v8.0.6C constantly writing to LaunchDaemons folder

One A/V technique is to employ an AppleScript that monitors the /Library/LaunchDaemons & /Library/LaunchAgents folders, and posts an alert whenever a program tries to add something there. Since v8.0.6C was released, Sophos A/V for the Mac is constantly writing a new com.sophos.autoupdate.plist, com.sophos.intercheck.plist & com.sophos.notification.plist to the LaunchDaemons folder, triggering an alert. This appears to be happening as part of the auto-update process.

Please STOP this behavior on the part of Sophos A/V for the Mac.

Thank you!

:1009684


This thread was automatically locked due to age.
  • As a workaround (until this behaviour is changed, if it is), you could modify your AppleScript to include a whitelist including those specific plists. Just check to ensure that the embedded path is pointing where it should be, and you should be able to ignore the updates. This works for other plist files you may want to monitor as well.

    :1009726
  • Thanks, Andrew. I'll use your idea as a temporary workaround until Sophos A/V can be patched.

    :1009766
  • Someone suggested an even more elegant solution to me, and one that you could use in other parts of the system too: checksum the file contents and keep that cached so that if there's a contents changed event, if the actual information hasn't changed, you can ignore it.  The plists shouldn't be changing contents... they just get overwritten (which has the benefit of removing corrupted plist files, among other things).

    :1009768
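
The two workarounds suggested above (an allowlist that still checks the embedded program path, and a cached checksum so identical overwrites are ignored) can be combined as follows. This is an added example, not part of the original thread and not Sophos or CIRCL code; the function names, the `com.example.updater` label and the `/Library/Example/` prefix are assumptions made for illustration.

```python
import hashlib
import plistlib
import posixpath
from pathlib import Path


def program_path(plist_bytes):
    """Return the normalised executable a launchd job would start, or None."""
    try:
        job = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    except Exception:
        return None  # corrupt or non-plist content
    if not isinstance(job, dict):
        return None
    args = job.get("ProgramArguments")
    first = args[0] if isinstance(args, list) and args else None
    prog = job.get("Program") or first
    # normpath collapses "../" so the prefix check below cannot be sidestepped
    return posixpath.normpath(prog) if isinstance(prog, str) else None


def scan(folder, cache, allowed):
    """Compare *.plist files in folder with cached SHA-256 digests.

    cache: file name -> digest from the previous scan.
    allowed: file name -> path prefix its program must live under (assumed policy).
    Returns (alerts, new_cache); alerts are (file name, event, program) tuples.
    """
    alerts, seen = [], {}
    for f in sorted(Path(folder).glob("*.plist")):
        data = f.read_bytes()
        seen[f.name] = hashlib.sha256(data).hexdigest()
        if cache.get(f.name) == seen[f.name]:
            continue  # overwritten with identical bytes: nothing changed
        prog = program_path(data)
        prefix = allowed.get(f.name)
        if prefix and prog and prog.startswith(prefix):
            continue  # allowlisted job still points where it should
        alerts.append((f.name, "changed" if f.name in cache else "new", prog))
    alerts += [(name, "removed", None) for name in sorted(cache.keys() - seen.keys())]
    return alerts, seen


if __name__ == "__main__":
    import tempfile
    demo = Path(tempfile.mkdtemp())  # constructed sample folder, not a system path
    job = plistlib.dumps({"Label": "com.example.updater",
                          "ProgramArguments": ["/Library/Example/updater"]})
    (demo / "com.example.updater.plist").write_bytes(job)
    _, cache = scan(demo, {}, {})
    (demo / "com.example.updater.plist").write_bytes(job)  # identical overwrite
    print(scan(demo, cache, {})[0])
```
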
  • While the more elegant solution suggested would be fine for really technically inclined people, I would argue that this is beyond the scope that most users would want to tackle. A better approach would be for Sophos to check its plist files during auto-update, and only replace the plist file IF & WHEN corruption is detected; not constantly.

    Thanks for the dialog. 

    :1009780
  • Hello RDuke,

    excuse the interjection.

    While I second your objection to the current behaviour I deem your argument somewhat inconsistent. I'd think that the A/V technique ... to employ an AppleScript that monitors ... folders is also beyond the scope that most users would want to tackle, or am I wrong? :smileywink:

    Christian

    :1009786
  • Hi Christian -

    The concept and technical details to monitor Launch Agent folders was published by Topher Kessler on cnet.com:

    http://reviews.cnet.com/8301-13727_7-57415311-263/monitor-os-x-launchagents-folders-to-help-prevent-malware-attacks/

    and turned into an app that anyone can download and run:

    http://www.circl.lu/pub/tr-08/

    By using the application, you don't need to know how to create an AppleScript to take advantage of the technique. As pointed out in Kessler's article, "While malware scanners can detect threats once definitions for them are available, you can monitor or lock your systems' launch agents folders to more proactively prevent attacks on your system".

    :1009790
  • Hello RDuke,

    The concept [...] was [...] turned into an app that anyone can download and run

    forgive my ignorance - I'm not a Mac user (but then I don't think that the majority of them is aware of this app). Thanks for the clarification and the reference :smileyhappy:

    Christian

    :1009820
  • I get the message 'One new item has been placed in the folder "LaunchDaemons" ' about 8 times EVERY DAY.   It drives me bonkers.  

    My version of Sophos Free is 8.0.16c  

    My operating system is OSX 10.8.4

    Implementing any of the solutions mentioned in earlier posts on this topic is beyond my skills and I have been using PCs and Macs for 25 years. Although I have paid $0 for what is an otherwise fine product, surely it's not a big ask for the makers to prevent this annoying unnecessary behaviour from occurring or to include some Preferences that will enable me to turn off or limit the behaviour.

    I am about to ditch Sophos Free and use something else.

    Eeeeeearrrrrghhhh!.  

    :1012794