Number of files to interrogate

Finder is probably only picking up on the main HD where as the scan locates all local volumes - everything under /Volumes/.   Example:

If I look in Disk Utility it says I have ~500k of files on the main drive and without TM mounted when I start a scan the SAV GUI is about right.  When I plug in my Time Machine DU counts the files per drive so I have to add the main HD to the TM drive.  The TM drive has about 500k of files too.  If I run a scan with SAV with the TM mounted I see about 1 million files, so it's correct.  Example:

Ruckus,

Thanks for the detailed response - and the video which helped explain exactly what you were recommending.

Whilst I do have my Time Machine drive excluded from the scans, I thought this may be the problem area.  So, what I did was to stop the TM backups and scan again.  But my hopes were short lived as the scan still shows way in excess of 2 million files where Finder shows less than a million.

By the way, I have never had a successful completed scan since installing Mavericks (and having the number of files mysteriously increased as explained above).  But that is another topic where there are many other threads suggesting I'm not the only one.

You maybe able to tell from the video I'm running Mavericks too.  SAV for Mac 9.0.3 is the first version that should run OK on Mavericks but official support comes with the release of 9.0.5 (hopefully around the end of November 2013).  I can't say if 9.0.5 will solve everything but before its release Maverick users like ourselves are just it a little bit of limbo. :smileyhappy:

So if you have excluded the TM volume your scan log shows the exclusions and says this right?...

Scan name: "Scan Local Drives"
Scan items:
Exclusions: 
	Path: "/Volumes/Time Machine/"
Configuration:
	Scan inside archives and compressed files: Yes
	Automatically clean up threats: No
	Action on infected files: Report only
	Live Protection enabled: Yes

Does it show any other drives it's going to scan?

Another thing you can do (to speed up the scan) is to exclude compressed files (uncheck this option)...

And have you tried (if the scan log shows the TM volume is excluded) unmounting the TM drive altogether and testing that?

Ruckus

Thanks for the further response

First, a great leap forward - the scan completed!  All 2,300,000 of them.

So this is now getting interesting.  I have found the place where it tells me the scan log info.  And whilst I have definitely got the TM excluded (on my machine, it is called 'My Book for Mac') the log shows the following:

Scan name: "Scan Local Drives"
Scan items:
Configuration:
Scan inside archives and compressed files: Yes
Automatically clean up threats: Yes
Action on infected files: Move to folder at path "/Users/Shared/Infected/"
Live Protection enabled: Yes

As you will see, there is no sign of the EXCLUSIONS.  And I accept that I have a different 'Action' but I'm sure that shouldn't matter.

I have unticked 'Scan inside archives and compressed files' already to speed things up.

But, the final point you suggested is the best bit.  I unmounted the external drive - and lo and behold, the scan count dropped to 900,000 which is the same as in my Finder.

So even though I have the drive excluded, Sophos doesn't appear to be taking any notice of it.  Please see below for proof:

I accept that this free version is unsupported (apart from wise souls such as yourself), so hopefully this will get seen by the powers that be and get respolved one way or the other.

Cheers

The screenshot is missing - seems like the link is wrong. Can you post that again? Working without the screenshot can we go through a few points so I'm clear...

1. Yep, the difference in cleanup/action on detection doesn't matter so we can gloss over that.

2. You say you have excluded the Time Machine but it isn't shown in the scan log - as you have pointed out. Either that's the wrong scan log extract or the exclusion is wrong. Screenshot will help.  There is only one scan right?

3. To quote: "I have unticked 'Scan inside archives and compressed files' already to speed things up". The scan log extract doesn't say that. The extract says: "Scan inside archives and compressed files: Yes" - it should say 'No' if the option was unchecked.

4. To quote: "First, a great leap forward - the scan completed!" - so the scan now works, but what has actually changed?  Is the unmounting of the drive the change that helped? Anything else?

5. Do you only have one scan set up that you're configuring? I just want to avoid any possibility of having a custom scan or two and mixing the running of one scan, with the settings of another and the scan log extract of a third etc.  Points 2 and 3 suggest a mismatch of scans to logs or --and perhaps more unlikely-- a problem with your installation - something I don't see on my Mac with 10.9).

