New user several questions

First, for the automatic update interval, how is the time calculated? Is it ordinary chronological time, or is it actual computer running time? For example, if I select automatic updating for daily, with the last update having occurred at 9 AM Tuesday, will the next update happen at 9 AM Wednesday, provided the computer is not sleeping at that moment? Or will it need 24 hours of actual computer running time, which might not happen if the computer is sleeping for extended periods, perhaps until several days later?

Second, I ran Sophos (9.0.8) yesterday booted from a 10.6.8 partition on an external drive. It calculated something like 1,900,000 files/folders to scan. The 10.6.8 boot volume was only around 701,000. The other volume on that drive, a 10.8.5, is around 607,000, which, if Sophos was scanning both, still comes nowhere near close to the total Sophos calculated. If I add in the internal 10.6.8 volume, the total is a figure around 2,001,000, still not the 1,900,000 I saw, but more plausible. Was it scanning all three volumes? I am very puzzled about the number of files Sophos calculated. Naturally, this scan took far longer than intended.

Finally, although I logged in to my admin user in order to run the scan, I am normally running out of a standard account for security. So, of course, there I could see that my admin user was out of bounds. But from the standard user, I ran a shell script which opened Sophos with root privileges (do shell script "/Applications/'Sophos Anti-Virus.app'/Contents/MacOS/'Sophos Anti-Virus' > /dev/null 2>&1 &" with administrator privileges). When I opened Sophos that way, I was able to see the other user, but I still got the notice that I was running using "current privileges." Not sure why that didn't disappear when opened as root, but what I wonder is, since that notice didn't disappear, if running as root will have the necessary privileges needed to scan all system files, and if anything is found, will I be able to "clean" that infection--should it really need to be cleaned? I would not like to have to log in to my admin account in order to do either of those, completely scan all system files, and clean, when necessary.





  • brvx wrote:

    By the way, would you happen to have a link to a post, thread or FAQ that explains the Sophos logging?


    I've just posted the message below in the Help section.  Does it help?

    http://openforum.sophos.com/t5/Mac-tools-help/Where-are-the-logs-for-SAV-for-Mac/td-p/16091

  • "The phrase "current privileges" could be re-written to say "as the current user". When you run a shell script from Terminal, it runs as the user who started Terminal. The "sudo" command definitely changes this. In Terminal type "whoami" to find out who you are. Type "sudo whoami" to see what I mean (it will tell you that you are root)."

     

    Bob, maybe this is where the confusion is coming in: I understand that I'm running as the current user, in this case out of a standard account, but I am running the Application (Sophos) with admin/elevated privileges, by way of that shell script. I think I have to assume that the GUI, unlike when opening Sophos from sudo, remains set as "current privileges" (or if you prefer "current user") even though those privileges are now elevated. I am doing this precisely in order to be able to scan items that would otherwise be off limits, not just other users, but system items. I want to be able to look into every possible nook and cranny I can. If you think there is any meaningful difference between running Sophos from the shell script or from sudo, I can easily do the latter, as well. The shell script is a bit more convenient, since it's ready to go and I don't have to su to my admin account to run sudo.

    "If you are running the GUI as a non-administrative user, we only offer you the chance to scan as that user."

     

    That is exactly why I am running the Sophos application with admin privileges from that shell script, at least for on-demand scanning. As I said in my first post, I am running standard for security reasons (the idea being that if I were infected by some exploit, that exploit would, at least, not be allowed to execute with the elevated privileges of the admin account--you may want to correct me on that if you think that is wrong or add any caveats.) With that saved AppleScript, I can quite quickly open up Sophos from the standard account that way. I very rarely log in to my admin account. I only use it when needed for authenticating.

    While we're at it, another question: I adopted Sophos only recently because it's beginning to look like Apple will no longer be supporting Snow Leopard with security updates--although XProtect updates, for what limited protection they give, may continue. Even though I have Mountain Lion, which has just recently been patched with a security update, and is known for better sandboxing, and is probably safer (and it looks like Apple is continuing support for 10.7 and beyond), I prefer to keep using Snow Leopard. As far as I understand this, Sophos, or any A-V for that matter, works by way of a catalog of file definitions. Since what may not be further addressed by Apple in 10.6 are OS vulnerabilities, can you perhaps explain what kind of protection Sophos can offer in that regard? It would seem it would only be able to identify known payloads or exploits aimed at those vulnerabilities, but not the vulnerabilities themselves.

    And many thanks for taking the time with this. I do understand you have priorities, and can wait as long as necessary until you have the time for a reply.


  • brvx wrote:

    Bob, maybe this is where the confusion is coming in: I understand that I'm running as the current user, in this case out of a standard account, but I am running the Application (Sophos) with admin/elevated privileges, by way of that shell script. I think I have to assume that the GUI, unlike when opening Sophos from sudo, remains set as "current privileges" (or if you prefer "current user") even though those privileges are now elevated. I am doing this precisely in order to be able to scan items that would otherwise be off limits, not just other users, but system items. I want to be able to look into every possible nook and cranny I can. If you think there is any meaningful difference between running Sophos from the shell script or from sudo, I can easily do the latter, as well. The shell script is a bit more convenient, since it's ready to go and I don't have to su to my admin account to run sudo.


    If you launch the GUI via the command line using sudo, the effective user of the GUI is "root". If you launch the GUI using AppleScript with the "with administrator privileges" option, the effective user of the GUI is also "root". You can use the "whoami" command to figure out which user you're running as in your scripts.

    When the GUI detects it was launched as a standard user, it will only scan the disk as a standard user. Otherwise it will give you the option to authenticate as an administrative user (doesn't have to be the same user as you are running as) to enable scanning as root.

    It seems confusing to say this, but it doesn't really matter how you launch the GUI as long as you can satisfy it with administrative credentials to prove you should be able to scan all files on the disk. Once you've satisfied the GUI that you are authorized, we run the scan in the background as root. That root process has no relationship with the GUI, i.e. it really doesn't matter how you launched the GUI and what user it's running as.

    You might be interested to look at the scheduled scan feature. You can configure scheduled scans if you are an administrative user. Once scheduled, they always run in the background as root. You wouldn't need to launch the GUI to run your scans.


    brvx wrote:

    While we're at it, another question: I adopted Sophos only recently because it's beginning to look like Apple will no longer be supporting Snow Leopard with security updates--although XProtect updates, for what limited protection they give, may continue. Even though I have Mountain Lion, which has just recently been patched with a security update, and is known for better sandboxing, and is probably safer (and it looks like Apple is continuing support for 10.7 and beyond), I prefer to keep using Snow Leopard. As far as I understand this, Sophos, or any A-V for that matter, works by way of a catalog of file definitions. Since what may not be further addressed by Apple in 10.6 are OS vulnerabilities, can you perhaps explain what kind of protection Sophos can offer in that regard? It would seem it would only be able to identify known payloads or exploits aimed at those vulnerabilities, but not the vulnerabilities themselves.


    Re: the recent "goto fail" SSL bug, it only affected 10.7 and up. Hence Apple only needed to offer a security patch for 10.7 and up. They have not formally declared end of life to 10.6 but I would expect it will happen this year. We will not support 10.6 forever either.

    Our product is built to detect malicious software by the patterns we find in files on disk. These patterns can be as specific as the executable instructions that attempt to take advantage of vulnerabilities. Depending on the vulnerability, the code required to exploit it may be so specific that it wouldn't matter who made or distributed the malicious software, we'd detect it. But this is not universally true. Like all things in life, the real answer is "it depends". We'd prefer to create "generic detection" patterns when we can, but it's not always possible.

    Continuing to run a very old operating system is a poor choice, security wise. Security researchers are typically only looking at the latest stuff, and the older versions may contain problems or vulnerabilities that go undetected for years. The "goto fail" SSL bug is a really good example of a bug that can live in old code for a long time. Nobody knows whether it's been exploited or not.

  • Thanks for the informative reply. Just wanted to point out that, from what I've read, including discussions at ASC (Apple Support Communities), the "goto fail" bug was only present in 10.9. And there were many more vulnerabilities patched in 10.9 (and 10.7 and 8) besides that one in those recent updates. And what is worrying is that Apple more or less identified what those were, at least in broad terms, maybe giving the bad guys some ideas about how to exploit those vulnerabilities in 10.6, some of which I understand are also present there.

    But because of security concerns, I am considering dual booting Snow and ML on the internal drive, with Snow reserved when needed only for running PPC apps. Apple will never "formally declare" EOL for any OS. They have never done that, and I expect they won't for Snow. They'll just let it languish until everyone figures out there will be no more security updates.

    I'm hearing that 20% of Apple desktop users are still running Snow, so I hope you will be able to continue support for Snow, obviously not indefinitely, but for a good long time to come.

    EDIT: Oh, and you wrote,"When the GUI detects it was launched as a standard user, it will only scan the disk as a standard user. Otherwise it will give you the option to authenticate as an administrative user (doesn't have to be the same user as you are running as) to enable scanning as root."

     

    All I get from the standard account is "To scan all files on this Mac, you must log in with an administrator account" with these radio buttons: "Cancel" and "Scan with current privileges." Not seeing how to authenticate from there.

  • I am so sorry to post this as a reply, but I had difficulty finding the "submit/post a question" key and option on this site!

    I have Mac OS X 10.7.5 Lion 2012. As it was suggested in the Apple forum, I downloaded the Sophos AV for Mac, but keep seeing the following warning in auto update. Please help

    3/5/14 10:42:08.332 AM SophosWebD: <SMENode: 0x7ff9cb042dd0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn't be completed. Broken pipe" UserInfo=0x7ff9cb020910 {}

    com.sophos.autoupdate: Error:       Could not contact primary server at 10:23 on 05 March 2014

    com.sophos.autoupdate:       Access was denied

    com.sophos.autoupdate:


  • acito777 wrote:

    3/5/14 10:42:08.332 AM SophosWebD: <SMENode: 0x7ff9cb042dd0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn't be completed. Broken pipe" UserInfo=0x7ff9cb020910 {}


    You can ignore this error message, it's not really an error condition. What is happening is that either your browser or the remote website has decided to disconnect unexpectedly. Surprisingly, this is common and our code handles this condition. We originally put the error message in the code to better understand why and when it was happening, but now that we do understand it, we'll be removing the message at some point.


    acito777 wrote:

    com.sophos.autoupdate: Error:       Could not contact primary server at 10:23 on 05 March 2014

    com.sophos.autoupdate:       Access was denied

    com.sophos.autoupdate:


    That is odd. Can you tell me a little bit more about how you connect to the Internet e.g. do you have a special network configuration? Any network filtering that might be preventing our software from reaching our update servers?

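As an added example that is not part of this thread and not Sophos's code: a small POSIX shell triage that applies the classification given in the reply above to a captured log excerpt, so the benign broken-pipe line is filtered out and only the autoupdate failures (unreachable server, access denied) are surfaced for a human to look at. The match patterns are assumptions taken from the log lines quoted in the thread; the sample log is constructed from those lines (with one extra ordinary line added, and the curly apostrophe in the quoted message replaced so the sample stays inside single quotes).

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos. Classifies lines from
# a Sophos-for-Mac log excerpt into "ignore" / "investigate" / "other".

# Constructed sample: the lines quoted in the thread plus one ordinary line.
SAMPLE_LOG='3/5/14 10:42:08.332 AM SophosWebD: <SMENode: 0x7ff9cb042dd0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation could not be completed. Broken pipe" UserInfo=0x7ff9cb020910 {}
com.sophos.autoupdate: Error:       Could not contact primary server at 10:23 on 05 March 2014
com.sophos.autoupdate:       Access was denied
com.sophos.autoupdate: Updated successfully'

# Read log lines on stdin and print one verdict per line.
# The patterns below are assumptions based on the quoted lines.
triage_sophos_log() {
    while IFS= read -r line; do
        case "$line" in
            *SophosWebD*NSPOSIXErrorDomain*Code=32*)
                # EPIPE (POSIX errno 32): the browser or remote site hung up
                # mid-write; the reply above says this is handled and benign.
                echo "ignore: EPIPE from a browser/server disconnect (handled by the web filter)" ;;
            *com.sophos.autoupdate*"Could not contact primary server"*)
                echo "investigate: update server unreachable; check proxy or outbound filtering" ;;
            *com.sophos.autoupdate*"Access was denied"*)
                echo "investigate: update server refused access; check proxy authentication or filtering" ;;
            *)
                echo "other: $line" ;;
        esac
    done
}

# Count the lines that need a human; a cron job can alert when this is non-zero.
# Note: grep -c exits 1 when the count is 0, so callers under 'set -e' should
# expect that.
count_actionable() {
    triage_sophos_log | grep -c '^investigate:'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | triage_sophos_log
```

Pipe a real excerpt in with `triage_sophos_log < /path/to/excerpt.log`; `count_actionable` is the piece to hook into a scheduled check, since it turns the two autoupdate failures into a number without re-reading the benign SophosWebD noise.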
  • Bob, you may find the following rather interesting.

    Time to re-evaluate safety of Mac OS X

    And would you happen to know if Sophos has catalogued all those? Curious to know if there is a full catalogue of Sophos (Home) for OSX somewhere.


  • brvx wrote:

    And would you happen to know if Sophos has catalogued all those? Curious to know if there is a full catalogue of Sophos (Home) for OSX somewhere.


    No idea if we already have detections for the samples but the chances are good. The "white hat" security community is usually pretty good about sharing information about emerging threats and new discoveries. The advantage of a company like Sophos is that we have full-time staff working around the world to develop and distribute identities for this kind of stuff as they appear in the wild. Visit our website, click the "Labs" tab at the top of the page.

    Re: your question about "full catalogue" - we don't really publish information as a single list (it's a huge database). We do make information available on our website, and it's searchable.

  • Thanks for the information. BTW, I was only asking for the malware database for OSX, which I would think would significantly shorten the list.

    Another thing, but not at all important: I see that I have become an "Occasional Advisor." Seems a rather curious and unwarranted elevation of status.
