SophosScanD process consuming up to 95% CPU

Well, it looks like this problem (or a similar one) was reported already back in June. Also, after updating to 9.1.5, I was still getting the same behavior, at least for a while. See this topic:

openforum.sophos.com/.../18029

So, just fyi, there seems to be still some conditions under which 9.1.5 will display the same high CPU and restarting.

<<our escalation process for critical issues needs to be reviewed. It shouldn't take a social media storm to get our attention in situations like this. We will do better going forward, and I appreciate your input about our progress.>>

Bob - Thanks for the update.  As I said above, I've been very happy with the smooth, unobtrusive and efficient operation of the software for a long time now and I appreciate your candor here. Thank you for making the home edition freely available.

Please note that I reported this issue as early as August 25th. It got pretty much ignored until a storm broke out on September 15th. Also, while "SophosScanD" was promoted here and there as a useful product feature, there was (and is?) no explanation to be found anywhere of what it actually is and does. Putting all that together, after a few days I uninstalled SAV and chose another AV. I will now try your solution - stay tuned.

Dear Bob,

I downloaded and installed the free home-edition for Mac, again from scratch. Note that download from your website still provides the older version which contains the problem. I manually updated from the shield menu which led to another over-100MB download. It might be better to offer the most current -fixed- version right away as the inital download from the website.

Anyway, as I initially had to re-install the buggy version it was clear that the problem was reproduced, SophosScanD started consuming over 95% again of CPU and my machine started heating up almost immediately. This ended abruptly after the update completed. Temperatures and CPU consumption are now back to normal. SophosScanD is no longer the most prominent process in the Activity Monitor although it is still present (apparently permanent) and appears to be using a lot of memory (93.3MB). It might still be helpful to understand what it IS and DOES exactly and why it would need so much of my machine's resources.

While the CPU and heat problems appear solved for now, I am still not convinced that SophosScanD is behaving the way it should and I am eager to find out what will happen once the "virus detection data package" encounters another end of life warning.

So far, so good.

Hi,

Thanks for your reply and details on this issue, I personally was not expecting such a fast response and fix as this is a free product after all and so was not expecting a gold gold service (like others who dont pay but demand better).

Anyway, thanks again seems to have fixed my issue and it is does re-occur thren the simple work around in the forums can be used again.

sudo launchctl remove com.sophos.scan

Cheers

Yes, excellent work Sophos, and for a free product as others have mentioned. I for one wouldn't mind paying (although I'm obviously not complaining), I've found detection rates to be excellent and the inobtrusive nature of the software is great.

Having uninstalled yesterday I activated a license I had for a well-known competitor's product, paid version (Russian, begins with a K) and while it looks very nice and scans quickly I didn't find the on-demand scanning as well implemented as Sophos version, it not always being obvious that a scan has taken place at all.

Thanks once again for the fix Sophos, keep it up.

---

Pelagus wrote:

Dear Bob,

I downloaded and installed the free home-edition for Mac, again from scratch. Note that download from your website still provides the older version which contains the problem. I manually updated from the shield menu which led to another over-100MB download. It might be better to offer the most current -fixed- version right away as the inital download from the website.

Anyway, as I initially had to re-install the buggy version it was clear that the problem was reproduced, SophosScanD started consuming over 95% again of CPU and my machine started heating up almost immediately. This ended abruptly after the update completed. Temperatures and CPU consumption are now back to normal. SophosScanD is no longer the most prominent process in the Activity Monitor although it is still present (apparently permanent) and appears to be using a lot of memory (93.3MB). It might still be helpful to understand what it IS and DOES exactly and why it would need so much of my machine's resources.

While the CPU and heat problems appear solved for now, I am still not convinced that SophosScanD is behaving the way it should and I am eager to find out what will happen once the "virus detection data package" encounters another end of life warning.

So far, so good.

---

Hello Pelagus,

Good questions indeed. I'll start with what SophosScanD is doing. Its purpose is to scan web downloads for malicious content e.g. thought you were downloading a cool new app but it turned out to be a trojan in disguise. Its part of the Web Protection feature. At startup, it needs to load a lot of virus detection data into memory and optimize it for high performance. One of the reasons our software is so unobtrusive is that its been designed to perform analysis against millions of known threats in only a coupld of milliseconds. Unfortunately, SophosScanD contained a defect that would tell the daemon to quit if it enountered a fatal error while loading the data. The way the code was written made the end-of-life warning identical to a fatal error. When it decided to quit, the system was told to restart it immediately (it should always be running). So it would start up, load data, organize the data in memory, and then quit again. 10 seconds later, the system started it again. Infinitely.

The defect in question has been fixed. In addition, we've made changes to how the virus detection data is delivered, so it will be easier to ensure rapid and smooth updates which should prevent your Mac from ever having detection data that is reaching its end of life.

---

sumguy wrote:

Well, it looks like this problem (or a similar one) was reported already back in June. Also, after updating to 9.1.5, I was still getting the same behavior, at least for a while. See this topic:

openforum.sophos.com/.../18029

So, just fyi, there seems to be still some conditions under which 9.1.5 will display the same high CPU and restarting.

---

Can you tell me what version numbers get displayed in the About box when you see this issue? Ensure that our product is fully updated, you should recieve new detection data regularly, keeping your system up to date ensures you never receive the end-of-life warning that triggered this problem in 9.0.11.

Phew, I can work on my laptop again! What a nightmare was that, I'm glad it's now resolved.

---

niek wrote:

Phew, I can work on my laptop again! What a nightmare was that, I'm glad it's now resolved.

---

Me too!