SophosScanD process consuming up to 95% CPU

---

Pelagus wrote:

Dear Bob,

I downloaded and installed the free home-edition for Mac, again from scratch. Note that download from your website still provides the older version which contains the problem. I manually updated from the shield menu which led to another over-100MB download. It might be better to offer the most current -fixed- version right away as the inital download from the website.

Anyway, as I initially had to re-install the buggy version it was clear that the problem was reproduced, SophosScanD started consuming over 95% again of CPU and my machine started heating up almost immediately. This ended abruptly after the update completed. Temperatures and CPU consumption are now back to normal. SophosScanD is no longer the most prominent process in the Activity Monitor although it is still present (apparently permanent) and appears to be using a lot of memory (93.3MB). It might still be helpful to understand what it IS and DOES exactly and why it would need so much of my machine's resources.

While the CPU and heat problems appear solved for now, I am still not convinced that SophosScanD is behaving the way it should and I am eager to find out what will happen once the "virus detection data package" encounters another end of life warning.

So far, so good.

---

Hello Pelagus,

Good questions indeed. I'll start with what SophosScanD is doing. Its purpose is to scan web downloads for malicious content e.g. thought you were downloading a cool new app but it turned out to be a trojan in disguise. Its part of the Web Protection feature. At startup, it needs to load a lot of virus detection data into memory and optimize it for high performance. One of the reasons our software is so unobtrusive is that its been designed to perform analysis against millions of known threats in only a coupld of milliseconds. Unfortunately, SophosScanD contained a defect that would tell the daemon to quit if it enountered a fatal error while loading the data. The way the code was written made the end-of-life warning identical to a fatal error. When it decided to quit, the system was told to restart it immediately (it should always be running). So it would start up, load data, organize the data in memory, and then quit again. 10 seconds later, the system started it again. Infinitely.

The defect in question has been fixed. In addition, we've made changes to how the virus detection data is delivered, so it will be easier to ensure rapid and smooth updates which should prevent your Mac from ever having detection data that is reaching its end of life.

---

Pelagus wrote:

Dear Bob,

I downloaded and installed the free home-edition for Mac, again from scratch. Note that download from your website still provides the older version which contains the problem. I manually updated from the shield menu which led to another over-100MB download. It might be better to offer the most current -fixed- version right away as the inital download from the website.

Anyway, as I initially had to re-install the buggy version it was clear that the problem was reproduced, SophosScanD started consuming over 95% again of CPU and my machine started heating up almost immediately. This ended abruptly after the update completed. Temperatures and CPU consumption are now back to normal. SophosScanD is no longer the most prominent process in the Activity Monitor although it is still present (apparently permanent) and appears to be using a lot of memory (93.3MB). It might still be helpful to understand what it IS and DOES exactly and why it would need so much of my machine's resources.

While the CPU and heat problems appear solved for now, I am still not convinced that SophosScanD is behaving the way it should and I am eager to find out what will happen once the "virus detection data package" encounters another end of life warning.

So far, so good.

---

Hello Pelagus,

Good questions indeed. I'll start with what SophosScanD is doing. Its purpose is to scan web downloads for malicious content e.g. thought you were downloading a cool new app but it turned out to be a trojan in disguise. Its part of the Web Protection feature. At startup, it needs to load a lot of virus detection data into memory and optimize it for high performance. One of the reasons our software is so unobtrusive is that its been designed to perform analysis against millions of known threats in only a coupld of milliseconds. Unfortunately, SophosScanD contained a defect that would tell the daemon to quit if it enountered a fatal error while loading the data. The way the code was written made the end-of-life warning identical to a fatal error. When it decided to quit, the system was told to restart it immediately (it should always be running). So it would start up, load data, organize the data in memory, and then quit again. 10 seconds later, the system started it again. Infinitely.

The defect in question has been fixed. In addition, we've made changes to how the virus detection data is delivered, so it will be easier to ensure rapid and smooth updates which should prevent your Mac from ever having detection data that is reaching its end of life.