Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 6 subscribers
  • Views 4116 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Complete lockups due to Sophos Anti-Virus

larsi

Sometimes (about 2-3 times a month) my Macbook Air displays the spinning beach ball in more and more applications until everything hangs and I have to restart. This happens on my family's other Macs, too. A few months ago I noticed that everytime this happens, the Sophos icon in the menu bar indicates that Sophos is currently updating. I checked my theory and indeed, every single time one of the Macs crashes, Sophos is doing an update. This cannot be a coincidence.

I then tried to find out what exactly happens and why all apps are crashing. I found out that they cannot access the hard drive anymore. They continue to work fine as long as they do not access the disk. As soon as they try to load anything from the disk, they stall and display the beach ball.

Usually, everytime an app wants to access the hard drive, Sophos intercepts this attempt, scans the file for viruses first and then allows the app to read it. I believe that there's some kind of bug in the Sophos update code that sometimes (usually updates work fine) makes Sophos intercept hard drive accesses without ever scanning and unblocking them.

This serious bug was affecting the commercial Sophos Anti-Virus 7 which my university used till last month, and it still affects Sophos Anti-Virus 8. It also affects the home edition of Sophos Anti-Virus 8 which all my family members use. We all use Mac OS X Lion and regularly update it.

The log files on a crashed computer look like this:

27.06.12 10:48:38,372 installer: Package Authoring Error: Infinite loop between <choice> attributes and mixed state aborted.
27.06.12 10:48:39,439 installer: Configuring volume "Mac OS X"
27.06.12 10:48:39,452 installer: Free space on "Mac OS X": 10,32 GB (10324697088 bytes).
27.06.12 10:48:39,452 installer: Create temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.4959z5UUG"
27.06.12 10:48:39,460 installer: IFPKInstallElement (19 packages)
27.06.12 10:48:39,866 installd: PackageKit: ----- Begin install -----

The next entries happen after the restart.

:1007915


This thread was automatically locked due to age.
  • 0

    Thank you for the excellent feedback!

    That log snippet seems to indicate that you were in the middle of an install process when the machine locked up; I take it that the autoupdate was the only installer that you have running at that point?  This would seem to indicate that the autoupdate process was attempting to run a point release upgrade without taking down the on-access scanner, and failing due to the file being locked when attempting to write to the temporary file.

    What point release version is your copy of SAV on when this happens?

    :1007931
  • 0

    Thank you for your quick reply! Today, I had the same problem on my Macbook again. The log files look exactly as they did yesterday:

    28.06.12 13:39:36,855 installer: Package Authoring Error: Infinite loop between <choice> attributes and mixed state aborted.
    28.06.12 13:39:38,126 installer: Configuring volume "Mac OS X"
    28.06.12 13:39:38,140 installer: Free space on "Mac OS X": 10,9 GB (10898227200 bytes).
    28.06.12 13:39:38,140 installer: Create temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.482bp7Jlz"
    28.06.12 13:39:38,148 installer: IFPKInstallElement (19 packages)
    28.06.12 13:39:38,379 installd: PackageKit: ----- Begin install -----
    28.06.12 13:43:12,000 bootlog: BOOT_TIME 1340883792 0

    After the restart, the about window shows:

    Version 8.0.4

    Engine 3.32.0

    Virus data 4.78

    I will now disable the on-access scanner and then manually start an update.

    :1007939
  • 0

    Ok, actually Sophos did automatically update again after the restart and it worked:

    28.06.12 13:48:25,988 installer: Package Authoring Error: Infinite loop between <choice> attributes and mixed state aborted.
    28.06.12 13:48:27,094 installer: Configuring volume "Mac OS X"
    28.06.12 13:48:27,109 installer: Free space on "Mac OS X": 10,97 GB (10969858048 bytes).
    28.06.12 13:48:27,109 installer: Create temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.485GLBKM3"
    28.06.12 13:48:27,116 installer: IFPKInstallElement (19 packages)
    28.06.12 13:48:27,441 installd: PackageKit: ----- Begin install -----
    28.06.12 13:48:54,678 installd: Installed "Sophos Anti-Virus" ()
    28.06.12 13:48:54,843 installd: PackageKit: ----- End install -----
    28.06.12 13:48:55,479 installer: Removing temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.485GLBKM3"
    28.06.12 13:48:55,483 installer: Finalize disk "Mac OS X"
    28.06.12 13:48:55,483 installer: Notifying system of updated components
    28.06.12 13:48:55,483 installer: **** Summary Information ****
    28.06.12 13:48:55,484 installer:   Operation      Elapsed time
    28.06.12 13:48:55,484 installer: -----------------------------
    28.06.12 13:48:55,484 installer:        zero      0.01 seconds
    28.06.12 13:48:55,484 installer:        disk      0.02 seconds
    28.06.12 13:48:55,484 installer:     install      28.36 seconds
    28.06.12 13:48:55,484 installer:     -total-      28.38 seconds

    So the version numbers I gave you in the last posting were the version numbers *after* the update. I'm sorry, I hadn't realized Sophos had already updated itself again, this time successfully.

