Sophos Anti-Virus for Mac stops and crashes during scan when it updates in OSX 10.8

I had the other problems with Sophos Anti-Virus for Mac when I upgraded to 10.8, but those were fixed with the update on Aug. 10, 2012. However, Sophos cannot complete a scan if an update comes up during the scan. The program crashes during that update. I have scanned successfully for both local scan and custom scan of my MacBook Pro drive if I turn off the wi-fi to the computer. I don't have to turn the wi-fi off itself, but just to the computer. Now, sometimes it will update several times during a scan before an update causes the program to crash, but usually it is the first scan. Is Sophos looking into this? I believe I saw this problem with updates mentioned in some thread, but I cannot find it now. I am using version 8.06C. I did not have this problem before updating to 10.8, so I am sure this problem is due to an incompatibility of Sophos with Mountain Lion. Without a fix, I can still set up a scan in the middle of the night, but I have to turn the wi-fi off to my computer before retiring for the night. Thanks for any help.

:1009476


This thread was automatically locked due to age.
  • I haven't seen a report of this exact issue before; others are having kernel panics (see the kernel panic thread) when on-access is enabled and network activity happens.  This is happening to people on 10.7 as well.

    The crash during custom scan during definition update sounds different.  If you disable automatic updates in the preferences but keep your connection enabled, does the scan still crash?

    What does console.app say about this (the syslog and the Sophos logs)?

    :1009482
  • Andrew, I did as you suggested. I updated first, turned off the autoupdate, left the wi-fi on and ran a manual custom scan. The custom scan mode just scans my entire hard disk on my MacBookPro.  The scan excludes my two external network drives hooked up thru a timecapsule to the network. From observation, I don't think Sophos checks external drives only hooked up thru the network anyway, does it?  The scan I ran actually finished with no problems. The MacBookPro Scan.log simply said:

    Scan name: "MacBookPro"
    Scan items:
    Path: / enabled: yes
    Exclusions:
    Path: "/Volumes/Data/"
    Path: "/Volumes/FW1000HD/"
    Path: "/Volumes/Tunes 1000/"
    Configuration:
    Scan inside archives and compressed files: Yes
    Automatically clean up threats: No
    Action on infected files: Report only
    Live Protection enabled: Yes

    Immediate scan started at 2012-08-21 18:54:24 -0600

         2012-08-21 23:15:32 -0600 Issue: engine encountered an unrecognised file format at: /Users/garykolson/Downloads/StuffItDeluxe2011Trial.dmg

             Scan completed at 2012-08-21 23:57:50 -0600.

            1394466 items scanned, 0 threats detected, 1 issues

    The Sophos Anti-Virus.log said:

         com.sophos.intercheck: Corrupt file: /private/tmp/5d37d8a0.$$$

    I forgot to uncheck schedule, so custom scan ran again successfully at 3 am with similar message but a different "corrupt" /private/tmp file.

    I wonder if 10.8 uses a slightly different tmp file now that Sophos is flagging as corrupt?

    It would appear that something about the autoupdate is causing the Sophos program to crash when a scan is running.  Hope this helps.

    :1009514
  • The "corrupt" files are just incomplete temp files -- temp files are often flagged as corrupt.  The unrecognized Stuffit DMG isn't much of an issue either.

    It sounds like the problem is that your network mounts are getting in the way of the full scan completing.  Out of curiosity, do you know if AutoUpdate ran during the scan either of those two times?

    :1009522
  • Those scans including the one I forgot to turn off were all made with the Autoupdate feature turned off.  I am currently running another custom scan with the Autoupdate turned on and the wi-fi turned on. This scan is currently about 50 percent done, and 3 autoupdates have occurred without the scan crashing. I'll keep you posted.

    :1009530
  • That last scan made it to the fourth autoupdate and Sophos crashed. As I said above, this last scan on the evening of the 22nd had autoupdate on and wi-fi on. There are no entries in the custom scan log or Sophos Anti-Virus log when the program crashes. I am looking for yesterday's system log to see if it discusses this. Are several days' system logs stored? I will let you know if I find anything. Oh, Apple just released 10.8.1. I will install and run scan again to see if anything has changed.

    Gary

    :1009542
  • Thank you for your excellent level of feedback in these forums!  Isolating all the variables helps us all to know what isn't the problem as well as what may be.

    :1009558
  • After installing OSX 10.8.1, I ran a scan of the local drive with wi-fi and autoupdate on. The local scan started at 12:01 MDT on 8/23/12. Sophos crashed just after 17:06:40 MDT on 8/23/12. By coincidence, I was actually looking at system logs on the same screen when it went down. The program just disappeared from the screen. Sophos ran slightly over 5 hours and checked for an update every hour at 13:00:55, 14:02:23, 15:03:56, 16:05:07, but the program was up to date during these checks. However, the program checked again at 17:06:17. This time, the program needed to be updated, and Sophos crashed. Here is the Sophos Anti-Virus log for this incident:

    com.sophos.autoupdate: Updating catalogue information at 16:05:07 23 August 2012
    com.sophos.autoupdate: Catalogue updated at 16:05:09 23 August 2012
    com.sophos.autoupdate: Download started at 16:05:09 23 August 2012
    com.sophos.autoupdate: Download completed at 16:05:25 23 August 2012
    com.sophos.autoupdate: Software is up-to-date at 16:06:17 23 August 2012
    com.sophos.autoupdate: Info: Checked primary server at 16:06 on 23 August 2012
    com.sophos.autoupdate: Sophos Anti-Virus is up to date
    com.sophos.autoupdate:
    com.sophos.autoupdate: Updating catalogue information at 17:06:17 23 August 2012
    com.sophos.autoupdate: Catalogue updated at 17:06:18 23 August 2012
    com.sophos.autoupdate: Download started at 17:06:18 23 August 2012
    com.sophos.autoupdate: Download completed at 17:06:35 23 August 2012
    com.sophos.autoupdate: Update started at 17:06:40 23 August 2012
    com.sophos.autoupdate: Info: Checked primary server at 17:10 on 23 August 2012
    com.sophos.autoupdate: Sophos Anti-Virus was updated
    com.sophos.autoupdate:
    com.sophos.intercheck: Sophos Anti-Virus
    com.sophos.intercheck: Version 4.80, 06 August 2012
    com.sophos.intercheck: Includes detection for 3879855 viruses, trojans and worms
    com.sophos.intercheck: Copyright (c) 1989-2012 Sophos Ltd, www.sophos.com
    com.sophos.intercheck:
    com.sophos.intercheck: Using IDE files:
    com.sophos.intercheck:

    <snip>

    com.sophos.intercheck:
    com.sophos.intercheck: Info: On-access scanner started at 17:10 on 23 August 2012
    com.sophos.intercheck:

    So, it took about 4 minutes for Sophos to get the live scanner up and running. I checked the system log for this time period, and I see the following:

    Aug 23 17:04:56 MacBkPro.local Dock[192]: CGSGetWindowTags: Invalid window 0xf32
    Aug 23 17:04:56 MacBkPro.local Dock[192]: find_shared_window: WID 3889
    Aug 23 17:04:56 MacBkPro.local Dock[192]: CGSGetWindowTags: Invalid window 0xf31
    Aug 23 17:06:47 MacBkPro com.apple.launchd[1] (com.apple.xpcd.00000000-0000-0000-0000-000000000000[2347]): Exited: Killed: 9
    Aug 23 17:06:47 MacBkPro kernel[0]: memorystatus_thread: idle exiting pid 2347 [xpcd]
    Aug 23 17:06:48 MacBkPro kernel[0]: memorystatus_thread: idle exiting pid 2346 [com.apple.speech]
    Aug 23 17:06:48 MacBkPro com.apple.launchd[1] (com.apple.speech.synthesis.activityd[2346]): Exited: Killed: 9
    Aug 23 17:06:48 MacBkPro kernel[0]: memorystatus_thread: idle exiting pid 2344 [cfprefsd]
    Aug 23 17:06:48 MacBkPro com.apple.launchd.peruser.26[2342] (com.apple.cfprefsd.xpc.agent[2344]): Exited: Killed: 9
    Aug 23 17:06:48 MacBkPro com.apple.launchd[1] (com.apple.Preview.TrustedBookmarksService[2334]): Exited: Killed: 9
    Aug 23 17:06:49 MacBkPro kernel[0]: memorystatus_thread: idle exiting pid 2334 [com.apple.Previe]
    Aug 23 17:06:50 MacBkPro.local Mail[186]: _checkNewMail isAutoFetch
    Aug 23 17:06:50 MacBkPro.local Mail[186]: doBackgroundFetch called
    Aug 23 17:06:50 MacBkPro.local Mail[186]: [LogBlockedFetches] Prior to lock in _prepareToFetch <MFAosImapAccount:0x7ff201cacf90 (path=/Users/garykolson/Library/Mail/V2/AosIMAP-garykolson, active)>
    Aug 23 17:06:50 MacBkPro.local Mail[186]: [LogBlockedFetches] Prior to lock in _prepareToFetch <IMAPAccount:0x7ff201cc46e0 (path=/Users/garykolson/Library/Mail/V2/IMAP-garykolson@imap.gmail.com, active)>
    Aug 23 17:06:55 MacBkPro com.apple.launchd[1] (com.apple.security.pboxd[2330]): Exited: Killed: 9
    Aug 23 17:06:55 MacBkPro kernel[0]: memorystatus_thread: idle exiting pid 2330 [com.apple.securi]
    Aug 23 17:07:17 MacBkPro com.apple.launchd.peruser.505[157] (com.apple.printtool.agent[2329]): Exited: Killed: 9
    Aug 23 17:07:17 MacBkPro kernel[0]: memorystatus_thread: idle exiting pid 2329 [printtool]
    Aug 23 17:07:17 MacBkPro com.apple.launchd[1] (com.apple.hiservices-xpcservice[2325]): Exited: Killed: 9
    Aug 23 17:07:17 MacBkPro kernel[0]: memorystatus_thread: idle exiting pid 2325 [com.apple.hiserv]
    Aug 23 17:07:18 MacBkPro com.apple.launchd.peruser.601[2295] (com.apple.cfprefsd.xpc.agent[2300]): Exited: Killed: 9
    Aug 23 17:07:18 MacBkPro kernel[0]: memorystatus_thread: idle exiting pid 2300 [cfprefsd]
    Aug 23 17:07:20 MacBkPro com.apple.launchd.peruser.601[2295] (com.apple.distnoted.xpc.agent[2299]): Exited: Killed: 9
    Aug 23 17:07:20 MacBkPro kernel[0]: memorystatus_thread: idle exiting pid 2299 [distnoted]
    Aug 23 17:07:22 MacBkPro com.apple.launchd.peruser.505[157] (com.apple.pbs[2293]): Exited: Killed: 9
    Aug 23 17:07:22 MacBkPro kernel[0]: memorystatus_thread: idle exiting pid 2293 [pbs]
    Aug 23 17:07:45 MacBkPro.local com.apple.SecurityServer[15]: Succeeded authorizing right 'system.install.apple-software' by client '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/installd' [309] for authorization created by '/usr/sbin/installer' [2375] (4,0)
    Aug 23 17:07:45 MacBkPro.local com.apple.SecurityServer[15]: Succeeded authorizing right 'system.install.software' by client '/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/installd' [309] for authorization created by '/usr/sbin/installer' [2375] (4,0)
    Aug 23 17:07:54 MacBkPro.local com.apple.SecurityServer[15]: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent' [11] for authorization created by '/usr/libexec/UserEventAgent' [11] (100012,0)
    Aug 23 17:08:06 MacBkPro com.apple.launchd.peruser.505[157] ([0x0-0x2a02a].com.sophos.sav[360]): Exited: Terminated: 15
    Aug 23 17:08:33 MacBkPro com.apple.launchd[1] (com.sophos.intercheck[65]): Exit timeout elapsed (20 seconds). Killing
    Aug 23 17:08:39 MacBkPro.local com.apple.SecurityServer[15]: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent' [11] for authorization created by '/usr/libexec/UserEventAgent' [11] (100012,0)
    Aug 23 17:09:24 MacBkPro.local com.apple.SecurityServer[15]: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent' [11] for authorization created by '/usr/libexec/UserEventAgent' [11] (100012,0)
    Aug 23 17:09:32 MacBkPro com.apple.launchd.peruser.505[157] (com.sophos.uiserver[340]): Exited: Killed: 9
    Aug 23 17:09:40 MacBkPro.local WindowServer[100]: CGXDisableUpdate: UI updates were forcibly disabled by application "SophosUIServer" for over 1.00 seconds. Server has re-enabled them.
    Aug 23 17:09:40 MacBkPro.local WindowServer[100]: reenable_update_for_connection: UI updates were finally reenabled by application "SophosUIServer" after 1.00 seconds (server forcibly re-enabled them after 1.00 seconds)
    Aug 23 17:09:42 MacBkPro.local SophosAutoUpdate[2527]: AlreadyRegistered
    Aug 23 17:09:51 MacBkPro com.apple.launchd.peruser.505[157] (com.sophos.uiserver[2481]): Exited: Killed: 9
    Aug 23 17:09:54 MacBkPro.local SophosAntiVirus[2961]: reloading scheduled scans...
    Aug 23 17:09:54 MacBkPro.local SophosAntiVirus[2961]: scheduleScanWithName: MacBookPro | B6641F0E-1930-4070-80E8-6908DA5DA61D | 505 | (
    wednesday
    ) | (
    "03:00:00"
    )
    Aug 23 17:09:58 MacBkPro.local com.apple.SecurityServer[15]: Succeeded authorizing right 'com.apple.ServiceManagement.daemons.modify' by client '/usr/libexec/UserEventAgent' [11] for authorization created by '/usr/libexec/UserEventAgent' [11] (100012,0)
    Aug 23 17:10:01 MacBkPro.local anacron[3280]: Anacron 2.3 started on 2012-08-23
    Aug 23 17:10:01 MacBkPro.local anacron[3280]: Normal exit (0 jobs run)
    Aug 23 17:10:07 MacBkPro.local InterCheck[2951]: Live protection is Enabled
    Aug 23 17:10:07 --- last message repeated 1 time ---
    Aug 23 17:10:07 MacBkPro kernel[0]: Sophos Anti-Virus on-access kext activated
    Aug 23 17:10:08 MacBkPro.local InterCheck[2951]: Live protection is Enabled
    Aug 23 17:10:24 --- last message repeated 7 times ---

    You can see Sophos going down and the operating system recovering and Sophos reestablishing live scan coverage about 4 minutes after the crash. I hope this can help you isolate why autoupdate causes a crash. At least I can run live scan, and custom or local scan when I want, and it will run if I turn off autoupdate during the scan.

    Gary

    :1009562
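The two excerpts quoted in the post above can be lined up programmatically. The following is an added example, not part of the original thread and not Sophos code: it merges the AutoUpdate log and the syslog into one timeline and measures how long on-access scanning was down. The function names are illustrative, and the year applied to the syslog timestamps is an assumption, since syslog lines do not carry one.

```python
import re
from datetime import datetime

# Lines copied from the two log excerpts quoted in the post above.
AUTOUPDATE_LOG = "com.sophos.autoupdate: Update started at 17:06:40 23 August 2012\n"
SYSLOG = """\
Aug 23 17:06:47 MacBkPro com.apple.launchd[1] (com.apple.xpcd.00000000-0000-0000-0000-000000000000[2347]): Exited: Killed: 9
Aug 23 17:08:06 MacBkPro com.apple.launchd.peruser.505[157] ([0x0-0x2a02a].com.sophos.sav[360]): Exited: Terminated: 15
Aug 23 17:08:33 MacBkPro com.apple.launchd[1] (com.sophos.intercheck[65]): Exit timeout elapsed (20 seconds). Killing
Aug 23 17:09:32 MacBkPro com.apple.launchd.peruser.505[157] (com.sophos.uiserver[340]): Exited: Killed: 9
Aug 23 17:10:07 MacBkPro kernel[0]: Sophos Anti-Virus on-access kext activated
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ "
STOP = re.compile(TS + r"com\.apple\.launchd\S*\[\d+\] \((?:\[[^\]]+\]\.)?"
                  r"(?P<job>com\.sophos\.[\w.]+)\[\d+\]\): (?P<why>Exit.*)")
KEXT_UP = re.compile(TS + r"kernel\[0\]: Sophos Anti-Virus on-access kext activated")
UPDATE = re.compile(r"com\.sophos\.autoupdate: Update started at (?P<ts>.+)$")

def timeline(autoupdate_log, syslog, year=2012):
    """Merge both logs into a sorted list of (datetime, event) tuples.
    syslog lines carry no year, so `year` is an assumption supplied by the caller."""
    events = []
    for line in autoupdate_log.splitlines():
        if m := UPDATE.match(line):
            events.append((datetime.strptime(m["ts"], "%H:%M:%S %d %B %Y"), "update started"))
    for line in syslog.splitlines():
        m = STOP.match(line) or KEXT_UP.match(line)
        if not m:
            continue  # unrelated system noise, e.g. Apple helper processes exiting
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        what = f"{m['job']} stopped ({m['why']})" if "job" in m.groupdict() else "on-access kext activated"
        events.append((when, what))
    return sorted(events)

def seconds_between(events, start_prefix, end_prefix):
    """Seconds from the first event matching start_prefix to the next one matching end_prefix."""
    start = next((t for t, e in events if e.startswith(start_prefix)), None)
    end = next((t for t, e in events if start and t >= start and e.startswith(end_prefix)), None)
    return int((end - start).total_seconds()) if start and end else None

if __name__ == "__main__":
    ev = timeline(AUTOUPDATE_LOG, SYSLOG)
    for when, what in ev:
        print(when.time(), what)
    print("update start -> kext active:", seconds_between(ev, "update started", "on-access kext"), "s")
    print("intercheck stop -> kext active:", seconds_between(ev, "com.sophos.intercheck stopped", "on-access kext"), "s")
```
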
  • I am running OS 10.5.8 and Sophos scan keeps locking up 3 minutes into the scan.....it doesn't actually crash, just stops continuing through the files

    Scan name: "Scan Local Drives"
    Scan items:
    Configuration:
    Scan inside archives and compressed files: Yes
    Automatically clean up threats: Yes
    Action on infected files: Report only
    Live Protection enabled: Yes

    Immediate scan started at 2012-09-07 16:52:18 -0500

    New volume detected at /Volumes/Sophos Anti-Virus Home Edition OS X 10.4+
    New volume detected at /Volumes/Flash Player 1
    New volume detected at /Volumes/Flash Player
    New volume detected at /Volumes/MacHD500
    New volume detected at /Volumes/Vaio backup 2:02
    New volume detected at /Volumes/250 GB Internal
    New volume detected at /
    2012-09-07 16:53:36 -0500 Encrypted file: /Volumes/Vaio backup 2:02/Inbox.mbx
    2012-09-07 16:54:16 -0500 Encrypted file: /Volumes/Vaio backup 2:02/Inbox.zip
    2012-09-07 16:54:21 -0500 Threat: 'W32/Apology-B' detected in /Volumes/Vaio backup 2:02/TIAZINHA.JPG.pif
    Clean up not available for this threat
    2012-09-07 16:54:31 -0500 Threat: 'W32/Apology-B' detected in /Volumes/Vaio backup 2:02/Vaio_BU_Feb. 02 Folder/TIAZINHA.JPG
    Clean up not available for this threat

    :1009800
  • When you say "stops continuing", are you talking about leaving it for two hours and seeing no progress, or leaving it for two minutes and seeing no progress?  Does it happen to list some sort of archive file or removable volume as the current scan item when the progress bar stalls?  The bar only progresses for each outer item on your system, so if you're archive scanning and have to unpack an archive, all the contents still count as one item.

    Since you appear to have a number of external volumes mounting/unmounting during the scan, this will ensure you get the "this scan has never been completed" comment when you're done -- and you may find that the "scan local drives" scan is really slow with some sorts of external drives attached.

    :1009822
  • My error log

    Dec 14 18:45:46  -Mac-mini com.sophos.intercheck[55627]: /Library/Sophos Anti-Virus/InterCheck.app/Contents/Resources/Sophos Anti-Virus.kext failed to load - (libkern/kext) different version/uuid already loaded; check the system/kernel logs for errors or try kextutil(8).
    Dec 14 18:45:46  -Mac-mini com.sophos.intercheck[55627]: InterCheck: ic_worker_start waitpid
    Dec 14 18:45:46  -Mac-mini com.apple.launchd[1] (com.sophos.intercheck[55627]): Exited with code: 1
    Dec 14 18:45:46  Mac-mini com.apple.launchd[1] (com.sophos.intercheck): Throttling respawn: Will start in 10 seconds

    :1011102