer you the choice of running as the current user, or to authenticate and run with elevated privileges. If you watch Activity Monitor you'll see that after you authenticate your scans run as root. This means the scan can peek inside directories that your user (even an administrator) normally can't access. There should be obvious benefits to being able to scan all directories on disk, and the tradeoff is that we require you to authenticate as an administrator in order to do so.


    brvx wrote:

    I only suggested carrying this on by email if that was more convenient for you. I'm quite happy to let it remain public.


    The downside to our free product is the lack of real-time customer support. Whether it's via this forum or via email, you'll sometimes not get answers right away. So if you were hoping for faster responses via email you might be disappointed. I have no problem with people emailing me directly (and it happens with some frequency, as my email is in my signature on every post) but I definitely have to prioritize how I spend my day. On the other hand, we really do value our hundreds of thousands of Home Edition users, and want to do our best to give everyone a good experience when possible.

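The check recommended above, watching SophosAVAgent in Activity Monitor to see which user the scan really runs as, can be done from Terminal as well. The following is an added shell example (not Sophos code): it asks ps for the effective UID of a process instead of trusting the wording of a GUI button, which is the question this thread kept circling. The process name SophosAVAgent is taken from the thread; that it is still the scanner's process name in your version is an assumption.

```shell
#!/bin/sh
# Added example (not Sophos code): learn which identity a background process
# actually runs as from ps, instead of trusting a GUI label such as
# "current privileges". Uses only ps keywords common to macOS and Linux.

# Effective UID of one process, by PID (empty if the PID does not exist).
uid_of_pid() {
  ps -o uid= -p "$1" 2>/dev/null | tr -d ' '
}

# Distinct effective UIDs of every process whose command name contains NAME.
# The uid column comes first; the rest of the line is the command name,
# which on macOS may be a full path containing spaces.
uids_of_process() {
  ps -eo uid=,comm= 2>/dev/null \
    | awk -v n="$1" '{ name = $0; sub(/^ *[0-9]+ +/, "", name)
                       if (index(name, n) > 0) print $1 }' \
    | sort -un
}

# Succeeds (status 0) when at least one matching process runs as UID 0.
runs_as_root() {
  uids_of_process "$1" | grep -qx 0
}

# Demo: the shell's own identity two ways, then the scanner's.
# SophosAVAgent is the process name given in the thread (assumed unchanged).
echo "id -u says $(id -u); ps says $(uid_of_pid $$) for this shell"
if runs_as_root SophosAVAgent; then
  echo "SophosAVAgent is running as root: elevated scan"
else
  echo "no root SophosAVAgent: current-privileges scan, or no scan running"
fi
```

Run it once with a "current privileges" scan in progress and once after authenticating: the UID reported for the scanner, not the button label, is what determines whether other users' home directories were inspected. The same two functions work for any background agent whose effective identity you want to confirm.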