
SAV and TimeMachine

I installed the SAV for Mac today.

After installation, I made a local drive scan, and It found 4 threats.

I deleted the infected files.

After a while, I got an alert from SAV that it had denied access to the files, which had been deleted but were still in my TimeMachine backup.

Although everything seems alright now, SAV interfered with TimeMachine's operation.

Will this corrupt my TimeMachine backup?


  • technorandy wrote:

    … it "fixed" the problem by removing my old backup …



    Please, can you provide the log of that removal? 

    Maybe paste the lines from the log to http://pastebin.ca/ or some other pastebin.


  • grahamperrin wrote:

    For reference (I'll tidy and interpret these later) …



    Using CharlesSoft TimeTracker, an apparent inconsistency after using sudo to delete some eicar test files from an early backup. I later realised that when using TimeTracker for this unusual type of troubleshooting, it's appropriate to clear caches before running the application.

    TimeTracker aside for a moment: screenshot 002 is relevant. The point
    2010-11-14-125501
    where those .zip files appear, in Finder, is not the point at which they were backed up. They were backed up earlier.

    Also relevant in that shot: I could copy, from that later point in the Time Machine volume, a .zip that had been removed from an earlier point. And it was possible to extract from the .zip, so this was true data (not a 'ghost' of some sort).

    Shot 002, a log of activity by SAV, shows those .zip files cleaned from two points
    2010-11-14-125501
    2010-11-14-142514
    both later than the original point of backup.

    Key point: those .zip files were surely backed up only once. I had made no modifications to the eicar test files.

    Proving that Finder in Mac OS X Server 10.6.5 can not (must not) modify a Time Machine backup. I guess that Mac OS X 10.6.5 is similarly good.

    Side note: these four shots were probably subsequent to a SuperDuper! attempt to restore, to the Time Machine volume, files that I had previously removed. SuperDuper! ran without error but, in retrospect, I wonder whether this approach is foolproof. (A utility such as Continuum may be better suited to backing up and restoring Time Machine volumes.)


    Taking care to clear TimeTracker caches at appropriate points, but working with a TimeMachine backup that has been modified by my use of SuperDuper!, these 27 shots provide nothing conclusive. 

    ----

    Also noted, maybe during these experiments: 

    • if you configure Sophos Anti-Virus to delete things, and if it encounters something that can be cleaned, it will not delete that thing. 

    In terms of possible corruption, what's above probably brings nothing new/significant to this topic, but it's interesting to note in points (1) and (2) that a file backed up only once may appear at different points in the backup — if something other than Time Machine is used to modify the Time Machine volume. This persistence may be sane, there might be a good explanation somewhere around http://web.me.com/pondini/Time_Machine/Home.html if someone would like to look. 

    Underlying all of the above, an issue with the OS in Virtual Box: I later realised the clock in the guest machine sometimes lags considerably behind the clock in the host, and lags for a long time (probably until Date & Time preferences are reviewed/corrected in the guest). So don't treat these interpretations as perfect!


  • grahamperrin wrote:

    Apple Time Capsule?


    Hi, no. It's an AirportExtreme with a 2Tb drive connected to the USB port at the back and configured via the disk sharing options on the Airport. It appears as a supported volume in Time Machine, so it isn't a hack.


  • grahamperrin wrote:

    Please, can you provide the log of that removal? 

    Maybe paste the lines from the log to http://pastebin.ca/ or some other pastebin.


    Thanks for your quick reply Graham, and I do appreciate that Sophos have made this product available free.

    I've taken the relevant parts from the Sophos Anti-Virus.log; not sure if this is the one you need, if not just let me know what the log's called. Cheers,

    Ian

    http://pastebin.ca/1994387


  • technorandy wrote:

    … AirportExtreme with a 2Tb drive connected to the USB port at the back and configured via the disk sharing options on the Airport. It appears as a supported volume in Time Machine so it isn't a hack.


    Is the volume Mac OS X Extended (Journaled)?

    Does the backup on the volume appear as a .sparsebundle?

  • Regarding TimeMachine - I don't have an infected machine, but I just recently (yesterday) moved from one iMac to another, using TimeMachine + System Setup to do a restore of my old iMac to my new iMac (virtually identical machines - I was shipped the wrong model; 2-core vs. 4-core; 4gb vs. 16gb). On restore, Sophos is installed, but cannot update, scan or even run in the background. It required an uninstall/reinstall on my target (new) machine. Just an FYI.


  • fmccb wrote:

    moved from one iMac to another … restore, Sophos is installed, but cannot update, scan or even run in the background


    Maybe the credentials used for updates were specific to your previous computer. 


  • technorandy wrote:
    … relevant parts from the Sophos Anti-Virus.log, not sure if this is the one you need … 

    The extract mentions Access to the file denied in a few places, but no mention of clean up or deletion/removal.  

    For viewing logs, the current version of SAV lacks a view menu. There are three different GUIs for the different classes of log. 

    Logs exist at the following paths: 

    /Library/Logs/

    • maybe just one file, Sophos Anti-Virus.log

    ~/Library/Logs/Sophos Anti-Virus/Scans

    • multiple folders, each one of which may contain multiple logs. 

    Try to find a log that corresponds with the time of the problem. 

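To act on the advice above (find the log entries from around the time of the problem, and check whether they record only an access denial or an actual clean-up or deletion), here is an added shell example; it is not from this thread or from Sophos, and its timestamp layout and sample lines are constructed assumptions, not the real Sophos Anti-Virus.log format.

```shell
#!/bin/sh
# Added example, not from this thread or from Sophos. It assumes log lines that
# start with "YYYY-MM-DD HH:MM:SS"; the sample entries below are constructed and
# do not reproduce the real Sophos Anti-Virus.log format.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2010-11-14 12:54:58 Scan of /Volumes/Backup started
2010-11-14 12:55:01 Access to the file /Volumes/Backup/eicar.zip denied
2010-11-14 12:55:02 Access to the file /Volumes/Backup/eicar2.zip denied
2010-11-14 14:25:14 Threat EICAR-AV-Test cleaned from /Volumes/Backup/eicar.zip
2010-11-14 16:00:00 Scan of /Volumes/Backup finished
EOF

# entries_between LOG "YYYY-MM-DD HH:MM:SS" "YYYY-MM-DD HH:MM:SS"
# Prints the entries whose timestamp lies inside the window (inclusive).
# ISO-style timestamps sort lexically, so plain string comparison is enough.
entries_between() {
  awk -v from="$2" -v to="$3" '
    { ts = $1 " " $2; if (ts >= from && ts <= to) print }' "$1"
}

# count_kind LOG KIND  (KIND is denied, cleaned or deleted)
# Counts entries of one kind, so that "access denied" events (the on-access
# scanner blocking a read) are not mistaken for a clean-up or removal.
count_kind() {
  case "$2" in
    denied)  grep -c 'denied' "$1" || true ;;
    cleaned) grep -c -i 'cleaned' "$1" || true ;;
    deleted) grep -c -iE 'deleted|removed' "$1" || true ;;
    *)       echo "unknown kind: $2" >&2; return 1 ;;
  esac
}

# Stand-alone run: show what happened around the first alert in the sample.
entries_between "$SAMPLE_LOG" "2010-11-14 12:55:00" "2010-11-14 12:56:00"
echo "denied=$(count_kind "$SAMPLE_LOG" denied) cleaned=$(count_kind "$SAMPLE_LOG" cleaned) deleted=$(count_kind "$SAMPLE_LOG" deleted)"
```

Point the two functions at `/Library/Logs/Sophos Anti-Virus.log` or a file under `~/Library/Logs/Sophos Anti-Virus/Scans` (adjusting the timestamp parsing if the real lines differ) to see whether a deletion was ever logged.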

  • grahamperrin wrote:

    Is the volume Mac OS X Extended (Journaled)?

    Does the backup on the volume appear as a .sparsebundle?


    Yes, the physical drive is formatted OS X Extended (Journaled) (HFSJ); however, the Airport Extreme makes the disk available using AFP and SMB to all devices on the network.

    The backup appears on the physical disk as a .sparsebundle


  • grahamperrin wrote:

    The extract mentions Access to the file denied in a few places, but no mention of clean up or deletion/removal.  

    For viewing logs, the current version of SAV lacks a view menu. There are three different GUIs for the different classes of log. 

    Logs exist at the following paths: 

    /Library/Logs/

    • maybe just one file, Sophos Anti-Virus.log

    ~/Library/Logs/Sophos Anti-Virus/Scans

    • multiple folders, each one of which may contain multiple logs. 

    Try to find a log that corresponds with the time of the problem. 

    _____________________________________________________________

    I have a total of 2 log files:

    /library/logs/Sophos Anti-virus.log  (that the previous sample was from) reproduced in its entirety http://pastebin.ca/1994650

    and 

    ~/library/logs/Sophos Anti-virus/Scans/Scan This Mac/2010-11-02 18/20/39 +0000.log corresponding to the single full system scan I have done. http://pastebin.ca/1994655

    I can see the scan, the files it found that were infected, and some corrupt files. There seems to be no log or entry for the removal of the items that I can see. The generic keygen it found was removed via the quarantine manager in the app.

