Sophos AV Hangs

Hi Lankidden, 

Thanks for posting this it helps a lot.

Ive been looking into some of the reports of slow scanning times, scans seemingly sticking on certain files, and disk space getting used up.

We have found that certain DMG files (newer ones produced by 10.6) can sometimes be mis-classified as UTF-16 rather than DMG.  

This causes them to be scanned incorrectly, and if the DMG is of a suitably large size can result in the OS paging memory onto disk (so you see the disk getting used up).

You can test this to see if this is the issue you are seeing.

If you create a customer scan and configure it to scan your local drives and partitions.  

Now configure it to not scan archive files, and add an exclusion for *.dmg (add any file first, then double click the entry to be able to just type *.dmg).

Try running this scan.  If you are seeing the above issue then the scan should complete in a much better time, and shouldnt use up disk space at all.

We have a code fix for the identified DMG mis-classification issue and this will be released in the next few weeks once it has completed testing.

If the scan still causes the issue then please let me know and ill see what else we can look at to try and resolve this issue for you as soon as possible.

Thanks

Hi Jupp:

I saw your reply to Lankidden and was glad because I was having a similar problem. The "out-of-the-box" scan caused a complete system hang after getting through just 10-20K of 600K files. The custom scan you recommend seemed to work at first but then caused another system hang with less than 40K files left to scan. Can you suggest anything beyond excluding DMGs and archive files?

Thanks

Hi there,

Do you know whether or not the memory consumption is something that is temporary in that it will reset after reboot?

My system hangs completely and has to have a hard reboot - running this scan worries me quite a bit - do you know when the fix is scheduled for release?

Thanks.

I've also had total system lockups since installing. every few days it would just halt dead. 

There was nothing in my system logs to directly suggest a cause, but there was activity from the Sophos app so I removed it as an experiment to see if this was the cause. 

So far, no lockup, but due to the scarcity of the hangs and the slow re-occurence I'm not 100% on having figured it out. 

---

Jupp wrote:

We have a code fix for the identified DMG mis-classification issue and this will be released in the next few weeks once it has completed testing.

If the scan still causes the issue then please let me know and ill see what else we can look at to try and resolve this issue for you as soon as possible.

I have installed version 7.2.2C, which I assume is the version mentioned above. This is the only version I have used, downloaded on December 15th from your site (& MD-5 checked for good measure). I still get the 'drive full' message if I do a whole disk scan of my entire startup volume with archives & images allowed. The startup volume is approximately 350 GB with only about 150 GB used. To my knowledge, there are not many DMG files on it, & by far the largest is a copy of the Snow Leopard 10.6 retail installer DVD (approximately 7.8 GB). I run OS 10.6.5. The Mac is a 3.06 GHz 2008 iMac (ID: 8,1). I run no other AV software & no scan has reported anything other than two corrupted zip files in the Apple Developer folder.

Otherwise, everything works perfectly. I will supply any other info you might need.

It's 10 months later, Oct 2011, and this still seems to be an issue. Thanks to these postings I have been able to get Sophos working, though. I have the current Macbook Air bought late July, which came with Lion installed. I am running Windows 7 on Parallels. I was not able to successfully run the "out of the box" scan either. I ran custom scans as you suggested, unchecking search in archives and compressed files, and excluding *.dmg. I also excluded *alias, as I have read in these forums and also in ClamXav forums that aliases can engage the AV software in an endless loop. I had no problem with those scans. I added the *.dmg and *alias exclusions to the full-blown scan local drives and it hung, at least I think it did - it stayed on the same number for a while so I aborted it. When I unchecked scan archives and compressed files it seemed to stop for a short while but then picked up the pace and finished in maybe 10 minutes. I do think the user interface should be tweaked to make it obvious how to exclude a class of files instead of a particular file, or at least show instructions right there, and indicate recommended settings. I haven't done an exhaustive elimination of each exclusion, but I think people could benefit from trying each of the three - archives/compressed, .dmg and alias. Thank you!

I tried to run a full system scan last night. Just before I went to bed Sophos indicated that there were <very large number> files still be scanned, and had been stuck at that number for about 10 minutes. I decided to just leave it. 

Seven hours later it was still stuck at that number.

There's something wrong here.

I've got 7.3.4C installed.

Thanks for the feedback.  The issue is that when the scanner is "stalled" it provides no feedback that it is in fact still working, but scanning inside an archive -- other than the progress throbber still throbbing.  If you re-check search in archives and compressed files, you'll find that when you hit that stalled patch, it will appear to be doing nothing for a while, during which time it is unpacking and scanning a large archive.  When complete, the progress bar will continue to move.

The alias issue shouldn't be an issue, as the symlink files themselves are scanned, not the file they link to.  These days, aliases are really UNIX symbolic links.