Ruckus,

Thanks again for the quick response.

The picture I sent was from 'Grab' which looked OK in my version but obviously never made it to the published post.  I have instead added a couple of attachments - one showing the exlusions and the other the settings.

- I do only have one scan - and because it would not originally finish its scan, I uninstalled and reinstalled the app.  So one definitely.

- As for the 'great leap forward' - it stuck again so will have to do yet another uninstall and install (if I stop the scan and even if I quick Sophos, when I fire it up again, it still shows where it left off)

Maybe the scan log I'm looking at (photo attached) is not the log you're refering to so I'd be obliged if you could confirm how to get to the log you mean.

Cheers again

The exclusion you have is for the on-access scanner.  Note the mention of the term 'on-access'...

You need to add an exclusion to the on-demand scan.  Open the Scans window and either double-click the white area somewhere or right-click and select 'Scan settings'...

Note:  You can also access the scan log from the right-click sub menu...

Once you have the scan settings open you can add an exclusion for 'My Book for Mac' on the exclusions tab.

Hopefully once this is set your scan will run OK.  While you're in the scan settings uncheck the scan compressed files option on the 'Options' tab to speed it up even more...

Ruckus

Just when I thought I was going to tell you that after following your instructions and actually carrying out the correct procedure (many apologies for that), it looks like I still have the same problem.

Please see the latest attachments below.

Totally bamboozled now....... unless I've made another mistake.....

As an aside, the scan stopped working again - it froze - and even though I Force Quit the app, when I fired it up again, it started where it had left off - frozen.  Again, the only way to get out of it was to uninstall and install again.  However, if I stop scanning in a 'controlled way', then it stops without problem.

Cheers

FYI:  Rather than uninstalling and reinstalling try forcing the 'SophosAVAgent' process to quit from Activity Monitor (if the scan locks up).

So the issues are:

1. The item count shown at the start of the scan would indicate that the Time Machine volume is being included in the scan.
2. The scan hangs part way through and this may be due to the exclusion not being applied in point 1.

For number one I've videoed below what I've seen.  It seems the behavior is that the scan does an item count of all drives and that is the number you see when the scan starts.  However the scan doesn't actually scan the drive being excluded and completes earlier - in never counts all the way down to zero items.

Have a watch of the video below to see if that makes sense to you and it should answer point 1.  Obviously point 2 still needs to be addressed - I'll ask Bob to comment - but chances are it's not to do with the Time Machine being scanned, maybe it's a file on your main hard drive.

I spoke to Bob (product development for Sophos Anti-Virus for Mac).  It's expected behavior for the scan to do what the video shows.  It's the way the product works as to can only query the operating system and return the number of items Mac OS X calculates - with or without exclusions.

Another thing Bob said is that the scanner can look like it's hung at a particular point, but it's probably just working through a large file or folder.  You should therefore give it time - leave it over night to work through the scan.

I also looking back over past posts and noticed a post where you may be able to see the files being scanned.  Tweaking the original command slightly (changing .txt output to .log) you could run the command below and open the .log file with Console (basically double-click it and it will open in Console) and watch for the point were the scan seems to stall.

1. Open Terminal (search for Terminal from Spotlight).
2. Type (copy and paste this) and press return: sudo sweep / -dn 2> ~/Desktop/manualscan.log
3. Enter your password (won't be displayed as you type) and then press enter.
4. Double-click the .log file that should have been created on your Desktop.
5. Sit back but keep one eye on it.  Also watch the Terminal as files the scanner can't open will be reported in that window and not the log file.
6. If the scan seems to stall be ready to note the file name in TextEdit etc.  The log can move fast but I'm assuming if the scan stalls you'll have a good bit of time to note the file name(s).
   If the scan log never seems to pause it could be due to the activity you're now seeing.  For example the normal program may be doing the same thing but hides the file names being processed and when it gets to a certain folder (with big files or lots of files) it just seems to stall.

Post back how it all goes.