
Sophos AV Mac Edition 7.3.5C - hangs trying to clean up non-existent file?

Since I came back this afternoon (family have been using the Mac), SAV keeps popping up a message to say it has detected a threat. When I open the quarantine manager, it says the threat is Mal/KeyGen-M and the filename is '...'

Under threat details, for the Path and Filename it says "To view all components of the threat, you must authenticate as an administrator", and under Action Available it says "The threat can be cleaned up". However, when I authenticate as admin, the Path and Filename is still blank. If I then choose to clean up the threat, quarantine manager says "Cleaning up threats", shows me a progress bar and then goes no further. Even leaving it for an hour or more this window doesn't go anywhere and the only way out of it is to Force Quit the app. Later on the message pops up again and so the cycle repeats.

I have noticed the following console messages for Sophos:

25/11/2011 21:51:34.910 com.sophos.notification: 2011-11-25 21:51:34.909 SophosAVAgent[1331:207] <IPCConnection: 0x429200> exception raised in delegate's message handler: *** -[__NSArrayM insertObject:atIndex:]: object cannot be nil

25/11/2011 21:52:42.953 com.apple.SecurityServer: Failed to authorize right 'com.sophos.cleanup' by client '/Library/Sophos Anti-Virus/SophosAntiVirus.app' [1084] for authorization created by '/Applications/Sophos Anti-Virus.app' [1302]

25/11/2011 22:12:37.319 com.apple.launchd.peruser.501: ([0x0-0x42042].com.sophos.sav[1302]) Exited: Terminated: 15

Any ideas - is this a false alarm of some sort, and if not how can I find out what file SAV is complaining about and how to clean it up?

:1004577
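The three console lines quoted in the post, run through a small triage parser. This is an added example, not code from the post or from Sophos. It assumes only the Console.app line format visible above ("DD/MM/YYYY HH:MM:SS.mmm sender: message") and the wording of those three messages: it pulls the right name and both PIDs out of the SecurityServer line, notes the SophosAVAgent exception that preceded it, and links the failed authorization to the later signal-15 exit of the process that created the authorization (PID 1302). The one-hour correlation window and the field names are my own choices; the log never states the quarantined file's path, so the parser cannot recover it either.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the three console lines quoted in the post above,
# copied here verbatim so the example runs offline.
SAMPLE_CONSOLE = """\
25/11/2011 21:51:34.910 com.sophos.notification: 2011-11-25 21:51:34.909 SophosAVAgent[1331:207] <IPCConnection: 0x429200> exception raised in delegate's message handler: *** -[__NSArrayM insertObject:atIndex:]: object cannot be nil
25/11/2011 21:52:42.953 com.apple.SecurityServer: Failed to authorize right 'com.sophos.cleanup' by client '/Library/Sophos Anti-Virus/SophosAntiVirus.app' [1084] for authorization created by '/Applications/Sophos Anti-Virus.app' [1302]
25/11/2011 22:12:37.319 com.apple.launchd.peruser.501: ([0x0-0x42042].com.sophos.sav[1302]) Exited: Terminated: 15
"""

# Console.app export line as seen in the post: timestamp, sender, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<sender>[^:]+): (?P<msg>.*)$"
)
# SecurityServer refusal: which right, which process asked the check (client),
# and which process created the authorization (the GUI that prompted for admin).
AUTH_FAIL_RE = re.compile(
    r"Failed to authorize right '(?P<right>[^']+)' by client '(?P<client>[^']+)' "
    r"\[(?P<client_pid>\d+)\] for authorization created by '(?P<creator>[^']+)' "
    r"\[(?P<creator_pid>\d+)\]"
)
# launchd exit record: job label, pid and the terminating signal number.
EXIT_RE = re.compile(
    r"\(\[[^\]]+\]\.(?P<label>[^\[]+)\[(?P<pid>\d+)\]\) Exited: Terminated: (?P<signal>\d+)"
)
# Objective-C exception surfaced by the Sophos agent's IPC handler.
EXC_RE = re.compile(
    r"(?P<proc>\w+)\[(?P<pid>\d+):\d+\] .*exception raised in delegate's message handler: (?P<detail>.*)$"
)


def parse_console(text):
    """Turn Console.app lines into event dicts; unknown lines are kept as kind='other'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {
            "ts": datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S.%f"),
            "sender": m["sender"],
            "kind": "other",
            "msg": m["msg"],
        }
        if a := AUTH_FAIL_RE.search(m["msg"]):
            ev.update(kind="auth_failure", right=a["right"], client=a["client"],
                      client_pid=int(a["client_pid"]), creator=a["creator"],
                      creator_pid=int(a["creator_pid"]))
        elif x := EXIT_RE.search(m["msg"]):
            ev.update(kind="exit", label=x["label"], pid=int(x["pid"]),
                      signal=int(x["signal"]))
        elif e := EXC_RE.search(m["msg"]):
            ev.update(kind="exception", process=e["proc"], pid=int(e["pid"]),
                      detail=e["detail"])
        events.append(ev)
    return events


def triage(events, window=timedelta(hours=1)):
    """For each failed authorization, collect the agent exceptions seen shortly
    before it and the exit (if any) of the process that created the authorization.
    The one-hour window is an assumption, not anything the log defines."""
    findings = []
    exits = [e for e in events if e["kind"] == "exit"]
    for auth in (e for e in events if e["kind"] == "auth_failure"):
        before = [e["detail"] for e in events
                  if e["kind"] == "exception" and auth["ts"] - window <= e["ts"] <= auth["ts"]]
        later = [x for x in exits
                 if x["pid"] == auth["creator_pid"] and auth["ts"] <= x["ts"] <= auth["ts"] + window]
        exit_ev = later[0] if later else None
        findings.append({
            "right": auth["right"],
            "requested_by": auth["creator"],
            "requested_pid": auth["creator_pid"],
            "checked_by": auth["client"],
            "checked_pid": auth["client_pid"],
            "agent_exceptions_before": before,
            "creator_exit": exit_ev,
            "seconds_to_exit": (exit_ev["ts"] - auth["ts"]).total_seconds() if exit_ev else None,
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_console(SAMPLE_CONSOLE)):
        print(f"right {f['right']} refused for {f['requested_by']} [pid {f['requested_pid']}], "
              f"checked by {f['checked_by']} [pid {f['checked_pid']}]")
        for d in f["agent_exceptions_before"]:
            print("  preceded by agent exception:", d)
        if f["creator_exit"]:
            print(f"  requester exited with signal {f['creator_exit']['signal']} "
                  f"{f['seconds_to_exit']:.0f}s later")
```

What the output tells you here: the cleanup right was refused to the GUI (PID 1302) about a minute after the agent threw a nil-insert exception, and that same PID 1302 is the one that later died with signal 15, which matches the force-quit described in the post. That narrows the fault to the cleanup authorization path rather than to the detection itself, but identifying the file still needs the scan log.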


This thread was automatically locked due to age.
  • I'm not sure what's causing the issue without a few more details (I don't know what those details would be offhand), but I do know that Mal/KeyGen-M detects Windows license key generators, and will do absolutely nothing on a Mac.

    I'd suggest logging in to your machine using an admin account and running a scan there...

    :1004585
  • Many thanks for the reply, and the reassurance that this 'keygen' thing isn't a threat under Mac OSX. I guess the main problem is that this threat detected message pops up every five or ten minutes so it's a bit intrusive. I did log out and log back in as root, then I opened Quarantine Manager at which point the same quarantined file was showing (again with no path or filename). I selected the item and chose to clean up but the same thing happened, the progress bar appeared and after a while I had to force quit the process to get out of it. I also checked the console (while logged in as root) and saw the same Sophos message about something not allowed to be 'nil'.

    I will do as you suggest though and log in as root and run a full scan to see if it can locate the offending file (complete with path and filename) and then clean it up.

    What I did wonder (and this is pure speculation on my part) is - could Sophos be detecting something in memory, i.e. a running process, that matches the characteristics of this keygen threat?

    Anyway, I will post the results of my scan as root as soon as I can.

    :1004595
  • Well yesterday evening I logged on to the Mac as the root user and ran a full scan of the boot drive. I left this running over night and this morning the progress bar showed it was about 70% of the way through, but there was a message on screen saying "Scan cannot be completed. An error occurred running the scan".

    Not sure what to do next. My first thoughts are to uninstall and then re-install Sophos AV (I have a Sophos Remove.app in my Applications folder which I assume will do the trick). Anything else I should try first?  Many thanks.

    :1004611
  • The Mac product currently doesn't scan in-memory, so it wouldn't be detecting it there... if your swap file is unencrypted, it is possible it is detecting it there.  More likely, it is detecting it on a network share, or in a transient cache/temporary folder.

    One way to get rid of it would be to go to Sophos Anti-Virus Preferences and temporarily switch your "When a threat is found" option from "Log Only" to "clean up" or "Move" -- or if you're feeling lucky, "delete".  If it keeps coming up after that, we'll have to dig deeper into your scan logs to figure out what's going on.

    :1004621
  • Just wanted to provide an update on where I got to with this.

    I noticed that every time the message popped up to say a threat had been found, OSX 10.7 Time Machine was actively backing up. Unfortunately the details I found when looking at the Quarantine Manager were still no more helpful than before, with "...," being all that was shown in the path/filename for the suspect file(s).

    I assumed that 'on access' scanning might be checking one or more files it felt were questionable so I erased my Time Machine backup disk and started Time Machine backing up from scratch. This appears to have fixed the problem as I haven't seen the warning message since doing this a few days ago.

    So it looks like my problem is solved for now. I still don't know why SAV had a problem showing me which files were problematic or why full scans appeared to fail, but for now I'm just happy the messages have gone away.

    Many thanks for your assistance and patience.

    :1004665
  • There's a thread about this elsewhere I think... Time Machine had an issue where it could corrupt files during backup when the file was locked for access and your TM configuration was set up in a certain way.  This means that SAV could then get stuck trying to scan this file when TM is attempting a refresh -- TM should just skip or replace, but the combination could get messy.  Out of curiosity, are you using a sparse image bundle, or a real filesystem for your backup volume?

    :1004669
  • I'm running a 2008 Mac Pro with four internal disks and the whole of the disk in bay #4 is turned over to Time Machine. The disk is a single 2TB partition and the output from Disk Utility is shown below. Hope this helps.

        Name :     TMBackup
        Type :     Partition

        Disk Identifier :     disk1s2
        Mount Point :     /Volumes/TMBackup
        File System :     Mac OS Extended (Journaled)
        Connection Bus :     SATA
        Device Tree :     IODeviceTree:/PCI0@0/SATA@1F,2/PRT3@3/PMP@0
        Writable :     Yes
        Universal Unique Identifier :     63694381-3B20-3DF1-9AB4-AE95E2424FBC
        Capacity :     2 TB (2,000,054,960,128 Bytes)
        Free Space :     1.41 TB (1,410,388,480,000 Bytes)
        Used :     589.67 GB (589,666,480,128 Bytes)
        Number of Files :     3,459,632
        Number of Folders :     322,757
        Owners Enabled :     Yes
        Can Turn Owners Off :     Yes
        Can Repair Permissions :     No
        Can Be Verified :     Yes
        Can Be Repaired :     Yes
        Can Be Formatted :     Yes
        Bootable :     Yes
        Supports Journaling :     Yes
        Journaled :     Yes
        Disk Number :     1
        Partition Number :     2


    :1004677
  • What you say about backup corruption is scary. Is there still a problem in 10.6.8? What do we do to avoid corruption in TM backups from this problem?

    :1005243

  • rdsh wrote:

    I'm running a 2008 Mac Pro with four internal disks and the whole of the disk in bay #4 is turned over to Time Machine. The disk is a single 2TB partition and the output from Disk Utility is shown below. Hope this helps.

        Name :     TMBackup
        Type :     Partition

        Disk Identifier :     disk1s2
        Mount Point :     /Volumes/TMBackup
        File System :     Mac OS Extended (Journaled)

    This looks like a standard volume, so there's no threat of corruption here.

    :1005261
  • Anything using sparse image bundles has a potential for corruption if some other process attempts to write data.  Sophos currently has a hands-off approach to Time Machine backup archives, and has for over a year -- so corruption shouldn't be an issue in this case.  This hands-off approach is what causes other issues when malware is found on a Time Machine backup.  SAV will prevent you from restoring the data from the backup, but it will not "clean up" the data on the backup; you should do this via Time Machine itself.

    Any OS prior to 10.7 uses the old FileVault 1 encryption, which is where the problems seem to exist.  As such, if you're using 10.6.8 and use Time Machine on an encrypted volume, do not manage the data on that volume through anything other than the Time Machine interface.  That includes using the Finder; just leave the control to Time Machine and let it manage the data.

    :1005263