Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 31 replies
  • Subscribers 6 subscribers
  • Views 30035 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SAV and TimeMachine

st181234

I installed the SAV for Mac today.

After installation, I made a local drive scan, and It found 4 threats.

I deleted the infected files.

After a while, I got alert from SAV that it denied access to the files, which had been deleted but still in my TimeMachine backup.

Although everything seems alright now, SAV interfered TimeMachine's operation.

Will this corrupt my TimeMachine backup?

:1000303


This thread was automatically locked due to age.
  • 0

    Backups made by Time Machine are read-only — so a backup of a threat should remain, in that backup, until that backup is eventually purged by Time Machine (when the volume used for backup lacks free space). 

    If you prefer your on-access scanner to automatically disinfect or remove threats — and if a threat is in an area that's read-only — I'd expect Sophos Anti-Virus to:

    1. fall back gracefully to simple quarantine listing of the threat; and 
    2. play nicely with other processes. 

    CORRECTION

     
    Backups made by Time Machine appear read-only to the end-user …
    :1000361
  • 0

    Looking at a mixed topic nearby, http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/My-review-of-SAV-Mac-HE-amp-4-issues/td-p/106


    @ st181234 (opening poster):

    would you mind if we shift disucssion of Time Machine with Sophos Anti-Virus Home Edition from that topic, to this one?

    :1000637
  • 0

    Thank you Sophos, you have now corrupted my effing Time Machine backup.....

    7 months of backups ALL GONE..... ALL CORRUPTED - the Sparsebundle has been corrupted....

    Just great....

    :1000707
  • 0

    Anecdotal hints of bad interactions between SAV and TM are floating around. I documented mine (loss of 19 months of TM backup data) pretty extensively at http://recoveringphysicist.com/17 and reached out to Graham Cluley for any comments, then updated the blog post with his observations. Bottom line: Sophos believes they are playing nicely with TM and could not be the cause of data loss there. But in my experience TM is quite fragile -- great when it works but easy to mess up. (I wrote about another mysterious TM failure at http://recoveringphysicist.com/15/ .)

    [Note added 2010-11-12, 16:15 Z] Word from Sophos that they are still investigating my data loss and may have something to post soon on the forum.

    :1000735
  • 0

    At separating out discussion of Time Machine environments (was: My review of SAV Mac HE & 4 issues): 

    grahamperrin wrote:

    Alphaman wrote:
    • … My TM disk resides on a network server …

    … Time Machine backup … sparsebundle is a complex combination of data and metadata …

    … Selectively deleting old backups from TM is not the expected failure mode of how such a program would corrupt your backup.  You would much more likely see what the good doctor saw in his blog post -- a complete loss of ALL your TM.

    Time Machine will prune your backup.  SAV doesn't have the intelligence to do such.

    All true to the best of my knowledge, but I can think of at least three different Time Machine destination/target environments — one of which does not involve a .sparsebundle — and an obscure bug (not yet reported in the Home Edition area) that causes a volume unrelated to TM to be unexpectedly ejected — so I think it'll be prudent to separate the SAV versus TM puzzles into a separate topic. 

    :1000749
  • 0
    grahamperrin wrote:
    at least three different Time Machine destination/target environments — one of which does not involve a .sparsebundle
    1. local volume, connected via e.g. FireWire or USB, and backing up without hacks
    2. Time Capsule
    3. Mac OS X Server, not involving a .sparsebundle
    4. … other Apple-supported environments?
    5. … other environments involving hacks?
    :1000751
  • 0

    Hi folks

    The latest is that Sophos is still investigating the issue reported by a small number of users on this forum about Time Machine backups being deleted whilst running Sophos Anti-Virus for Mac Home Edition.

    As a precautionary measure, while our investigation continues, we would recommend that, if you detect malware in your Time Machine backup,you do not tell Sophos to clean it up.

    From a protection point of view, you are still safe. Sophos Anti-Virus for Mac Home Edition continues to protect you (through its on-access scanner), checking any file you access for malware, including files restored from backup.

    As our investigations continue we will provide further updates.

    Thanks.

    :1000759
  • 0
    kdawson wrote:

    … loss of 19 months of TM backup data …

    http://www.wuala.com/grahamperrin/public/2010/11/12/a screenshot 001, 

    kdawson, what's reported by the Time Machine status menu option to Verify Backups?

    http://diigo.com/0dnjx http://diigo.com/0dnjy and http://diigo.com/0dnjz for highlights from 

    http://web.me.com/pondini/Time_Machine/Works.html

    http://web.me.com/pondini/Time_Machine/12.html and 

    http://web.me.com/pondini/Time_Machine/A2.html respectively. 

    :1000767
  • 0

    You learn something new every day... never thought to hold down the option key while selecting the TM menu item before.

    --And I love the note at the bottom of the Time Machine Works page: "NOTE:   Try to avoid looking at your backups via the Finder.  If you accidentally change, move, or delete anything, they can be hopelessly corrupted."  Too true....

    :1000771
  • 0

    I've added my TM volume to the SAV exclusion list -- there's no need to take a chance, and based on the nature of the content, no need to be scanning the volume anyways.  Anything in there shouldn't be deleted by an outside program, and any malware therein will be caught should you try to restore it to a protected volume.

    Is there a way that SAV could check if a volume is used for TM, and if so, automatically add it to the exclusion list?

    :1000779