Message says "Sophos Anti-Virus is not running"

I've suddenly started getting a "Sophos Anti-Virus is not running" message after restarting my Mac. Running OS X 10.7.4. When I check Activity Monitor, SophosUIServer and SophosAutoUpdate appear to be running normally. The application itself does not run in the background and never has. Why am I getting this message?

Thanks!

:1007481


  • Hi,

    The shield will be grey if the on-access scanner isn't running. The on-access scanner process is named "Intercheck" and it sounds like it's not running either. There are a few things you can check:

    1. Verify that the LaunchDaemons directory and contents are correct. There have been sporadic reports of problems when the permissions of that directory are incorrect. You want to make sure the directory "/Library/LaunchDaemons" and all files inside are owned by "root" and group "wheel". You also want to make sure the permissions are not set to be world-writable ("everyone" should be read-only). Note that this directory is normally not visible in the Finder. Press Command+Shift+G then type in the path "/Library" to go to that location directly.

    2. Verify that the files "com.sophos.*" in the directory "/var/run" exist and are set with the correct ownership and permissions.

    srwxrwxrwx 1 root daemon 0 20 Mar 12:23 com.sophos.sau.ipc
    srw------- 1 root daemon 0 20 Mar 12:23 com.sophos.sau.ipcs
    -rw------- 1 root daemon 6 20 Mar 12:23 com.sophos.sau.pid
    srwxrwxrwx 1 root daemon 0 20 Mar 12:23 com.sophos.sav.ic.ipc
    srw------- 1 root daemon 0 20 Mar 12:23 com.sophos.sav.ic.ipcs
    -rw------- 1 root daemon 6 20 Mar 12:23 com.sophos.sav.ic.pid
    srwxrwxrwx 1 root daemon 0 20 Mar 12:23 com.sophos.sav.ipc
    srw------- 1 root daemon 0 20 Mar 12:23 com.sophos.sav.ipcs
    -rw------- 1 root daemon 6 20 Mar 12:23 com.sophos.sav.pid
    srwxrwxrwx 1 root daemon 0 20 Mar 12:23 com.sophos.sav.quarantine
    srwxrwxrwx 1 root daemon 0 20 Mar 12:23 com.sophos.sav.scan

    3. Check for any errors in the Intercheck logs. In the Console application, look for the log named "Sophos Anti-Virus.log" for any odd messages. There have been sporadic reports of errors initializing the detection engine.

    Keep me posted on your status.

    :1011784
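One way to run the ownership and permission check from step 1 in Terminal. This is an added example, not part of the original reply; the function name `audit_dir` is made up for illustration.

```shell
#!/bin/sh
# Added example: flag entries that break the rule from step 1
# (owner root, group wheel, not world-writable).
# Usage: audit_dir DIR OWNER GROUP   (names or numeric ids)
audit_dir() {
    dir=$1 owner=$2 group=$3
    find "$dir" ! -user "$owner" -print | sed 's/^/wrong owner: /'
    find "$dir" ! -group "$group" -print | sed 's/^/wrong group: /'
    # Symlinks are skipped here: their own mode bits are not enforced,
    # and some systems always show them as lrwxrwxrwx.
    find "$dir" ! -type l -perm -002 -print | sed 's/^/world-writable: /'
}

# No output means the directory and everything in it passes.
if [ -d /Library/LaunchDaemons ]; then
    audit_dir /Library/LaunchDaemons root wheel
fi
```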
  • I've had this problem for around 2 months, since I installed Sophos as an additional antivirus on my Mac. After a few weeks I began to have the problem with the disabled on-access scans.

    Also I got the error message "Sophos-Antivirus-Fehler - Sophos Antivirus wird nicht ausgeführt" (ENG: Sophos Antivirus Error - Sophos Antivirus is not running).

    I tried reinstalling the version for OSX10.8 twice and I also installed the version for OSX10.7; in both I got the error message.

    The LaunchDaemon directory and its contents are correct, and the permissions are also all correct. I'm not able to understand point 2 in bobcook's checking description. There are no entries in the "Sophos Anti-Virus.log" file. The Intercheck process isn't running.

    I hope you can understand my message, and help us.

    Greetings from Germany.

    :1011880
  • Hi Artemis99,

    Very interesting situation. You mention that you've installed our product as an additional anti-virus product on your Mac. What other solution are you using? I ask because I might be able to set up a similar machine in our test lab.

    What output do you get when you run this command:

    kextstat | grep -i sophos

    On my Mac (running OS X 10.8.3) I get this:

    213 0 0xffffff7f82096000 0x5000 0x5000 com.sophos.kext.sav (8.0.4) <5 4 1>

    If Intercheck is not running, you shouldn't see anything listed. If you do, it's an error condition (which explains why Intercheck isn't happy).

    Other things to check would include permissions on the various files under /Library/Sophos Anti-Virus. But if you've recently reinstalled then those should be correct (the installer would normally fix any issues automatically).

    :1011888
  • I'm using "VirusBarrier Express" as an additional scanner to Sophos, but it is just an "On Demand Scanner", so it's not very secure at all.

    At the moment my Sophos has on-access scans enabled, and I get the following output: (OSX 10.8.3)

    138    0 0xffffff7f82713000 0x5000     0x5000     com.sophos.kext.sav (8.0.4) <5 4 1>

    If it is like last time, in a few updates I will have a deactivated on-access scan again. I will execute the command again when the on-access scans are disabled again. I'll keep you posted.

    :1011896
  • I have been getting the "not running" message for about 1-2 months. I have reinstalled the latest version (twice), but it doesn't help; if anything, I seem to be getting this error more often.

    Rebooting often fixes the issue for the time being.

    I'm running OSX 10.8.3 and the latest version of Sophos. Executing the kextstat command from the previous post I get:

      114    0 0xffffff7f82317000 0x5000     0x5000     com.sophos.kext.sav (8.0.4) <5 4 1>

    And the listing of the /var/run gets me this:

    srwxrwxrwx  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sau.ipc
    srw-------  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sau.ipcs
    -rw-------  1 root  daemon  4  2 apr 20:06 /var/run/com.sophos.sau.pid
    srwxrwxrwx  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sav.ipc
    srw-------  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sav.ipcs
    -rw-------  1 root  daemon  5  2 apr 20:06 /var/run/com.sophos.sav.pid
    srwxrwxrwx  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sav.quarantine
    srwxrwxrwx  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sav.scan

    If I do a "ps -e|grep InterCheck" I get the pid for the grep command.

    Can I provide you with any other info?

    :1011898
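A listing like the one in this post can be compared mechanically against the reference listing from the earlier reply in this thread. The script below is an added example, not part of any post or of Sophos's tooling; the function names are hypothetical, and the sample input is the listing quoted in the post above.

```shell
# Added example. Reference modes copied from the listing in the earlier reply.
expected_sophos_run() {
cat <<'EOF'
srwxrwxrwx com.sophos.sau.ipc
srw------- com.sophos.sau.ipcs
-rw------- com.sophos.sau.pid
srwxrwxrwx com.sophos.sav.ic.ipc
srw------- com.sophos.sav.ic.ipcs
-rw------- com.sophos.sav.ic.pid
srwxrwxrwx com.sophos.sav.ipc
srw------- com.sophos.sav.ipcs
-rw------- com.sophos.sav.pid
srwxrwxrwx com.sophos.sav.quarantine
srwxrwxrwx com.sophos.sav.scan
EOF
}

# Reads `ls -l /var/run/com.sophos.*` output on stdin, prints one finding per line.
check_sophos_run() {
    { expected_sophos_run; echo '--'; cat; } | awk '
        $1 == "--" { live = 1; next }
        !live      { want[$2] = $1; next }
        {
            name = $NF; sub(/^.*\//, "", name)   # drop a leading /var/run/
            mode = substr($1, 1, 10)             # drop a trailing @ or + flag
            seen[name] = 1
            if (!(name in want)) next
            if (mode != want[name]) print "MODE " name ": " mode " (expected " want[name] ")"
            if ($3 != "root" || $4 != "daemon") print "OWNER " name ": " $3 ":" $4 " (expected root:daemon)"
        }
        END { for (n in want) if (!(n in seen)) print "MISSING " n }
    ' | LC_ALL=C sort
}

# Sample input: the listing quoted in the post above.
sample_listing() {
cat <<'EOF'
srwxrwxrwx  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sau.ipc
srw-------  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sau.ipcs
-rw-------  1 root  daemon  4  2 apr 20:06 /var/run/com.sophos.sau.pid
srwxrwxrwx  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sav.ipc
srw-------  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sav.ipcs
-rw-------  1 root  daemon  5  2 apr 20:06 /var/run/com.sophos.sav.pid
srwxrwxrwx  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sav.quarantine
srwxrwxrwx  1 root  daemon  0  2 apr 20:06 /var/run/com.sophos.sav.scan
EOF
}
sample_listing | check_sophos_run
```

For this listing the script reports the three `com.sophos.sav.ic.*` entries as missing and no mode or ownership differences. On a live system the input would come from `ls -l /var/run/com.sophos.*`.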
  • Hi rippje,

    Thanks for your description. It means that the on-access scanner process (Intercheck) isn't running but the kernel extension (kext) is still installed. This isn't going to make Intercheck very happy.

    You can attempt to manually uninstall the kext with this command:

    sudo kextunload -b com.sophos.kext.sav

    Then attempt to force restart Intercheck with this command:

    sudo launchctl load -w /Library/LaunchDaemons/com.sophos.intercheck.plist

    Note in both cases you will need to provide an administrative password for the sudo command. Let me know how it goes.

    :1011900
  • Thanks Bob.

    When I try the kextunload I get an error (when Sophos is still running correctly). So I'll wait for it to stop again and I'll let you know.

    (kernel) Kext com.sophos.kext.sav did not stop (return code 0x5).
    (kernel) Kext com.sophos.kext.sav can't unload - module stop returned 0xdc008017.
    Failed to unload com.sophos.kext.sav - (libkern/kext) kext (kmod) start/stop routine failed.

    :1011912
  • Hi rippje,

    Yes, the kextunload command shouldn't succeed when Intercheck is running and on-access scanning is active. Let me know how it goes next time you run into this situation.

    :1011916
  • Hi Bob,

    Just a moment ago Sophos stopped running again and I tried your suggestion (kextunload and launchctl). Sophos came back up again after that. Very nice, thanks!

    Although that still does not solve the underlying problem, I'm glad I can bring Sophos back without having to reboot.

    I'm fairly new to OSX, so could you explain what I just did?

    :1011934
  • The posted solution by Bob Cook did not work for me.

    Below is my log:

    com.sophos.intercheck: Corrupt file: /Library/Caches/com.sophos.sau/warehouse/CID/Sophos Anti-Virus Home Edition.mpkg/Contents/Packages/SophosAV.mpkg/Contents/Resources/preupgrade
    com.sophos.intercheck: Corrupt file: /Library/Caches/com.sophos.sau/warehouse/CID/Sophos Anti-Virus Home Edition.mpkg/Contents/Packages/SophosAV.mpkg/Contents/Resources/preinstall
    com.sophos.intercheck: Corrupt file: /Library/Caches/com.sophos.sau/warehouse/CID/Sophos Anti-Virus Home Edition.mpkg/Contents/Packages/SophosAV.mpkg/Contents/Resources/preflight
    com.sophos.intercheck: Corrupt file: /Library/Caches/com.sophos.sau/warehouse/CID/Sophos Anti-Virus Home Edition.mpkg/Contents/Packages/SophosAV.mpkg/Contents/Resources/postupgrade
    com.sophos.intercheck: Corrupt file: /Library/Caches/com.sophos.sau/warehouse/CID/Sophos Anti-Virus Home Edition.mpkg/Contents/Packages/SophosAV.mpkg/Contents/Resources/postinstall
    com.sophos.intercheck: Corrupt file: /Library/Caches/com.sophos.sau/warehouse/CID/Sophos Anti-Virus Home Edition.mpkg/Contents/Packages/SophosAV.mpkg/Contents/Resources/postflight
    com.sophos.intercheck: Corrupt file: /Library/Caches/com.sophos.sau/warehouse/CID/Sophos Anti-Virus Home Edition.mpkg/Contents/Packages/SophosAV.mpkg/Contents/Resources/VolumeCheck
    com.sophos.intercheck: Corrupt file: /Library/Caches/com.sophos.sau/warehouse/CID/Sophos Anti-Virus Home Edition.mpkg/Contents/Packages/SophosAV.mpkg/Contents/Packages/SophosAVSrv8.0.8.1.pkg/Contents/Resources/preinstall
    com.sophos.intercheck: Corrupt file: /Library/Caches/com.sophos.sau/warehouse/CID/Sophos Anti-Virus Home Edition.mpkg/Contents/Packages/SophosAV.mpkg/Contents/Packages/SophosAVSrv8.0.8.1.pkg/Contents/Resources/postflight
    com.sophos.intercheck: Corrupt file: /Library/Caches/com.sophos.sau/warehouse/CID/Sophos Anti-Virus Home Edition.mpkg/Contents/Packages/SophosAV.mpkg/Contents/Packages/SophosAVSUMScanKit8.0.8.1.pkg/Contents/Resources/preinstall
    com.sophos.autoupdate: Download completed at 06:07:22 08 April 2013
    com.sophos.autoupdate: Software is up-to-date at 06:07:25 08 April 2013
    com.sophos.autoupdate: Info: Checked primary server at 06:07 on 08 April 2013
    com.sophos.autoupdate: Sophos Anti-Virus is up to date
    com.sophos.autoupdate:
    com.sophos.autoupdate: Updating catalogue information at 07:07:24 08 April 2013
    com.sophos.autoupdate: Catalogue updated at 07:07:25 08 April 2013
    com.sophos.autoupdate: Download started at 07:07:25 08 April 2013
    com.sophos.autoupdate: Download completed at 07:07:26 08 April 2013
    com.sophos.autoupdate: Software is up-to-date at 07:07:28 08 April 2013
    com.sophos.autoupdate: Info: Checked primary server at 07:07 on 08 April 2013
    com.sophos.autoupdate: Sophos Anti-Virus is up to date
    com.sophos.autoupdate:
    com.sophos.autoupdate: Updating catalogue information at 08:07:27 08 April 2013
    com.sophos.autoupdate: Catalogue updated at 08:07:28 08 April 2013
    com.sophos.autoupdate: Download started at 08:07:28 08 April 2013
    com.sophos.autoupdate: Download completed at 08:07:30 08 April 2013
    com.sophos.autoupdate: Update started at 08:07:30 08 April 2013
    com.sophos.intercheck: Fatal Error: Unable to initialise virus detection engine [0x80040200]
    com.sophos.intercheck: Sophos Anti-Virus cannot continue

    :1011960