    I understand it's very difficult to debug something if the bug is not always reproducible, but I'd be very happy if this bug could be corrected. Since the whole Mac stops working, one often loses some unsaved data.

    :1007941
  • 0

    I get the same issue where i have sophos crash during the update, however i have noticed it happens after i have either powered on  the machine or open it from standby. I have to power off and start again.  If i run the update manually it does do work without any glitches.

    macbook pro - max osx 10.7.4

    Sophos anti-virus 8.0.4c

    :1008001
  • 0
    I am experiencing exactly the same thing. Following standby, when I wake up the mac, sophos starts updating and I have complete spinning ball melt down. Is there no fix?
    Sophos 7.3.12
    OS X 10.7.4
    :1008019
  • 0
    i'm having the same problem. I had it first with V.7, updated to V.8 but the problem persists, so I've now removed Sophos and won't re-install it until it's been fixed. OS X 10.7.4
    :1008021
  • 0

    Hi,

    I have been having the same issues with my ProMac, I also get a clear grayish film type screen that takes over, tells me I have to hold the off button to restart my computer. This has been happening for the past 2 weeks, I have uninstalled a few programs, thinking it was the problem. It continued to happen. Today I checked the String matches, I discovered the same problem.

    9/3/12 4:12:01.369 PM installer: Free space on "Macintosh HD": 116.76 GB (116755292160 bytes).
    9/3/12 4:12:01.369 PM installer: Create temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.1745sC8R3W"
    9/3/12 4:12:01.386 PM installer: IFPKInstallElement (19 packages)
    9/3/12 4:12:01.674 PM authorizationhost: SFBuiltinEntitled: installer is not entitled for system.install.app-store-software
    9/3/12 4:12:01.706 PM authorizationhost: SFBuiltinEntitled: installer is not entitled for system.install.app-store-software
    9/3/12 4:12:01.706 PM com.apple.SecurityServer: Failed to authorize right 'system.install.app-store-software' by client '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/installd' [1770] for authorization created by '/usr/sbin/installer' [1745]
    9/3/12 4:12:01.792 PM installd: PackageKit: ----- Begin install -----
    9/3/12 4:12:07.860 PM com.apple.launchd.peruser.501: ([0x0-0xe00e].com.sophos.sav[167]) Exited: Terminated: 15
    9/3/12 4:12:19.000 PM kernel: sav: deactivating event listener failed
    9/3/12 4:12:19.000 PM kernel: sav: current scan list:
    9/3/12 4:12:19.000 PM kernel: sav: (pid 1682 [mdworker], vnode 0xffffff80120f4360 [/Volumes/Time Machine Backups/Backups.backupdb/Lady Selene’’’’s MacBook Pro/2012-08-17-080100/Macintosh HD/Users/ladys/Pictures/iPhoto Library/Originals/2011/May 9, 2011/DSC_0234.JPG], [context 0xffffff800ce7f7e0] [result 0] [setup 0] [disconnected 0] [vfsbusy 1]) - 1 waiter(s)
    9/3/12 4:12:19.000 PM kernel: sav: (pid 1083 [backupd], vnode 0xffffff800de9d000 [/Volumes/Time Machine Backups/Backups.backupdb/Lady Selene’’’’s MacBook Pro/2012-08-19-105711.inProgress/7C5547AB-282F-4688-B4FA-B26EE4D6A896/Macintosh HD/Library/Application Support/Carbonite/Data/Carbonite_IBF_118.tmp], [context 0xffffff800ceb39f0] [result 0] [setup 0] [disconnected 0] [vfsbusy 1]) - 1 waiter(s)
    9/3/12 4:12:19.000 PM kernel: sav: available kctl entries: 8
    9/3/12 4:12:28.215 PM com.apple.launchd: (com.sophos.intercheck[80]) Exit timeout elapsed (20 seconds). Killing
    9/3/12 4:12:30.215 PM com.apple.launchd: (com.sophos.intercheck[80]) Job has not died after being killed 2 seconds ago. Simulating exit.
    9/3/12 4:12:30.215 PM com.apple.launchd: (com.sophos.intercheck[80]) Simulated exit: <rdar://problem/9359725>

    >>> >>> >>> 

    this was when my Mac Crashed   

    Thank you 

    ~Lady~

    :1009714
  • 0

    Yes, that is a kernel panic -- it happens when something operating at the core of your operating system doesn't behave as expected.

    You appear to have at least two things going on there: one is that an installer program is failing to get the proper credentials to run its install -- do you have GateKeeper set to only allow software to run that has been downloaded from the App store?

    Secondly, you have a JPEG file in your August 17 Time Machine backup that is getting an access conflict -- likely between Sophos and Time Machine (was TM running at the time this happened?).  You may want to exclude /Volumes/Time Machine Backups/ from your on-access scans to fix this issue, at least temporarily.

    :1009734